* cve-check: building world doesn't create the manifest
@ 2022-04-29 8:22 Davide Gardenal
2022-04-29 15:39 ` [OE-core] " Ralph Siemsen
0 siblings, 1 reply; 2+ messages in thread
From: Davide Gardenal @ 2022-04-29 8:22 UTC (permalink / raw)
To: openembedded-core
Greetings,
In the current version of cve-check there is no way of creating the manifest when building world. The reason why is due to these two lines:
>
> ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
> do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
The problem is that in world there is no do_rootfs, so the function cve_check_write_rootfs_manifest is never executed, hence the manifest is not created.
My idea was to convert cve_check_write_rootfs_manifest to a handler listening for BuildCompleted but then if someone builds more than one image the output is broken.
Any suggestions are welcome and appreciated, thanks!
Davide
* Re: [OE-core] cve-check: building world doesn't create the manifest
2022-04-29 8:22 cve-check: building world doesn't create the manifest Davide Gardenal
@ 2022-04-29 15:39 ` Ralph Siemsen
0 siblings, 0 replies; 2+ messages in thread
From: Ralph Siemsen @ 2022-04-29 15:39 UTC (permalink / raw)
To: Davide Gardenal; +Cc: openembedded-core
Hi Davide,
On Fri, Apr 29, 2022 at 4:22 AM Davide Gardenal
<davidegarde2000@gmail.com> wrote:
>
> My idea was to convert cve_check_write_rootfs_manifest to a handler listening for BuildCompleted but then if someone builds more than one image the output is broken.
Actually that is already the case, if one builds multiple images, the
cve manifests tend to include "extra" packages, from recipes built as
part of another image. This tripped me up when I was trying to see
what CVE changed between builds. Another complication is that ordering
of the manifest is not entirely deterministic.
At one point, I worked around this by using 'bitbake -g' to generate
pn-buildlist, and then manually assembling the cve manifest using the
recipe names from pn-buildlist, and the files in tmp/deploy/cve. While
this worked, it was not particularly elegant, and I eventually abandoned
it. Now I just run bitbake several times, once per image, and I
collect the cve manifest between runs. Then some additional
post-processing to sort and compare between runs.
It would be nice to fix the tool if possible. But I have not really
looked into it.
Ralph
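
The sort-and-compare post-processing described in the reply above, as an added example that is not part of the thread or of cve-check itself. It assumes the text manifest is a series of blank-line separated `KEY: value` records with `PACKAGE NAME`, `CVE` and `CVE STATUS` keys; the `recipes` parameter stands in for the recipe names taken from pn-buildlist, and the sample data is constructed.

```python
import re

# Constructed sample manifests from two runs. The blank-line separated
# "KEY: value" layout and the key names are assumptions about the cve-check
# text manifest; the CVE ids are placeholders.
RUN_OLD = """\
PACKAGE NAME: zlib
CVE: CVE-0000-0001
CVE STATUS: Unpatched

PACKAGE NAME: busybox
CVE: CVE-0000-0002
CVE STATUS: Unpatched
"""
RUN_NEW = """\
PACKAGE NAME: busybox
CVE: CVE-0000-0002
CVE STATUS: Patched

PACKAGE NAME: extra-tool
CVE: CVE-0000-0003
CVE STATUS: Unpatched

PACKAGE NAME: zlib
CVE: CVE-0000-0001
CVE STATUS: Unpatched
"""

def parse_manifest(text, recipes=None):
    """Return {(package, cve): status}; keep only `recipes` when given."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        fields = {k.strip(): v.strip() for k, v in pairs}
        pkg, cve = fields.get("PACKAGE NAME"), fields.get("CVE")
        if not pkg or not cve:
            continue  # skip malformed or partial records
        if recipes is None or pkg in recipes:
            entries[(pkg, cve)] = fields.get("CVE STATUS", "Unknown")
    return entries

def diff_runs(old, new):
    """Order-independent comparison of two parsed manifests, sorted output."""
    both = old.keys() & new.keys()
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in both if old[k] != new[k]),
    }
```

Keying on (package, CVE) makes the comparison independent of record order, and passing the image's recipe names as `recipes` drops entries that came from recipes built for another image.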