This repository has been archived by the owner on Jun 25, 2019. It is now read-only.

Add ISA_dep_plugin for dependency checking and visualization #26

Open
wants to merge 35 commits into
base: pkg_dep

Conversation


@dallagi dallagi commented Feb 4, 2016

This plugin currently builds internally a dependency graph, renders it with graphviz and returns both a .dot file representing the graph and, if graphviz is installed, a visual representation of the graph.
Temporary data is stored in the report directory, and automatically deleted after a successful build.

ereshetova and others added 28 commits January 19, 2016 14:12
Taking pkg alias info into use in CVE plugin
Since checksec.sh functionality relies on readelf(1) utility,
which is part of binutils package, we should add runtime
dependencies on binutils explicitly.

Signed-off-by: Sergey Popovich <[email protected]>
Making junit xml output work for every plugin
Adding checks for executable stack to CFA plugin
Adding checks for executables that don't drop groups properly
Adding MPX-related checks
…me (PN)

While we are skipping the analysesource task for most of native, nativesdk,
cross, crosssdk and other stuff, we still have packages like glibc-initial
in our report.

This is because such initial packages do not belong to any specific
target/image class and thus are not subject to the analysesource task removal.

To address this issue use Base Package Name (BPN) since it is just a version of
Package Name (PN) with stripped suffixes like -initial, -native, -cross etc.

Signed-off-by: Sergey Popovich <[email protected]>
Two common and public tasks exposed by the class are analyse_sources
and analyse_sources_all. Both are used to generate ISAFW reports against
given package(s) without building them.

Add descriptive text strings to the task definitions within class to
give more information on them to the user in the listtasks bitbake
task output.

  $ bitbake -c listtasks <target>
  do_analyse_sources             Produce ISAFW reports based ...
  do_analyse_sources_all         Produce ISAFW reports for all ...
  ...

TODO: find a way to hide class private tasks do_analysesource and
      do_process_reports.

Signed-off-by: Sergey Popovich <[email protected]>
This plugin currently builds a dependency graph internally and
puts it in the log file.
Temporary data is stored in the report directory, and automatically
deleted after a successful build.
Additional fixes for xml output
Fetch checksec instead of storing the script
After the dependency graph has been internally created, generate a
.dot file representing the graph and call graphviz to render it.
Transitive reduction is applied to the graph definition.
Dependencies are now saved as an object <dep, details>, as run-time
dependencies include details like package version.
Dependencies are filtered based on DEPENDENCIES_BLACKLIST.

A class has been used instead of a namedtuple because openembedded
monkey-patches the namedtuple module with an alternative one which
is not pickle-able.
PNG graphs were often unreadable, especially in very large graphs.
While SVG files are not as convenient and easy to open, they are more
suitable for this purpose.
@ostroproject-ci

Can one of the admins verify this patch?

Those methods are useful when debugging.
@ereshetova
Contributor

ok to test

@kad
Member

kad commented Mar 4, 2016

I would strongly recommend rebasing this PR, as there are too many "merge commits" present in the change set. @dallagi please rebase your changes on top of origin/master, making sure that only your change commits are present in the PR.

@ereshetova
Contributor

@kad, this commit is for me to track progress of the work that @dallagi does, so there is no need to rebase it yet. This work is not ready to be merged to main repo for a while still.

dallagi added 6 commits March 23, 2016 17:11
Add the possibility to generate partial dependency graphs.

Dependency graphs are now color-coded: vulnerable packages
are represented by red nodes, while packages that depend on vulnerable
packages are represented by yellow nodes.

Edges in dependency graphs now contain info (e.g., pkg version) when
those are provided.
… packages

Mapping of source packages to the binary packages they generate is built
during the package-processing phase, and it is stored in a temporary file.
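The graph handling these commits describe (filtering by DEPENDENCIES_BLACKLIST, transitive reduction, red nodes for vulnerable packages and yellow nodes for their dependents, edge details such as versions, and .dot output for graphviz), as an added Python example that is not the ISA_dep_plugin's own code. The package names, blacklist contents, vulnerable set and edge detail are constructed sample data, and the function names are assumptions, not the plugin's API.

```python
from collections import deque
# Constructed sample data (not from the plugin): package -> packages it depends on.
SAMPLE_DEPS = {"app": {"libfoo", "libbar", "glibc"}, "libfoo": {"libbar", "glibc"},
               "libbar": {"glibc"}, "glibc": set(), "busybox": {"glibc"}}
DEPENDENCIES_BLACKLIST = {"glibc"}  # constructed stand-in for the plugin's filter
VULNERABLE = {"libbar"}             # constructed; e.g. a package flagged by a CVE check
EDGE_DETAILS = {("app", "libfoo"): ">= 1.2"}  # constructed run-time dependency detail

def filter_deps(deps, blacklist):
    """Drop blacklisted packages both as nodes and as edge targets."""
    return {p: {d for d in ds if d not in blacklist}
            for p, ds in deps.items() if p not in blacklist}

def reachable(deps, start):
    """Packages reachable from `start` along dependency edges (start excluded)."""
    seen, queue = set(), deque(deps.get(start, ()))
    while queue:
        p = queue.popleft()
        if p not in seen:
            seen.add(p)
            queue.extend(deps.get(p, ()))
    return seen

def transitive_reduction(deps):
    """Keep a->b only if b is not already reachable via another direct dep of a."""
    return {p: {d for d in ds if not any(d in reachable(deps, o) for o in ds if o != d)}
            for p, ds in deps.items()}

def node_colours(deps, vulnerable):
    """Red: vulnerable package. Yellow: depends (transitively) on a vulnerable one."""
    colours = {}
    for p in deps:
        if p in vulnerable:
            colours[p] = "red"
        elif reachable(deps, p) & vulnerable:
            colours[p] = "yellow"
    return colours

def to_dot(deps, colours, edge_details=None):
    """Emit Graphviz .dot text; edge labels carry details (e.g. version) when given."""
    edge_details = edge_details or {}
    lines = ["digraph deps {"]
    for p, colour in sorted(colours.items()):
        lines.append(f'  "{p}" [style=filled, fillcolor={colour}];')
    for p, ds in sorted(deps.items()):
        for d in sorted(ds):
            label = f' [label="{edge_details[(p, d)]}"]' if (p, d) in edge_details else ""
            lines.append(f'  "{p}" -> "{d}"{label};')
    lines.append("}")
    return "\n".join(lines)
```

Running `to_dot(transitive_reduction(filter_deps(SAMPLE_DEPS, DEPENDENCIES_BLACKLIST)), ...)` on the sample drops the redundant app -> libbar edge and colours app and libfoo yellow, since both reach the red libbar; the text can be rendered with `dot -Tsvg`.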