Merge pull request #229 from flatcar-linux/dongsu/glsa-20220216

build_library: update allow list for GLSA checks 2022-02-16
Dongsu Park 2022-02-17 11:12:26 +01:00 committed by GitHub
commit 173554db7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 21 deletions


@ -2,24 +2,13 @@
# Use of this source code is governed by a BSD-style license that can be # Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file. # found in the LICENSE file.
GLSA_WHITELIST=( GLSA_ALLOWLIST=(
201412-09 # incompatible CA certificate version numbers 201412-09 # incompatible CA certificate version numbers
201908-14 # backported both CVE fixes
201909-01 # Perl, SDK only
202003-26 # SDK only
202005-09 # SDK only
202006-03 # perl, SDK only
202008-01 # python, SDK only
202101-18 # python, SDK only
202104-04 # python, SDK only
202105-22 # samba, not affected, samba has no ldap flag, no smbd. 202105-22 # samba, not affected, samba has no ldap flag, no smbd.
202105-34 # bash, non-trivial
202107-31 # polkit, in-progress
202107-48 # systemd, backported fixes to v247.
) )
glsa_image() { glsa_image() {
if glsa-check-$BOARD -t all | grep -Fvx "${GLSA_WHITELIST[@]/#/-e}"; then if glsa-check-$BOARD -t all | grep -Fvx "${GLSA_ALLOWLIST[@]/#/-e}"; then
echo "The above GLSAs apply to $ROOT" echo "The above GLSAs apply to $ROOT"
return 1 return 1
fi fi
@ -42,15 +31,15 @@ test_image_content() {
#returncode=1 #returncode=1
fi fi
local blacklist_dirs=( local denylist_dirs=(
"$root/usr/share/locale" "$root/usr/share/locale"
) )
for dir in "${blacklist_dirs[@]}"; do for dir in "${denylist_dirs[@]}"; do
if [ -d "$dir" ]; then if [ -d "$dir" ]; then
warn "test_image_content: Blacklisted directory found: $dir" warn "test_image_content: Denied directory found: $dir"
# Only a warning for now, size isn't important enough to kill time # Only a warning for now, size isn't important enough to kill time
# playing whack-a-mole on things like this this yet. # playing whack-a-mole on things like this this yet.
#error "test_image_content: Blacklisted directory found: $dir" #error "test_image_content: Denied directory found: $dir"
#returncode=1 #returncode=1
fi fi
done done
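Review bot: In glsa_image, the new-side line `if glsa-check-$BOARD -t all | grep -Fvx "${GLSA_ALLOWLIST[@]/#/-e}"; then` lets a failed or missing `glsa-check-$BOARD` pass the gate silently: grep then sees no input, selects nothing, the `if` branch is skipped and the function falls through as if no GLSA applied, so the audit can be lost on the board the allowlist was just tightened for. Capturing the tool's output and status before filtering closes that hole: `local glsas`, `glsas=$(glsa-check-"$BOARD" -t all) || return 1`, then `if [[ -n "$glsas" ]] && grep -Fvx "${GLSA_ALLOWLIST[@]/#/-e}" <<<"$glsas"; then` (the `-n` guard avoids grep matching the empty line a here-string produces when nothing is affected; if glsa-check's exit status also encodes "affected GLSAs found", adjust the `|| return 1` accordingly). The remaining allowlist entries carry a reason but no date or tracking reference, so it is hard to tell when `202105-22 # samba, not affected ...` is due for re-review; a pointer to the bug or the package version it was assessed against would help the next pruning pass like this one. glsa_image's body continues past the end of the hunk.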


@ -238,9 +238,9 @@ get_gclient_root() {
fi fi
} }
# Populate the ENVIRONMENT_WHITELIST array. # Populate the ENVIRONMENT_ALLOWLIST array.
load_environment_whitelist() { load_environment_allowlist() {
ENVIRONMENT_WHITELIST=( ENVIRONMENT_ALLOWLIST=(
COREOS_OFFICIAL COREOS_OFFICIAL
FLATCAR_BUILD_ID FLATCAR_BUILD_ID
FORCE_STAGES FORCE_STAGES
@ -308,7 +308,7 @@ if [[ -f "${REPO_MANIFESTS_DIR}/version.txt" ]]; then
FLATCAR_DEV_BUILDS FLATCAR_DEV_BUILDS_SDK FLATCAR_DEV_BUILDS FLATCAR_DEV_BUILDS_SDK
# Don't promote FLATCAR_BUILD_ID into an environment variable when it # Don't promote FLATCAR_BUILD_ID into an environment variable when it
# didn't start as one, since we don't want it leaking into the SDK # didn't start as one, since we don't want it leaking into the SDK
# chroot environment via ENVIRONMENT_WHITELIST. # chroot environment via ENVIRONMENT_ALLOWLIST.
declare +x FLATCAR_BUILD_ID declare +x FLATCAR_BUILD_ID
fi fi
: ${FLATCAR_BUILD_ID:=$(date +%Y-%m-%d-%H%M)} : ${FLATCAR_BUILD_ID:=$(date +%Y-%m-%d-%H%M)}