From 9e64bef51335cd7f0f159b305cbddc7d2610d719 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 17 May 2016 16:38:57 -0700
Subject: [PATCH 1/2] setup_board: create a glsa-check wrapper

We want to be able to verify that we don't have any vulnerabilities in the build root, so install a wrapper for glsa-check
---
 setup_board | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/setup_board b/setup_board
index 1cbb3c3100..ad23b562c6 100755
--- a/setup_board
+++ b/setup_board
@@ -80,7 +80,8 @@ exec sudo -E ${command} ${extra_args} "\$@"
 EOF
 # Note: parent will process these.
 wrappers+=( "${target}" )
- eval ${command^^}_WRAPPER="${target}" # ${foo^^} returns toupper($foo)
+ upper=${command^^}
+ eval ${upper/-/_}_WRAPPER="${target}" # ${foo^^} returns toupper($foo)
 }
 
 generate_all_wrappers() {
@@ -90,7 +91,7 @@ generate_all_wrappers() {
 
 info "Generating wrapper scripts"
 for wrapper in 'emerge --root-deps' ebuild eclean equery portageq \
- qcheck qfile qlist emaint; do
+ qcheck qfile qlist emaint glsa-check; do
 _generate_wrapper ${wrapper}
 done
 

From 922554303b660b33d60b5c0995d55fed45fa3b6e Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 17 May 2016 16:37:20 -0700
Subject: [PATCH 2/2] check_root: Verify that we don't have any applicable GLSA

Once we've built the packages, verify against the Gentoo Linux Security Advisories to ensure that we're not shipping anything with known vulnerabilities.
---
 build_library/test_image_content.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/build_library/test_image_content.sh b/build_library/test_image_content.sh
index 4a28f3d4ff..4e52c3931d 100644
--- a/build_library/test_image_content.sh
+++ b/build_library/test_image_content.sh
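Review bot: The new `eval ${upper/-/_}_WRAPPER=...` line replaces only the first hyphen in the command name, and `upper` is assigned without `local`, so it leaks into the caller's scope; the two lines would read better as `local upper=${command^^}  # ${foo^^} returns toupper($foo)` and `eval ${upper//-/_}_WRAPPER="${target}"  # '-' is not valid in a variable name`. The split also left the comment `# ${foo^^} returns toupper($foo)` on the eval line, which no longer uses `^^`; it belongs on the `upper=` line. `_generate_wrapper` starts outside the hunk, so whether its other variables are declared `local` cannot be seen here. The second hunk only adds `glsa-check` to the wrapper list and needs nothing further.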
@@ -2,6 +2,26 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+GLSA_WHITELIST=("201412-09")
+
+glsa_image() {
+ VULNS=()
+ GLSAS=`glsa-check-$BOARD -t all`
+ for GLSA in $GLSAS; do
+ if [[ " ${GLSA_WHITELIST[@]} " =~ " ${GLSA} " ]]; then
+ continue
+ else
+ VULNS+=($GLSA)
+ fi
+ done
+ if [[ ${#VULNS[@]} != 0 ]]; then
+ echo "The following GLSAs apply: $VULNS"
+ return 1
+ fi
+
+ return 0
+}
+
 test_image_content() {
 local root="$1"
 local returncode=0
@@ -45,5 +65,9 @@ test_image_content() {
 #returncode=1
 fi
 
+ if ! glsa_image; then
+ returncode=1
+ fi
+
 return $returncode
 }
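Review bot: The exit status of `glsa-check-$BOARD -t all` is discarded on the `GLSAS=` line, so if the wrapper is missing, `BOARD` is unset, or the advisory database is not present in the chroot, `GLSAS` is empty and `glsa_image` reports the image clean — a failed check must not read as "no advisories". The `echo` on the failure path prints `$VULNS`, which is only the first element of the array; `${VULNS[*]}` lists them all. `VULNS`, `GLSAS` and `GLSA` are assigned without `local` (the rest of the file uses `local`, as in `test_image_content`), and the whitelist entry `201412-09` carries no comment saying why it is excluded, which a future reader will need. I would rewrite the function as below; whether a non-zero exit from the wrapper can also mean "advisories found" depends on the glsa-check version in the chroot, so the rewrite only treats non-zero with empty output as a tool failure — confirm against that version. The second hunk in this file adds the call and is covered by the note there.
```shell
# GLSAs that are known not to apply to this image. Keep a reason next to each entry.
GLSA_WHITELIST=("201412-09")   # TODO(review): record why this advisory is excluded

glsa_image() {
  local glsas status glsa vulns=()
  glsas=$(glsa-check-"${BOARD}" -t all)
  status=$?
  # Non-zero exit with nothing listed means the tool itself failed; do not treat that as clean.
  if [[ ${status} -ne 0 && -z ${glsas} ]]; then
    echo "glsa-check-${BOARD} failed (exit ${status}); cannot verify image against GLSAs"
    return 1
  fi
  for glsa in ${glsas}; do
    if [[ " ${GLSA_WHITELIST[*]} " == *" ${glsa} "* ]]; then
      continue
    fi
    vulns+=("${glsa}")
  done
  if [[ ${#vulns[@]} -ne 0 ]]; then
    echo "The following GLSAs apply: ${vulns[*]}"
    return 1
  fi
  return 0
}
```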
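Review bot: The new `if ! glsa_image; then returncode=1` block makes the GLSA check fatal while the check just above it has its `returncode=1` commented out, and nothing in the hunk says that difference is intended; a one-line comment such as `# Known-vulnerable packages must fail the image test.` above the new `if` would make the policy explicit. `test_image_content` receives `root` but `glsa_image` takes no argument and resolves the target through `glsa-check-$BOARD`; presumably the wrapper checks the board root, but passing `"${root}"` through or noting the assumption would make the relationship clear. The rest of `test_image_content` lies outside the hunk.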