Now that GLSA metadata was updated as of 2021-09-03, we need to add the following entries to the GLSA allow list, to avoid build failures caused by `glsa-check -t all`.

202006-03: perl 5.26.2, only SDK, allowlist
202008-01: python 2.7.15 & 3.6.5, only SDK, allowlist
202101-18: python 2.7.15 & 3.6.5, only SDK, allowlist
202104-04: python 2.7.15 & 3.6.5, only SDK, allowlist
202105-22: samba 4.12.9, not affected, samba has no ldap flag, no smbd.
202105-34: bash 4.3, non-trivial to update
202107-31: polkit 0.113, in-progress
202107-48: systemd 247.9, backported the fixes to v247.9.
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# GLSAs that glsa_image() must not report for this image. Each id keeps the
# reason it is suppressed next to it so the entry can be revisited (and
# dropped) once the underlying package is updated or the issue is resolved.
GLSA_WHITELIST=()
GLSA_WHITELIST+=(201412-09)  # incompatible CA certificate version numbers
GLSA_WHITELIST+=(201908-14)  # backported both CVE fixes
GLSA_WHITELIST+=(201909-01)  # Perl, SDK only
GLSA_WHITELIST+=(202003-26)  # SDK only
GLSA_WHITELIST+=(202005-09)  # SDK only
GLSA_WHITELIST+=(202006-03)  # perl, SDK only
GLSA_WHITELIST+=(202008-01)  # python, SDK only
GLSA_WHITELIST+=(202101-18)  # python, SDK only
GLSA_WHITELIST+=(202104-04)  # python, SDK only
GLSA_WHITELIST+=(202105-22)  # samba, not affected, samba has no ldap flag, no smbd.
GLSA_WHITELIST+=(202105-34)  # bash, non-trivial
GLSA_WHITELIST+=(202107-31)  # polkit, in-progress
GLSA_WHITELIST+=(202107-48)  # systemd, backported fixes to v247.
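# Report GLSAs that apply to the image under $ROOT and are not whitelisted.
# Globals:  BOARD (read; selects glsa-check-$BOARD), ROOT (read, message only),
#           GLSA_WHITELIST (read)
# Outputs:  the applicable, non-whitelisted GLSA ids on stdout
# Returns:  0 when nothing applies, 1 when a GLSA applies or when the
#           checker cannot be run at all
glsa_image() {
  local checker="glsa-check-${BOARD}"

  # Fail closed. With a bare pipeline a missing checker produces no output,
  # grep -v then matches nothing and the image silently passes this gate.
  if ! command -v "${checker}" >/dev/null 2>&1; then
    echo "${checker} not found; cannot check GLSAs for ${ROOT}" >&2
    return 1
  fi

  # -F: ids are literal strings, -x: whole-line match, -v: keep only the
  # ids that are NOT whitelisted. grep succeeds only when at least one
  # applicable id survives the filter, which is exactly the failure case.
  # NOTE(review): -x assumes the checker prints one GLSA id per line on
  # stdout — confirm against the glsa-check version in use.
  if "${checker}" -t all | grep -Fvx "${GLSA_WHITELIST[@]/#/-e}"; then
    echo "The above GLSAs apply to ${ROOT}"
    return 1
  fi

  return 0
}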
# Run the post-build content checks against the image rooted at $1.
# Globals:  BUILD_LIBRARY_DIR (read; locates check_root), BOARD (read)
# Calls:    info/warn/error and glsa_image from the surrounding library
# Returns:  0 when every hard check passes; 1 when the /usr conflict check,
#           the symlink check or the GLSA check fails. The dependency,
#           blacklisted-directory and #! checks only warn for now.
test_image_content() {
  local root="$1"
  local returncode=0
  local check_root="${BUILD_LIBRARY_DIR}/check_root"
  local dir

  info "Checking $root"

  # Advisory only: a long-lived SDK with binary packages from before
  # portage 2.2.18 trips this, so print the remedy instead of failing.
  ROOT="$root" "$check_root" libs || {
    warn "test_image_content: Failed dependency check"
    warn "This may be the result of having a long-lived SDK with binary"
    warn "packages that predate portage 2.2.18. If this is the case try:"
    echo " emerge-$BOARD -agkuDN --rebuilt-binaries=y -j9 @world"
    echo " emerge-$BOARD -a --depclean"
    #returncode=1
  }

  # Directories that should not ship in the image. Only a warning for now:
  # size isn't important enough to spend time playing whack-a-mole yet.
  local blacklist_dirs=("$root/usr/share/locale")
  for dir in "${blacklist_dirs[@]}"; do
    [[ -d "$dir" ]] || continue
    warn "test_image_content: Blacklisted directory found: $dir"
    #error "test_image_content: Blacklisted directory found: $dir"
    #returncode=1
  done

  # No conflicts between /* and /usr/*; this one is fatal.
  ROOT="$root" "$check_root" usr || {
    error "test_image_content: Failed /usr conflict check"
    returncode=1
  }

  # No #! lines pointing at non-existent interpreters. Warning only until
  # all of the offending scripts have actually been removed.
  ROOT="$root" "$check_root" shebang || {
    warn "test_image_content: Failed #! check"
    #error "test_image_content: Failed #! check"
    #returncode=1
  }

  # NOTE(review): this is the only check run under sudo — presumably it
  # needs privileges to walk the whole image tree; confirm in check_root.
  sudo ROOT="$root" "$check_root" symlink || {
    error "test_image_content: Failed symlink check"
    returncode=1
  }

  # Applicable GLSAs that are not on GLSA_WHITELIST fail the image.
  ROOT="$root" glsa_image || returncode=1

  return "$returncode"
}