Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

build.sh: add support to generate Vigiles reports in automated builds 

This adds two new options:

    * One to generate a Vigiles CVE report along with a build
    * One to include the meta-digi-security layer in a build

Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This commit is contained in:
Gabriel Valcazar 2023-02-15 13:32:17 +01:00
parent 82dc50b6ef
commit 93ea42e229
1 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
sdk/build.sh
View File

@ -3,7 +3,7 @@
# #
# build.sh # build.sh
# #
# Copyright (C) 2013-2022 by Digi International Inc. # Copyright (C) 2013-2023 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -22,6 +22,9 @@
# DY_RM_WORK: Remove the package working folders to save disk space. # DY_RM_WORK: Remove the package working folders to save disk space.
# DY_TARGET: Target image (the default is 'dey-image-qt') # DY_TARGET: Target image (the default is 'dey-image-qt')
# DY_USE_MIRROR: Use internal Digi mirror to download packages # DY_USE_MIRROR: Use internal Digi mirror to download packages
# DY_CVE_REPORT: Generate Vigiles CVE report
# DY_VIGILES_DIR: Path to Vigiles configuration files on the build server
# DY_USE_CVE_LAYER: Apply meta-digi-security layer with CVE fixes
# #
#=============================================================================== #===============================================================================
@ -42,6 +45,13 @@ INHERIT += \"rm_work\"
RM_WORK_EXCLUDE += \"dey-image-qt dey-image-webkit linux-dey qtbase u-boot-dey\" RM_WORK_EXCLUDE += \"dey-image-qt dey-image-webkit linux-dey qtbase u-boot-dey\"
" "
VIGILES_CFG="
VIGILES_KEY_FILE = \"${DY_VIGILES_DIR}/linuxlink_key.json\"
VIGILES_DASHBOARD_CONFIG = \"##VIGILES_CONF_PATH##\"
VIGILES_SUBFOLDER_NAME = \"${DY_REVISION}\"
INHERIT += \"vigiles\"
"
ZIP_INSTALLER_CFG=" ZIP_INSTALLER_CFG="
DEY_IMAGE_INSTALLER = \"1\" DEY_IMAGE_INSTALLER = \"1\"
" "
@ -150,6 +160,11 @@ if [ -n "${DY_MACHINES_LAYER}" ]; then
MACHINES_LAYER="-m ${DY_MACHINES_LAYER}" MACHINES_LAYER="-m ${DY_MACHINES_LAYER}"
fi fi
[ -z "${DY_CVE_REPORT}" ] && DY_CVE_REPORT="false"
[ -z "${DY_USE_CVE_LAYER}" ] && DY_USE_CVE_LAYER="false"
[ "${DY_CVE_REPORT}" = "true" ] && [ -z "${DY_VIGILES_DIR}" ] && error "DY_VIGILES_DIR not specified"
# Per-platform data # Per-platform data
while read -r _pl _tgt; do while read -r _pl _tgt; do
# shellcheck disable=SC2015 # shellcheck disable=SC2015
@ -264,6 +279,18 @@ for platform in ${DY_PLATFORMS}; do
if [ "${DY_MFG_IMAGE}" = "true" ] && ! grep -qs "meta-digi-mfg" conf/bblayers.conf; then if [ "${DY_MFG_IMAGE}" = "true" ] && ! grep -qs "meta-digi-mfg" conf/bblayers.conf; then
sed -i -e "/meta-digi-dey/a\ ${YOCTO_INST_DIR}/sources/meta-digi-mfg \\\\" conf/bblayers.conf sed -i -e "/meta-digi-dey/a\ ${YOCTO_INST_DIR}/sources/meta-digi-mfg \\\\" conf/bblayers.conf
fi fi
# If we want to generate a CVE report, update conf/local.conf
if [ "${DY_CVE_REPORT}" = "true" ]; then
# Build Vigiles config path using platform and patch status
status="non-patched"
[ "${DY_USE_CVE_LAYER}" = "true" ] && status="patched"
VIGILES_CONF_PATH="${DY_VIGILES_DIR}/configs/${platform}_${status}_config"
# Return error if config file doesn't exist
if [ ! -f "${VIGILES_CONF_PATH}" ] && error "Cannot find Vigiles config file ${VIGILES_CONF_PATH}"
printf "%s" "${VIGILES_CFG}" | sed -e "s,##VIGILES_CONF_PATH##,${VIGILES_CONF_PATH},g" >> conf/local.conf
fi
# Apply CVE layer if needed
[ "${DY_USE_CVE_LAYER}" = "true" ] && bitbake-layers add-layer ${YOCTO_INST_DIR}/sources/meta-digi-security
printf "\n[INFO] Show customized local.conf.\n" printf "\n[INFO] Show customized local.conf.\n"
cat conf/local.conf cat conf/local.conf