77 lines
3.0 KiB
Plaintext
77 lines
3.0 KiB
Plaintext
###########################################################
|
|
#
|
|
# classes/ccss.bbclass - ConnectCore Security Services
|
|
#
|
|
# Generates an SBOM for the CCSS CVE analysis tool
|
|
#
|
|
# Copyright (C) 2025 Digi International
|
|
#
|
|
#
|
|
# This source is released under the MIT License.
|
|
#
|
|
###########################################################
|
|
|
|
inherit vigiles
|
|
|
|
CCSS_API_VERSION = "0.1"
|
|
CCSS_IMAGE_TYPE ?= "dev"
|
|
CCSS_ENABLE ?= "1"
|
|
|
|
python do_ccss_generate_sbom() {
|
|
import json
|
|
import os
|
|
import shutil
|
|
import tempfile
|
|
|
|
# Temporary dir to store all files in the SBOM
|
|
ccss_tmp_dir = tempfile.mkdtemp(dir=d.getVar('TOPDIR'))
|
|
|
|
try:
|
|
manifest_file = os.path.join(d.getVar('VIGILES_DIR'), d.getVar('VIGILES_MANIFEST_NAME') + d.getVar('VIGILES_MANIFEST_SUFFIX'))
|
|
ccss_kconfig = os.path.join(d.getVar('VIGILES_DIR'),'.'.join([_get_kernel_pf(d), 'config']))
|
|
ccss_uconfig = os.path.join(d.getVar('VIGILES_DIR'),'.'.join([_get_uboot_pf(d), 'config']))
|
|
|
|
# Copy Vigiles manifest and kernel/uboot configs if they're available
|
|
if os.path.exists(manifest_file):
|
|
shutil.copy(manifest_file, os.path.join(ccss_tmp_dir, 'manifest.json'), follow_symlinks=True)
|
|
if os.path.exists(ccss_kconfig):
|
|
shutil.copy(ccss_kconfig, os.path.join(ccss_tmp_dir, 'kernel.config'), follow_symlinks=True)
|
|
if os.path.exists(ccss_uconfig):
|
|
shutil.copy(ccss_uconfig, os.path.join(ccss_tmp_dir, 'uboot.config'), follow_symlinks=True)
|
|
|
|
dict_out = dict(
|
|
api_version = d.getVar('CCSS_API_VERSION'),
|
|
date = d.getVar('DATETIME'),
|
|
has_ccss_patches = bb.utils.contains('BBFILE_COLLECTIONS', 'digi-security', 'y', 'n', d),
|
|
image_type = d.getVar('CCSS_IMAGE_TYPE'),
|
|
som = d.getVar('DIGI_SOM'),
|
|
yocto_codename = d.getVar('DISTRO_CODENAME')
|
|
)
|
|
|
|
with open(os.path.join(ccss_tmp_dir, 'config.json'), 'w') as f_out:
|
|
s = json.dumps(dict_out, indent=2, sort_keys=True)
|
|
f_out.write(s)
|
|
|
|
# Create .zip file
|
|
shutil.make_archive(os.path.join(d.getVar('TOPDIR'), 'CCSS_' + d.getVar('IMAGE_BASENAME') + '-' + d.getVar('DATETIME')), 'zip', ccss_tmp_dir)
|
|
finally:
|
|
# Remove temporary dir
|
|
bb.utils.remove(ccss_tmp_dir, recurse=True)
|
|
}
|
|
|
|
# Don't execute do_ccss_generate_sbom() unless explicitly enabled for a given
|
|
# image
|
|
python __anonymous() {
|
|
if d.getVar('CCSS_ENABLE') != '1':
|
|
d.setVarFlag('do_ccss_generate_sbom', 'noexec', '1')
|
|
}
|
|
|
|
addtask do_ccss_generate_sbom after do_image before do_image_complete
|
|
|
|
# Since do_ccss_generate_sbom() uses the DATETIME variable to create the
|
|
# metadata JSON, said variable will expand to different values when the
|
|
# function is parsed in different stages of the build (first by the bitbake
|
|
# cooker, and then by a worker). This causes metadata/hash mismatch errors due
|
|
# to non-deterministic content, so exclude DATETIME from the hash calculation.
|
|
do_ccss_generate_sbom[vardepsexclude]="DATETIME"
|