diff mbox series

[RFC,v9,05/10] toolchain/toolchain-ext: glibc cpe-info support

Message ID 20200616170341.45098-5-matthew.weber@rockwellcollins.com
State New
Headers show
Series [RFC,v9,01/10] cpe-info: new make target | expand

Commit Message

Matthew Weber June 16, 2020, 5:03 p.m. UTC
From: Shruthi Singh <shruthi.singh@rockwellcollins.com>

This commit adds the correct CPE string for glibc, describing CPE ID,
VERSION, PACKAGE NAME and URL.

Signed-off-by: Shruthi Singh shruthi.singh@rockwellcollins.com
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - No change

v7
 - New
---
 package/pkg-generic.mk                             | 14 ++++++++++++++
 .../toolchain-external/pkg-toolchain-external.mk   |  7 +++++++
 2 files changed, 21 insertions(+)

Comments

Thomas Petazzoni June 25, 2020, 11:09 a.m. UTC | #1
On Tue, 16 Jun 2020 12:03:36 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

>  $(1)-cpe-info: PKG=$(2)
> +ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
> +$(1)-cpe-info: toolchain
> +endif
>  $(1)-cpe-info:
>  ifeq ($$($(2)_TYPE),target)
> +ifneq ($$($(2)_NAME),toolchain-external)
> +ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
> +ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
> +	$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
> +	$$(eval $(2)_CPE_ID_VENDOR = gnu)
> +	$$(eval $(2)_CPE_ID_NAME = glibc)
> +	$$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
> +	$$(eval $(2)_RAWNAME = glibc)

It is absolutely atrocious to have this stuff directly in the middle of
pkg-generic.mk, and even further only within the $(1)-cpe-info target.

Why isn't this been done inside the external toolchain package itself,
or the external toolchain package infrastructure ?

I think this specific issue of having proper tracking of the target
elements (C library, gcc runtime) of the toolchain is global, and not
just for CPE/CVE tracking: we already do not properly track this in
terms of legal-info for example.

So rather than this one-off hack that solves just the specific case of
CPE tracking for glibc in external toolchains, we need a more global
solution.

Thomas
diff mbox series

Patch

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 3bc9567652..21e510365e 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -984,8 +984,22 @@  $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
 endif
 
 $(1)-cpe-info: PKG=$(2)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
+$(1)-cpe-info: toolchain
+endif
 $(1)-cpe-info:
 ifeq ($$($(2)_TYPE),target)
+ifneq ($$($(2)_NAME),toolchain-external)
+ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
+	$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
+	$$(eval $(2)_CPE_ID_VENDOR = gnu)
+	$$(eval $(2)_CPE_ID_NAME = glibc)
+	$$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
+	$$(eval $(2)_RAWNAME = glibc)
+endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)
+endif # ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+endif # ifneq ($$($(2)_NAME),toolchain-external)
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
 	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
index 6d91cb5d1e..14065345d7 100644
--- a/toolchain/toolchain-external/pkg-toolchain-external.mk
+++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
@@ -453,6 +453,13 @@  define TOOLCHAIN_EXTERNAL_INSTALL_SYSROOT_LIBS
 	$(call copy_toolchain_sysroot,$${SYSROOT_DIR},$${ARCH_SYSROOT_DIR},$${ARCH_SUBDIR},$${ARCH_LIB_DIR},$${SUPPORT_LIB_DIR})
 endef
 
+define TOOLCHAIN_CPE_INFO
+	ARCH_SYSROOT_DIR="$(call toolchain_find_sysroot,$(TOOLCHAIN_EXTERNAL_CC) $(TOOLCHAIN_EXTERNAL_CFLAGS))" ; \
+	MAJ=`awk '{ if ($$1 = /#define/ && ($$2= /__GLIBC__/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+	MIN=`awk '{ if ($$1 = /#define/ && ($$2 = /_GLIBC_MINOR/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+	echo $${MAJ}.$${MIN}
+endef
+
 # Create a symlink from (usr/)$(ARCH_LIB_DIR) to lib.
 # Note: the skeleton package additionally creates lib32->lib or lib64->lib
 # (as appropriate)