Commit Graph

53014 Commits

Author SHA1 Message Date
Fabrice Fontaine
e8535d1b19 package/i2pd: bump to version 2.33.0
>From https://github.com/PurpleI2P/i2pd/releases/tag/2.33.0:
 - UDP tunnels through ECIES-X25519-AEAD-Ratchet
 - Shared transient addresses
 - ECIES-X25519-AEAD-Ratchet and multiple encryption keys through I2CP
 - Pre-calculated x25519 ephemeral keys
 - crypto.ratchet.inboundTags parameter
 - Don't save invalid address to AddressBook
 - Correct ECDSA signatures names in SAM
 - New webconsole layout
 - Shared routing path for datagram session
 - Change datagram routing path if nothing comes back in 10 seconds
 - Updated reseed servers list
 - Don't connect through terminated SAM destination

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:58:02 +02:00
Fabrice Fontaine
b517934b79 package/botan: bump to version 2.15.0
https://botan.randombit.net/news.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:57:47 +02:00
Adam Duskett
29db5b3aed package/libblockdev: add support for swap plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:57:13 +02:00
Adam Duskett
723b9a9d7d package/libblockdev: add support for part plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:51:40 +02:00
Adam Duskett
7ddf853ae0 package/libblockdev: add support for mdraid plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:47:21 +02:00
Adam Duskett
05c46e723a package/libblockdev: add support for lvm plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:46:26 +02:00
Adam Duskett
63759893f7 package/libblockdev: add support for loop plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:45:58 +02:00
Adam Duskett
445813d8cc package/libblockdev: add support for fs plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:44:37 +02:00
Waldemar Brodkorb
ebf2949aaf Revert "package/parted: disable on uclibc"
Commit 25b1dc4613 disabled parted on
uClibc due to the following build failure:

atari.c:221:9: error: dereferencing pointer to incomplete type 'struct __uclibc_locale_struct'
  return isalnum_l(part->id[0], atr_c_locale)

This was fixed in upstream uClibc-ng as of upstream commit
d1a3ca7ca56630fddde7311a0474eed4a21335a7, which was part of the 1.0.33
uClibc-ng release. On the Buildroot side, even though Buildroot
2020.02 was using uClibc-ng 1.0.32, we already had this patch
backported.

So we can now safely re-enable parted for uClibc-ng toolchains, as
well as its reverse dependencies.

Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:40:19 +02:00
Adam Duskett
c45cce332a package/libblockdev: add support for crypto plugin
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 21:20:33 +02:00
Adam Duskett
bf87263b6d package/libbytesize: new package
Libbytesize is a small library providing a C "class" for working with
arbitrary big sizes in bytes.

The mdraid plugin for libblockdev depends on this package, which newer
versions of udisks require when building with the udisks daemon
enabled.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 16:39:09 +02:00
Adam Duskett
0c52826291 package/libblockdev: new package
libblockdev is a C library supporting GObject introspection for
manipulation of block devices. It has a plugin-based architecture
where each technology (like LVM, Btrfs, MD RAID, Swap,...) is
implemented in a separate plugin, possibly with multiple
implementations.

gobject-introspection is not a strict dependency and may be disabled
via a configure flag.

This is the base package with everything disabled, the subsequent
patches in this series will add more options necessary to bump udisks
to the latest.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 16:20:09 +02:00
Yann E. MORIN
e1bf9bedd5 support/scripts/gen-bootlin-toolchains: be less verbose
Drop the debug-level print as noticed by Titouan.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
2020-08-29 16:10:02 +02:00
Thomas Petazzoni
efce79db65 support/testing/test/toolchain/test_external_bootlin: new test cases
This commit adds the new test cases generated automatically by the
bl-toolchains-gen script, to test the integration of the Bootlin
toolchains.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 15:47:46 +02:00
Thomas Petazzoni
64b74b204e toolchain/toolchain-external/toolchain-external-bootlin: finalize package addition
This commit wires-up the toolchain-external-bootlin package into
Buildroot by:

 - Adding
   toolchain/toolchain-external/toolchain-external-bootlin/Config.in,
   which is not generated by the bl-toolchains-gen script as it is a
   static file that does not depend on the list and characteristics of
   available Bootlin toolchains.

 - Including that file, as well as the Config.in.options file, from
   toolchain/toolchain-external/Config.in.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 15:47:39 +02:00
Thomas Petazzoni
2165746ff0 toolchain/toolchain-external/toolchain-external-bootlin: add auto-generated files
This commit adds the contents of the
toolchain/toolchain-external/toolchain-external-bootlin/ files
generated by bl-toolchains-gen, unmodified.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 15:47:39 +02:00
Thomas Petazzoni
184d47a7ad support/scripts/gen-bootlin-toolchains: add new script to support Bootlin toolchains
https://toolchains.bootlin.com/ has been providing for a few years a
number of ready-to-use pre-built toolchains, for a wide range of
architectures (which it turns out, are all built using Buildroot).

While toolchains.bootlin.com provides Buildroot config fragments to
easily use those toolchains with Buildroot (see [0] for example), this
is not visible anywhere. So instead, we would like to add support for
these toolchains in Buildroot just like we have existing support for
Linaro, ARM, Synopsys, etc. toolchains.

[0] https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/fragments/aarch64--glibc--bleeding-edge-2020.02-2.frag

However, the number of toolchains provided by toolchains.bootlin.com
is really large, and they are regularly updated. Maintaining that
manually would be time consuming and error-prone. So instead, this
commit introduces a script that automatically generates:

 - toolchain/toolchain-external/toolchain-external-bootlin/Config.in.options
 - toolchain/toolchain-external/toolchain-external-bootlin/toolchain-external-bootlin.mk
 - toolchain/toolchain-external/toolchain-external-bootlin/toolchain-external-bootlin.hash
 - support/testing/tests/toolchain/test_external_bootlin.py

We create a single external toolchain package, with a Kconfig "choice"
as a sub-option to select the toolchain variant to be used. The script
contains a Python dict that provides the mapping between the
toolchains provided by toolchains.bootlin.com, and the architecture
options/variants they are applicable to.

The test cases allow to verify that the toolchain configuration is
correct, and that it is able to build a Busybox based system. It
doesn't do any runtime testing as such testing is already done by
toolchains.bootlin.com: the test cases here are only meant to verify
that the toolchain-external-bootlin package works as expected.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 15:47:39 +02:00
Thomas Petazzoni
6354edea04 package/docker-cli: drop <pkg>_WORKSPACE variable
Since the go.mod integration, the <pkg>_WORKSPACE variable is useless,
so drop it.

Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 15:02:30 +02:00
Thomas Petazzoni
a289fc8b69 docs/manual/adding-packages-golang.txt: update following go.mod integration
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Thomas Petazzoni
92584815ba package/mender-artifact: drop custom GOFLAGS
Now that we have switched to the go.mod integration, all Go packages
are built with -mod=vendor, so there's no need to have custom GOFLAGS
in mender-artifact.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
913fac5bb1 package/docker-proxy: drop <pkg>_WORKSPACE variable
With the go.mod integration, the <pkg>_WORKSPACE variable has become
useless, drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
cfcf745e10 package/docker-engine: drop <pkg>_SRC_SUBDIR variable
With the go.mod integration, the DOCKER_ENGINE_SRC_SUBDIR has become
useless, drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
a7ed0ae6cc package/docker-containerd: drop <pkg>_WORKSPACE variable
With the go.mod integration, the <pkg>_WORKSPACE variable is no longer
needed, drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
302bb3347c package/runc: drop <pkg>_WORKSPACE variable
With the go.mod integration, the <pkg>_WORKSPACE variable has become
useless, so drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
7afd262da0 package/go: implement go modules integration
The Go compiler needs to know the "import path" to the root of package
source repositories. Previously, this was done by creating a fake
_gopath in the build directory and symlinking the package source into
that path.

Go has deprecated the GOPATH mechanism in favor of a new approach -
Modules - which specifies the root import path (and dependencies) in a
"go.mod" file. This commit moves Buildroot to use the new go.mod
approach, which requires:

 - Passing GO111MODULE=on when building host or target Go packages.

 - Passing GOPROXY=off and -mod=vendor to prevent the Go module system
   from downloading by itself sources from the Internet. We currently
   only support Go packages that have all their dependencies in their
   source tree in "vendor" directories.

 - Specifying a <pkg>_GOMOD variable, which is used both to create a
   minimal go.mod file in the package source tree if it exists, and to
   invoke the right build targets. Indeed, all elements in
   <pkg>_BUILD_TARGETS are now relative to <pkg>_GOMOD.

Reference: https://github.com/golang/go/wiki/Modules

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:06 +02:00
Christian Stewart
b80bcd7ffa package/docker-cli: define <pkg>_GOMOD variable
In preparation for the go.mod integration, define the DOCKER_CLI_GOMOD
variable.

We also use it as a handy shortcut when defining DOCKER_CLI_LDFLAGS.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Christian Stewart
edb06ecf3b package/docker-engine: define <pkg>_GOMOD variable
In preparation for the go.mod integration, define the
DOCKER_ENGINE_GOMOD variable.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Christian Stewart
01c5e0ed72 package/docker-containerd: define <pkg>_GOMOD variable
In preparation for the go.mod integration, define the
DOCKER_CONTAINERD_GOMOD variable.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
0d26fb58b7 package/go: drop GO_TARGET_ENV / GO_HOST_ENV
Now that GO_TARGET_ENV and GO_HOST_ENV are just aliases to
HOST_GO_TARGET_ENV and HOST_GO_HOST_ENV, drop the former two, and use
the latter two directly.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
1a17e4ae99 package/go: re-integrate GO_COMMON_ENV into HOST_GO_COMMON_ENV
There is no point in having some common Go env variables defined in
pkg-golang.mk:GO_COMMON_ENV, and some in
package/go/go.mk:HOST_GO_COMMON_ENV. Let's move all of them to
package/go/go.mk:HOST_GO_COMMON_ENV.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7a89fa07ee package/go: pass CFLAGS/CXXFLAGS/LDFLAGS in HOST_GO_TARGET_ENV
HOST_GO_HOST_ENV is explicitly specifying
HOST_CGO_{CFLAGS,CXXFLAGS,LDFLAGS}, so let's do the same for target
packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
557282a9c0 package/go: introduce HOST_GO_COMMON_ENV
A few variables are common between HOST_GO_TARGET_ENV and
HOST_GO_HOST_ENV, so let's introduce a HOST_GO_COMMON_ENV variable for
those few common ones (which will increase in follow-up commits).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7c3e3cbcf2 package/go: add a HOST_GO_HOST_ENV variable
package/go/go.mk provides a HOST_GO_TARGET_ENV which provides a useful
set of environment variables needed to build target Go packages.

For host packages, we simply have package/pkg-golang.mk defining
GO_HOST_ENV to specify CFLAGS/LDFLAGS, but that's it: we don't pass an
explicit path to the compiler, we don't pass GO111MODULE, GOCACHE,
GOROOT, etc.

This commit introduces a HOST_GO_HOST_ENV variable that provides the
appropriate set of environment variables to use when building host
golang packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:48 +02:00
Thomas Petazzoni
46080111af package/watchdog: drop AUTORECONF
The upstream tarball provides an already generated configure script,
which works fine, so there's no need to AUTORECONF.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:34:15 +02:00
Thomas Petazzoni
4f17ebafb2 DEVELOPERS: add Alejandro González for watchdog
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:33:00 +02:00
Alejandro González
d4ed6b7b85 package/watchdog: new package
watchdog is a flexible watchdog daemon that improves on the already
available Busybox watchdog daemon by providing more advanced features,
like defining custom system status checks and executing repair scripts
to react upon invariants that don't hold.

Due to "watchdog" being also provided by Busybox, we need to make that
package/watchdog installs the watchdog binary in the same place as
Busybox (i.e in /sbin), and need to add a dependency of Busybox on
this new watchdog package.

Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:30:05 +02:00
Peter Seiderer
ce49a59ff7 package/wayland-utils: new package
From [1] (for details see [2]):

This is first release of wayland-utils which only contains (for now)
wayland-info, a utility for displaying information about the Wayland
protocols supported by a Wayland compositor.

wayland-info is basically a standalone version of weston-info as found
in weston repository.

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-July/041565.html
[2] https://lists.freedesktop.org/archives/wayland-devel/2020-July/041520.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 13:58:02 +02:00
Adam Duskett
cfe47f4f79 package/mender-artifact: do not download modules during the build process
By default, go will attempt to download needed modules before building, which
is not desirable. This behavior also causes permission issues when cleaning,
as go downloads modules as read-only by default. Because mender-artifact
includes the modules in the vendor directory, mod=vendor prevents the package
from downloading the go modules during the build process and prevents
permission issues when cleaning.

Fixes:
http://autobuild.buildroot.net/results/d5bcaca73ae74fe8b0ebd39b6331564cd639fb66

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 13:52:02 +02:00
Thomas Petazzoni
ed33cecb51 Config.in.legacy: adjust location of gdb 8.1 legacy option
The gdb 8.1 option will have been removed from 2020.11, not 2020.08.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 13:50:52 +02:00
Horatiu Vultur
841c604748 package/easyframes: new package
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 12:04:01 +02:00
Gwenhael Goavec-Merou
130a0163af package/uhd: new package
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 00:07:51 +02:00
Sergio Prado
68cf4136bb package/powertop: bump version to 2.13
Also separate the fields in the hash file by two spaces and add pgp
signature check.

Since we're now using the default value for POWERTOP_SOURCE, drop this
variable definition.

Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 23:44:10 +02:00
Peter Korsgaard
9cd0654380 configs/roseapplepi: switch to mainline 5.7.19 kernel
Mainline Linux now has basic s500/roseapplepi support, so switch to that to
get rid of the dependency on gcc7.  Add two patches for the dts / fix that
didn't make it for kernel 5.7.

The mainline kernel does not yet have support for the mmc interface, so
change to initramfs for now.  Patches for mmc support have been posted
recently, so this can be reverted once they show up in a stable kernel:

https://lore.kernel.org/lkml/cover.1593124368.git.cristian.ciocaltea@gmail.com/

The owl serial port is called ttyOWLn in mainline, so adjust the bootargs to
match.  Also drop the unneeded execute permission on uEnv.txt.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 23:42:08 +02:00
Gregory CLEMENT
fafa3e4e29 support/scripts/cve-checker: add a per configuration CVE checker
This scripts takes as entry on stdin a JSON description of the package
used for a given configuration. This description is the one generated
by "make show-info".

The script generates the list of all the packages used and if they are
affected by a CVE. The output is either a JSON or an HTML file similar
to the one generated by pkg-stats.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>=
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 11:35:03 +02:00
Gregory CLEMENT
2a2f69d672 support/scripts: make CVE class independent of the Packaage class
The affects method of the CVE uses the Package class defined in
pkg-stats. The purpose of migrating the CVE class outside of pkg-stats
was to be able to reuse it from other scripts. So let's remove the
Package dependency and only use the needed information.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 11:00:40 +02:00
Gregory CLEMENT
b9c9f23f9a package/pkg-utils.mk: report the list of ignored CVEs in show-info
Add the list of the CVEs to ignore for each package because they
already have a fix for it.

This information will be useful for a cve-checker.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 10:22:24 +02:00
Gregory CLEMENT
52ae092046 support/scripts/cve.py: use the JSON data in 1.1 schema
In 2019, the JSON vulnerability feeds switched their schema from
version 1.0 to 1.1.

The main difference is the removal of the "affects" element that we
were using to check if a package was affected by a CVE.

This information is now available in the "configuration" element which
contains the cpeid as well as properties about the versions
affected. Instead of having a list of the versions affected, with
these properties, it is possible to have a range of versions.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:14:39 +02:00
Gregory CLEMENT
f8ee65570a support/scripts/pkg-stats: move CVE related code to a separate module
In order to be able to use the CVE checking logic outside of
pkg-stats, move the CVE class in a module that can be used by other
scripts.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:14:38 +02:00
Thomas Petazzoni
008ca2c583 support/scripts/pkg-stats: consider "-" as a wildcard when doing CVE version matching
Some CVE entries in the NVD database have version_value set to "-",
which seems to indicate that it applies to all versions of the
software project, or that they don't really know which versions are
affected, and which are not.

So, for the benefit of doubt, it seems more appropriate to consider
such CVEs as affecting our packages.

This makes the total number of CVEs affecting our next branch jump
from 141 CVEs to 658 CVEs, but that number will go back down once we
switch to the JSON 1.1 schema. Indeed, in the JSON 1.0 schema, there
are often cases where a version_value is set to "=" *and* specific
versions are set to.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:14:38 +02:00
Thomas Petazzoni
e631c314b1 support/scripts/pkg-stats: drop erroneous "break" in CVE.affects()
Commit 7d2779ecbb
("support/script/pkg-stats: handle exception when version comparison
fails") erroneousy introduced a "break" within a try/expect block.

This break has the unfortunate consequence that every CVE that was
using the <= operator was skipped, and according to the current
CVE statistics, made us miss 74 CVEs out of 141 CVEs.

Here is for reference the complete list of CVEs we missed:

 - gnupg
   CVE-2006-3082
   CVE-2019-13050

 - jhead
   CVE-2020-6624
   CVE-2020-6625

 - patch
   CVE-2018-6952
   CVE-2019-20633

 - json-c
   CVE-2020-12762

 - git
   CVE-2018-1000110
   CVE-2018-1000182
   CVE-2019-1003010
   CVE-2020-2136

 - iperf2
   CVE-2016-4303

 - libtorrent
   CVE-2009-1760
   CVE-2016-5301

 - lua
   CVE-2020-15888
   CVE-2020-15889
   CVE-2020-15945
   CVE-2020-24342

 - openvpn
   CVE-2020-7224

 - smack
   CVE-2016-10027

 - bashtop
   CVE-2019-18276

 - links
   CVE-2008-3319

 - argus
   CVE-2011-3332

 - libraw
   CVE-2020-15503

 - netcat
   CVE-2008-5727
   CVE-2008-5728
   CVE-2008-5729
   CVE-2008-5730
   CVE-2008-5742
   CVE-2015-2214

 - subversion
   CVE-2017-1000085
   CVE-2018-1000111
   CVE-2020-2111

 - python
   CVE-2013-1753
   CVE-2015-5652
   CVE-2017-17522
   CVE-2017-18207
   CVE-2019-20907
   CVE-2019-9674

 - cereal
   CVE-2020-11104
   CVE-2020-11105

 - opencv
   CVE-2017-1000450
   CVE-2017-12597
   CVE-2017-12598
   CVE-2017-12599
   CVE-2017-12600
   CVE-2017-12601
   CVE-2017-12602
   CVE-2017-12603
   CVE-2017-12604
   CVE-2017-12605
   CVE-2017-12606
   CVE-2017-12862
   CVE-2017-12863
   CVE-2017-12864
   CVE-2019-15939

 - docker
   CVE-2015-1843
   CVE-2015-3627
   CVE-2015-3630
   CVE-2015-3631
   CVE-2016-3697
   CVE-2017-14992
   CVE-2019-16884

 - trousers
   CVE-2020-24330
   CVE-2020-24331
   CVE-2020-24332

 - libcroco
   CVE-2020-12825

 - libpupnp
   CVE-2020-13848

 - openjpeg
   CVE-2020-15389

 - flex
   CVE-2015-1773

 - libesmtp
   CVE-2019-19977

 - ed
   CVE-2015-2987

 - libmad
   CVE-2018-7263

 - grub
   CVE-2020-15705

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:14:38 +02:00