Merge pull request #547 from mjg59/glsa

Matthew Garrett · Matthew Garrett · commit 9a3c5a9d2e1f · 2016-05-17T16:49:36.000-07:00
Verify GLSA status when building packages
diff --git a/build_library/test_image_content.sh b/build_library/test_image_content.sh
@@ -2,6 +2,26 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+GLSA_WHITELIST=("201412-09")
+
+glsa_image() {
+  VULNS=()
+  GLSAS=`glsa-check-$BOARD -t all`
+  for GLSA in $GLSAS; do
+    if [[ " ${GLSA_WHITELIST[@]} " =~ " ${GLSA} " ]]; then
+      continue
+    else
+      VULNS+=($GLSA)
+    fi
+  done
+  if [[ ${#VULNS[@]} != 0 ]]; then
+    echo "The following GLSAs apply: $VULNS"
+    return 1
+  fi
+
+  return 0
+}
+
 test_image_content() {
   local root="$1"
   local returncode=0
@@ -45,5 +65,9 @@ test_image_content() {
     #returncode=1
   fi
 
+  if ! glsa_image; then
+      returncode=1
+  fi
+
   return $returncode
 }
diff --git a/setup_board b/setup_board
@@ -80,7 +80,8 @@ exec sudo -E ${command} ${extra_args} "\$@"
 EOF
   # Note: parent will process these.
   wrappers+=( "${target}" )
-  eval ${command^^}_WRAPPER="${target}" # ${foo^^} returns toupper($foo)
+  upper=${command^^}
+  eval ${upper/-/_}_WRAPPER="${target}" # ${foo^^} returns toupper($foo)
 }
 
 generate_all_wrappers() {
@@ -90,7 +91,7 @@ generate_all_wrappers() {
   info "Generating wrapper scripts"
 
   for wrapper in 'emerge --root-deps' ebuild eclean equery portageq \
-                 qcheck qfile qlist emaint; do
+                 qcheck qfile qlist emaint glsa-check; do
     _generate_wrapper ${wrapper}
   done
 
