add cve checks for all examples

cve results will be uploaded to s3
file: cve-summary

source-repo/kas/build.buildspec.yml

@@ -25,3 +25,4 @@ artifacts:
   discard-paths: true
   files:
     - $TMP_DIR/build/tmp/deploy/images/qemux86-64/aws-biga-image-qemux86-64*
+    - $TMP_DIR/build/tmp/log/cve/cve-summary*

source-repo/kas/kas.yml

@@ -9,6 +9,8 @@ local_conf_header:
     qemu-config: |
         EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
         IMAGE_INSTALL:append = " greengrass-bin"
+        INHERIT += "cve-check"
+        include cve-extra-exclusions.inc
 
 repos:
   poky:

source-repo/meta-aws-demo/build.buildspec.yml

@@ -19,6 +19,10 @@ phases:
       - git submodule update --init --recursive
       - echo Build started on `date`
       - . ./init-build-env $TMP_DIR
+      # Update our local conf to check for CVEs
+      - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+      # this will suppress false positive CVEs
+      - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
       - BUILD_DEVICE=qemu bitbake core-image-minimal
   post_build:
     commands:
@@ -30,3 +34,4 @@ artifacts:
   discard-paths: true
   files:
     - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
+    - $TMP_DIR/tmp/log/cve/cve-summary*

source-repo/poky-ami/build.buildspec.yml

@@ -28,6 +28,11 @@ phases:
       # Update our local conf to build the EC2 AMI.
       - echo 'MACHINE = "aws-ec2-arm64"' >> $TMP_DIR/conf/local.conf
       - echo 'INHERIT += "aws-ec2-image"' >> $TMP_DIR/conf/local.conf
+      # Update our local conf to check for CVEs
+      - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+      # this will suppress false positive CVEs
+      - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
+      # build the image
       - bitbake core-image-minimal
       - echo Build completed on `date`
   post_build:
@@ -44,3 +49,4 @@ artifacts:
   discard-paths: true
   files:
     - $TMP_DIR/tmp/deploy/images/aws-ec2-arm64/core-image-minimal*
+    - $TMP_DIR/tmp/log/cve/cve-summary*

source-repo/poky/build.buildspec.yml

@@ -18,6 +18,11 @@ phases:
       - repo init -u $CODEBUILD_SRC_DIR -b main -m manifest.xml
       - repo sync
       - . poky/oe-init-build-env $TMP_DIR
+      # Update our local conf to check for CVEs
+      - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+      # this will suppress false positive CVEs
+      - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
+      # build the image
       - bitbake core-image-minimal
   post_build:
     commands:
@@ -29,3 +34,4 @@ artifacts:
   discard-paths: true
   files:
     - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
+    - $TMP_DIR/tmp/log/cve/cve-summary*

test/__snapshots__/demo-pipeline.test.ts.snap

@@ -6081,7 +6081,7 @@ def handler(event, context):
           "BranchName": "main",
           "S3": {
             "Bucket": "cdk-hnb659fds-assets-12341234-eu-central-1",
-            "Key": "1de2dc6cbcd5d77c4571a033541f7c54c370a8404216a48e1a05fb19708f8572.zip",
+            "Key": "be1ef3027fcc83dcf3e6dad360bb0adeb5475cc89dd63f47af480d614cc2584c.zip",
           },
         },
         "RepositoryName": "layer-repo-MyTestStack",

test/__snapshots__/source-repo.test.ts.snap

@@ -16,7 +16,7 @@ exports[`Demo Source Repository Snapshot 1`] = `
           "BranchName": "main",
           "S3": {
             "Bucket": "cdk-hnb659fds-assets-12341234-eu-central-1",
-            "Key": "1de2dc6cbcd5d77c4571a033541f7c54c370a8404216a48e1a05fb19708f8572.zip",
+            "Key": "be1ef3027fcc83dcf3e6dad360bb0adeb5475cc89dd63f47af480d614cc2584c.zip",
           },
         },
         "RepositoryName": "charlie",