From 5a3f3d9f98feff767cc07e6fdc990ee4bf3cbd46 Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Tue, 10 Oct 2023 15:43:47 +0200
Subject: [PATCH] add cve checks for all examples

cve results will be uploaded to s3 file: cve-summary
---
 source-repo/kas/build.buildspec.yml | 1 +
 source-repo/kas/kas.yml | 2 ++
 source-repo/meta-aws-demo/build.buildspec.yml | 5 +++++
 source-repo/poky-ami/build.buildspec.yml | 6 ++++++
 source-repo/poky/build.buildspec.yml | 6 ++++++
 test/__snapshots__/demo-pipeline.test.ts.snap | 2 +-
 test/__snapshots__/source-repo.test.ts.snap | 2 +-
 7 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/source-repo/kas/build.buildspec.yml b/source-repo/kas/build.buildspec.yml
index 606b997..e5d6de2 100644
--- a/source-repo/kas/build.buildspec.yml
+++ b/source-repo/kas/build.buildspec.yml
@@ -25,3 +25,4 @@ artifacts:
 discard-paths: true
 files:
 - $TMP_DIR/build/tmp/deploy/images/qemux86-64/aws-biga-image-qemux86-64*
+ - $TMP_DIR/build/tmp/log/cve/cve-summary*
diff --git a/source-repo/kas/kas.yml b/source-repo/kas/kas.yml
index dbc8a12..f17cc8a 100644
--- a/source-repo/kas/kas.yml
+++ b/source-repo/kas/kas.yml
@@ -9,6 +9,8 @@ local_conf_header:
 qemu-config: |
 EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
 IMAGE_INSTALL:append = " greengrass-bin"
+ INHERIT += "cve-check"
+ include cve-extra-exclusions.inc
 repos:
 poky:
diff --git a/source-repo/meta-aws-demo/build.buildspec.yml b/source-repo/meta-aws-demo/build.buildspec.yml
index 6b38290..c04ffda 100644
--- a/source-repo/meta-aws-demo/build.buildspec.yml
+++ b/source-repo/meta-aws-demo/build.buildspec.yml
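Review bot: The new artifact glob `$TMP_DIR/build/tmp/log/cve/cve-summary*` uploads whatever cve-check writes under that name — presumably the text summary and, on recent releases, a `cve-summary.json` next to it — and that report is an inventory of the unpatched CVEs in the exact image being shipped. Nothing in this commit shows the artifact bucket or its access policy, so it is worth confirming the report is not landing somewhere broadly readable before treating "uploaded to S3" as done. A comment above the new line would make the intent and the sensitivity explicit, e.g. `# cve-check summary (text + JSON); lists unpatched CVEs in the image, keep the artifact bucket private`.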
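Review bot: `include cve-extra-exclusions.inc` in the `qemu-config` header is a soft include: BitBake silently skips an `include` whose file cannot be resolved, so if the poky revision pinned under `repos:` does not ship that file the exclusions are simply not applied and nobody is told. Use `require cve-extra-exclusions.inc` so a missing exclusion list fails the parse loudly instead; the same applies to the `echo 'include …'` lines the buildspecs append to local.conf. The pinned revision is outside this hunk, so whether the file exists there cannot be confirmed from here.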
@@ -19,6 +19,10 @@ phases:
 - git submodule update --init --recursive
 - echo Build started on `date`
 - . ./init-build-env $TMP_DIR
+ # Update our local conf to check for CVEs
+ - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+ # this will suppress false positive CVEs
+ - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
 - BUILD_DEVICE=qemu bitbake core-image-minimal
 post_build:
 commands:
@@ -30,3 +34,4 @@ artifacts:
 discard-paths: true
 files:
 - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
+ - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/source-repo/poky-ami/build.buildspec.yml b/source-repo/poky-ami/build.buildspec.yml
index 6f2fd7d..1b2a5d1 100644
--- a/source-repo/poky-ami/build.buildspec.yml
+++ b/source-repo/poky-ami/build.buildspec.yml
@@ -28,6 +28,11 @@ phases:
 # Update our local conf to build the EC2 AMI.
 - echo 'MACHINE = "aws-ec2-arm64"' >> $TMP_DIR/conf/local.conf
 - echo 'INHERIT += "aws-ec2-image"' >> $TMP_DIR/conf/local.conf
+ # Update our local conf to check for CVEs
+ - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+ # this will suppress false positive CVEs
+ - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
+ # build the image
 - bitbake core-image-minimal
 - echo Build completed on `date`
 post_build:
@@ -44,3 +49,4 @@ artifacts:
 discard-paths: true
 files:
 - $TMP_DIR/tmp/deploy/images/aws-ec2-arm64/core-image-minimal*
+ - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/source-repo/poky/build.buildspec.yml b/source-repo/poky/build.buildspec.yml
index f12e413..c0aece7 100644
--- a/source-repo/poky/build.buildspec.yml
+++ b/source-repo/poky/build.buildspec.yml
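Review bot: Appending `INHERIT += "cve-check"` makes the build fetch the NVD database during bitbake (via the release's `cve-update-*-native` task), so this CodeBuild project now needs outbound access to the NVD API and is subject to its unauthenticated rate limit; in an egress-restricted or VPC-attached build the failure will surface at that task, not at anything visible in this hunk. If the poky release in use supports it, set an API key next to the new lines and pass it in from a secret-backed environment variable rather than a literal, e.g. `- echo "NVDCVE_API_KEY = \"$NVD_API_KEY\"" >> $TMP_DIR/conf/local.conf`. A comment on the `INHERIT` line such as `# cve-check downloads the NVD database at build time: needs network egress to nvd.nist.gov` would save the next person a confusing failed build.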
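Review bot: With `INHERIT += "cve-check"` the class only warns about unpatched CVEs and writes the summary; `bitbake core-image-minimal` still succeeds and the AMI is produced whatever the report says, so this adds visibility but no gate. Since `post_build:` is visible at the end of this hunk, a minimal gate there would be `- test "$(grep -c 'CVE STATUS: Unpatched' $TMP_DIR/tmp/log/cve/cve-summary)" -eq 0`, which also fails the build when the summary was never written; this assumes the text summary keeps the class's `CVE STATUS:` lines, so check it against the release in use. If failing on every unpatched CVE is too strict for a demo, at least echo the count so it appears in the build log next to the image name.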
@@ -18,6 +18,11 @@ phases:
 - repo init -u $CODEBUILD_SRC_DIR -b main -m manifest.xml
 - repo sync
 - . poky/oe-init-build-env $TMP_DIR
+ # Update our local conf to check for CVEs
+ - echo 'INHERIT += "cve-check"' >> $TMP_DIR/conf/local.conf
+ # this will suppress false positive CVEs
+ - echo 'include cve-extra-exclusions.inc' >> $TMP_DIR/conf/local.conf
+ # build the image
 - bitbake core-image-minimal
 post_build:
 commands:
@@ -29,3 +34,4 @@ artifacts:
 discard-paths: true
 files:
 - $TMP_DIR/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64*
+ - $TMP_DIR/tmp/log/cve/cve-summary*
diff --git a/test/__snapshots__/demo-pipeline.test.ts.snap b/test/__snapshots__/demo-pipeline.test.ts.snap
index 7f9f4dd..457c1ed 100644
--- a/test/__snapshots__/demo-pipeline.test.ts.snap
+++ b/test/__snapshots__/demo-pipeline.test.ts.snap
@@ -6081,7 +6081,7 @@ def handler(event, context):
 "BranchName": "main",
 "S3": {
 "Bucket": "cdk-hnb659fds-assets-12341234-eu-central-1",
- "Key": "1de2dc6cbcd5d77c4571a033541f7c54c370a8404216a48e1a05fb19708f8572.zip",
+ "Key": "be1ef3027fcc83dcf3e6dad360bb0adeb5475cc89dd63f47af480d614cc2584c.zip",
 },
 },
 "RepositoryName": "layer-repo-MyTestStack",
diff --git a/test/__snapshots__/source-repo.test.ts.snap b/test/__snapshots__/source-repo.test.ts.snap
index 72185e4..d7195b9 100644
--- a/test/__snapshots__/source-repo.test.ts.snap
+++ b/test/__snapshots__/source-repo.test.ts.snap
@@ -16,7 +16,7 @@ exports[`Demo Source Repository Snapshot 1`] = `
 "BranchName": "main",
 "S3": {
 "Bucket": "cdk-hnb659fds-assets-12341234-eu-central-1",
- "Key": "1de2dc6cbcd5d77c4571a033541f7c54c370a8404216a48e1a05fb19708f8572.zip",
+ "Key": "be1ef3027fcc83dcf3e6dad360bb0adeb5475cc89dd63f47af480d614cc2584c.zip",
 },
 },
 "RepositoryName": "charlie",