add a GitHub action that checks for CVEs on every pull request and ni…

…ghtly

.github/workflows/auto-update.yml

@@ -2,7 +2,7 @@ name: Auto-Recipe-Update
 
 on:
   schedule:
-    - cron: '0 0 * * 2-5'
+    - cron: '0 1 * * 2-5'
   workflow_dispatch:
 
 jobs:

.github/workflows/nightly-cve-check.yml

@@ -0,0 +1,81 @@
+name: nightly-cve-check
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+jobs:
+  nightly-cve-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install required packages to run nighly-cve-check
+        run: |
+          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
+          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
+          sudo locale-gen
+      - name: Checkout meta-aws
+        uses: actions/checkout@v3
+        with:
+          path: yocto_cve/meta-aws
+      - name: Checkout meta-oe
+        uses: actions/checkout@v3
+        with:
+          repository: openembedded/meta-openembedded
+          path: yocto_cve/meta-openembedded
+      - name: Checkout poky
+        run: |
+          cd yocto_cve/
+          git clone git://git.yoctoproject.org/poky --single-branch
+      - name: Cache sstate + downloads
+        uses: actions/cache@v3
+        with:
+          path: |
+            yocto_cve/build/sstate-cache
+            yocto_cve/build/downloads
+          key: cache-cve-sstate-downloads
+      - name: Run CVE check
+        run: |
+          cd yocto_cve/
+          source poky/oe-init-build-env build
+          bitbake-layers add-layer ../meta-openembedded/meta-oe
+          bitbake-layers add-layer ../meta-openembedded/meta-python
+          bitbake-layers add-layer ../meta-openembedded/meta-networking
+          bitbake-layers add-layer ../meta-openembedded/meta-multimedia
+          bitbake-layers add-layer ../meta-aws
+          echo 'INHERIT += "cve-check"' >> conf/local.conf
+          bitbake -c cve_check `find ../meta-aws -name *.bb -type f  | sed 's!.*/!!' | sed 's!.bb!!' | sed 's!_.*!!' | sort | uniq | sed -z 's/\n/ /g'`
+      - name: Show cve-summary.json
+        run: |
+            cat yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Check results (cve-summary.json) for unpatched CVEs
+        shell: bash
+        run: |
+          jq  -e '.package[] | select(.issue[].status | contains ("Unpatched") )' yocto_cve/build/tmp/log/cve/cve-summary.json > unpatched-cves.json; \
+           if [ $? -eq 0 ]; then echo "::error::Found unpatched CVEs in packages: $(jq  -e '. | select(.issue[].status | contains ("Unpatched") ) | .name' unpatched-cves.json)" && exit 1; fi; \
+           if [ $? -eq 4 ] ; then echo "::notice::No unpatched CVEs found" && exit 0; fi; \
+          echo "::error::General error" && exit 99
+      - name: Generate step summary
+        if: '!cancelled()'
+        shell: bash
+        run: |
+          if [ -f unpatched-cves.json ]; then
+            echo -e "# Found unpatched CVE(s) in package(s):" >> $GITHUB_STEP_SUMMARY
+            cat unpatched-cves.json >> $GITHUB_STEP_SUMMARY
+          else
+            echo -e "# No unpatched CVE(s) found" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo -e "# CVE-SUMMARY:\n" >> $GITHUB_STEP_SUMMARY
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json >> $GITHUB_STEP_SUMMARY
+      - name: Save cve-summary.json
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary.json
+          path: yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Save cve-summary
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary
+          path: yocto_cve/build/tmp/log/cve/cve-summary
+          if-no-files-found: ignore

.github/workflows/pr-cve-check.yml

@@ -0,0 +1,82 @@
+name: pr-cve-check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - 'master-next'
+jobs:
+  pr-cve-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install required packages to run cve-check
+        run: |
+          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
+          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
+          sudo locale-gen
+      - name: Checkout meta-aws
+        uses: actions/checkout@v3
+        with:
+          path: yocto_cve/meta-aws
+      - name: Checkout meta-oe
+        uses: actions/checkout@v3
+        with:
+          repository: openembedded/meta-openembedded
+          path: yocto_cve/meta-openembedded
+      - name: Checkout poky
+        run: |
+          cd yocto_cve/
+          git clone git://git.yoctoproject.org/poky --single-branch
+      - name: Cache sstate + downloads
+        uses: actions/cache@v3
+        with:
+          path: |
+            yocto_cve/build/sstate-cache
+            yocto_cve/build/downloads
+          key: cache-cve-sstate-downloads
+      - name: Run CVE check
+        run: |
+          cd yocto_cve/
+          source poky/oe-init-build-env build
+          bitbake-layers add-layer ../meta-openembedded/meta-oe
+          bitbake-layers add-layer ../meta-openembedded/meta-python
+          bitbake-layers add-layer ../meta-openembedded/meta-networking
+          bitbake-layers add-layer ../meta-openembedded/meta-multimedia
+          bitbake-layers add-layer ../meta-aws
+          echo 'INHERIT += "cve-check"' >> conf/local.conf
+          bitbake -c cve_check `find ../meta-aws -name *.bb -type f  | sed 's!.*/!!' | sed 's!.bb!!' | sed 's!_.*!!' | sort | uniq | sed -z 's/\n/ /g'`
+      - name: Show cve-summary.json
+        run: |
+            cat yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Check results (cve-summary.json) for unpatched CVEs
+        shell: bash
+        run: |
+          jq  -e '.package[] | select(.issue[].status | contains ("Unpatched") )' yocto_cve/build/tmp/log/cve/cve-summary.json > unpatched-cves.json; \
+           if [ $? -eq 0 ]; then echo "::error::Found unpatched CVEs in packages: $(jq  -e '. | select(.issue[].status | contains ("Unpatched") ) | .name' unpatched-cves.json)" && exit 1; fi; \
+           if [ $? -eq 4 ] ; then echo "::notice::No unpatched CVEs found" && exit 0; fi; \
+          echo "::error::General error" && exit 99
+      - name: Generate step summary
+        if: '!cancelled()'
+        shell: bash
+        run: |
+          if [ -f unpatched-cves.json ]; then
+            echo -e "# Found unpatched CVE(s) in package(s):" >> $GITHUB_STEP_SUMMARY
+            cat unpatched-cves.json >> $GITHUB_STEP_SUMMARY
+          else
+            echo -e "# No unpatched CVE(s) found" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo -e "# CVE-SUMMARY:\n" >> $GITHUB_STEP_SUMMARY
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json >> $GITHUB_STEP_SUMMARY
+      - name: Save cve-summary.json
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary.json
+          path: yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Save cve-summary
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary
+          path: yocto_cve/build/tmp/log/cve/cve-summary
+          if-no-files-found: ignore

recipes-support/amazon-ssm-agent/amazon-ssm-agent_3.2.2086.0.bb

@@ -1,6 +1,7 @@
 SUMMARY = "Amazon SSM Agent"
 DESCRIPTION = "An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs)."
 HOMEPAGE = "https://github.com/aws/amazon-ssm-agent"
+CVE_PRODUCT = "amazon_ssm_agent"
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "\
@@ -93,4 +94,3 @@ do_install () {
     install -d ${D}${systemd_unitdir}/system/
     install -m 644 ${S}/packaging/linux/amazon-ssm-agent.service ${D}${systemd_unitdir}/system/amazon-ssm-agent.service
 }
-