
Dependency scanning for Yocto/OpenEmbedded


Problem to solve

Existing dependency scanning mechanisms in GitLab do not currently support embedded Linux build systems such as Yocto/OpenEmbedded.

Intended users

Further details

An example of the final output of an Automotive Grade Linux build is available here; the manifest file in the images directory is probably the best place to look for package names and version numbers:

https://mirrors.edge.kernel.org/AGL/release/lamprey/11.91.0/raspberrypi4/deploy/

It is generated by downloading multiple repositories for metadata about what packages are needed in the build, and in some cases, what patches need to be applied to the packages. This can complicate the idea of scanning dependencies for vulnerabilities, as the vulnerability may be patched as a part of the recipe in order to prevent having to maintain a fork of the repository. (Often, these patches come directly from newer versions upstream and are backported. Or, they are submitted to upstream in order to remove the need for the separate patch file.)

Example manifest file showing package names and versions that went into the image: https://mirrors.edge.kernel.org/AGL/release/lamprey/11.91.0/raspberrypi4/deploy/images/raspberrypi4-64/agl-demo-platform-crosssdk-raspberrypi4-64-20210518123541.rootfs.manifest

However, if it works, it would be a really nice way to stay on top of security for a complex embedded system.

Proposal

Add support for dependency scanning for Yocto/OpenEmbedded projects, either by scanning the metadata used to build the project, or scanning the manifest after the build (probably easier, though unclear if patches have been applied to that source).
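As an added illustration of the manifest-based approach and the backported-patch caveat described above (example code, not part of this issue or of GitLab), the following parses a constructed rootfs.manifest in the `<package> <arch> <version>` format Yocto emits, compares against a constructed advisory list with placeholder CVE ids, and downgrades findings whose CVE id appears in a recipe patch filename (the OpenEmbedded naming convention for backports):

```python
import re

# Constructed sample of a Yocto/OE rootfs .manifest: "<package> <arch> <version>" per line.
SAMPLE_MANIFEST = """\
acl cortexa72 2.2.53-r0
base-files raspberrypi4_64 3.0.14-r89
busybox cortexa72 1.32.0-r0
"""

# Constructed recipe patch names. OE convention: backports are named after the CVE they fix.
SAMPLE_RECIPE_PATCHES = {"busybox": ["CVE-0000-0001.patch", "0001-fix-musl-build.patch"]}

# Constructed advisory data with placeholder CVE ids: (package, cve, first fixed upstream version).
SAMPLE_ADVISORIES = [
    ("busybox", "CVE-0000-0001", "1.33.0"),  # backported via the recipe patch above
    ("busybox", "CVE-0000-0002", "1.33.1"),  # no recipe patch -> real finding
    ("acl", "CVE-0000-0003", "2.2.50"),      # already fixed in 2.2.53
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_manifest(text):
    """Return {package: (arch, upstream_version, package_revision)} from a rootfs.manifest."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, arch, full = parts
        ver, sep, pr = full.rpartition("-r")  # strip the OE package revision suffix (-rN)
        if not sep:
            ver, pr = full, ""
        pkgs[name] = (arch, ver, pr)
    return pkgs

def version_tuple(v):
    """Numeric-only comparison key; letter suffixes such as 1.1.1k are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def patched_cves(patch_names):
    """CVE ids named in the recipe's patch files."""
    return {m.group(0) for n in patch_names if (m := CVE_RE.search(n))}

def scan(manifest_text, advisories, recipe_patches):
    """Return findings as (package, version, cve, status) for packages below the fixed version."""
    pkgs = parse_manifest(manifest_text)
    findings = []
    for pkg, cve, fixed_in in advisories:
        if pkg not in pkgs or version_tuple(pkgs[pkg][1]) >= version_tuple(fixed_in):
            continue  # absent from the image, or the version already carries the fix
        status = "patched-in-recipe" if cve in patched_cves(recipe_patches.get(pkg, [])) else "vulnerable"
        findings.append((pkg, pkgs[pkg][1], cve, status))
    return findings
```

Scanning the manifest alone would report both busybox entries as vulnerable; only the recipe metadata shows that one of them was backported.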

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Links / references

/cc @plafoucriere
