Dependency scanning for Yocto/OpenEmbedded
Problem to solve
Existing dependency scanning mechanisms in GitLab do not currently support embedded Linux build systems such as Yocto/OpenEmbedded.
Intended users
- Parker (Product Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Further details
An example of the final output of an Automotive Grade Linux build is available at the link below; the manifest file in the images directory is probably the best place to look for package names and version numbers:
https://mirrors.edge.kernel.org/AGL/release/lamprey/11.91.0/raspberrypi4/deploy/
The image is generated by downloading multiple repositories of metadata (recipes) describing which packages are needed in the build and, in some cases, which patches need to be applied to those packages. This complicates dependency scanning for vulnerabilities: a vulnerability may already be patched as part of the recipe, which avoids having to maintain a fork of the upstream repository. (Often these patches are backported directly from newer upstream versions, or they are submitted upstream so that the separate patch file can eventually be dropped.)
Example manifest file showing the package names and versions that went into the image: https://mirrors.edge.kernel.org/AGL/release/lamprey/11.91.0/raspberrypi4/deploy/images/raspberrypi4-64/agl-demo-platform-crosssdk-raspberrypi4-64-20210518123541.rootfs.manifest
However, if it works, it would be a really nice way to stay on top of security for a complex embedded system.
Proposal
Add support for dependency scanning for Yocto/OpenEmbedded projects, either by scanning the metadata used to build the project or by scanning the manifest after the build (probably easier, though it is unclear from the manifest whether patches have been applied to that source).
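To make the manifest-based option concrete, here is an added example (not GitLab's or AGL's code) that parses an image .manifest into package records. It assumes the three-column "name arch version" layout that Yocto image manifests use, with the version written as [epoch:]PV-PR, and uses a constructed sample rather than the AGL file linked above.

```python
"""Parse a Yocto/OpenEmbedded image .manifest into package records.

Added example, not part of the original issue or of GitLab/AGL code.
Assumes the layout "name arch version" with version = [epoch:]PV-PR.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of an image .manifest (not copied from AGL).
SAMPLE_MANIFEST = """\
base-files aarch64 3.0.14-r89
busybox aarch64 1.33.0-r0
libcurl4 aarch64 7.75.0-r0
openssl aarch64 1.1.1k-r0
shadow aarch64 1:4.8.1-r0
"""

# Optional epoch, upstream version (PV), optional recipe revision (PR, "rN").
VERSION_RE = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<pv>[^-]+)(?:-(?P<pr>r\d+.*))?$")


@dataclass(frozen=True)
class ManifestEntry:
    name: str
    arch: str
    epoch: Optional[str]
    pv: str            # upstream version; this is what a vulnerability feed is keyed on
    pr: Optional[str]  # recipe revision; bumps when the recipe (e.g. a patch) changes


def parse_manifest(text: str) -> List[ManifestEntry]:
    """Return one entry per non-empty manifest line; reject malformed lines."""
    entries: List[ManifestEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'name arch version', got {raw!r}")
        name, arch, version = fields
        match = VERSION_RE.match(version)
        if not match:
            raise ValueError(f"line {lineno}: unparseable version {version!r}")
        entries.append(ManifestEntry(name, arch, match["epoch"], match["pv"], match["pr"]))
    return entries


def versions_for_lookup(entries: List[ManifestEntry]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map package name -> (epoch, PV) for matching against a vulnerability feed.
    PR is deliberately dropped: it does not tell you whether a recipe backported
    a CVE fix, so any match on PV alone is a candidate to verify against the recipe's patches."""
    return {e.name: (e.epoch, e.pv) for e in entries}
```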
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
/cc @plafoucriere