This is a quick tour of what this layer can do. For in-depth configuration please see the other documents in this folder.
You need

- a Linux machine (I would recommend using a Debian or Ubuntu release)
- some required tooling. On Ubuntu run

  ```shell
  sudo apt-get install build-essential chrpath diffstat gawk gcc-multilib git-core libsdl1.2-dev python3 socat texinfo unzip wget xterm
  ```

- at least 50GB of free disk space

Create a workspace and change into it

```shell
mkdir -p /mnt/mydisk/workspace
cd /mnt/mydisk/workspace
```

You can adjust the path to your specific needs; the rest of this document uses /mnt/mydisk/workspace.

Then set things up step by step:

- clone a poky release locally

  ```shell
  git clone git://git.yoctoproject.org/poky poky
  ```

  Note that the git:// protocol neither encrypts nor authenticates the transfer. The same repository is also served over https://git.yoctoproject.org/poky, which is the better choice when the sources are going to end up in a product.

- clone this layer locally

  ```shell
  git clone https://github.com/priv-kweihmann/meta-sca.git meta-sca
  ```

- set up the poky build configuration

  ```shell
  cd /mnt/mydisk/workspace/poky
  . ./oe-init-build-env
  ```

- add the meta-sca layer (from within the build directory created by the previous step)

  ```shell
  bitbake-layers add-layer /mnt/mydisk/workspace/meta-sca
  ```

- configure the meta-sca layer

  ```shell
  /mnt/mydisk/workspace/meta-sca/scripts/configure /mnt/mydisk/workspace/meta-sca
  ```

  Try to answer the questions from the tool. If you don't know (or maybe don't care) just press [Enter] to use the default.

- append the output of the configure script to local.conf. The path of local.conf in this example is /mnt/mydisk/workspace/poky/build/conf/local.conf
Now it's time to decide what to check on. There are a few options:

- Check every recipe of the build: add 'INHERIT += "sca"' to your local.conf

  ```shell
  echo 'INHERIT += "sca"' >> /mnt/mydisk/workspace/poky/build/conf/local.conf
  ```

- Check every recipe except those coming from particular layers: add 'INHERIT += "sca"' to your local.conf as above and additionally add the names of all layers to skip to SCA_SPARE_LAYER. E.g. to disable SCA for all layers shipped with poky

  ```shell
  echo 'INHERIT += "sca"' >> /mnt/mydisk/workspace/poky/build/conf/local.conf
  echo 'SCA_SPARE_LAYER = "core yocto yoctobsp"' >> /mnt/mydisk/workspace/poky/build/conf/local.conf
  ```

- Check only selected recipes: add 'inherit sca' to each recipe you want to be checked

  ```bitbake
  inherit sca
  ```

- There is one more special case, which is documented in its own document; note that it requires an additional layer to be set up.
Run a build

```shell
bitbake core-image-minimal
```

Replace core-image-minimal with any image/recipe you want.
As soon as the build is done you might be interested in the results. A small python script shipped with the layer prints all findings to the console:

```shell
/mnt/mydisk/workspace/meta-sca/scripts/results2console /mnt/mydisk/workspace/poky/build/tmp/deploy/images/*/sca
```
An excerpt of the output could look like this

```
flawfinder@busybox: applets/applet_tables.c:212:1 - [warning] - [flawfinder.flawfinder.char] - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
```

Each line of the output consists of the following fields
used tool | @ | recipe | : | file path | : | line | : | column | - | severity | - | error ID | - | message |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
flawfinder | @ | busybox | : | applets/applet_tables.c | : | 212 | : | 1 | - | [warning] | - | [flawfinder.flawfinder.char] | - | Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. |
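The table above describes the console format well enough to post-process it, for example to count findings per recipe and tool or to fail a CI job on anything of a given severity. The following is an added example written for this document; it is not part of meta-sca and not one of the layer's scripts. Only the flawfinder line is taken from the output above; the other sample lines, the recipe name `myapp`, the finding IDs and the severity names `error` and `info` used for gating are constructed for the demonstration and may not match what your tools emit.

```python
"""Parse the console report format printed by results2console.

Added example for this document, not part of meta-sca. The line layout is
taken from the README table:
    tool@recipe: path:line:column - [severity] - [id] - message
The constructed sample lines (all but the flawfinder one) and the severity
names used for gating are assumptions for demonstration purposes only.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# One regex per report line; the message is taken greedily after the third
# " - " so dashes inside the message text do not break the split.
LINE_RE = re.compile(
    r"^(?P<tool>[^@\s]+)@(?P<recipe>[^:\s]+):\s+"
    r"(?P<path>.+?):(?P<line>\d+):(?P<column>\d+)\s+-\s+"
    r"\[(?P<severity>[^\]]+)\]\s+-\s+"
    r"\[(?P<error_id>[^\]]+)\]\s+-\s+"
    r"(?P<message>.*)$"
)
# Tools such as flawfinder embed CWE references in the message text.
CWE_RE = re.compile(r"CWE-\d+")


@dataclass
class Finding:
    tool: str
    recipe: str
    path: str
    line: int
    column: int
    severity: str
    error_id: str
    message: str
    cwes: list = field(default_factory=list)


def parse_line(text):
    """Return a Finding for one report line, or None if it does not match."""
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    return Finding(
        tool=m["tool"], recipe=m["recipe"], path=m["path"],
        line=int(m["line"]), column=int(m["column"]),
        severity=m["severity"], error_id=m["error_id"],
        message=m["message"], cwes=CWE_RE.findall(m["message"]),
    )


def parse_report(text):
    """Parse a whole results2console dump, skipping non-finding lines."""
    return [f for f in (parse_line(raw) for raw in text.splitlines()) if f]


def summarize(findings):
    """Count findings per (recipe, tool, severity)."""
    return Counter((f.recipe, f.tool, f.severity) for f in findings)


def gate(findings, fail_on=("error",)):
    """Return the findings whose severity should fail the build."""
    return [f for f in findings if f.severity in fail_on]


# Constructed sample report: the first line is the README's own example,
# the remaining lines are made up for this demonstration.
SAMPLE_REPORT = """\
flawfinder@busybox: applets/applet_tables.c:212:1 - [warning] - [flawfinder.flawfinder.char] - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
cppcheck@myapp: src/parse.c:42:9 - [error] - [cppcheck.cppcheck.nullPointer] - Null pointer dereference - variable 'buf'
shellcheck@myapp: scripts/run.sh:3:1 - [info] - [shellcheck.shellcheck.SC2086] - Double quote to prevent globbing and word splitting
this line is not a finding and must be skipped
"""

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for (recipe, tool, severity), count in sorted(summarize(findings).items()):
        print(f"{recipe:10} {tool:12} {severity:8} {count}")
    blocking = gate(findings)
    print(f"{len(blocking)} blocking finding(s)")
    raise SystemExit(1 if blocking else 0)
```

Piping the output of results2console into `parse_report` and exiting non-zero from `gate` gives a simple quality gate; widen `fail_on` to include warnings once the existing backlog has been triaged, otherwise the gate is either noisy or meaningless.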
There are multiple ways of fixing findings. For example

- patch the file(s)
- report the issue(s) upstream
- ignore an issue

Which strategy to choose depends on your work environment and the origin of the recipe (resp. its sources).
Patching: I recommend using 'devtool' for creating patches; see the detailed documentation. Be aware that on every update of the underlying recipe sources your patch file(s) might have to be 'refreshed'. So this way is only recommended when the original sources are (more or less) under your control.

Reporting upstream: find out which bugtracker is used for this component (check if the recipe has a 'BUGTRACKER' entry) and create an issue there. This way might have the longest turnaround time but will create the least maintenance effort in the future.

Ignoring: possible options are described at severity transformation or suppression. Use this strategy only if you're sure that this finding doesn't cause ANY side effects! A suppression hides the finding without changing the code, so record why each one was accepted.