From a91ddf4869806cbe92758f528afe4e51329e9ae0 Mon Sep 17 00:00:00 2001
From: Ross Burton
Date: Fri, 26 Jan 2024 16:43:41 +0000
Subject: [PATCH] CI/cve.yml: add a CVE-checking Kas fragment Add a Kas fragment to enable the CVE checker. Disable warnings by default but show them for the layers in meta-arm, because we only care about meta-arm issues in this CI. Explicitly hide kernel warnings as the kernel typically has tens of open CVEs, and if we're carrying a kernel explicitly then it's typically an interim kernel between releases.
Signed-off-by: Ross Burton
Signed-off-by: Jon Mason
---
ci/cve.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 ci/cve.yml
diff --git a/ci/cve.yml b/ci/cve.yml
new file mode 100644
index 00000000..381f8557
--- /dev/null
+++ b/ci/cve.yml
@@ -0,0 +1,16 @@
+header:
+ version: 14
+
+local_conf_header:
+ cve: |
+ INHERIT += "cve-check"
+
+ # Just show the warnings for our layers
+ CVE_CHECK_SHOW_WARNINGS = "0"
+ CVE_CHECK_SHOW_WARNINGS:layer-arm-toolchain = "1"
+ CVE_CHECK_SHOW_WARNINGS:layer-meta-arm = "1"
+ CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1"
+ CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-systemready = "1"
+
+ # Ignore the kernel, we sometime carry kernels in meta-arm
+ CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"
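Review bot: The last line, `CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"`, silences kernel CVE warnings unconditionally and only for a recipe named exactly linux-yocto, so a kernel carried under another recipe name would still warn while linux-yocto findings never reach the CI log. Whether this `pn-` override wins over the `layer-meta-arm*` lines set to "1" depends on override ordering, which the fragment does not show; a comment stating the intended precedence would help the next maintainer. Since this setting presumably affects only console warnings, I would extend the comment to say where kernel results are still reviewed, e.g. `# Console warnings only; kernel CVEs remain in the cve-check report and are triaged separately`. The existing comment also has a typo: "sometime" should be "sometimes".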