python3-checksec-py, python3-pylddwrap, python3-icontract: add recipes

they were sent for meta-security long time ago in 2021: https://lists.yoctoproject.org/g/yocto/message/54470 but never merged there, now there are lief, docopt, rich, asttokens already in meta-python and checksec-py depends on lief version, e.g. 976d530867 is needed to fixcompatibility with newer lief currently in meta-python Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-19 23:28:38 +00:00 · 2025-11-14 13:58:04 +01:00
parent 38ea8a4617
commit a78e6d2109
4 changed files with 148 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch
+++ b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
+From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Fri, 2 Jul 2021 14:42:25 +0200
+Subject: [PATCH] main: Add option to ignore symlinks
+
+When analyzing a complete rootfs (which might not be the rootfs of the
+analyzing system) symlinks within that rootfs might be broken. In
+particular absolute symlinks. However, if by chance such a symlink
+currently points to a valid binary in your system, this binary pointed
+to is analyzed. This commit adds the possibility to ignore symlinks to
+files (symlinks to dirs are already ignored by default). This allows to
+solve the issue described above, and if the whole rootfs is analyzed
+there shouldn't be a loss of information (because all the binaries will
+be analyzed anyway). Additionally, this also saves some time when
+performing the analysis.
+
+Upstream-Status: Submitted [https://github.com/Wenzel/checksec.py/pull/106]
+---
+ checksec/__main__.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/checksec/__main__.py b/checksec/__main__.py
+index a14862f..931d850 100644
+--- a/checksec/__main__.py
+++ b/checksec/__main__.py
+@@ -8,6 +8,7 @@ Options:
+     -w WORKERS --workers=WORKERS    Specify the number of process pool workers [default: 4]
+     -j --json                       Display results as JSON
+     -s LIBC --set-libc=LIBC         Specify LIBC library to use to check for fortify scores (ELF)
+    -i --ignore-symlinks            Ignore symlinks to files
+     -d --debug                      Enable debug output
+     -h --help                       Display this message
+ """
+@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe
+ from .utils import lief_set_logging
+ 
+ 
+-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
+def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
+     for path in filepath_list:
+         if path.is_dir() and not path.is_symlink():
+             try:
+                 if recursive:
+                     for f in os.scandir(path):
+-                        yield from walk_filepath_list([Path(f)], recursive)
+                        yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
+                 else:
+                     yield from (Path(f) for f in os.scandir(path))
+             except OSError:
+                 continue
+-        elif path.is_file():
+        elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
+             yield path
+ 
+ 
+@@ -75,6 +76,7 @@ def main(args):
+     json = args["--json"]
+     recursive = args["--recursive"]
+     libc_path = args["--set-libc"]
+    ignore_symlinks = args["--ignore-symlinks"]
+ 
+     # logging
+     formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
+@@ -110,7 +112,7 @@ def main(args):
+             # we need to consume the iterator once to get the total
+             # for the progress bar
+             check_output.enumerating_tasks_start()
+-            count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
+            count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
+             check_output.enumerating_tasks_stop(count)
+             with ProcessPoolExecutor(
+                 max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
+@@ -119,7 +121,7 @@ def main(args):
+                     check_output.processing_tasks_start()
+                     future_to_checksec = {
+                         pool.submit(checksec_file, filepath): filepath
+-                        for filepath in walk_filepath_list(filepath_list, recursive)
+                        for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
+                     }
+                     for future in as_completed(future_to_checksec):
+                         filepath = future_to_checksec[future]