Add aircrack-ng, crowdsec, ncrack, and opendnssec where appropriate
now that they have been updated to build again.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Bump to HEAD of ncrack's master branch to pick up build fixes for
newer gcc's. PV has been updated to indicate that we are now
building something newer than the 0.7 tagged commit.
License-Update: copyright years refreshed
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove libmspack recipe, and remove it from clamav's DEPENDS.
clamav now vendors its own substantially modified copy, so there's
no reason to carry a recipe for it.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Upgrade to the latest release, 1.7, and rework recipe so that it
actually builds again. Note that the extra scripts are no longer
installed by default as they seem somewhat stale and likely further
work is required to have any of them work. A PACKAGECONFIG option,
"ext-scripts" has been added to enable installing them if they are
required for some reason.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The crowdsec recipes has seemingly been broken since soon after its
addition, rewrite it to build the latest version with the go-mod
bbclass.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Use patch submitted upstream to fix build error:
| src/lib/tpm.c: In function ‘tpm_unseal’:
| src/lib/tpm.c:1040:16: error: incompatible types when returning type ‘_Bool’ but ‘twist’ {aka ‘const char *’} was expected
| 1040 | return false;
| | ^~~~~
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to wrynose. For meta-parsec, added wrynose to the list
of supported versions.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Change the "poky" layer configuration name to "meta-yocto" in the
KAS configuration so the cloned repo name is less confusing in logs,
and fix a spot where "poky" -> "openembedded-core" had been missed
in the gitlab configuration.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Commit cd729862f6 added native/nativesdk
possibility to tpm2-pkcs11.
After 784ca4b658 which added rdepends on
python3-tpm2-pytss, there are errors like:
Missing or unbuildable dependency chain was:
['<image>', 'swtpm-native', 'tpm2-pkcs11-tools-native', 'python3-tpm2-pytss-native']
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Allow downstream users to explicitly select desired PACKAGECONFIG
options (e.g. via "=").
Users are currently forced to use ":remove" (with "ptest").
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
This is necessary for cryptsetup starting from v2.8.0 which introduced
"[units]" in its output breaking the parsing of veritysetup output.
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type: 1
Data blocks: 40091
Data block size: 4096 [bytes]
Hash blocks: 318
Hash block size: 4096 [bytes]
Hash algorithm: sha256
Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
This extends the value filter to remove the "[units]" from the .env file,
while retaining compatibility to older cryptsetup releases.
Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes to catch up with current kas and future-proof a bit:
* Update the kas configuration file versions to 19 to match kas 4.8.x.
* Change refspec to branch to remove deprecation warnings.
* Add quoting around URLs to match upstream examples.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Since clang is in openembedded-core now, meta-parsec no longer needs
meta-clang. Also updated maintainers in meta-parsec README.md since
it had previously been missed.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
jansson is required as of Suricata 5.0:
https://github.com/OISF/suricata/commit/e49c40428e1b9f7e5dcdb5857c3978d5cb859fd9
This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828
On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
| ERROR: Jansson is now required.
|
| Go get it from your distribution or from:
| http://www.digip.org/jansson/
|
| Ubuntu/Debian: apt install libjansson-dev
| CentOS: yum install jansson-devel
| Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Switch back to the "stable" branch in SRC_URI now that upstream
has changed its branch maintenance model so it is indeed stable.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Inherit github-releases class to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version:
After the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version: 2.11.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add UPSTREAM_CHECK_URI to check the correct latest stable verison.
Before the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version:
After the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version: 0.9.9.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add modern ClamAV 1.4.3 recipe with comprehensive improvements over
the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and
associated patches as they are superseded by this version.
Major changes in 1.4.3:
- Upgraded core engine with improved threat detection capabilities
- Added Rust components requiring cross-compilation support
- Updated CMake build system replacing legacy autotools
- Modernized library dependencies (LLVM, JSON-C, PCre2)
- Added comprehensive license compliance for multi-component package
- Enhanced cross-compilation support for all target architectures
The recipe includes dynamic Cargo configuration using Yocto variables
to support cross-compilation to any target architecture supported by
the build system.
Runtime configuration improvements:
- Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths
- Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav
- Added pkg_postinst scripts to ensure correct directory ownership
- Implemented CMake cache variables for cross-compilation
- Updated all license checksums for compliance
- Added Rust toolchain integration with automatic environment setup
- Use Cargo vendoring with cargo + cargo-update-recipe-crates classes
Security rationale:
- ClamAV 0.104.4 reached end-of-life and is no longer maintained
- Upstream strongly recommends migration to 1.4.x for security updates
Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com>
(regenerated diff, fixed building with systemd,
fixed target Rust configuration, disabled for 32-bit targets)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add basic openscap test. This looks for an existing profile and run a basic scan.
Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered as a successful test.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Fixes:
- typo in the RDEPENDS class-target override ('-' instead of ':')
- typo SUMARRY -> SUMMARY
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
It was pointed out that the recipe was wrongly doing
FILESEXTRAPATHS:append, but on inspection the recipe does
not need it at all, so just remove.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
In Yocto, there is only one Python interpreter (python3), and the
auto-generated "fail2ban-python" symlink is not used. To ensure
all installed scripts can run correctly, replace the shebang line
from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3"
during installation.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Scott Murray
Clayton Casciato
Wenlin Kang
Haiqing Bai
Zhang Peng
Peter Marko
Khem Raj
Yi Zhao
Marta Rybczynska
Peter Kjellerstedt
Stephan Wurm
hongxu
Hemant Jadhav
Louis Rannou
Yi Zhao
Haixiao Yan