[yocto] Yocto Build Auditing

Barry G mr.scada at gmail.com
Wed Jul 3 12:53:56 PDT 2013


Hi all,

I was curious if anyone has created any sort of build auditing software
for Yocto builds.  Our company has an extensive software quality assurance
program and we are trying to figure out the best methods to audit our
builds.

In the past we have used clearaudit type software.  The current
home-grown version of our build system on Linux uses inotify
to track files touched in our build repositories.  We generally
try to have file-based audit records that record the file path/version
that can be traced to individual releases.  We are currently using
Mercurial as our revision control system.

Right now it seems like the best solution to this issue would be
to create a wrapper that would fetch our software from Mercurial,
create a tar file out of it, hand those tar files to Yocto,
start an inotify process to watch the build directories Yocto uses,
bitbake our image, collect the list of files touched by yocto,
"join" those files with the files that went into the tar
files, and then "join" those records against the Mercurial checkout
records to obtain changeset information/approval metadata.

It would certainly be easier to resolve the revision of the Mercurial
repository without individual files-touched information, but knowing
which files are actually compiled has been highly useful information in
the past.  For example, when a CVE is released against package foo
for a vulnerability in bar.c, it is reassuring to know that our releases
didn't even compile bar.c.

We do peer code reviews/UT along with static code analysis on many versions
of each file in our repositories.  When we release a product build we have
to show to management that each file that went into our released image
underwent our QA process.  It is definitely a lot of work, but it
is necessary for audit/compliance.

Anyone else out there challenged with these types of requirements?
How are other companies handling this?  Any better methods/solutions people
can recommend?

Thanks for your help!

Barry
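The "join" step in the wrapper described above, as an added example that is not part of the original post: file-access events captured while the build ran are joined against the per-tarball list of files that came out of the Mercurial checkout, and the result is a per-file audit record plus two lists worth reviewing, files the build touched that no tarball explains, and tarball files the build never touched (the "we did not even compile bar.c" case). The event line format (`<watched dir> <EVENTS> <name>`), the unpack roots, the changeset ids and the `QA-nnn` approval tickets are all constructed sample data and assumptions of this example, not anything the build system or the poster's wrapper actually emits.

```python
"""Join build-time file-access events with the source tarball manifests to
produce per-file audit records. All sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SourceFile:
    """One file from a Mercurial checkout, as recorded when the tarball was made.
    file_rev: changeset that last modified the file; approval: QA/review ticket."""
    relpath: str
    file_rev: str
    approval: str


@dataclass
class TarballRecord:
    """What went into one source tarball handed to the build, plus the directory
    it was unpacked into (assumed to be known to the wrapper that unpacked it)."""
    name: str
    repo: str
    checkout_rev: str
    unpack_root: str
    files: Dict[str, SourceFile]


@dataclass(frozen=True)
class AuditRecord:
    tarball: str
    relpath: str
    repo: str
    checkout_rev: str
    file_rev: str
    approval: str


# Constructed manifest: two tarballs with hypothetical changeset ids and tickets.
TARBALLS: List[TarballRecord] = [
    TarballRecord("foo-1.2.tar.gz", "hg/foo", "a1b2c3d4e5f6",
                  "/build/tmp/work/foo-1.2/foo-1.2", {
                      "Makefile": SourceFile("Makefile", "0011aa", "QA-100"),
                      "src/main.c": SourceFile("src/main.c", "77dd88", "QA-101"),
                      "src/util.c": SourceFile("src/util.c", "77dd88", "QA-101"),
                      "src/bar.c": SourceFile("src/bar.c", "55cc66", "QA-099"),
                  }),
    TarballRecord("libbaz-0.9.tar.gz", "hg/libbaz", "f6e5d4c3b2a1",
                  "/build/tmp/work/libbaz-0.9/libbaz-0.9",
                  {"baz.c": SourceFile("baz.c", "12ab34", "QA-042")}),
]

# Constructed event log in an assumed "<watched dir> <EVENTS> <name>" layout.
INOTIFY_LOG = """\
/build/tmp/work/foo-1.2/foo-1.2/ OPEN,ISDIR src
/build/tmp/work/foo-1.2/foo-1.2/src/ OPEN main.c
/build/tmp/work/foo-1.2/foo-1.2/src/ OPEN util.c
/build/tmp/work/foo-1.2/foo-1.2/src/ ACCESS main.c
/build/tmp/work/foo-1.2/foo-1.2/ OPEN Makefile
/build/tmp/work/foo-1.2/foo-1.2/ CREATE config.h
/build/tmp/work/libbaz-0.9/libbaz-0.9/ OPEN baz.c
/usr/include/ OPEN stdio.h
"""


def parse_inotify_log(text: str) -> Set[str]:
    """Collapse event lines into the set of absolute file paths touched.
    Directory events (ISDIR) are dropped; repeated events on one file count once."""
    touched: Set[str] = set()
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        watched, events, name = parts
        if "ISDIR" in events.split(","):
            continue
        touched.add(str(PurePosixPath(watched) / name))
    return touched


def join_touched_with_sources(touched: Set[str], tarballs: List[TarballRecord]
                              ) -> Tuple[List[AuditRecord], List[str]]:
    """Map each touched path to the tarball it was unpacked from and to that
    file's Mercurial metadata. Paths under no unpack root, or under a root but
    absent from its manifest (generated files), are returned as unaccounted."""
    records: List[AuditRecord] = []
    unaccounted: List[str] = []
    for path in sorted(touched):
        p = PurePosixPath(path)
        hit = None
        for tb in tarballs:
            try:
                rel = str(p.relative_to(PurePosixPath(tb.unpack_root)))
            except ValueError:
                continue  # not under this tarball's unpack root
            src = tb.files.get(rel)
            if src is not None:
                hit = AuditRecord(tb.name, rel, tb.repo, tb.checkout_rev,
                                  src.file_rev, src.approval)
                break
        (records if hit else unaccounted).append(hit or path)
    return records, unaccounted


def untouched_sources(records: List[AuditRecord],
                      tarballs: List[TarballRecord]) -> Dict[str, List[str]]:
    """Files shipped in a tarball that the build never opened, per tarball."""
    seen = {(r.tarball, r.relpath) for r in records}
    return {tb.name: sorted(rel for rel in tb.files if (tb.name, rel) not in seen)
            for tb in tarballs}


def was_compiled(records: List[AuditRecord], tarball: str, relpath: str) -> bool:
    """Answer the CVE question: did the build touch this file from this tarball?"""
    return any(r.tarball == tarball and r.relpath == relpath for r in records)


if __name__ == "__main__":
    recs, unacc = join_touched_with_sources(parse_inotify_log(INOTIFY_LOG), TARBALLS)
    for r in recs:
        print(f"{r.tarball}:{r.relpath} rev={r.file_rev} approval={r.approval}")
    print("unaccounted:", unacc)
    print("never touched:", untouched_sources(recs, TARBALLS))
```

The unaccounted list is the part a reviewer should look at first: a path under a tarball's unpack root that is missing from its manifest is either a generated file or something that bypassed the Mercurial-to-tarball step, and the audit should say which.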