Commit Graph

976 Commits

Author SHA1 Message Date
Saikrishna Arcot
d554cd55d6
[202305] Update Linux kernel to 5.10.179 (#16958)
Why I did it
Update the kernel to 5.10.179 for the 202305 branch

Work item tracking
Microsoft ADO (number only): 24592132
How I did it
How to verify it
2023-10-23 22:37:30 +08:00
mssonicbld
f6bf09d796
upgrade xgs SAI version to 8.4.21.0 (#16805) (#16873) 2023-10-13 16:11:28 +08:00
Samuel Angebault
696c3ec44d
[202305][Arista] Update platform library submodules (#16702) 2023-10-12 22:53:35 +08:00
mssonicbld
94044d0dbf
[Nokia][sonic-platform] Update Nokia sonic-platform submodule - SFP support for CMIS CDB operations (#16572) (#16796) 2023-10-08 03:21:38 +08:00
snider-nokia
5819846c61 [Nokia][sonic-platform] Update Nokia sonic-platform submodule (#16348)
This likely fixes Nokia-ION/ndk#21

To fix a failure that results when edge condition results in MDIPC channel being freed with mismatched ownership.
2023-09-21 18:33:53 +08:00
Aravind Mani
f57a3e64d0 [devices]: Dell S6100 API 2.0 fix (#16363)
Why I did it
sonic-mgmt test failure is seen for update_firmware component API

Microsoft ADO: 25208748

How I did it
Edited API 2.0 to fix this issue.

How to verify it
Run sonic-mgmt test after the fix and verify it passes.
2023-09-21 16:33:23 +08:00
Samuel Angebault
6adbd770f4
[202305][Arista] Update platform library submodules (#16375)
- Ignore intermittent IO errors during get_change_event in the Platform API
- Fix tunings for some ports on CatalinaDD
2023-09-08 23:42:18 -07:00
mssonicbld
ac34681b92
Update the iSMART_64 tool (#15936) (#16139)
Why I did it
Updating the iSMART_64 tool for supporting latest debian releases.

How I did it
On branch new_ismart
Changes to be committed:
(use "git restore --staged ..." to unstage)
modified: platform/broadcom/sonic-platform-modules-dell/s6100/scripts/iSMART_64

How to verify it
In s6100, run the iSMART_64 tool.
md5sum - 24725730d7649769c7ba50971c1f2955

Co-authored-by: Santhosh Kumar T <53558409+santhosh-kt@users.noreply.github.com>
2023-08-14 22:42:30 +08:00
mssonicbld
14ba74ede9
[E1031] fix pca9548 initializes failed occasionally (#15712) (#16052) 2023-08-07 03:01:06 +08:00
Samuel Angebault
82108429c6
[202305][Arista] Update platform submodules (#16010)
Why I did it
fix pcied leak on chassis
fix fan status led setting on fixed systems
misc fixes
Work item tracking
Microsoft ADO (number only):
How I did it
Updated arista platform library submodules

Description for the changelog
Update Arista platform submodules
2023-08-06 21:31:17 +08:00
mssonicbld
ff5c03f91b
[Nokia][sonic-platform] Update Nokia sonic-platform submodule (#15239) (#15873) 2023-07-19 20:07:15 +08:00
Aravind Mani
b26445cf7b
Dell FPGA driver fix (#15144)
Why I did it
FPGA driver crash was observed in Dell FPGA based platforms.

How I did it
Fixed FPGA crash

How to verify it
Load FPGA driver and check whether the kernel crashes.
2023-06-05 11:01:46 -07:00
Song Yuan
21bcaab280
Install ptf afpacket module required by ptf_nn_agent. (#14503)
Why I did it
ptf_nn_agent failed to start in dnx rpc syncd because module afpacket was not installed.
Please see issue sonic-net/sonic-mgmt#7822

How I did it
Add downloading ptf afpacket module in docker file.

How to verify it
Verified that ptf_nn_agent was started successfully in dnx rpc syncd with the change.
2023-05-17 11:34:43 -07:00
andywongarista
dad61f3d81
[Arista] Update platform library submodules (#15049)
Fix lpmode on 7060DX5-32
Fix psu led issue on 7060DX5-64
Use sonic_xcvr lpmode if platform does not support hw lpmode
Add chassis cooling algorithm
Change cooling algorithm default interval to 10s
Force filesystem sync on linecard reboot
2023-05-15 15:42:29 -07:00
Samuel Angebault
205e60ea9e
[Arista] Update platform library submodules (#14827)
- Fix watchdog reboot cause for wolverine linecard
- Fix PSU fan speed of 0% by adding max RPM to most psu descriptions
- Add product DCS-7060DX5-64
- Add product DCS-7060DX5-32
2023-05-03 10:19:38 -07:00
Marty Y. Lok
a68b4ef149
[Nokia7250][sonic-platform] Update sonic-platform submodule for Nokia-7150IXRE platform (#14548)
Why I did it

Update sonic-platform submodule for Nokia-7250IXRE Platform. This requires the new NDK 22.9.8 and above

How I did it
Update submodule sonic-platform for Nokia-7250IXRE platform.
c9f316e Disparate process and thread-safe protection for MDIPC transport, and refactored presence logic to better align with SfpStateUpdateTask operation
a3486cc Added _get_module_bulk_info() and cache the info for 5 seconds to optimize the chassisd update.
4b2e729 Fixed the nokia_cmd show qfpga help display
7b87049 Fixed the nokia_cmd show midplane helper dispaly.
83eabea Add "nokia_cmd set ndk-monitor-action" and "nokia_cmd set ndk-log-level" commands
8aad7de Add nokia_cmd show ndk-version
d2c55e3 Modify the psu.py and module.py to optimize the psud running time


Signed-off-by: mlok <marty.lok@nokia.com>
2023-04-27 08:52:22 -07:00
Hua Liu
e17e4fc4c0
[S6100] Improve S6100 serial-getty monitor, wait and re-check when getty not running to avoid false alert. (#14402)
[S6100] Improve S6100 serial-getty monitor, wait and re-check when getty not running to avoid false alert. 

#### Why I did it
On S6100, the serial-getty service some time can't auto-restart by systemd. So there is a monit unit to check serial-getty service status and restart it.

However, this monit will report false alert, because in most case when serial-getty not running, systemd can restart it successfully.

To avoid the false alert, improve the monitor to wait and re-check.

Steps to reproduce this issue:
1. User login to device via console, and keep the connection.
2. User login to device via SSH, check the serial-getty@ttyS1.service service, it's running.
3. Run 'monit reload' from SSH connection.
4. Check syslog 1 minutes later, there will be false alert: ' 'serial-getty' process is not running'

#### How I did it
Add check-getty.sh script to recheck again later when getty service not running.
And update monit unit to check serial-getty service status with this script to avoid false alert.

#### How to verify it
Pass all UT.
Manually check fixed code work correctly:


```
admin@***:~$ sudo systemctl stop  serial-getty@ttyS1.service
admin@***:~$ sudo /usr/local/bin/check-getty.sh 
admin@***:~$ echo $?
1
admin@***:~$ sudo systemctl status serial-getty@ttyS1.serviceserial-getty@ttyS1.service - Serial Getty on ttyS1
     Loaded: loaded (/lib/systemd/system/serial-getty@.service; enabled-runtime; vendor preset: enabled)
     Active: inactive (dead) since Tue 2023-03-28 07:15:21 UTC; 1min 13s ago

admin@***:~$ sudo /usr/local/bin/check-getty.sh 
admin@***:~$ echo $?
0
admin@***:~$ sudo systemctl status serial-getty@ttyS1.serviceserial-getty@ttyS1.service - Serial Getty on ttyS1
     Loaded: loaded (/lib/systemd/system/serial-getty@.service; enabled-runtime; vendor preset: enabled)
```

syslog:
```
Mar 28 07:10:37.597458 *** INFO systemd[1]: serial-getty@ttyS1.service: Succeeded.
Mar 28 07:12:43.010550 *** ERR monit[593]: 'serial-getty' status failed (1) -- no output
Mar 28 07:12:43.010744 *** INFO monit[593]: 'serial-getty' trying to restart
Mar 28 07:12:43.010846 *** INFO monit[593]: 'serial-getty' stop: '/bin/systemctl stop serial-getty@ttyS1.service'
Mar 28 07:12:43.132172 *** INFO monit[593]: 'serial-getty' start: '/bin/systemctl start serial-getty@ttyS1.service'
Mar 28 07:13:43.286276 *** INFO monit[593]: 'serial-getty' status succeeded (0) -- no output
```

#### Description for the changelog
[S6100] Improve S6100 serial-getty monitor.

#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
2023-04-05 21:34:31 -07:00
Santhosh Kumar T
c4435e833b
[DellEMC] S6100 - Adding logger to fetch SSD FW Upgrade status (#14247)
Adding logger to fetch SSD FW Upgrade status
2023-04-04 10:19:47 -07:00
andywongarista
896b292589
[Arista] Update platform library submodules (#14450)
implement chassis platform API reboot
fix rpc powercycle on linecard
fix psu/fan LED logic in arista daemon
remove psu LED for PikeZ
2023-03-30 11:50:40 -07:00
Ikki Zhu
105decc4d1
[celestica/e1031]: enable emc2305 fan controller timeout feature (#14401)
Why I did it
There is rare condition, emc2305 hold SMBus and cause SMBus completion wait timed out.

How I did it
Enable EMC2305 SMBus timeout feature, 30ms period of inactivity will reset the interface.

How to verify it
Use 'i2cget -y -f 23 0x4d 0x20 b' to read EMC2305 configuration register and check DIS_TO bit not set.

Signed-off-by: Eric Zhu <erzhu@celestica.com>
2023-03-27 10:14:37 -07:00
FuzailBrcm
f822373e53
Enabling FPGA device support in PDDF (#13477)
Why I did it
To enable FPGA support in PDDF.

How I did it
Added FPGAI2C and FPGAPCI in the build path for the PDDF debian package
Added the support for FPGA access APIs in the drivers of fan, xcvr, led etc.
Added the FPGA device creation support in PDDF utils and parsers

How to verify it
These changes can be verified on some platform using such FPGAs. For testing purpose, we took Dell S5232f platform and brought it up using PDDF. In doing so, FPGA devices are created using PDDF and optics eeproms were accessed using common FPGA drivers. Below are some of the logs.
2023-03-14 17:53:35 -07:00
Samuel Angebault
8bd6a8891c
[Arista] Update platform library submodules (#14037)
- Add chassis platform API reboot
- Add fwutil hooks for firmware updates
- Fix PikeZ i2c bus identification issue
- Fix testing issue
2023-03-14 09:36:25 -07:00
zitingguo-ms
1cd67444e4
Upgrade SAI xgs version to 8.4.0.2 and migrate to DMZ (#14212)
Why I did it
Upgrade SAI XGS version to 8.4.0.2 and migrate to DMZ repo.

How I did it
Update SAI XGS version in sai.mk.

How to verify it
Run the SONiC and SAI test with the SAI pipeline.

Signed-off-by: zitingguo-ms zitingguo@microsoft.com
2023-03-14 14:09:30 +08:00
Ikki Zhu
f801b8fb2d
[Seastone] fix dx010 qsfp eeprom data write issue (#13930)
Why I did it
Platform cases test_tx_disable, test_tx_disable_channel, test_power_override failed in dx010.

How I did it
Add i2c access algorithm for CPLD i2c adapters.

How to verify it
Verify it with platform_tests/api/test_sfp.py::TestSfpApi test cases.
2023-03-01 14:35:53 +08:00
Marty Y. Lok
cf4a172486
[Nokia][sonic-platform] Update Nokia sonic-platform submodule (#13522)
d768d19 Remove warning msg when a transceiver op takes > 200ms
7451689 Support the module.py in IMM to query the Supervisor card eeprom info

Signed-off-by: mlok <marty.lok@nokia.com>
2023-02-21 11:22:04 -08:00
Samuel Angebault
8437e893b4
[Arista] Update platform library submodules (#13870)
add SEU reporting on chassis
fix fallback logic for Clearlake eeprom identification
fix fan speed reporting for a specific model
move pcie timeout configuration for Upperlake in platform code (deprecates hwsku-init)
2023-02-17 13:51:17 -08:00
Marty Y. Lok
fd3966a0b8
[Nokia][sonic-platform] Update sonic-platform submodule for Nokia IXR7250E platform (#13437)
Why I did it
Update Nokia sonic-platform submodule

81a9c77  [Supervisor] Modifed the get_description to fix the name for Nokia-IXR7250E-SUP-10 card.
e49ddfb Fix the LedContorlCommon to get the physical index from port mapping
dd143f1 [module] modify the chassis.py and module.py to allow supervisor to retrieve the line card eemprom info
How I did it
Update Nokia sonic-platform submodule

81a9c77  [Supervisor] Modifed the get_description to fix the name for Nokia-IXR7250E-SUP-10 card.
e49ddfb Fix the LedContorlCommon to get the physical index from port mapping
dd143f1 [module] modify the chassis.py and module.py to allow supervisor to retrieve the line card eemprom info
How to verify it
On supervisor, "show chassis module status" should show Nokia-IXR7250E-SUP-10 instead of Nokia-IXR7250-SUP-10

Signed-off-by: mlok <marty.lok@nokia.com>
2023-01-24 11:40:59 -08:00
Marty Y. Lok
e1f0d7650e
[Nokia][sonic-platform] Update sonic-platform submodule for Nokia IXR7250E (#13145)
fcb45b5 Add MDIPC channel cleanup code at signal-based termination time and don't precache in get_presence unless required
8984b3d Properly synchronize transceiver module presence globally

Signed-off-by: mlok <marty.lok@nokia.com>

Signed-off-by: mlok <marty.lok@nokia.com>
2023-01-18 15:47:02 -08:00
Samuel Angebault
dfaf379e27
[Arista] Update platform library submodules (#13398)
- add module reboot APIs for chassis
- add supervisor module on linecard (fixes show chassis module midplane-status)
- improve RTC update mechanism and sync every 10 mins
- fix sbtsi temp sensor presence/thresholds
- fix Mineral status leds
- remove thermal object on xcvrs
- misc fixes
2023-01-18 10:03:48 -08:00
Jemston Fernando
892f26556c
[platform]: Fix Belgite platform issues (#13389)
As part of platform hardening this commit fixes several platform issues
in various components like PSU, FAN, Temperature, LED.
2023-01-18 10:00:07 -08:00
Ikki Zhu
4539035e90
[Seastone] Enhancement fix for PR12200 syseeprom issue (#13344)
Why I did it
[Seastone] Enhancement fix for PR12200 syseeprom issue.

How I did it
Enhance the fix through replace the hardcoded devnum to bash variable

How to verify it
show platform syseeprom or decode-syseeprom
2023-01-12 23:51:33 -08:00
pettershao-ragilenetworks
bce4aa1412
[ragile] adapter for kernel 5.x (#10762)
Why I did it
Ragile adapter ra-b6510-32c ra-b6510-48v8c ra-b6910-64c ra-b6920-4s to kernel 5.x

Signed-off-by: “pettershao” pettershao@ragilenetworks.com
2023-01-12 18:01:47 -08:00
Richard.Yu
3ebdaefa8c
[SAIServer]Upgrade SAI server init script (#13175) (#13227) (#13232)
Why I did it
why
In order to apply different config across different platform, and use the code with a unified format, reuse syncd init script to init saiserver.

How I did it
how
Reuse syncd init script

How to verify it
Test
Test in DUT s6000 and dx010 with sonic 202205
2023-01-06 11:44:34 +08:00
Mai Bui
06e1a0bc14
[device/dell] Mitigation for security vulnerability (#11875)
Dependency: [PR (#12065)](https://github.com/sonic-net/sonic-buildimage/pull/12065) needs to merge first.

#### Why I did it
`commands` module is not protected against malicious input
`getstatusoutput` is detected without a static string, uses `shell=True`
#### How I did it
Eliminate the use of `commands`
Use `subprocess.run()`, commands in `subprorcess.run()` are totally static
Fix indentation
#### How to verify it
Tested on DUT
[dell_log.txt](https://github.com/sonic-net/sonic-buildimage/files/9561332/dell_log.txt)
2023-01-05 16:22:09 -08:00
Santhosh Kumar T
e83aa15f30
[DellEMC] Fixing 'show interface status' break in DellEMC platforms (#13021)
When a non-root user tries to run 'show interface status' command, the command got break as 2.0 API throws permission denied error.
2022-12-20 12:38:09 -08:00
Junchao-Mellanox
2126def04e
[infra] Support syslog rate limit configuration (#12490)
- Why I did it
Support syslog rate limit configuration feature

- How I did it
Remove unused rsyslog.conf from containers
Modify docker startup script to generate rsyslog.conf from template files
Add metadata/init data for syslog rate limit configuration

- How to verify it
Manual test
New sonic-mgmt regression cases
2022-12-20 10:53:58 +02:00
tianshangfei
b65e06f998
two platforms supporting S3IP SYSFS (TCS8400, TCS9400) (#12386)
Why I did it
Add two platform that support s3IP framework

How I did it
Add two platforms supporting S3IP SYSFS (TCS8400, TCS9400)

How to verify it
Manual test
2022-12-18 16:16:53 +08:00
Konstantin Vasin
dfc73fc8bd
[build] use real wget for SAI_FLAGS (#12665)
Why I did it

We download libsaibcm.deb every time when we use make to build.
That's because we use build hook but not real wget to get hash for SAI_FLAGS.
As a result we also call curl for libsaibcm.deb inside of function download_packages.

How I did it
Add SKIP_BUILD_HOOK=y to use real wget instead of build hook.

How to verify it
I redirected all requests to proxy to log them (1st column is timing).

Without fix (curl, curl , wget):

1668034736.348 0 CONNECT sonicstorage.blob.core.windows.net:443
1668034831.997 40064209 GET https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm_7.1.17.4_amd64.deb
1668034832.601 0 CONNECT sonicstorage.blob.core.windows.net:443
1668034833.212 113911 GET https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm-dev_7.1.17.4_amd64.deb
1668034833.831 0 CONNECT sonicstorage.blob.core.windows.net:443
1668034834.030 549 HEAD https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm_7.1.17.4_amd64.deb
1668034834.235 547 HEAD https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm-dev_7.1.17.4_amd64.deb

Fixed version (only wget):

1668034973.199 0 CONNECT sonicstorage.blob.core.windows.net:443
1668034973.339 549 HEAD https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm_7.1.17.4_amd64.deb
1668034973.501 547 HEAD https://sonicstorage.blob.core.windows.net/public/sai/bcmsai/REL_7.0/7.1.17.4/libsaibcm-dev_7.1.17.4_amd64.deb

Signed-off-by: Konstantin Vasin <k.vasin@yadro.com>
2022-12-13 23:28:00 -08:00
Kalimuthu-Velappan
0dc22bd27c
05.Version cache - docker dpkg caching support (#12005)
This feature caches all the deb files during docker build and stores them
into version cache.

It loads the cache file if already exists in the version cache and copies the extracted
deb file from cache file into Debian cache path( /var/cache/apt/archives).

The apt-install always installs the deb file from the cache if exists, this
avoid unnecessary package download from the repo and speeds up the overall build.

The cache file is selected based on the SHA value of version dependency
files.

Why I did it
How I did it
How to verify it


* 03.Version-cache - framework environment settings

It defines and passes the necessary version cache environment variables
to the caching framework.

It adds the utils script for shared cache file access.

It also adds the post-cleanup logic for cleaning the unwanted files from
the docker/image after the version cache creation.

* 04.Version cache - debug framework

Added DBGOPT Make variable to enable the cache framework
scripts in trace mode. This option takes the part name of the script to
enable the particular shell script in trace mode.

Multiple shell script names can also be given.

	Eg: make DBGOPT="image|docker"

Added verbose mode to dump the version merge details during
build/dry-run mode.
	Eg: scripts/versions_manager.py freeze -v \
		'dryrun|cmod=docker-swss|cfile=versions-deb|cname=all|stage=sub|stage=add'

* 05.Version cache - docker dpkg caching support

This feature caches all the deb files during docker build and stores them
into version cache.

It loads the cache file if already exists in the version cache and copies the extracted
deb file from cache file into Debian cache path( /var/cache/apt/archives).

The apt-install always installs the deb file from the cache if exists, this
avoid unnecessary package download from the repo and speeds up the overall build.

The cache file is selected based on the SHA value of version dependency
files.
2022-12-12 09:20:56 +08:00
Mai Bui
51a1eb112b
[device/celestica] Mitigation for command injection vulnerability (#11740)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [PR (#12065)](https://github.com/sonic-net/sonic-buildimage/pull/12065) needs to merge first.
#### Why I did it
1. `eval()` - not secure against maliciously constructed input, can be dangerous if used to evaluate dynamic content. This may be a code injection vulnerability.
2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
4. `is` operator - string comparison should not be used with reference equality.
5. `globals()` - extremely dangerous because it may allow an attacker to execute arbitrary code on the system
#### How I did it
1. `eval()` - use `literal_eval()`
2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
3. `os` - use with `subprocess`
4. `is` - replace by `==` operator for value equality
5. `globals()` - avoid the use of globals()
2022-12-09 10:30:20 -05:00
hari-selvam
d993444883
[sflow]: Unblocked psample_*() function calls in BRCM ESW platforms for proper functionality of sflow feature (#12918)
*Replaced BRCM SDK's psample support flag(PSAMPLE_SUPPORT) with linux kernel psample module support config flag(CONFIG_PSAMPLE) in saibcm-modules.
*Replaced BUILD_PSAMPLE conditioanl check with CONFIG_PSAMPLE to build psample callback library(psample-cb.o), only if psample config is enabled in linux kernel.
*Cleaned up PSAMPLE_SUPPORT related commented code.

Signed-off-by: haris@celestica.com

Signed-off-by: haris@celestica.com
2022-12-07 17:14:34 -08:00
Samuel Angebault
19ec89b830
[Arista] Update platform library submodules (#12967)
- add reboot cause support for linecards
- add back a Wolverine variant removed by mistake
- misc fixes and improvements
2022-12-06 23:34:59 -08:00
Marty Y. Lok
f2ece3a4fc
[Nokia]Update Nokia platform submodule for Nokia-IXR7250E platform (#12876)
1d53bf4 Skip platform NDK health check two times in watchdog.sh
d68297c Added code to shutdown the channel after the grpc call also fixed the show fp-status command
0769efe Impelemented the module API to return the correct eeprom info for fabric card.
171569c Remove explicit logger identifier for transceiver module operations; use inherited id
6c4d651 Corrected the log messages for firmware install

Signed-off-by: mlok <marty.lok@nokia.com>
2022-12-05 11:38:52 -08:00
Ikki Zhu
64e7fff7c7
[Platform/Seastone]: fix syseeprom tlv read issue (#12200)
Why I did it
Fix Seastone syseeprom tlv header read incorrect issue

How I did it
Set mux idle_state

How to verify it
i2cdump -y -f 12 0x50 i
2022-12-05 09:49:43 -08:00
Santhosh Kumar T
f10f79b754
[DellEMC] Master: S6100: SSD upgrade status: Moving from smartctl to iSMART (#12784)
Why I did it
smartctl tool is available only in PMON docker. Hence, the tool may be not accessible incase PMON docker goes down.
Using iSMART_64 tool to fetch the SSD firmware version and device model information.

How I did it
Replacing smartctl with iSMART_64.
2022-12-01 17:16:10 -08:00
Mai Bui
95bb7f3b78
[device/ragile] Mitigation for security vulnerability (#11744)
Signed-off-by: maipbui <maibui@microsoft.com>
#### Why I did it
The [xml.etree.ElementTree](https://docs.python.org/3/library/xml.etree.elementtree.html#module-xml.etree.ElementTree) module is not secure against maliciously constructed data.
`os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content
`subprocess.getstatusoutput` is dangerous because include shell=True in the implementation
#### How I did it
Remove xml. Use [lxml](https://pypi.org/project/lxml/) XML parsers package that prevent potentially malicious operation.
Replace `os` by `subprocess`
Use command as an array instead of string
Use `getstatusoutput_noshell` in `sonic_py_common` lib
2022-11-29 11:54:37 -05:00
Mai Bui
35c4e9912d
[ruijie] Replace os.system and remove subprocess with shell=True (#12107)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
1. `getstatusoutput` is used without a static string and it uses `shell=True`
2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
#### How I did it
1. use `getstatusoutput` without shell=True
2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
3. `os` - use with `subprocess`
2022-11-28 12:43:43 -05:00
Richard.Yu
19e3d8ce98
[submodule]Advance sairdis with sai 1.11 and add brcm and mlnx sai sdk (#12471)
* rebase code

advance sairedis

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* Update Mellanox SDK/FW to 4026

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* Update Mellanox SAI to 2211.23.1.0

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* update Switch-SDK-drivers pointer

Signed-off-by: Kebo Liu <kebol@nvidia.com>

* git update sai header in saibcm

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

* mapping to sairedis 202211

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
Signed-off-by: Kebo Liu <kebol@nvidia.com>
Co-authored-by: Kebo Liu <kebol@nvidia.com>
2022-11-23 09:02:36 -08:00
Mai Bui
2f6b34a637
[device/juniper] Mitigation for security vulnerability (#11838)
Signed-off-by: maipbui maibui@microsoft.com
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
`commands` module is not secure
command injection in `getstatusoutput` being used without a static string
#### How I did it
Eliminate `commands` module, use `subprocess` module only
Convert Python 2 to Python 3
2022-11-22 10:46:12 -05:00
Guohan Lu
a618728d91 Revert "[SAI PTF]Support sai ptf v2 Syncd-rpc (#12761)"
This reverts commit 9734b427ff.
2022-11-21 07:22:26 +00:00