classes/yocto-check-layer: add check for tasks that allow network access

Add a new test that checks that no tasks between do_fetch (exclusive)
and do_build (inclusive) are allowed to use the network, with rare
exceptions.

The only exception currently is build-appliance-image's do_image task,
as that currently usese pip to install the required Toaster dependencies.

Note that this will mean layers that have Go-based recipes will fail
unless they're using the gomod fetcher and have a complete list of
modules in the SRC_URI.

(From OE-Core rev: e95b3bd194e294412bc0419c9c74abfc2f37406f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/classes-global/yocto-check-layer.bbclass

@@ -27,6 +27,36 @@ def check_insane_skip(d):
             d.setVar("QA_ERRORS_FOUND", "True")
 
 
+# Check that no tasks (with rare exceptions) between do_fetch and do_build
+# use the network.
+def check_network_flag(d):
+    # BPN:task names that are allowed to reach the network, using fnmatch to compare.
+    allowed = []
+    # build-appliance-image uses pip at image time
+    allowed += ["build-appliance-image:do_image"]
+
+    def is_allowed(bpn, task):
+        from fnmatch import fnmatch
+        name = f"{bpn}:{task}"
+        return any(fnmatch(name, pattern) for pattern in allowed)
+
+    bpn = d.getVar("BPN")
+    seen = set()
+    stack = {"do_build"}
+    while stack:
+        task = stack.pop()
+        if task == "do_fetch":
+            continue
+
+        seen.add(task)
+        deps = d.getVarFlag(task, "deps") or []
+        stack |= {d for d in deps if d not in seen}
+
+        network = bb.utils.to_boolean(d.getVarFlag(task, "network"))
+        if network and not is_allowed(bpn, task):
+            bb.error(f"QA Issue: task {task} has network enabled")
+
 python () {
     check_insane_skip(d)
+    check_network_flag(d)
 }