Buildroot Archive on lore.kernel.org
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [NEXT 02/26] cpe-info: update manual for new pkg vars
Date: Tue, 27 Feb 2018 22:43:43 +0100
Message-ID: <20180227224343.14ad0df8@windsurf.lan>
In-Reply-To: <1519697441-54194-3-git-send-email-matthew.weber@rockwellcollins.com>

Hello,

On Mon, 26 Feb 2018 20:10:17 -0600, Matt Weber wrote:
> Provide guidance on setting up the <pkgname>_CPE_ID
> and <pkgname>_CVE_PATCHED variables.
> ---
>  docs/manual/adding-packages-generic.txt | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
> index 63ea51b..635c5d2 100644
> --- a/docs/manual/adding-packages-generic.txt
> +++ b/docs/manual/adding-packages-generic.txt
> @@ -453,6 +453,21 @@ information is (assuming the package name is +libfoo+) :
>    FLAT binary format is only 4k bytes. If the application consumes more stack,
>    append the required number here.
>  
> +* +LIBFOO_CPE_ID+ is a space-separated list of the package's Common Product
> +  Enumeration (CPE) identification string(s).

So you can have multiple entries in this list? In which cases?

> +  +make cpe-info+ copies all of these into a +cpe-manifest.csv+ file.
> +  This variable is optional. If it is not defined, +unknown+ will appear in
> +  the +CPI ID+ field of the manifest file for this package.

Side question: is this manifest.csv file generated in some standardized
format, or is it just some CSV format you came up with, just like we did
for legal-info?

> +  To identify a package's possible CPE(s), the National Vunerability
> +  Database can be searched at https://nvd.nist.gov/products/cpe/search.
> +
> +* +LIBFOO_CVE_PATCHED+ is a space-separated list of the package's Common
> +  Vunerability Enumeration (CVE) identification strings.  This list
> +  represents patches applied to the package beyond the current version,
> +  which may fix CVEs.
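Review bot: the added documentation lines misspell "Vulnerability" as "Vunerability" twice (in the NVD search sentence and in the LIBFOO_CVE_PATCHED item) and write "CPI ID" where the manifest field is called "CPE ID"; the acronym expansions are also wrong, since CPE stands for Common Platform Enumeration rather than "Common Product Enumeration" and CVE for Common Vulnerabilities and Exposures rather than "Common Vunerability Enumeration". Suggest correcting these in the same respin that reworks the LIBFOO_CVE_PATCHED wording, so the manual uses the standard names.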

I find this description a bit unclear. Indeed LIBFOO_CVE_PATCHED
doesn't "represents patches". Instead it "Enumerates CVEs that are
fixed by patches added in Buildroot". We can perhaps expand and say
that it allows the CPE reporting mechanism to know that a given CVE is
fixed, even if Buildroot is not using an upstream release that has the
CVE fixed.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
http://bootlin.com

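As an added example (not part of this thread and not Buildroot's own cpe-info code), the Python below models the reporting step Thomas describes: the CVEs known for a package's CPE ID(s), minus those listed in LIBFOO_CVE_PATCHED, with a package whose CPE ID is "unknown" flagged as not assessable. The manifest column layout, the CPE strings and the CVE identifiers are constructed placeholders, not the real manifest format or NVD data.

```python
import csv
import io

# Constructed sample manifest in the shape `make cpe-info` might write.
# The real column layout is not specified in the thread; this is an assumption.
# A package may carry several space-separated CPE IDs; "unknown" means none set.
CPE_MANIFEST_CSV = """\
PACKAGE,VERSION,CPE ID,CVE PATCHED
libfoo,1.2.3,cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:example:foo:1.2.3:*:*:*:*:*:*:*,CVE-EXAMPLE-0001
libbar,2.0,unknown,
"""

# Constructed, hypothetical vulnerability feed keyed by CPE ID (placeholder CVE ids).
CVE_FEED = {
    "cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:*": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
    "cpe:2.3:a:example:foo:1.2.3:*:*:*:*:*:*:*": {"CVE-EXAMPLE-0003"},
}


def parse_manifest(text):
    """Return {package: (list_of_cpe_ids, set_of_patched_cves)} from the CSV text."""
    manifest = {}
    for row in csv.DictReader(io.StringIO(text)):
        cpe_ids = row["CPE ID"].split()
        patched = set(row["CVE PATCHED"].split())
        manifest[row["PACKAGE"]] = (cpe_ids, patched)
    return manifest


def outstanding_cves(manifest, feed):
    """For each package, list feed CVEs not covered by CVE_PATCHED.

    A package whose CPE ID is "unknown" cannot be matched against the feed
    at all, so it is reported as None rather than as "no CVEs".
    """
    report = {}
    for pkg, (cpe_ids, patched) in manifest.items():
        if cpe_ids == ["unknown"]:
            report[pkg] = None
            continue
        known = set()
        for cpe in cpe_ids:
            # Union across all CPE IDs, since one package may match several.
            known |= feed.get(cpe, set())
        report[pkg] = sorted(known - patched)
    return report


if __name__ == "__main__":
    for pkg, cves in outstanding_cves(parse_manifest(CPE_MANIFEST_CSV), CVE_FEED).items():
        print(pkg, "not assessable (CPE ID unknown)" if cves is None else cves)
```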