From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [NEXT 06/26] boa: add CPE id
Date: Fri, 2 Mar 2018 10:49:33 +0100 [thread overview]
Message-ID: <20180302104933.39fbda31@windsurf.lan> (raw)
In-Reply-To: <8245f0c5-94fc-a0b3-9710-8c0c779dcbdd@mind.be>
Hello,
On Fri, 2 Mar 2018 09:19:25 +0100, Arnout Vandecappelle wrote:
> Just to be clear about what you're saying here: in v3, you'll making it so that
> nothing has to be done explicitly in the package to get a CPE ID, but it may be
> (and probably will be) invalid? So that the initial report will contain a huge
> amount of invalid entries, and we can fix them one by one?
>
> I realize I'm contradicting myself, but that still leaves us with a problem (or
> rather, limitation). We have no way of keeping track of which packages have been
> checked and which haven't, so we have no way of keeping track of which ones are
> broken.
>
> Or perhaps the pkg-stats script could eventually check the entry in the CPE
> database, and add a column to indicate that it's valid or not?
Yes, that would be the idea.
> > The CPE list will be as accurate as people using it update the NIST
> > entries, either manually or as Buildroot nudges them to send an email.
> > The CVEs those CPEs will find is another complete story and most open
> > ways of searching for those don't concluded clean results without a
> > good amount of manual intervention.
>
> Yes, I do realize that this is a kind of catch-22 situation, if nobody uses the
> database then obviously it will not be up-to-date. But to be honest, right now I
> don't even really understand what kind of information you can get from it even
> in the ideal case. That's why I asked to post an RFC script, so we can get some
> idea of what the end goal is (and ultimately, whether this is worth the effort).
Yes, I agree. The current proposal that just adds CPE_ID to packages,
and has a mechanism to generate a CSV based on that isn't very useful
per-se. I would also like to see the tooling that processes those
CPE_ID to query the NIST database, and get some useful data out of it.
Even if the data isn't great for the moment because the NIST database
is limited, it would show how the whole thing would be useful.
Right now the patch series just adds some IDs and generates a CSV with
those IDs, which isn't terribly useful.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
http://bootlin.com
next prev parent reply other threads:[~2018-03-02 9:49 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 2:10 [Buildroot] [NEXT 00/26] Package CVE Reporting Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 01/26] cpe-info: new make target Matt Weber
2018-02-27 21:40 ` Thomas Petazzoni
2018-02-28 4:30 ` Matthew Weber
2018-03-01 20:21 ` Arnout Vandecappelle
2018-02-27 2:10 ` [Buildroot] [NEXT 02/26] cpe-info: update manual for new pkg vars Matt Weber
2018-02-27 21:43 ` Thomas Petazzoni
2018-02-28 4:22 ` Matthew Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 03/26] cpe-info: id prefix/suffix Matt Weber
2018-02-27 21:45 ` Thomas Petazzoni
2018-02-28 4:14 ` Matthew Weber
2018-03-01 20:34 ` Arnout Vandecappelle
2018-03-03 3:01 ` Matthew Weber
2018-03-01 20:32 ` Arnout Vandecappelle
2018-02-27 2:10 ` [Buildroot] [NEXT 04/26] cpe-info: only report target pkgs Matt Weber
2018-02-27 21:45 ` Thomas Petazzoni
2018-02-28 4:13 ` Matthew Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 05/26] bash: add CPE id Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 06/26] boa: " Matt Weber
2018-02-27 22:17 ` Thomas Petazzoni
2018-02-28 4:00 ` Matthew Weber
2018-02-28 6:38 ` Thomas Petazzoni
2018-03-01 20:47 ` Arnout Vandecappelle
2018-03-01 22:55 ` Matthew Weber
2018-03-02 8:19 ` Arnout Vandecappelle
2018-03-02 9:49 ` Thomas Petazzoni [this message]
2018-03-02 16:14 ` Matthew Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 07/26] boost: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 08/26] busybox: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 09/26] bzip2: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 10/26] dhcp: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 11/26] e2fsprogs: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 12/26] gdb: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 13/26] glibc: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 14/26] gnupg: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 15/26] gzip: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 16/26] iproute2: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 17/26] libgcrypt: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 18/26] libopenssl: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 19/26] libzlib: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 20/26] linux: " Matt Weber
2018-02-27 22:18 ` Thomas Petazzoni
2018-02-28 4:12 ` Matthew Weber
2018-03-02 9:55 ` Thomas Petazzoni
2018-02-27 2:10 ` [Buildroot] [NEXT 21/26] linux-headers: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 22/26] openssh: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 23/26] rsyslog: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 24/26] tcpdump: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 25/26] util-linux: " Matt Weber
2018-02-27 2:10 ` [Buildroot] [NEXT 26/26] xerces: " Matt Weber
2018-02-27 21:37 ` [Buildroot] [NEXT 00/26] Package CVE Reporting Thomas Petazzoni
2018-02-28 4:42 ` Matthew Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180302104933.39fbda31@windsurf.lan \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox