* [Buildroot] CVE tracking for selected packages
@ 2020-02-19 9:21 Thomas De Schampheleire
2020-02-19 10:25 ` Titouan Christophe
2020-02-19 12:38 ` Thomas Petazzoni
0 siblings, 2 replies; 4+ messages in thread
From: Thomas De Schampheleire @ 2020-02-19 9:21 UTC (permalink / raw)
To: buildroot
Hi all,
With the recent addition of CVE checks in the pkg-stats script, we
have made a great step forward, and anyone can check the list at:
http://autobuild.buildroot.org/stats/ to see which packages have which CVEs.
What would be another great improvement, is the possibility to check
for a given defconfig in a particular Buildroot tree (i.e. not
necessarily the master) which CVEs are not yet solved.
Basically something like:
make cve-info
which would list only those CVEs applicable for the packages selected,
so that a user knows directly if action is required or not for their
particular case.
Alternatively, we could add the info to 'make show-info', but since
obtaining the info will also require a download of the CVE databases,
I assume this is not desired.
For the implementation, I assume we should either create a make target
to call pkg-stats with the list of packages required, and perhaps
restricting to CVE checking only (instead of also version checking),
or extract the CVE logic to another file that can be reused by both
pkg-stats as the new thing.
Feedback welcome!
Thomas
^ permalink raw reply [flat|nested] 4+ messages in thread* [Buildroot] CVE tracking for selected packages 2020-02-19 9:21 [Buildroot] CVE tracking for selected packages Thomas De Schampheleire @ 2020-02-19 10:25 ` Titouan Christophe 2020-02-19 10:33 ` Titouan Christophe 2020-02-19 12:38 ` Thomas Petazzoni 1 sibling, 1 reply; 4+ messages in thread From: Titouan Christophe @ 2020-02-19 10:25 UTC (permalink / raw) To: buildroot Hello Thomas and all, On 2/19/20 10:21 AM, Thomas De Schampheleire wrote: > Hi all, > > With the recent addition of CVE checks in the pkg-stats script, we > have made a great step forward, and anyone can check the list at: > http://autobuild.buildroot.org/stats/ to see which packages have which CVEs. > > What would be another great improvement, is the possibility to check > for a given defconfig in a particular Buildroot tree (i.e. not > necessarily the master) which CVEs are not yet solved. I'm glad that you come up with this proposal. I also wanted something similar for our builds. > > Basically something like: > > make cve-info > > which would list only those CVEs applicable for the packages selected, > so that a user knows directly if action is required or not for their > particular case. > > Alternatively, we could add the info to 'make show-info', but since > obtaining the info will also require a download of the CVE databases, > I assume this is not desired. > > For the implementation, I assume we should either create a make target > to call pkg-stats with the list of packages required, and perhaps > restricting to CVE checking only (instead of also version checking), > or extract the CVE logic to another file that can be reused by both > pkg-stats as the new thing. Extracting this logic into a dedicated script would make sense, as finding the CVEs only requires a list of pairs [(package, version)], and could be run entirely outside of a Buildroot tree. In my CI/CD pipelines, I already run `make legal-info` as the last step, and I imagine reusing the CSV output of legal-info (or any other script that generates a "manifest" of the included packages) could be done on a daily basis, like in a nightly build. > > Feedback welcome! > > Thomas > Best regards, Titouan PS: By the way, I have some code nearly ready to switch to the v1.1 of the NVD feeds. Patch soming soon. ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] CVE tracking for selected packages 2020-02-19 10:25 ` Titouan Christophe @ 2020-02-19 10:33 ` Titouan Christophe 0 siblings, 0 replies; 4+ messages in thread From: Titouan Christophe @ 2020-02-19 10:33 UTC (permalink / raw) To: buildroot Hello myself, Thomas and all, On 2/19/20 11:25 AM, Titouan Christophe wrote: > Hello Thomas and all, > > On 2/19/20 10:21 AM, Thomas De Schampheleire wrote: >> Hi all, >> >> With the recent addition of CVE checks in the pkg-stats script, we >> have made a great step forward, and anyone can check the list at: >> http://autobuild.buildroot.org/stats/ to see which packages have which >> CVEs. >> >> What would be another great improvement, is the possibility to check >> for a given defconfig in a particular Buildroot tree (i.e. not >> necessarily the master) which CVEs are not yet solved. > > I'm glad that you come up with this proposal. I also wanted something > similar for our builds. > >> >> Basically something like: >> >> ???? make cve-info >> >> which would list only those CVEs applicable for the packages selected, >> so that a user knows directly if action is required or not for their >> particular case. >> >> Alternatively, we could add the info to 'make show-info', but since >> obtaining the info will also require a download of the CVE databases, >> I assume this is not desired. >> >> For the implementation, I assume we should either create a make target >> to call pkg-stats with the list of packages required, and perhaps >> restricting to CVE checking only (instead of also version checking), >> or extract the CVE logic to another file that can be reused by both >> pkg-stats as the new thing. > > Extracting this logic into a dedicated script would make sense, as > finding the CVEs only requires a list of pairs [(package, version)], and > could be run entirely outside of a Buildroot tree. EDIT: second time I forget about the <pkg>_IGNORE_CVES ! => Yet the matching could be done with a list of triples [(package, version, [ignored CVEs])]. The list of ignored CVEs only changes when bumping the Buildroot version, so all the rest of my message remains valid :) > > In my CI/CD pipelines, I already run `make legal-info` as the last step, > and I imagine reusing the CSV output of legal-info (or any other script > that generates a "manifest" of the included packages) could be done on a > daily basis, like in a nightly build. > >> >> Feedback welcome! >> >> Thomas >> > > Best regards, > > Titouan > > PS: By the way, I have some code nearly ready to switch to the v1.1 of > the NVD feeds. Patch soming soon. ^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] CVE tracking for selected packages 2020-02-19 9:21 [Buildroot] CVE tracking for selected packages Thomas De Schampheleire 2020-02-19 10:25 ` Titouan Christophe @ 2020-02-19 12:38 ` Thomas Petazzoni 1 sibling, 0 replies; 4+ messages in thread From: Thomas Petazzoni @ 2020-02-19 12:38 UTC (permalink / raw) To: buildroot On Wed, 19 Feb 2020 10:21:39 +0100 Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote: > What would be another great improvement, is the possibility to check > for a given defconfig in a particular Buildroot tree (i.e. not > necessarily the master) which CVEs are not yet solved. > > Basically something like: > > make cve-info Absolutely. > For the implementation, I assume we should either create a make target > to call pkg-stats with the list of packages required, and perhaps > restricting to CVE checking only (instead of also version checking), > or extract the CVE logic to another file that can be reused by both > pkg-stats as the new thing. I don't think calling into pkg-stats is really a good idea for that, we probably want some other "thing", possibly also used by pkg-stats. Best regards, Thomas -- Thomas Petazzoni, CTO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-02-19 12:38 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-02-19 9:21 [Buildroot] CVE tracking for selected packages Thomas De Schampheleire 2020-02-19 10:25 ` Titouan Christophe 2020-02-19 10:33 ` Titouan Christophe 2020-02-19 12:38 ` Thomas Petazzoni
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox