[Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix

From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix
Date: Sun, 21 Jun 2020 11:23:16 +0200	[thread overview]
Message-ID: <20200621092316.GC2351@scaer> (raw)
In-Reply-To: <20200616170341.45098-2-matthew.weber@rockwellcollins.com>

On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> There are two types of software CPE prefixes applicable for software,
> one for applications and one for operating systems.
> Note: The third type is for hardware.
> 
> This patchset determines which should be used and stores that
> information with the package for later use when assembling the CPE
> report.

So this means that the CPE manifest in patch 1 is incomplete, and indeed
does not represent actual CPE information, right?

In this case, I think we should not create that manifest until we have
the full information available to generate it.

I am fine with the series introducing the CPE info bit by bit, because
it is easier to review (thanks! :-) ), but the manifest is useless if
only parts of the series is applied.

So, the series should probably be something like:

  - introduce basic CPE info from pakcage metadata
        (patch 1 without the manifest creation)

  - introduce the OS / Application prefix

  - introduce the generic suffix

  - introduce support for the minor-version

etc...

See also a comment below...

> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 1408845613..7d892ca1d6 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif

I think the CPE ID could be constructed as:

    ifneq ($(filter linux linux-headers,$(1)),)
    $(2)_CPE_ID = $(CPE_PREFIX_OS)
    else
    $(2)_CPE_ID = $(CPE_PREFIX_APP)
    endif

    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VENDOR))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_NAME))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VERSION))

    $(2)_CPE_ID += $(CPE_SUFFIX)

... and then...

>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
>  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  	@$$(call MESSAGE,"Collecting cpe info")
> -	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> +	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))

... use $(subst $(space),:,$($(2)_CPE_ID))

The CPE spec, chapter 5.3.2, bullet point 2, states:
    The underscore (x5f) MAY be used, and it SHOULD be used in place of
    whitespace characters (which SHALL NOT be used).

So we know there will be no space in any of the fields, and thus any
existing space is due to our append-assignment, so we can replace the
spaces with a colon.

Regards,
Yann E. MORIN.

>  endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  
>  # legal-info: declare dependencies and set values used later for the manifest
> -- 
> 2.17.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'