From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [RFC v9 01/10] cpe-info: new make target
Date: Thu, 25 Jun 2020 13:00:55 +0200 [thread overview]
Message-ID: <20200625130055.5062a0a0@windsurf> (raw)
In-Reply-To: <20200616170341.45098-1-matthew.weber@rockwellcollins.com>
Hello Matt,
On Tue, 16 Jun 2020 12:03:32 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:
> Similar to make legal-info, produce a csv delimited file containing
> all selected packages CPE identification.
>
> By default, support the pkg infra defining a set of CPE_ID_* defaults
> using the package name for the vendor and name as most CPE IDs seem
> to align with that assumption. Plus initially, use the pkg version as
> the CPE ID's version field.
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
This patch really does two things:
- Add some CPE_* variables into the package infrastructure
- Add a cpe-info make target
These are two separate things, should be two separate patches. However,
see below.
> +.PHONY: cpe-info-clean
> +cpe-info-clean:
> + @rm -f $(CPE_MANIFEST_CSV)
> +
> +.PHONY: cpe-info-prepare
> +cpe-info-prepare:
> + @$(call MESSAGE,"Gathering CPE info")
> + @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
> +
> +.PHONY: cpe-info
> +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
> + @echo "CPE info produced in $(CPE_MANIFEST_CSV)"
I don't think we need/want an additional make target. We have "make
show-info" already, it outputs a JSON blurb, which we can extend with
additional information from the packages.
> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
These variables should be documented in the Buildroot manual.
I see you set some default values for those CPE_ID values, but I am
wondering if that's how we want to do this. Indeed a big question,
which was discussed in a thread earlier this year between Michael
Walle, Akshay Bhat and me is that how do we then distinguish packages
for which the CPE information in Buildroot has been verified and is
known to be correct, from packages that have the CPE information not
verified, and even further from packages that don't have any CPE
information because this specific package is not known in the NVD
database.
So I'd like to see a proposal that clarifies how we are going to handle
this. One way is to *not* have any default value for those CPE
variables, and add them to packages progressively, so that we know that
when the CPE information is there, it _has_ been verified.
It's not great because it means adding gazillions of CPE_ID information
in packages. But is there any other option ?
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2020-06-25 11:00 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
2020-06-21 9:23 ` Yann E. MORIN
2020-06-22 11:34 ` Matthew Weber
2020-06-25 11:04 ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs Matt Weber
2020-06-21 8:56 ` Yann E. MORIN
2020-06-22 11:35 ` Matthew Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 04/10] cpe-info: cpe minor version support Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support Matt Weber
2020-06-25 11:09 ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars Matt Weber
2020-06-25 11:12 ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper Matt Weber
2020-06-25 11:14 ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script Matt Weber
2020-06-25 11:18 ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 09/10] docs/manual: new security management section Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 10/10] packages: fixup of cpe info Matt Weber
2020-06-21 8:45 ` [Buildroot] [RFC v9 01/10] cpe-info: new make target Yann E. MORIN
2020-06-22 11:44 ` Matthew Weber
2020-06-22 20:55 ` Frank Hunleth
2020-06-25 11:00 ` Thomas Petazzoni [this message]
2020-07-01 7:43 ` Gregory CLEMENT
2020-07-01 11:57 ` Thomas Petazzoni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200625130055.5062a0a0@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox