From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars
Date: Thu, 25 Jun 2020 13:12:42 +0200 [thread overview]
Message-ID: <20200625131242.07bf9831@windsurf> (raw)
In-Reply-To: <20200616170341.45098-6-matthew.weber@rockwellcollins.com>
On Tue, 16 Jun 2020 12:03:37 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:
> Provide guidance on setting up the *_CPE_* and *_CVE_* variables.
There are only _CPE_ variables, no _CVE_ variable is documented here.
> +* +LIBFOO_CPE_ID_VENDOR+
> + This variable is optional. It only must be defined if the package name
> + does not match what the CPE ID uses for the vendor. By default it's set
> + to <pkg-name>_project.
> +
> +* +LIBFOO_CPE_ID_NAME+
> + This variable is optional. It only must be defined if the package name
> + does not match what the CPE ID uses for the name. By default it's set
> + to <pkg-name>.
> +
> +* +LIBFOO_CPE_ID_VERSION+
> + This variable is optional. By default it's set to <pkg-version>.
> +
> +* +LIBFOO_CPE_ID_VERSION_MINOR+
> + This variable is optional. By default it's set to *.
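Review bot: the sentence "It only must be defined if ..." in the +LIBFOO_CPE_ID_VENDOR+ and +LIBFOO_CPE_ID_NAME+ entries reads awkwardly; "It must only be defined if the package name does not match ..." is the intended meaning. In the +LIBFOO_CPE_ID_VERSION_MINOR+ entry, consider writing the default as +*+ in literal markup, as is done for the variable names, so a bare asterisk is not mistaken for AsciiDoc emphasis and the reader can see it is the CPE wildcard.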
None of this documentation describes *what* those variables must
contain. It says they are optional and what the default value is, but
does not explain what value they should be set to. This is especially
true for VERSION vs. VERSION_MINOR.
> +* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
> + default case of a single package's Common Product Enumeration (CPE)
> + identification string. +make cpe-info+ copies all of these into a
> + +cpe-manifest.csv+ file. To identify a package's possible CPE,
> + the National Vunerability Database can be searched at
> + https://nvd.nist.gov/products/cpe/search.
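Review bot: two typos in the +LIBFOO_CPE_ID+ paragraph: "hangles" should be "handles" and "Vunerability" should be "Vulnerability". The expansion is also wrong: CPE stands for Common Platform Enumeration, not "Common Product Enumeration", and since this paragraph is where the acronym is introduced it should match the name NIST uses at the linked search page.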
This explanation could be extended a bit to explain clearly that a
default _CPE_ID value will be defined based on the other CPE_ID_*
variables, and that this should be used to override the overall value
only in special situations.
However, in practice, do we have such cases? Do you have situations
where customizing VENDOR, NAME, VERSION, VERSION_MINOR is not enough,
and you have to set a package-specific CPE_ID value directly?
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
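As an added illustration of how the variables discussed in this thread combine (this is not code from the patch or from Buildroot itself): vendor and name default to <pkg-name>_project and <pkg-name>, version to the package version, the minor version to *, and an explicit CPE_ID overrides the composed value. It assumes CPE 2.3 formatted strings with the minor version placed in the CPE "update" field, and a constructed three-column layout for cpe-manifest.csv.

```python
import csv
import io

# CPE 2.3 has 13 colon-separated components:
# cpe:2.3:part:vendor:product:version:update:edition:language:
#         sw_edition:target_sw:target_hw:other
CPE_TRAILING_WILDCARDS = ["*"] * 6


def cpe_id(pkg_name, pkg_version, cpe_vars=None):
    """Compose a package's CPE 2.3 identifier from its *_CPE_ID_* settings.

    cpe_vars maps the variable suffix (VENDOR, NAME, VERSION,
    VERSION_MINOR) or the full override key CPE_ID to its value.
    Assumption: VERSION_MINOR fills the CPE 'update' field.
    """
    cpe_vars = cpe_vars or {}
    if "CPE_ID" in cpe_vars:
        # An explicit LIBFOO_CPE_ID wins over all the per-field variables.
        return cpe_vars["CPE_ID"]
    vendor = cpe_vars.get("VENDOR", f"{pkg_name}_project")
    name = cpe_vars.get("NAME", pkg_name)
    version = cpe_vars.get("VERSION", pkg_version)
    minor = cpe_vars.get("VERSION_MINOR", "*")
    fields = ["cpe", "2.3", "a", vendor, name, version, minor]
    return ":".join(fields + CPE_TRAILING_WILDCARDS)


def cpe_manifest(packages):
    """Render the manifest CSV for (pkg_name, pkg_version, cpe_vars) tuples."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["package", "version", "cpe_id"])
    for name, version, cpe_vars in packages:
        writer.writerow([name, version, cpe_id(name, version, cpe_vars)])
    return buf.getvalue()


# Constructed sample packages: defaults only, vendor override with a
# minor version, and a full CPE_ID override.
SAMPLE_PACKAGES = [
    ("libfoo", "1.2.3", {}),
    ("openssh", "8.3", {"VENDOR": "openbsd", "VERSION_MINOR": "p1"}),
    ("libbar", "0.9", {"CPE_ID": "cpe:2.3:a:barcorp:bar:0.9:*:*:*:*:*:*:*"}),
]

if __name__ == "__main__":
    print(cpe_manifest(SAMPLE_PACKAGES), end="")
```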