From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*'
Date: Wed, 4 Nov 2020 17:54:03 +0100 [thread overview]
Message-ID: <20201104175403.4fb8b39f@windsurf.home> (raw)
In-Reply-To: <CANQCQpb-yMdETe6FUTkGbqKK4oFzwsuAsBGNB_k79P-azdyemQ@mail.gmail.com>
Hello,
On Wed, 4 Nov 2020 10:45:32 -0600
Matthew Weber <matthew.weber@collins.com> wrote:
> > So it should be taken into account. In this specific case, it is
> > combined with an AND with CPE ID
> > cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
> > we don't support this kind of matching, we'd better be on the safe
> > side, and report this CVE as affecting tar, do an analysis of the CVE
> > impact, and document it in TAR_IGNORE_CVES.
>
> I agree, it is better to over-report and give people the option of
> setting the ignore entry or to go work with the CPE dictionary team to
> make an update to how that CVE is being mapped to the CPE.
That is the idea. And among the new CVEs that appear, there are really
some CVEs where the NVD database just specify "*", without any
combination with a particular operating system or distribution: i.e the
CVE description is so imprecise that it doesn't even say which versions
of the software component are affected.
> I was interested to know if yocto has an existing listing of CVE they
> are ignoring as well. I looked a bit at the cve-checker[2] but I
> couldn't find any existing list or metadata within yocto but instead a
> few forked tools that all allow you to create a Software Bill Of
> Materials (SBOM) and provide a list of overall excluded CVE [1]. It
> seems better to keep the initial refinement within Buildroot or to
> push instead for making a correction in the actual CVE mapping. If
> the user wants to whitelist it outside of Buildroot for their specific
> use case, that could be a topic for a future patchset on creation of a
> Software Bill Of Materials matching/tailored for their defconfig.
> Thoughts?
Yes, we could certainly think of allowing the user to extend the list
of ignored CVEs. I haven't tried doing <pkg>_IGNORE_CVES +=
CVE-YYYY-XYZ in external.mk from an external tree. I don't know if it's
going to play well with the expansion ordering, though.
> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2020-11-04 16:54 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-04 14:51 [Buildroot] [PATCH 00/10] Introduce CPE ID matching for CVEs Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*' Thomas Petazzoni
2020-11-04 16:45 ` Matthew Weber
2020-11-04 16:54 ` Thomas Petazzoni [this message]
2020-11-26 15:32 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 02/10] support/scripts/cve-checker: parse arguments earlier Thomas Petazzoni
2020-11-26 15:32 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables Thomas Petazzoni
2020-11-04 17:03 ` Matthew Weber
2020-11-05 17:02 ` Thomas Petazzoni
2020-11-12 7:40 ` Heiko Thiery
2020-11-26 15:34 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables Thomas Petazzoni
2020-11-04 17:06 ` Matthew Weber
2020-11-12 7:36 ` Heiko Thiery
2020-11-26 15:36 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available Thomas Petazzoni
2020-11-04 17:09 ` Matthew Weber
2020-11-12 7:44 ` Heiko Thiery
2020-11-26 15:37 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 06/10] support/testing/tests/core/test_cpeid: new test Thomas Petazzoni
2020-11-04 17:12 ` Matthew Weber
2020-11-26 15:37 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 07/10] support/scripts/cve-checker: show CPE ID in results Thomas Petazzoni
2020-11-04 17:20 ` Matthew Weber
2020-11-26 15:38 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 08/10] support/script/pkg-stats: " Thomas Petazzoni
2020-11-04 17:18 ` Matthew Weber
2020-11-05 17:01 ` Thomas Petazzoni
2020-11-05 17:20 ` Matthew Weber
2020-11-12 7:59 ` Heiko Thiery
2021-01-11 22:37 ` Arnout Vandecappelle
2021-01-12 15:23 ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching Thomas Petazzoni
2020-11-04 18:33 ` Matthew Weber
2020-11-05 8:46 ` Peter Korsgaard
2020-11-05 8:55 ` Thomas Petazzoni
2020-11-05 14:55 ` Gregory CLEMENT
2020-11-05 16:59 ` Thomas Petazzoni
2020-11-06 14:48 ` Gregory CLEMENT
2020-11-04 14:51 ` [Buildroot] [PATCH 10/10] package: provide CPE ID details for numerous packages Thomas Petazzoni
2020-11-04 15:42 ` Alexander Dahl
2020-11-04 15:49 ` Thomas Petazzoni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201104175403.4fb8b39f@windsurf.home \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox