From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: Daniel Lang <dalang@gmx.at>,
clement.ramirez@bootlin.com, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0
Date: Wed, 9 Aug 2023 22:59:01 +0200 [thread overview]
Message-ID: <20230809225901.470e0270@windsurf> (raw)
In-Reply-To: <143fe7eb-b3ed-55f0-f1b7-9ea9d4582d50@mind.be>
On Wed, 9 Aug 2023 22:31:11 +0200
Arnout Vandecappelle <arnout@mind.be> wrote:
> Using the CPE database is actually useless. I think we should drop it.
When I read this, I disagreed...
> It actually doesn't matter at all if a CPE entry (including the version) is
> found in the CPE database. If there's a CVE for it, then the entry will exist.
> But usually, the CVE will have a version range. In that case, we anyway match
> the version range without caring at all if the specific version exists in the
> CPE database or not.
>
> So, I think we should just construct a CPE string and match it against the
> CVEs, without consulting the CPE database at all.
>
> It _does_ make sense to do a lookup in the CPE database for the CPE string,
> but with * as the version part. This allows us to validate if the
> vendor/project/etc. are set correctly. But that's something we can do in
> individual API calls for each package, like we do for release-monitoring.
... but then you say we should still use the CPE database, and I agree
on why we should use it: to have some reasonable certainty that the
CPE ID we create in Buildroot for each package has a chance of matching
the CPEs that will be associated with the CVEs that will perhaps one day
be reported against this software package. So yes, perhaps we should
just match in the CPE database with version set to '*', so that we
don't care if the CPE database isn't aware of the latest releases of
software packages, which it rarely is.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
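The matching the two messages above describe, as an added stand-alone example: this is not Buildroot's support/scripts/cve.py, and it is not code from either participant. It builds a CPE 2.3 string per package, matches it against the `cpeMatch` entries of NVD JSON 2.0 style CVE configurations (using the feed's `criteria`, `vulnerable`, `versionStartIncluding`/`versionStartExcluding`/`versionEndIncluding`/`versionEndExcluding` keys), and does the CPE-dictionary lookup with the version set to '*' rather than requiring the exact version to be present. The CVE records, the dictionary contents, the `example:libfoo` product and the `CVE-EXAMPLE-*` identifiers are constructed placeholders; `version_key`, `cve_affects` and `report` are names chosen for this example.

```python
import re

# Added example, not Buildroot's cve.py.  cpeMatch field names follow the NVD
# JSON 2.0 feed; all records below are constructed sample data.

CPE_FIELDS = ("prefix", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other")


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields (escaped ':' kept)."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields))


def product_key(cpe):
    """part/vendor/product triple, i.e. the CPE with its version set to '*'."""
    c = parse_cpe(cpe)
    return (c["part"], c["vendor"], c["product"])


def version_key(v):
    """Sortable key: numeric components compare as ints, the rest as strings.
    Simplification: '1.4' sorts below '1.4.0' because its tuple is shorter."""
    return tuple((0, int(t), "") if t.isdigit() else (1, 0, t)
                 for t in re.split(r"[.\-_]", v))


def version_in_range(version, match):
    """Apply the four optional NVD range bounds of one cpeMatch object."""
    v = version_key(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc is not None and v < version_key(lo_inc):
        return False
    if lo_exc is not None and v <= version_key(lo_exc):
        return False
    if hi_inc is not None and v > version_key(hi_inc):
        return False
    if hi_exc is not None and v >= version_key(hi_exc):
        return False
    return True


def cve_affects(pkg_cpe, cve):
    """True if any vulnerable cpeMatch in the CVE covers the package CPE.
    Simplification: every node is treated as an OR of its cpeMatch entries;
    the AND/negate operators of real configurations are not modelled."""
    pkg = parse_cpe(pkg_cpe)
    key = product_key(pkg_cpe)
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False) or product_key(m["criteria"]) != key:
                    continue
                crit_version = parse_cpe(m["criteria"])["version"]
                if crit_version != "*":
                    # Exact-version criterion: no range bounds apply.
                    if crit_version == pkg["version"]:
                        return True
                    continue
                if version_in_range(pkg["version"], m):
                    return True
    return False


def affected_cves(pkg_cpe, cves):
    return [cve["id"] for cve in cves if cve_affects(pkg_cpe, cve)]


def product_in_dictionary(pkg_cpe, dictionary):
    """The '*'-version lookup from the thread: is vendor/product known at all?"""
    key = product_key(pkg_cpe)
    return any(product_key(d) == key for d in dictionary)


# Constructed sample CVEs (placeholder IDs, not real vulnerabilities).
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-RANGE",
     "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
         {"vulnerable": True,
          "criteria": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "1.2.0",
          "versionEndExcluding": "1.4.2"}]}]}]},
    {"id": "CVE-EXAMPLE-EXACT",
     "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
         {"vulnerable": True,
          "criteria": "cpe:2.3:a:example:libfoo:1.0.0:*:*:*:*:*:*:*"}]}]}]},
]

# Constructed CPE dictionary that, as is typical, lags behind the latest release.
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:example:libfoo:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:libfoo:1.3.0:*:*:*:*:*:*:*",
]


def report(pkg_cpe, cves=SAMPLE_CVES, dictionary=SAMPLE_DICTIONARY):
    return {
        "exact_in_dictionary": pkg_cpe in dictionary,       # the check argued against
        "product_in_dictionary": product_in_dictionary(pkg_cpe, dictionary),
        "cves": affected_cves(pkg_cpe, cves),
    }


if __name__ == "__main__":
    print(report("cpe:2.3:a:example:libfoo:1.4.1:*:*:*:*:*:*:*"))
```

For libfoo 1.4.1 the exact CPE is absent from the dictionary, yet the vendor/product is known and the range-based CVE still matches, which is the situation the thread is about: the dictionary lookup only tells you whether the vendor/product pair is spelled the way NVD spells it, while the CVE match depends on the version range alone.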
Thread overview: 19+ messages
2023-07-31 20:14 [Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0 Daniel Lang
2023-07-31 21:52 ` Thomas Petazzoni via buildroot
2023-08-01 14:13 ` Daniel Lang
2023-08-01 14:19 ` Thomas Petazzoni via buildroot
2023-08-01 14:44 ` Daniel Lang
2023-08-01 19:44 ` Thomas Petazzoni via buildroot
2023-08-01 19:55 ` Daniel Lang
2023-08-09 20:31 ` Arnout Vandecappelle via buildroot
2023-08-09 20:59 ` Thomas Petazzoni via buildroot [this message]
2023-08-10 5:50 ` Daniel Lang
2023-08-10 7:07 ` Thomas Petazzoni via buildroot
2023-08-10 13:18 ` Arnout Vandecappelle via buildroot
2023-08-10 13:42 ` Thomas Petazzoni via buildroot
2023-08-10 14:58 ` Arnout Vandecappelle via buildroot
2023-08-10 20:12 ` Daniel Lang
2023-08-10 21:12 ` Thomas Petazzoni via buildroot
2023-08-11 6:51 ` Arnout Vandecappelle via buildroot
2023-08-11 12:30 ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
2023-08-10 20:02 ` [Buildroot] " Daniel Lang