* [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Christian Hitz via buildroot @ 2024-02-28 14:51 UTC
To: buildroot; +Cc: Christian Hitz, Sergey Matyukevich
From: Christian Hitz <christian.hitz@bbv.ch>
cpe:2.3:o:arm:arm-trusted-firmware:2.4:-:*:*:*:*:*:* is a valid CPE
identifier for this package:
https://nvd.nist.gov/products/cpe/detail/78601535-610A-45A5-A5F0-AFC6A27A7F83
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
---
boot/arm-trusted-firmware/arm-trusted-firmware.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..ebb9b8e9f6 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -24,6 +24,8 @@ ARM_TRUSTED_FIRMWARE_LICENSE = BSD-3-Clause
ARM_TRUSTED_FIRMWARE_LICENSE_FILES = docs/license.rst
endif
endif
+ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR = arm
+ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX = cpe:2.3:o
ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE):$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT),y:y)
BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
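Review bot: the hunk sets only CPE_ID_VENDOR and CPE_ID_PREFIX, so the version field of the generated identifier falls back to ARM_TRUSTED_FIRMWARE_VERSION, which carries the upstream tag's leading "v" (as pointed out later in this thread), whereas the NVD identifier quoted in the commit message uses a bare "2.4". Consider adding `ARM_TRUSTED_FIRMWARE_CPE_ID_VERSION = $(patsubst v%,%,$(ARM_TRUSTED_FIRMWARE_VERSION))` next to the two new lines, and stating in the commit message that the product name is deliberately left at its default (the package name, arm-trusted-firmware), since that default is exactly the product component of the cited CPE.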
--
2.43.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Arnout Vandecappelle via buildroot @ 2024-03-03 17:07 UTC
To: Christian Hitz, buildroot; +Cc: Christian Hitz, Sergey Matyukevich
On 28/02/2024 15:51, Christian Hitz via buildroot wrote:
> From: Christian Hitz <christian.hitz@bbv.ch>
>
> cpe:2.3:o:arm:arm-trusted-firmware:2.4:-:*:*:*:*:*:* is a valid CPE
> identifier for this package:
>
> https://nvd.nist.gov/products/cpe/detail/78601535-610A-45A5-A5F0-AFC6A27A7F83
This entry is from 2021, and they haven't added any entries for later versions
(it's now at version 2.10).
So I think this CPE entry is not relevant for any current version. If we add
the CPE ID now, we will not notice if later they in fact name it e.g.
trusted-firmware-arm. Note that the upstream repository is called
trustedfirmware-a, and that there is a CPE entry for trusted_firmware-m [1]
although that one also hasn't been updated for recent releases...
So I don't think we should merge this.
Regards,
Arnout
[1] https://nvd.nist.gov/products/cpe/detail/2AF395D6-6367-4EFF-A0D0-C0CB6CA99E3E
>
> Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
> ---
> boot/arm-trusted-firmware/arm-trusted-firmware.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> index 2d554c1da8..ebb9b8e9f6 100644
> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> @@ -24,6 +24,8 @@ ARM_TRUSTED_FIRMWARE_LICENSE = BSD-3-Clause
> ARM_TRUSTED_FIRMWARE_LICENSE_FILES = docs/license.rst
> endif
> endif
> +ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR = arm
> +ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX = cpe:2.3:o
>
> ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE):$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT),y:y)
> BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
* [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Heiko Stuebner via buildroot @ 2026-03-25 15:03 UTC
To: buildroot; +Cc: Etienne Carriere, Quentin Schulz, heiko, Heiko Stuebner
From: Heiko Stuebner <heiko.stuebner@cherry.de>
Trusted-Firmware has been using a number of CPE identifiers in the past
but especially after v2.4, the correct identifier would be similar
to cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*
https://nvd.nist.gov/products/cpe/detail/65DEC230-1CD5-40DB-903A-22537D1E44FE
Add the relevant CPE fields to the trusted-firmware package.
Signed-off-by: Heiko Stuebner <heiko.stuebner@cherry.de>
---
boot/arm-trusted-firmware/arm-trusted-firmware.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index b81ce0d827..6de35dca7a 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -5,6 +5,9 @@
################################################################################
ARM_TRUSTED_FIRMWARE_VERSION = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION))
+ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX = cpe:2.3:o
+ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR = arm
+ARM_TRUSTED_FIRMWARE_CPE_ID_PRODUCT = trusted_firmware-a
ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL),y)
# Handle custom ATF tarballs as specified by the configuration
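Review bot: CPE_ID_PREFIX, CPE_ID_VENDOR and CPE_ID_PRODUCT are set, but CPE_ID_VERSION is left at its default, so the version field of the identifier is the raw BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION value from the line just above, which carries the upstream tag's "v" prefix (and an "lts-" prefix for LTS releases, as raised in the replies), while the NVD entry cited in the commit message uses a bare "2.12". Consider adding, after the three new lines, `ARM_TRUSTED_FIRMWARE_CPE_ID_VERSION = $(patsubst v%,%,$(patsubst lts-%,%,$(ARM_TRUSTED_FIRMWARE_VERSION)))` so the emitted CPE matches what NVD records.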
--
2.51.0
* Re: [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Quentin Schulz via buildroot @ 2026-03-25 16:11 UTC
To: Heiko Stuebner, buildroot; +Cc: Etienne Carriere, Heiko Stuebner
Hi Heiko,
On 3/25/26 4:03 PM, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner@cherry.de>
>
> Trusted-Firmware has been using a number of CPE identifiers in the past
> but especially after v2.4, the correct identifier would be similar
> to cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*
>
> https://nvd.nist.gov/products/cpe/detail/65DEC230-1CD5-40DB-903A-22537D1E44FE
>
> Add the relevant CPE fields to the trusted-firmware package.
>
meta-arm (the official Yocto layer from Arm themselves) reports 4
possible CPEs (cf.
https://git.yoctoproject.org/meta-arm/commit/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc?id=067a259cbd5ad4d2a8c2b4ea2cff5acdc126ccd2),
TF-A source code adds yet another one, cf.
https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/refs/heads/master/docs/sbom.cdx.json.
As far as I could tell, only two CPEs have been used so far. I've sent a
request to NVD to merge existing CPEs (and/or add all existing CPEs to
existing CVEs such that looking for one CPE will return all applicable
CVEs). I've sent a patch
(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/49486)
to TF-A to fix the CycloneDX to avoid yet another CPE appearing (but
since it's been in releases since v2.13, maybe it's "too late" and
someone in the future will use that CPE and NVD won't correct it before
publishing /me shrugs).
cpe:2.3:o:arm:trusted_firmware-a: indeed seems to be the one people now
use to report CVEs as it contains the two newest CVEs for TF-A (the
other CPE with CVEs hasn't seen a new one since 2017).
Yocto supports the SPDX v3 format which allows specifying multiple CPEs
(externalIdentifier) per Software Package. CycloneDX doesn't though...
So I am wondering what's the plan on the Buildroot side here?
OP-TEE OS also has multiple CPEs... the meta-arm Yocto layer reports
linaro:op-tee and op-tee:op-tee_os. Ugh...
Anyway, this looks fine to me so:
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Thanks!
Quentin
* Re: [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Quentin Schulz via buildroot @ 2026-03-25 18:12 UTC
To: Heiko Stuebner, buildroot; +Cc: Etienne Carriere, Heiko Stuebner
Hi Heiko,
On 3/25/26 4:03 PM, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner@cherry.de>
>
> Trusted-Firmware has been using a number of CPE identifiers in the past
> but especially after v2.4, the correct identifier would be similar
> to cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*
>
> https://nvd.nist.gov/products/cpe/detail/65DEC230-1CD5-40DB-903A-22537D1E44FE
>
> Add the relevant CPE fields to the trusted-firmware package.
>
Thinking about it a bit more, I **think** we may want to strip lts-
prefix for the CPE_ID_VERSION. I don't see any version past 2.4 on NVD
so we cannot really know what they'll do once they need to tackle LTSes,
but I am assuming they are NOT going to use the lts- prefix?
What do you think?
Cheers,
Quentin
* Re: [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
From: Heiko Stuebner via buildroot @ 2026-03-26 10:14 UTC
To: buildroot, Quentin Schulz; +Cc: Etienne Carriere, Heiko Stuebner
On Wednesday, 25 March 2026 at 19:12:33 Central European Time, Quentin Schulz wrote:
> Hi Heiko,
>
> On 3/25/26 4:03 PM, Heiko Stuebner wrote:
> > From: Heiko Stuebner <heiko.stuebner@cherry.de>
> >
> > Trusted-Firmware has been using a number of CPE identifiers in the past
> > but especially after v2.4, the correct identifier would be similar
> > to cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*
> >
> > https://nvd.nist.gov/products/cpe/detail/65DEC230-1CD5-40DB-903A-22537D1E44FE
> >
> > Add the relevant CPE fields to the trusted-firmware package.
> >
>
> Thinking about it a bit more, I **think** we may want to strip lts-
> prefix for the CPE_ID_VERSION. I don't see any version past 2.4 on NVD
> so we cannot really know what they'll do once they need to tackle LTSes,
> but I am assuming they are NOT going to use the lts- prefix?
>
> What do you think?
I think you're quite right :-) .
I also realized I messed up the versioning anyway and did not remove
the "v" to match the version used in CPEs.
Done both now in v2.
Thanks for the review
Heiko
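As an added illustration, not code from this thread or from Buildroot: the version normalisation the discussion converged on (dropping the "lts-" and "v" tag prefixes) and the alias problem Quentin describes, where one product is known to NVD under two CPEs. The field layout mimics how Buildroot combines its CPE_ID_* variables as I understand it (prefix:vendor:product:version:update followed by six wildcards, product defaulting to the package name), which is an assumption, and the CVE feed below is constructed with placeholder ids.

```python
import re

# Known (vendor, product) pairs NVD has used for TF-A, per the thread above.
TFA_ALIASES = {("arm", "arm-trusted-firmware"), ("arm", "trusted_firmware-a")}

def cpe_version(raw: str) -> str:
    """Turn a TF-A tag as set in BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
    ('v2.12', 'lts-v2.10.5') into the bare version NVD uses ('2.12', '2.10.5')."""
    return re.sub(r"^(lts-)?v?", "", raw, count=1)

def cpe_id(pkg, version, vendor, product=None, prefix="cpe:2.3:a", update="*"):
    """Assemble a CPE 2.3 formatted string from Buildroot-style CPE_ID_* values.
    Assumed layout: prefix:vendor:product:version:update plus six wildcards,
    with the product defaulting to the package name."""
    product = product or pkg
    return ":".join([prefix, vendor, product, cpe_version(version), update] + ["*"] * 6)

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields. Escaped colons inside
    a field are not handled; none of the TF-A identifiers need them."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, fields[2:]))

def matches_product(cpe: str, aliases) -> bool:
    """True if the CPE names the product under any of its known aliases."""
    f = parse_cpe(cpe)
    return (f["vendor"], f["product"]) in aliases

def applicable_cves(records, aliases):
    """CVE ids from (cve_id, cpe) records that name any alias: a scanner that
    only looks up the single CPE Buildroot emits would miss the other alias."""
    return sorted({cve for cve, cpe in records if matches_product(cpe, aliases)})

# Constructed sample feed with placeholder CVE ids; the two TF-A CPEs are the
# identifiers quoted in the thread, the OP-TEE entry is an unrelated decoy.
SAMPLE_FEED = [
    ("CVE-XXXX-0001", "cpe:2.3:o:arm:arm-trusted-firmware:2.4:-:*:*:*:*:*:*"),
    ("CVE-XXXX-0002", "cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*"),
    ("CVE-XXXX-0003", "cpe:2.3:a:linaro:op-tee:3.0.0:*:*:*:*:*:*:*"),
]
```

Running `applicable_cves(SAMPLE_FEED, TFA_ALIASES)` returns both TF-A placeholder ids, whereas matching on a single alias would return only one of them.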