From: Quentin Schulz via buildroot <buildroot@buildroot.org>
To: Heiko Stuebner <heiko@sntech.de>, buildroot@buildroot.org
Cc: Etienne Carriere <etienne.carriere@foss.st.com>,
Heiko Stuebner <heiko.stuebner@cherry.de>
Subject: Re: [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*
Date: Wed, 25 Mar 2026 17:11:42 +0100
Message-ID: <ae06ae1d-7bf6-4668-a8fe-2c96e92b1ad6@cherry.de>
In-Reply-To: <20260325150346.414826-1-heiko@sntech.de>
Hi Heiko,
On 3/25/26 4:03 PM, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner@cherry.de>
>
> Trusted-Firmware has been using a number of CPE identifiers in the past
> but especially after v2.4, the correct identifier would be similar
> to cpe:2.3:o:arm:trusted_firmware-a:2.12:rc0:*:*:-:*:*:*
>
> https://nvd.nist.gov/products/cpe/detail/65DEC230-1CD5-40DB-903A-22537D1E44FE
>
> Add the relevant CPE fields to the trusted-firmware package.
>
meta-arm (the official Yocto layer from Arm themselves) reports 4
possible CPEs (cf.
https://git.yoctoproject.org/meta-arm/commit/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc?id=067a259cbd5ad4d2a8c2b4ea2cff5acdc126ccd2),
TF-A source code adds yet another one, cf.
https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/refs/heads/master/docs/sbom.cdx.json.
As far as I could tell, only two CPEs have been used so far. I've sent a
request to NVD to merge existing CPEs (and/or add all existing CPEs to
existing CVEs such that looking for one CPE will return all applicable
CVEs). I've sent a patch
(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/49486)
to TF-A to fix the CycloneDX to avoid yet another CPE to appear (but
since it's been in releases since v2.13, maybe it's "too late" and
someone in the future will use that CPE and NVD won't correct it before
publishing /me shrugs).
cpe:2.3:o:arm:trusted_firmware-a: indeed seems to be the one people now
use to report CVEs as it contains the two newest CVEs for TF-A (the
other CPE with CVEs hasn't seen a new one since 2017).
Yocto supports the SPDX v3 format which allows specifying multiple CPEs
(externalIdentifier) per Software Package. CycloneDX doesn't though...
So I am wondering what's the plan on Buildroot-side here?
OP-TEE OS also has multiple CPEs... meta-arm Yocto layer reports
linaro:op-tee and op-tee:op-tee_os. Ugh...
Anyway, this looks fine to me so:
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Thanks!
Quentin
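The practical consequence of the alias problem discussed in this message (a package whose CVEs are filed under more than one CPE) is easy to see in code. The block below is an added example and is not part of this thread, of Buildroot, or of TF-A: it composes a CPE 2.3 name from Buildroot-style `<PKG>_CPE_ID_{PREFIX,VENDOR,PRODUCT,VERSION,UPDATE}` fields (the assumed layout of those variables, with all remaining attributes left as ANY), then checks a package's list of CPE aliases against NVD-style match criteria (a CPE name plus an optional version range). The CVE identifiers and the criteria are constructed sample data, and the `arm:arm_trusted_firmware` alias is a hypothetical stand-in for the older names meta-arm lists; only `cpe:2.3:o:arm:trusted_firmware-a` and the OP-TEE vendor/product pairs come from the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# CPE 2.3 formatted-string attributes, in order, after the "cpe:2.3" prefix.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # CPE logical value ANY
NA = "-"    # CPE logical value NA (not applicable)


def cpe_from_fields(vendor: str, product: str, version: str,
                    update: str = ANY, prefix: str = "cpe:2.3:a") -> str:
    """Compose a CPE 2.3 name from Buildroot-style CPE_ID_* fields.
    Assumption: prefix carries "cpe:2.3:<part>" and every attribute after
    update is left as ANY, which is how the sample fields here are treated."""
    return ":".join((prefix, vendor, product, version, update) + (ANY,) * 6)


def parse_cpe(cpe: str) -> dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 attributes.
    Escaped colons ("\\:") are not handled; none of the names above need them."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_ATTRS, parts[2:]))


def version_key(version: str) -> tuple[int, ...]:
    """Numeric components only ("2.12" -> (2, 12)); enough for range checks."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Criterion:
    """One NVD-style CPE match criterion: a CPE name plus optional version range."""
    cpe: str
    version_start_including: str | None = None
    version_end_excluding: str | None = None

    def matches(self, candidate: str) -> bool:
        want, have = parse_cpe(self.cpe), parse_cpe(candidate)
        # part/vendor/product must agree unless the criterion says ANY.
        for attr in ("part", "vendor", "product"):
            if want[attr] != ANY and want[attr] != have[attr]:
                return False
        # A version/update pinned on the criterion side must match exactly.
        for attr in ("version", "update"):
            if want[attr] not in (ANY, NA) and want[attr] != have[attr]:
                return False
        # Otherwise NVD expresses the affected versions as a range.
        v = version_key(have["version"])
        if self.version_start_including and v < version_key(self.version_start_including):
            return False
        if self.version_end_excluding and v >= version_key(self.version_end_excluding):
            return False
        return True


def affected_cves(package_cpes: list[str],
                  cve_db: dict[str, list[Criterion]]) -> set[str]:
    """Ids of the CVEs whose criteria match any of the package's CPE aliases."""
    return {cve_id for cve_id, criteria in cve_db.items()
            if any(c.matches(cpe) for c in criteria for cpe in package_cpes)}


# Constructed sample data (not real CVEs). TFA_CURRENT is the name the thread
# says NVD now uses; TFA_LEGACY is a hypothetical older alias.
TFA_CURRENT = cpe_from_fields("arm", "trusted_firmware-a", "2.12", prefix="cpe:2.3:o")
TFA_LEGACY = cpe_from_fields("arm", "arm_trusted_firmware", "2.12")

SAMPLE_CVE_DB = {
    "EXAMPLE-0001": [Criterion("cpe:2.3:o:arm:trusted_firmware-a:*:*:*:*:*:*:*:*",
                               version_end_excluding="2.13")],
    "EXAMPLE-0002": [Criterion("cpe:2.3:a:arm:arm_trusted_firmware:*:*:*:*:*:*:*:*",
                               version_end_excluding="1.4")],
    "EXAMPLE-0003": [Criterion("cpe:2.3:a:arm:arm_trusted_firmware:2.12:*:*:*:*:*:*:*")],
    "EXAMPLE-0004": [Criterion("cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:*")],
}

if __name__ == "__main__":
    print("single CPE :", sorted(affected_cves([TFA_CURRENT], SAMPLE_CVE_DB)))
    print("with alias :", sorted(affected_cves([TFA_CURRENT, TFA_LEGACY], SAMPLE_CVE_DB)))
```

With only the current name, EXAMPLE-0003 is missed even though it is pinned to the very version being built; adding the alias to the package's CPE list picks it up, while EXAMPLE-0002 is still (correctly) excluded by its version range. That is the gap a single `CPE_ID_*` set per package leaves open until NVD merges the aliases or the SBOM format can carry more than one identifier.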
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview: 6+ messages
2026-03-25 15:03 [Buildroot] [PATCH] package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_* Heiko Stuebner via buildroot
2026-03-25 16:11 ` Quentin Schulz via buildroot [this message]
2026-03-25 18:12 ` Quentin Schulz via buildroot
2026-03-26 10:14 ` Heiko Stuebner via buildroot
-- strict thread matches above, loose matches on Subject: below --
2024-02-28 14:51 Christian Hitz via buildroot
2024-03-03 17:07 ` Arnout Vandecappelle via buildroot