Message ID | 1552082667-46877-3-git-send-email-matthew.weber@rockwellcollins.com
---|---
State | Changes Requested
Series | Package CPE Reporting
On 08/03/2019 23:04, Matt Weber wrote: > There are two types of software CPE prefixes applicable for software, > one for applications and one for operating systems. > Note: The third type is for hardware. > > This patchset determines which should be used and stores that > information with the package for later use when assembling the CPE > report. > > Refs: > https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf > https://cpe.mitre.org/specification/ > > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> > --- > Changes > > v8 > - Rebase > > v4 -> v7 > - None > > v3 > [Arnout > - Moved CPE prefix and suffix defines to package/Makefile.in > > v1 -> v2 > [Thomas P > - Change to using a filter on pkg name value vs ifelse > --- > package/Makefile.in | 4 ++++ > package/pkg-generic.mk | 8 +++++++- > 2 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/package/Makefile.in b/package/Makefile.in > index dc818a2..644282f 100644 > --- a/package/Makefile.in > +++ b/package/Makefile.in > @@ -389,6 +389,10 @@ TARGET_CONFIGURE_ARGS = \ > > ################################################################################ > > +CPE_PREFIX_OS = cpe:2.3:o > +CPE_PREFIX_APP = cpe:2.3:a > +CPE_SUFFIX = *:*:*:*:*:*:* This is not correct. For Python packages, for instance, the language field is set to python. > + > ifeq ($(BR2_SYSTEM_ENABLE_NLS),y) > NLS_OPTS = --enable-nls > TARGET_NLS_DEPENDENCIES = host-gettext > diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk > index 644128d..a547c65 100644 > --- a/package/pkg-generic.mk > +++ b/package/pkg-generic.mk 
> @@ -916,11 +916,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME) > $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION) > $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION) > > +ifneq ($(filter linux linux-headers,$(1)),) > +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS) The linux and linux-headers packages are so special that I don't think it makes sense to have a separate rule here. For example, the value of LINUX_VERSION is probably NOT what you want to use in CPE_ID. Regards, Arnout > +else > +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP) > +endif > + > $(1)-cpe-info: PKG=$(2) > $(1)-cpe-info: > ifneq ($$(call qstrip,$$($(2)_SOURCE)),) > @$$(call MESSAGE,"Collecting cpe info") > - $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) > + $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) > endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),) > > # legal-info: declare dependencies and set values used later for the manifest >
diff --git a/package/Makefile.in b/package/Makefile.in index dc818a2..644282f 100644 --- a/package/Makefile.in +++ b/package/Makefile.in @@ -389,6 +389,10 @@ TARGET_CONFIGURE_ARGS = \ ################################################################################ +CPE_PREFIX_OS = cpe:2.3:o +CPE_PREFIX_APP = cpe:2.3:a +CPE_SUFFIX = *:*:*:*:*:*:* + ifeq ($(BR2_SYSTEM_ENABLE_NLS),y) NLS_OPTS = --enable-nls TARGET_NLS_DEPENDENCIES = host-gettext diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index 644128d..a547c65 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -916,11 +916,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME) $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION) $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION) +ifneq ($(filter linux linux-headers,$(1)),) +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS) +else +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP) +endif + $(1)-cpe-info: PKG=$(2) $(1)-cpe-info: ifneq ($$(call qstrip,$$($(2)_SOURCE)),) @$$(call MESSAGE,"Collecting cpe info") - $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) + $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),) # legal-info: declare dependencies and set values used later for the manifest
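Review bot: the `CPE_SUFFIX = *:*:*:*:*:*:*` line in the package/Makefile.in hunk fixes all seven trailing CPE attributes (update through other) to wildcards for every package, so a package that needs a concrete value in one of them, such as the python case raised in the review, has no way to set it. Suggest keeping the global default but exposing it per package in pkg-generic.mk with a `?=` default next to the existing `$(2)_CPE_ID_VENDOR` / `_NAME` / `_VERSION` knobs, so a package .mk can override only the suffix; a name such as `$(2)_CPE_ID_SUFFIX` is a suggestion, not an existing variable. Since the value consists of `*` characters and is passed into a recipe through `$$(call cpe-manifest,...)`, it is also worth confirming that cpe-manifest quotes that argument before the shell sees it, as an unquoted `*` is glob-expanded.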
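Review bot: the `ifneq ($(filter linux linux-headers,$(1)),)` test in the package/pkg-generic.mk hunk decides the CPE part from a hardcoded package-name list, which is fragile and, as the review points out, does not fit these packages anyway: `$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)` a few lines above means a kernel built from a custom git reference or tarball reports that reference rather than a kernel version the NVD knows, and linux-headers is a set of headers, not an operating system. Suggest making the prefix a per-package variable with an application default (e.g. `$(2)_CPE_PREFIX ?= $(CPE_PREFIX_APP)`, reusing the name the hunk already introduces) and letting linux.mk set `$(CPE_PREFIX_OS)` explicitly, which also removes the else branch. The new `$(2)_CPE_PREFIX` variable and the changed first argument of cpe-manifest are undocumented: the diffstat touches only the two .mk files, so wherever the series documents the `_CPE_ID_*` variables should be updated alongside this change.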
There are two types of software CPE prefixes applicable for software,
one for applications and one for operating systems.
Note: The third type is for hardware.

This patchset determines which should be used and stores that
information with the package for later use when assembling the CPE
report.

Refs:
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
- Rebase

v4 -> v7
- None

v3
[Arnout
- Moved CPE prefix and suffix defines to package/Makefile.in

v1 -> v2
[Thomas P
- Change to using a filter on pkg name value vs ifelse
---
package/Makefile.in | 4 ++++
package/pkg-generic.mk | 8 +++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
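The assembly the patch performs (prefix, then vendor:product:version, then the all-wildcard suffix) and the 13-component shape of a CPE 2.3 formatted string, worked through as an added Python example that is not part of the patch or of Buildroot. It mirrors the patch's three constants and its linux/linux-headers name test, parses the result back into the attribute names and order given in NISTIR 7695 (the reference the commit message cites), and shows a `with_fields` helper that sets a single trailing attribute such as target_sw, which is the kind of per-package override the review's python remark asks for. The package names, vendors and versions used at the bottom are constructed sample values, and `OS_PACKAGES`, `buildroot_cpe`, `parse_cpe23` and `with_fields` are names chosen for this example only.

```python
import re

# Attribute order of a CPE 2.3 formatted string (NISTIR 7695): the literal
# "cpe:2.3:" is followed by these eleven colon-separated fields.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# The three constants the patch adds to package/Makefile.in.
CPE_PREFIX_OS = "cpe:2.3:o"
CPE_PREFIX_APP = "cpe:2.3:a"
CPE_SUFFIX = "*:*:*:*:*:*:*"

# Package names the patch's $(filter linux linux-headers,$(1)) treats as an OS.
OS_PACKAGES = ("linux", "linux-headers")


def buildroot_cpe(pkg_name, vendor, product, version):
    """Mirror the patch: pick the prefix from the package name, then join
    prefix, <vendor>:<product>:<version> and the all-wildcard suffix."""
    prefix = CPE_PREFIX_OS if pkg_name in OS_PACKAGES else CPE_PREFIX_APP
    cpe_id = f"{vendor}:{product}:{version}"
    return f"{prefix}:{cpe_id}:{CPE_SUFFIX}"


def _split(cpe):
    # A literal ':' inside a value is written '\:' in a formatted string,
    # so split only on colons that are not backslash-escaped.
    return re.split(r"(?<!\\):", cpe)


def parse_cpe23(cpe):
    """Check the shape of a formatted string and return its named fields.
    Raises ValueError for anything that is not a 13-component 2.3 name."""
    parts = _split(cpe)
    if len(parts) != 13:
        raise ValueError(f"expected 13 components, got {len(parts)}: {cpe}")
    if parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    fields = dict(zip(FIELDS, parts[2:]))
    if fields["part"] not in ("a", "o", "h"):
        raise ValueError(f"part must be a, o or h: {fields['part']}")
    if any(value == "" for value in fields.values()):
        raise ValueError(f"empty component (use '*' or '-' instead): {cpe}")
    return fields


def with_fields(cpe, **overrides):
    """Return a copy of cpe with some fields replaced, e.g. target_sw='python',
    which a single global CPE_SUFFIX cannot express."""
    fields = parse_cpe23(cpe)
    for name, value in overrides.items():
        if name not in FIELDS:
            raise ValueError(f"unknown CPE field: {name}")
        fields[name] = value
    return "cpe:2.3:" + ":".join(fields[f] for f in FIELDS)


if __name__ == "__main__":
    # Constructed sample packages, not taken from the Buildroot tree.
    samples = (
        ("busybox", "busybox", "busybox", "1.30.1"),
        ("linux", "linux", "linux_kernel", "4.19"),
        ("python-requests", "python-requests", "requests", "2.21.0"),
    )
    for name, vendor, product, version in samples:
        cpe = buildroot_cpe(name, vendor, product, version)
        print(cpe, "->", parse_cpe23(cpe)["part"])
    requests_cpe = buildroot_cpe(*samples[2])
    print(with_fields(requests_cpe, target_sw="python"))
```

Running it prints the three assembled names with their part letter, then the requests name with target_sw set to python in place of the ninth wildcard; feeding the output of a real cpe-manifest run through `parse_cpe23` is a cheap way to catch a manifest entry whose vendor, product or version came out empty.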