Message ID | 20201104145145.1316167-5-thomas.petazzoni@bootlin.com |
---|---|
State | Accepted |
Series | Introduce CPE ID matching for CVEs |
Thomas,

On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt > index b8bfcb4aff..3fcf741a1a 100644 > --- a/docs/manual/adding-packages-generic.txt > +++ b/docs/manual/adding-packages-generic.txt
> @@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345 > LIBFOO_IGNORE_CVES += CVE-2020-54321 > ---------------------- > > +* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the > + package to define its https://nvd.nist.gov/products/cpe[CPE > + identifier]. The available variables are: > ++ > +-- > +** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier, > + i.e the first three fields. When not defined, the default value is > + +cpe:2.3:a+. > + > +** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE > + identifier. When not defined, the default value is > + +<pkgname>_project+. > + > +** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE > + identifier. When not defined, the default value is +<pkgname>+. > + > +** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE > + identifier. When not defined the default value is > + +$(LIBFOO_VERSION)+. > + > +** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the > + CPE identifier. When not defined the default value is +*+. > +-- > ++ > +If any of those variables is defined, then the generic package > +infrastructure assumes the package provides valid CPE information. In > +this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic > +package infrastructure will define +LIBFOO_CPE_ID+. > ++ > +Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID > += YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+, > ++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+, > ++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct > +for this package and don't need to be explicitly overridden. > ++ > +For a host package, if its +LIBFOO_CPE_ID_*+ variables are not > +defined, it inherits the value of those variables from the > +corresponding target package. > + > The recommended way to define these variables is to use the following > syntax: > Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Hi Thomas,

On Wed, 4 Nov 2020 at 15:52, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
>
> diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt > index b8bfcb4aff..3fcf741a1a 100644 > --- a/docs/manual/adding-packages-generic.txt > +++ b/docs/manual/adding-packages-generic.txt
> @@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345 > LIBFOO_IGNORE_CVES += CVE-2020-54321 > ---------------------- > > +* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the > + package to define its https://nvd.nist.gov/products/cpe[CPE > + identifier]. The available variables are: > ++ > +-- > +** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier, > + i.e the first three fields. When not defined, the default value is > + +cpe:2.3:a+. > + > +** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE > + identifier. When not defined, the default value is > + +<pkgname>_project+. > + > +** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE > + identifier. When not defined, the default value is +<pkgname>+. > + > +** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE > + identifier. When not defined the default value is > + +$(LIBFOO_VERSION)+. > + > +** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the > + CPE identifier. When not defined the default value is +*+. > +-- > ++ > +If any of those variables is defined, then the generic package > +infrastructure assumes the package provides valid CPE information. In > +this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic s/sent/set/ ? > +package infrastructure will define +LIBFOO_CPE_ID+. > ++ > +Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID > += YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+, > ++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+, > ++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct > +for this package and don't need to be explicitly overridden. > ++ > +For a host package, if its +LIBFOO_CPE_ID_*+ variables are not > +defined, it inherits the value of those variables from the > +corresponding target package. > + > The recommended way to define these variables is to use the following > syntax: > Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
On Wed, 4 Nov 2020 15:51:38 +0100 Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)

Both Matt and Heiko have given their Reviewed-by, so I have applied. I have fixed when applying the typo reported by Heiko.

Thomas
diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt index b8bfcb4aff..3fcf741a1a 100644 --- a/docs/manual/adding-packages-generic.txt +++ b/docs/manual/adding-packages-generic.txt 
@@ -502,6 +502,45 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345 LIBFOO_IGNORE_CVES += CVE-2020-54321 ---------------------- +* +LIBFOO_CPE_ID_*+ variables is a set of variables that allows the + package to define its https://nvd.nist.gov/products/cpe[CPE + identifier]. The available variables are: ++ +-- +** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier, + i.e the first three fields. When not defined, the default value is + +cpe:2.3:a+. + +** +LIBFOO_CPE_ID_VENDOR+, specifies the vendor part of the CPE + identifier. When not defined, the default value is + +<pkgname>_project+. + +** +LIBFOO_CPE_ID_PRODUCT+, specifies the product part of the CPE + identifier. When not defined, the default value is +<pkgname>+. + +** +LIBFOO_CPE_ID_VERSION+, specifies the version part of the CPE + identifier. When not defined the default value is + +$(LIBFOO_VERSION)+. + +** +LIBFOO_CPE_ID_VERSION_MINOR+ specifies the _update_ part of the + CPE identifier. When not defined the default value is +*+. +-- ++ +If any of those variables is defined, then the generic package +infrastructure assumes the package provides valid CPE information. In +this case, +LIBFOO_CPE_ID_VALID = YES+ will be sent, and the generic +package infrastructure will define +LIBFOO_CPE_ID+. ++ +Alternatively, a package can also explicitly set +LIBFOO_CPE_ID_VALID += YES+ if the default values for +LIBFOO_CPE_ID_PREFIX+, ++LIBFOO_CPE_ID_VENDOR+, +LIBFOO_CPE_ID_PRODUCT+, ++LIBFOO_CPE_ID_VERSION+, +LIBFOO_CPE_ID_VERSION_MINOR+ are all correct +for this package and don't need to be explicitly overridden. ++ +For a host package, if its +LIBFOO_CPE_ID_*+ variables are not +defined, it inherits the value of those variables from the +corresponding target package. + The recommended way to define these variables is to use the following syntax:
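Review bot: The paragraph starting "If any of those variables is defined" lets a single override mark the whole identifier as valid, so a package that sets only LIBFOO_CPE_ID_VENDOR silently vouches for the defaults of the other four fields as well; since these identifiers are used for CVE matching, a wrong default that nobody checked means missed matches. I would add a sentence there telling the packager to check every field of the resulting LIBFOO_CPE_ID against the NVD dictionary linked in the first bullet, not just the one being overridden, and the same for the explicit LIBFOO_CPE_ID_VALID = YES case. It would also help to state what happens when none of the variables is defined and LIBFOO_CPE_ID_VALID is not set, and to show one assembled LIBFOO_CPE_ID so it is clear where each variable lands. LIBFOO_CPE_ID_VERSION_MINOR is described as the _update_ part, so the name and the field do not match; a few words in that bullet on why would avoid people putting a minor version number in it. Wording: "will be sent" should be "will be set", "variables is a set" should be "variables are a set", "i.e the" needs "i.e.", and the fifth bullet lacks the comma after the variable name that the first four have.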
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
docs/manual/adding-packages-generic.txt | 39 +++++++++++++++++++++++++
1 file changed, 39 insertions(+)