Message ID | 20201104145145.1316167-4-thomas.petazzoni@bootlin.com |
---|---|
State | Accepted |
Series | Introduce CPE ID matching for CVEs |
Thomas / Greg,

On Wed, Nov 4, 2020 at 8:53 AM Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
>
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
>
> cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
>
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
>
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
>
> - <pkg>_CPE_ID_VENDOR
> - <pkg>_CPE_ID_PRODUCT
> - <pkg>_CPE_ID_VERSION
> - <pkg>_CPE_ID_VERSION_MINOR
> - <pkg>_CPE_ID_PREFIX
>
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
>
> $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
>
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
>
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
>
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.

Oh good call, so we don't need to explicitly set the VALID if we've
already tailored it.

>
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value

Spelling thise -> this

This was a good addition as now it is easy to tell what has been verified.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Hello,

On Wed, 4 Nov 2020 11:03:04 -0600
Matthew Weber <matthew.weber@rockwellcollins.com> wrote:

> > If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> > by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> > generic package infrastructure.
>
> Oh good call, so we don't need to explicitly set the VALID if we've
> already tailored it.

That is the idea. The only thing I am not fully happy with is that a
package can't set directly <pkg>_CPE_ID, only the infrastructure can do
that. I couldn't figure out a reasonable way to allow a package to set
<pkg>_CPE_ID while still keeping the generic-package code simple enough
*and* match the other constraints that we have.

Thanks,

Thomas
Hi Thomas,

On Wed, 4 Nov 2020 at 15:52, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
>
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
>
> cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
>
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
>
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
>
> - <pkg>_CPE_ID_VENDOR
> - <pkg>_CPE_ID_PRODUCT
> - <pkg>_CPE_ID_VERSION
> - <pkg>_CPE_ID_VERSION_MINOR
> - <pkg>_CPE_ID_PREFIX
>
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
>
> $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
>
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
>
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
>
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.
>
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value
> for <pkg>_CPE_ID.
>
> The <pkg>_CPE_ID_* values for the host package are inherited from the
> same variables of the corresponding target package, as we normally do
> for most package variables.
>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> package/pkg-generic.mk | 70 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 70 insertions(+)
>
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 54de03da03..621fb91424 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -608,6 +608,76 @@ $(2)_REDISTRIBUTE ?= YES > > $(2)_REDIST_SOURCES_DIR = $$(REDIST_SOURCES_DIR_$$(call UPPERCASE,$(4)))/$$($(2)_BASENAME_RAW) > > +# If any of the <pkg>_CPE_ID_* variables are set, we assume the CPE ID > +# information is valid for this package. > +ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)$$($(2)_CPE_ID_VERSION)$$($(2)_CPE_ID_VERSION_MINOR)$$($(2)_CPE_ID_PREFIX),) > +$(2)_CPE_ID_VALID = YES > +endif > + > +# When we're a host package, make sure to use the variables of the > +# corresponding target package, if any. > +ifneq ($$($(3)_CPE_ID_VENDOR)$$($(3)_CPE_ID_NAME)$$($(3)_CPE_ID_VERSION)$$($(3)_CPE_ID_VERSION_MINOR)$$($(3)_CPE_ID_PREFIX),) > +$(2)_CPE_ID_VALID = YES > +endif > + > +# If the CPE ID is valid for the target package so it is for the host > +# package > +ifndef $(2)_CPE_ID_VALID > + ifdef $(3)_CPE_ID_VALID > + $(2)_CPE_ID_VALID = $$($(3)_CPE_ID_VALID) > + endif > +endif > + > +ifeq ($$($(2)_CPE_ID_VALID),YES) > + # CPE_ID_VENDOR > + ifndef $(2)_CPE_ID_VENDOR > + ifdef $(3)_CPE_ID_VENDOR > + $(2)_CPE_ID_VENDOR = $$($(3)_CPE_ID_VENDOR) > + else > + $(2)_CPE_ID_VENDOR = $$($(2)_RAWNAME)_project > + endif > + endif > + > + # CPE_ID_NAME > + ifndef $(2)_CPE_ID_NAME > + ifdef $(3)_CPE_ID_NAME > + $(2)_CPE_ID_NAME = $$($(3)_CPE_ID_NAME) > + else > + $(2)_CPE_ID_NAME = $$($(2)_RAWNAME) > + endif > + endif > + > + # CPE_ID_VERSION > + ifndef $(2)_CPE_ID_VERSION > + ifdef $(3)_CPE_ID_VERSION > + $(2)_CPE_ID_VERSION = $$($(3)_CPE_ID_VERSION) > + else > + $(2)_CPE_ID_VERSION = $$($(2)_VERSION) > + endif > + endif > + > + # CPE_ID_VERSION_MINOR > + ifndef $(2)_CPE_ID_VERSION_MINOR > + ifdef $(3)_CPE_ID_VERSION_MINOR > + $(2)_CPE_ID_VERSION_MINOR = $$($(3)_CPE_ID_VERSION_MINOR) > + else > + $(2)_CPE_ID_VERSION_MINOR = * > + endif > + endif > + > + # CPE_ID_PREFIX > + ifndef $(2)_CPE_ID_PREFIX > + ifdef $(3)_CPE_ID_PREFIX > + $(2)_CPE_ID_PREFIX = $$($(3)_CPE_ID_PREFIX) > + else > + $(2)_CPE_ID_PREFIX = cpe:2.3:a > + endif > + endif > + > 
+ # Calculate complete CPE ID > + $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:* > +endif # ifeq ($$($(2)_CPE_ID_VALID),YES) > + > # When a target package is a toolchain dependency set this variable to > # 'NO' so the 'toolchain' dependency is not added to prevent a circular > # dependency.

Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>

Thank you
On Wed, 4 Nov 2020 15:51:37 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Currently, the match between Buildroot packages and CVEs is solely
> based on the package names. Unfortunately, as one can imagine, there
> isn't necessarily a strict mapping between Buildroot package names,
> and how software projects are referenced in the National Vulnerability
> Database (NVD) which we use.
>
> The NVD has defined the concept of CPE (Common Platform Enumeration)
> identifiers, which uniquely identifies software components based on
> string looking like this:
>
> cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*
>
> In particular, this CPE identifier contains a vendor name (here
> "netsurf-browser"), a product name (here "libnsbmp") and a version
> (here "0.1.2").
>
> This patch series introduces the concept of CPE ID in Buildroot, where
> each package can be associated to a CPE ID. A package can define one
> or several of:
>
> - <pkg>_CPE_ID_VENDOR
> - <pkg>_CPE_ID_PRODUCT
> - <pkg>_CPE_ID_VERSION
> - <pkg>_CPE_ID_VERSION_MINOR
> - <pkg>_CPE_ID_PREFIX
>
> If one or several of those variables are defined, then the
> <pkg>_CPE_ID will be defined by the generic package infrastructure as
> follows:
>
> $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
>
> <pkg>_CPE_ID_* variables that are not explicitly specified by the
> package will carry a default value defined by the generic package
> infrastructure.
>
> If a package is happy with the default <pkg>_CPE_ID, and therefore
> does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
> can set <pkg>_CPE_ID_VALID = YES.
>
> If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
> by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
> generic package infrastructure.
>
> Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
> be defined. Indeed, we want to be able to distinguish packages for
> which the CPE ID information has been checked and is considered valid,
> from packages for which the CPE ID information has never been
> verified. For thise reason, we cannot simply define a default value
> for <pkg>_CPE_ID.
>
> The <pkg>_CPE_ID_* values for the host package are inherited from the
> same variables of the corresponding target package, as we normally do
> for most package variables.
>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> package/pkg-generic.mk | 70 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 70 insertions(+)

Considering this has been started by Matt Weber, then looked at by
Grégory Clement, then by me, and finally Reviewed-by both Matt and
Heiko, I've applied this change to next.

Thanks!

Thomas
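The derivation rules the commit message describes, as an added Python example that is not part of the patch or of Buildroot's own tooling: `buildroot_cpe_id` stands in for the make logic (its `rawname`/`pkg_version` arguments play the role of `$(2)_RAWNAME`/`$(2)_VERSION`, the keyword overrides the role of the `<pkg>_CPE_ID_*` variables, and `valid` the role of an explicit `<pkg>_CPE_ID_VALID = YES`), `parse_cpe23` checks the 13-field CPE 2.3 layout, and `cpe_matches` is a simplified wildcard comparison against an NVD-style string; all sample values are constructed.

```python
# Added example, not Buildroot code: mirrors the <pkg>_CPE_ID derivation
# rules from the patch and checks the result against a CPE 2.3 string.

# The 13 colon-separated components of a CPE 2.3 formatted string.
CPE23_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version",
                "update", "edition", "language", "sw_edition", "target_sw",
                "target_hw", "other")

# Keyword names standing in for <pkg>_CPE_ID_{VENDOR,NAME,VERSION,VERSION_MINOR,PREFIX}.
OVERRIDES = {"vendor", "name", "version", "version_minor", "prefix"}


def buildroot_cpe_id(rawname, pkg_version, valid=False, **overrides):
    """Return the CPE ID the generic infrastructure would derive, or None."""
    bad = set(overrides) - OVERRIDES
    if bad:
        raise ValueError(f"unknown <pkg>_CPE_ID_* override(s): {sorted(bad)}")
    # make's ifdef/ifneq treat a variable set to the empty string as unset.
    overrides = {k: v for k, v in overrides.items() if v}
    # Any explicitly set <pkg>_CPE_ID_* variable implies <pkg>_CPE_ID_VALID = YES.
    if overrides:
        valid = True
    if not valid:
        return None  # never verified: the infrastructure defines no <pkg>_CPE_ID
    prefix = overrides.get("prefix", "cpe:2.3:a")            # part 'a' = application
    vendor = overrides.get("vendor", f"{rawname}_project")   # common NVD vendor convention
    product = overrides.get("name", rawname)
    ver = overrides.get("version", pkg_version)
    minor = overrides.get("version_minor", "*")              # lands in the CPE 'update' field
    return f"{prefix}:{vendor}:{product}:{ver}:{minor}:*:*:*:*:*:*"


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a field dict; reject malformed input."""
    parts = cpe.split(":")
    if len(parts) != len(CPE23_FIELDS) or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts))


def cpe_matches(pkg_cpe, nvd_cpe):
    """Simplified comparison: each field must be equal or '*' (ANY) on either side."""
    a, b = parse_cpe23(pkg_cpe), parse_cpe23(nvd_cpe)
    return all(a[f] == b[f] or "*" in (a[f], b[f]) for f in CPE23_FIELDS)


if __name__ == "__main__":
    # Constructed sample: the libnsbmp package from the commit message.
    print(buildroot_cpe_id("libnsbmp", "0.1.2"))                            # no VALID: None
    print(buildroot_cpe_id("libnsbmp", "0.1.2", vendor="netsurf-browser"))  # override => valid
```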
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index 54de03da03..621fb91424 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk 
@@ -608,6 +608,76 @@ $(2)_REDISTRIBUTE ?= YES $(2)_REDIST_SOURCES_DIR = $$(REDIST_SOURCES_DIR_$$(call UPPERCASE,$(4)))/$$($(2)_BASENAME_RAW) +# If any of the <pkg>_CPE_ID_* variables are set, we assume the CPE ID +# information is valid for this package. +ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)$$($(2)_CPE_ID_VERSION)$$($(2)_CPE_ID_VERSION_MINOR)$$($(2)_CPE_ID_PREFIX),) +$(2)_CPE_ID_VALID = YES +endif + +# When we're a host package, make sure to use the variables of the +# corresponding target package, if any. +ifneq ($$($(3)_CPE_ID_VENDOR)$$($(3)_CPE_ID_NAME)$$($(3)_CPE_ID_VERSION)$$($(3)_CPE_ID_VERSION_MINOR)$$($(3)_CPE_ID_PREFIX),) +$(2)_CPE_ID_VALID = YES +endif + +# If the CPE ID is valid for the target package so it is for the host +# package +ifndef $(2)_CPE_ID_VALID + ifdef $(3)_CPE_ID_VALID + $(2)_CPE_ID_VALID = $$($(3)_CPE_ID_VALID) + endif +endif + +ifeq ($$($(2)_CPE_ID_VALID),YES) + # CPE_ID_VENDOR + ifndef $(2)_CPE_ID_VENDOR + ifdef $(3)_CPE_ID_VENDOR + $(2)_CPE_ID_VENDOR = $$($(3)_CPE_ID_VENDOR) + else + $(2)_CPE_ID_VENDOR = $$($(2)_RAWNAME)_project + endif + endif + + # CPE_ID_NAME + ifndef $(2)_CPE_ID_NAME + ifdef $(3)_CPE_ID_NAME + $(2)_CPE_ID_NAME = $$($(3)_CPE_ID_NAME) + else + $(2)_CPE_ID_NAME = $$($(2)_RAWNAME) + endif + endif + + # CPE_ID_VERSION + ifndef $(2)_CPE_ID_VERSION + ifdef $(3)_CPE_ID_VERSION + $(2)_CPE_ID_VERSION = $$($(3)_CPE_ID_VERSION) + else + $(2)_CPE_ID_VERSION = $$($(2)_VERSION) + endif + endif + + # CPE_ID_VERSION_MINOR + ifndef $(2)_CPE_ID_VERSION_MINOR + ifdef $(3)_CPE_ID_VERSION_MINOR + $(2)_CPE_ID_VERSION_MINOR = $$($(3)_CPE_ID_VERSION_MINOR) + else + $(2)_CPE_ID_VERSION_MINOR = * + endif + endif + + # CPE_ID_PREFIX + ifndef $(2)_CPE_ID_PREFIX + ifdef $(3)_CPE_ID_PREFIX + $(2)_CPE_ID_PREFIX = $$($(3)_CPE_ID_PREFIX) + else + $(2)_CPE_ID_PREFIX = cpe:2.3:a + endif + endif + + # Calculate complete CPE ID + $(2)_CPE_ID = 
$$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:* +endif # ifeq ($$($(2)_CPE_ID_VALID),YES) + # When a target package is a toolchain dependency set this variable to # 'NO' so the 'toolchain' dependency is not added to prevent a circular # dependency.
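Review bot: The variable list in the commit message names `<pkg>_CPE_ID_PRODUCT`, but this hunk (and the `$(2)_CPE_ID` formula in the same message) uses `$(2)_CPE_ID_NAME` throughout, so a package that follows the message and sets `<pkg>_CPE_ID_PRODUCT` would be silently ignored: the `ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)...,)` guard only tests VENDOR, NAME, VERSION, VERSION_MINOR and PREFIX, so `_CPE_ID_VALID` would stay unset and no CPE ID would be generated. Align the documented and implemented names (rename the bullet to `<pkg>_CPE_ID_NAME`, or the code to `_CPE_ID_PRODUCT`). Minor: the comment `# If the CPE ID is valid for the target package so it is for the host` reads awkwardly; `# If the CPE ID is valid for the target package, it is also valid for the host package` says the same thing more clearly.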