[v8,6/9] cpe-info: update manual for new pkg vars

Provide guidance on setting up the *_CPE_* and *_CVE_* variables.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Added note about minor version
 - Removed CVE patch listing as the backend has not be implemented
    (LIBFOO_CVE_PATCHED)

v4 -> v7
 - None

v3
 - Updated to make *_CPE_VENDOR optional
 - Changed wording around _CPE_ID as there is only one defined now

v2
[Thomas P
 - Reworded LIBFOO_CVE_PATCHED description

[Matt W
 - Added definition for new preset variables to auto-gen the CPE ID
 - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
---
 docs/manual/adding-packages-generic.txt | 111 +++++++++++++++++++-------------
 1 file changed, 68 insertions(+), 43 deletions(-)

On 08/03/2019 23:04, Matt Weber wrote:
> +license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
> +analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with

 "for vulnerability analysis" is not entirely correct; it's for product
identification. And of course this would be a full CPE_ID not just a vendor. So
it should become something like

... and the CPE (Common Platform Enumeration) identifier.

 There should be a reference to the cpe-info section as well, but of course that
can be added only after that section has been added.

 Regards,
 Arnout

On Fri, Mar 8, 2019, 23:06 Matt Weber <matthew.weber@rockwellcollins.com>
wrote:

> Provide guidance on setting up the *_CPE_* and *_CVE_* variables.
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> Changes
>
> v8
>  - Added note about minor version
>  - Removed CVE patch listing as the backend has not be implemented
>     (LIBFOO_CVE_PATCHED)
>
> v4 -> v7
>  - None
>
> v3
>  - Updated to make *_CPE_VENDOR optional
>  - Changed wording around _CPE_ID as there is only one defined now
>
> v2
> [Thomas P
>  - Reworded LIBFOO_CVE_PATCHED description
>
> [Matt W
>  - Added definition for new preset variables to auto-gen the CPE ID
>  - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
> ---
>  docs/manual/adding-packages-generic.txt | 111
> +++++++++++++++++++-------------
>  1 file changed, 68 insertions(+), 43 deletions(-)
>
> diff --git a/docs/manual/adding-packages-generic.txt
> b/docs/manual/adding-packages-generic.txt
> index 7be1754..ddf1b2e 100644
> --- a/docs/manual/adding-packages-generic.txt
> +++ b/docs/manual/adding-packages-generic.txt
> @@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell
> scripts.
>  09: LIBFOO_SITE = http://www.foosoftware.org/download
>  10: LIBFOO_LICENSE = GPL-3.0+
>  11: LIBFOO_LICENSE_FILES = COPYING
> -12: LIBFOO_INSTALL_STAGING = YES
> -13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
> -14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
> -15:
> -16: define LIBFOO_BUILD_CMDS
> -17:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
> -18: endef
> -19:
> -20: define LIBFOO_INSTALL_STAGING_CMDS
> -21:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a
> $(STAGING_DIR)/usr/lib/libfoo.a
> -22:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
> -23:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
> -24: endef
> -25:
> -26: define LIBFOO_INSTALL_TARGET_CMDS
> -27:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
> -28:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
> -29: endef
> -30:
> -31: define LIBFOO_USERS
> -32:    foo -1 libfoo -1 * - - - LibFoo daemon
> -33: endef
> -34:
> -35: define LIBFOO_DEVICES
> -36:    /dev/foo  c  666  0  0  42  0  -  -  -
> -37: endef
> -38:
> -39: define LIBFOO_PERMISSIONS
> -40:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -
> -41: endef
> -42:
> -43: $(eval $(generic-package))
> +12: LIBFOO_CPE_ID_VENDOR = foosoftware
> +13: LIBFOO_INSTALL_STAGING = YES
> +14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
> +15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
> +16:
> +17: define LIBFOO_BUILD_CMDS
> +18:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
> +19: endef
> +20:
> +21: define LIBFOO_INSTALL_STAGING_CMDS
> +22:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a
> $(STAGING_DIR)/usr/lib/libfoo.a
> +23:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
> +24:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
> +25: endef
> +26:
> +27: define LIBFOO_INSTALL_TARGET_CMDS
> +28:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
> +29:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
> +30: endef
> +31:
> +32: define LIBFOO_USERS
> +33:    foo -1 libfoo -1 * - - - LibFoo daemon
> +34: endef
> +35:
> +36: define LIBFOO_DEVICES
> +37:    /dev/foo  c  666  0  0  42  0  -  -  -
> +38: endef
> +39:
> +40: define LIBFOO_PERMISSIONS
> +41:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -
> +42: endef
> +43:
> +44: $(eval $(generic-package))
>  --------------------------------
>
> -The Makefile begins on line 7 to 11 with metadata information: the
> +The Makefile begins on line 7 to 12 with metadata information: the
>  version of the package (+LIBFOO_VERSION+), the name of the
>  tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball
> recommended)
>  the Internet location at which the tarball can be downloaded from
> -(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
> -license text (+LIBFOO_LICENSE_FILES+). All variables must start with
> +(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
> +license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
> +analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
>  the same prefix, +LIBFOO_+ in this case. This prefix is always the
>  uppercased version of the package name (see below to understand where
>  the package name is defined).
>
> -On line 12, we specify that this package wants to install something to
> +On line 13, we specify that this package wants to install something to
>  the staging space. This is often needed for libraries, since they must
>  install header files and other development files in the staging space.
>  This will ensure that the commands listed in the
>  +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
>
> -On line 13, we specify that there is some fixing to be done to some
> +On line 14, we specify that there is some fixing to be done to some
>  of the 'libfoo-config' files that were installed during
>  +LIBFOO_INSTALL_STAGING_CMDS+ phase.
>  These *-config files are executable shell script files that are
> @@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
>  --------------------------------
>  ================================
>
> -On line 14, we specify the list of dependencies this package relies
> +On line 15, we specify the list of dependencies this package relies
>  on. These dependencies are listed in terms of lower-case package names,
>  which can be packages for the target (without the +host-+
>  prefix) or packages for the host (with the +host-+) prefix).
>  Buildroot will ensure that all these packages are built and installed
>  'before' the current package starts its configuration.
>
> -The rest of the Makefile, lines 16..29, defines what should be done
> +The rest of the Makefile, lines 17..29, defines what should be done
>  at the different steps of the package configuration, compilation and
>  installation.
>  +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
> @@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
>  contains the directory where the source code of the package has been
>  extracted.
>
> -On lines 31..43, we define a user that is used by this package (e.g.
> +On lines 32..44, we define a user that is used by this package (e.g.
>  to run a daemon as non-root) (+LIBFOO_USERS+).
>
> -On line 35..37, we define a device-node file used by this package
> +On line 36..38, we define a device-node file used by this package
>  (+LIBFOO_DEVICES+).
>
> -On line 39..41, we define the permissions to set to specific files
> +On line 40..42, we define the permissions to set to specific files
>  installed by this package (+LIBFOO_PERMISSIONS+).
>
> -Finally, on line 43, we call the +generic-package+ function, which
> +Finally, on line 44, we call the +generic-package+ function, which
>  generates, according to the variables defined previously, all the
>  Makefile code necessary to make your package working.
>
> @@ -482,6 +484,29 @@ not and can not work as people would expect it should:
>    locations, `/lib/firmware`, `/usr/lib/firmware`, `/lib/modules`,
>    `/usr/lib/modules`, and `/usr/share`, which are automatically excluded.
>
> +* +LIBFOO_CPE_ID_VENDOR+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the vendor. By default it's set
> +  to <pkg-name>_project.
> +
> +* +LIBFOO_CPE_ID_NAME+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the name. By default it's set
> +  to <pkg-name>.
> +
> +* +LIBFOO_CPE_ID_VERSION+
> +  This variable is optional. By default it's set to <pkg-version>.
> +
> +* +LIBFOO_CPE_ID_VERSION_MINOR+
> +  This variable is optional. By default it's set to *.
> +
> +* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
> +  default case of a single package's Common Product Enumeration (CPE)
> +  identification string. +make cpe-info+ copies all of these into a
> +  +cpe-manifest.csv+ file. To identify a package's possible CPE,
> +  the National Vunerability Database can be searched at
>

Also here: Vulnerability with l


+  https://nvd.nist.gov/products/cpe/search.
> +
>  The recommended way to define these variables is to use the following
>  syntax:
>
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 8, 2019, 23:06 Matt Weber &lt;<a href="mailto:matthew.weber@rockwellcollins.com">matthew.weber@rockwellcollins.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Provide guidance on setting up the *_CPE_* and *_CVE_* variables.<br>
<br>
Signed-off-by: Matthew Weber &lt;<a href="mailto:matthew.weber@rockwellcollins.com" target="_blank" rel="noreferrer">matthew.weber@rockwellcollins.com</a>&gt;<br>
---<br>
Changes<br>
<br>
v8<br>
 - Added note about minor version<br>
 - Removed CVE patch listing as the backend has not be implemented<br>
    (LIBFOO_CVE_PATCHED)<br>
<br>
v4 -&gt; v7<br>
 - None<br>
<br>
v3<br>
 - Updated to make *_CPE_VENDOR optional<br>
 - Changed wording around _CPE_ID as there is only one defined now<br>
<br>
v2<br>
[Thomas P<br>
 - Reworded LIBFOO_CVE_PATCHED description<br>
<br>
[Matt W<br>
 - Added definition for new preset variables to auto-gen the CPE ID<br>
 - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO<br>
---<br>
 docs/manual/adding-packages-generic.txt | 111 +++++++++++++++++++-------------<br>
 1 file changed, 68 insertions(+), 43 deletions(-)<br>
<br>
diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt<br>
index 7be1754..ddf1b2e 100644<br>
--- a/docs/manual/adding-packages-generic.txt<br>
+++ b/docs/manual/adding-packages-generic.txt<br>
@@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell scripts.<br>
 09: LIBFOO_SITE = <a href="http://www.foosoftware.org/download" rel="noreferrer noreferrer" target="_blank">http://www.foosoftware.org/download</a><br>
 10: LIBFOO_LICENSE = GPL-3.0+<br>
 11: LIBFOO_LICENSE_FILES = COPYING<br>
-12: LIBFOO_INSTALL_STAGING = YES<br>
-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config<br>
-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb<br>
-15:<br>
-16: define LIBFOO_BUILD_CMDS<br>
-17:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all<br>
-18: endef<br>
-19:<br>
-20: define LIBFOO_INSTALL_STAGING_CMDS<br>
-21:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a<br>
-22:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h<br>
-23:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib<br>
-24: endef<br>
-25:<br>
-26: define LIBFOO_INSTALL_TARGET_CMDS<br>
-27:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib<br>
-28:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d<br>
-29: endef<br>
-30:<br>
-31: define LIBFOO_USERS<br>
-32:    foo -1 libfoo -1 * - - - LibFoo daemon<br>
-33: endef<br>
-34:<br>
-35: define LIBFOO_DEVICES<br>
-36:    /dev/foo  c  666  0  0  42  0  -  -  -<br>
-37: endef<br>
-38:<br>
-39: define LIBFOO_PERMISSIONS<br>
-40:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -<br>
-41: endef<br>
-42:<br>
-43: $(eval $(generic-package))<br>
+12: LIBFOO_CPE_ID_VENDOR = foosoftware<br>
+13: LIBFOO_INSTALL_STAGING = YES<br>
+14: LIBFOO_CONFIG_SCRIPTS = libfoo-config<br>
+15: LIBFOO_DEPENDENCIES = host-libaaa libbbb<br>
+16:<br>
+17: define LIBFOO_BUILD_CMDS<br>
+18:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all<br>
+19: endef<br>
+20:<br>
+21: define LIBFOO_INSTALL_STAGING_CMDS<br>
+22:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a<br>
+23:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h<br>
+24:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib<br>
+25: endef<br>
+26:<br>
+27: define LIBFOO_INSTALL_TARGET_CMDS<br>
+28:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib<br>
+29:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d<br>
+30: endef<br>
+31:<br>
+32: define LIBFOO_USERS<br>
+33:    foo -1 libfoo -1 * - - - LibFoo daemon<br>
+34: endef<br>
+35:<br>
+36: define LIBFOO_DEVICES<br>
+37:    /dev/foo  c  666  0  0  42  0  -  -  -<br>
+38: endef<br>
+39:<br>
+40: define LIBFOO_PERMISSIONS<br>
+41:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -<br>
+42: endef<br>
+43:<br>
+44: $(eval $(generic-package))<br>
 --------------------------------<br>
<br>
-The Makefile begins on line 7 to 11 with metadata information: the<br>
+The Makefile begins on line 7 to 12 with metadata information: the<br>
 version of the package (+LIBFOO_VERSION+), the name of the<br>
 tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)<br>
 the Internet location at which the tarball can be downloaded from<br>
-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the<br>
-license text (+LIBFOO_LICENSE_FILES+). All variables must start with<br>
+(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the<br>
+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability<br>
+analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with<br>
 the same prefix, +LIBFOO_+ in this case. This prefix is always the<br>
 uppercased version of the package name (see below to understand where<br>
 the package name is defined).<br>
<br>
-On line 12, we specify that this package wants to install something to<br>
+On line 13, we specify that this package wants to install something to<br>
 the staging space. This is often needed for libraries, since they must<br>
 install header files and other development files in the staging space.<br>
 This will ensure that the commands listed in the<br>
 +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.<br>
<br>
-On line 13, we specify that there is some fixing to be done to some<br>
+On line 14, we specify that there is some fixing to be done to some<br>
 of the &#39;libfoo-config&#39; files that were installed during<br>
 +LIBFOO_INSTALL_STAGING_CMDS+ phase.<br>
 These *-config files are executable shell script files that are<br>
@@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \<br>
 --------------------------------<br>
 ================================<br>
<br>
-On line 14, we specify the list of dependencies this package relies<br>
+On line 15, we specify the list of dependencies this package relies<br>
 on. These dependencies are listed in terms of lower-case package names,<br>
 which can be packages for the target (without the +host-+<br>
 prefix) or packages for the host (with the +host-+) prefix).<br>
 Buildroot will ensure that all these packages are built and installed<br>
 &#39;before&#39; the current package starts its configuration.<br>
<br>
-The rest of the Makefile, lines 16..29, defines what should be done<br>
+The rest of the Makefile, lines 17..29, defines what should be done<br>
 at the different steps of the package configuration, compilation and<br>
 installation.<br>
 +LIBFOO_BUILD_CMDS+ tells what steps should be performed to<br>
@@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which<br>
 contains the directory where the source code of the package has been<br>
 extracted.<br>
<br>
-On lines 31..43, we define a user that is used by this package (e.g.<br>
+On lines 32..44, we define a user that is used by this package (e.g.<br>
 to run a daemon as non-root) (+LIBFOO_USERS+).<br>
<br>
-On line 35..37, we define a device-node file used by this package<br>
+On line 36..38, we define a device-node file used by this package<br>
 (+LIBFOO_DEVICES+).<br>
<br>
-On line 39..41, we define the permissions to set to specific files<br>
+On line 40..42, we define the permissions to set to specific files<br>
 installed by this package (+LIBFOO_PERMISSIONS+).<br>
<br>
-Finally, on line 43, we call the +generic-package+ function, which<br>
+Finally, on line 44, we call the +generic-package+ function, which<br>
 generates, according to the variables defined previously, all the<br>
 Makefile code necessary to make your package working.<br>
<br>
@@ -482,6 +484,29 @@ not and can not work as people would expect it should:<br>
   locations, `/lib/firmware`, `/usr/lib/firmware`, `/lib/modules`,<br>
   `/usr/lib/modules`, and `/usr/share`, which are automatically excluded.<br>
<br>
+* +LIBFOO_CPE_ID_VENDOR+<br>
+  This variable is optional. It only must be defined if the package name<br>
+  does not match what the CPE ID uses for the vendor. By default it&#39;s set<br>
+  to &lt;pkg-name&gt;_project.<br>
+<br>
+* +LIBFOO_CPE_ID_NAME+<br>
+  This variable is optional. It only must be defined if the package name<br>
+  does not match what the CPE ID uses for the name. By default it&#39;s set<br>
+  to &lt;pkg-name&gt;.<br>
+<br>
+* +LIBFOO_CPE_ID_VERSION+<br>
+  This variable is optional. By default it&#39;s set to &lt;pkg-version&gt;.<br>
+<br>
+* +LIBFOO_CPE_ID_VERSION_MINOR+<br>
+  This variable is optional. By default it&#39;s set to *.<br>
+<br>
+* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the<br>
+  default case of a single package&#39;s Common Product Enumeration (CPE)<br>
+  identification string. +make cpe-info+ copies all of these into a<br>
+  +cpe-manifest.csv+ file. To identify a package&#39;s possible CPE,<br>
+  the National Vunerability Database can be searched at<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Also here: Vulnerability with l</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
+  <a href="https://nvd.nist.gov/products/cpe/search" rel="noreferrer noreferrer" target="_blank">https://nvd.nist.gov/products/cpe/search</a>.<br>
+<br>
 The recommended way to define these variables is to use the following<br>
 syntax:<br>
<br>
-- <br>
1.9.1<br>
<br>
_______________________________________________<br>
buildroot mailing list<br>
<a href="mailto:buildroot@busybox.net" target="_blank" rel="noreferrer">buildroot@busybox.net</a><br>
<a href="http://lists.busybox.net/mailman/listinfo/buildroot" rel="noreferrer noreferrer" target="_blank">http://lists.busybox.net/mailman/listinfo/buildroot</a><br>
</blockquote></div></div></div>