[NEXT,20/26] linux: add CPE id

Message ID	1519697441-54194-21-git-send-email-matthew.weber@rockwellcollins.com
State	Changes Requested
Headers	show Return-Path: <buildroot-bounces@busybox.net> From: Matt Weber <matthew.weber@rockwellcollins.com> To: buildroot@buildroot.org Date: Mon, 26 Feb 2018 20:10:35 -0600 Message-Id: <1519697441-54194-21-git-send-email-matthew.weber@rockwellcollins.com> In-Reply-To: <1519697441-54194-1-git-send-email-matthew.weber@rockwellcollins.com> References: <1519697441-54194-1-git-send-email-matthew.weber@rockwellcollins.com> Subject: [Buildroot] [NEXT 20/26] linux: add CPE id Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" <buildroot-bounces@busybox.net>
Series	Package CVE Reporting \| expand [NEXT,00/26] Package CVE Reporting [NEXT,01/26] cpe-info: new make target [NEXT,02/26] cpe-info: update manual for new pkg vars [NEXT,03/26] cpe-info: id prefix/suffix [NEXT,04/26] cpe-info: only report target pkgs [NEXT,05/26] bash: add CPE id [NEXT,06/26] boa: add CPE id [NEXT,07/26] boost: add CPE id [NEXT,08/26] busybox: add CPE id [NEXT,09/26] bzip2: add CPE id [NEXT,10/26] dhcp: add CPE id [NEXT,11/26] e2fsprogs: add CPE id [NEXT,12/26] gdb: add CPE id [NEXT,13/26] glibc: add CPE id [NEXT,14/26] gnupg: add CPE id [NEXT,15/26] gzip: add CPE id [NEXT,16/26] iproute2: add CPE id [NEXT,17/26] libgcrypt: add CPE id [NEXT,18/26] libopenssl: add CPE id [NEXT,19/26] libzlib: add CPE id [NEXT,20/26] linux: add CPE id [NEXT,21/26] linux-headers: add CPE id [NEXT,22/26] openssh: add CPE id [NEXT,23/26] rsyslog: add CPE id [NEXT,24/26] tcpdump: add CPE id [NEXT,25/26] util-linux: add CPE id [NEXT,26/26] xerces: add CPE id

Message ID

1519697441-54194-21-git-send-email-matthew.weber@rockwellcollins.com

State

Changes Requested

Headers

From: Matt Weber <matthew.weber@rockwellcollins.com>
To: buildroot@buildroot.org
Date: Mon, 26 Feb 2018 20:10:35 -0600
Message-Id: <1519697441-54194-21-git-send-email-matthew.weber@rockwellcollins.com>
In-Reply-To: <1519697441-54194-1-git-send-email-matthew.weber@rockwellcollins.com>
References: <1519697441-54194-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [NEXT 20/26] linux: add CPE id
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Series

Package CVE Reporting | expand

Comments

Thomas Petazzoni Feb. 27, 2018, 10:18 p.m. UTC | #1

Hello,

On Mon, 26 Feb 2018 20:10:35 -0600, Matt Weber wrote:

> +LINUX_CPE_ID = $(LINUX_NAME):$(LINUX_NAME)_kernel:$(LINUX_VERSION)

How is the CPE database reacting when LINUX_VERSION is some random Git
SHA1, from a private Git tree that nobody has access to ?

Best regards,

Thomas

Matt Weber Feb. 28, 2018, 4:12 a.m. UTC | #2

Thomas,

On Tue, Feb 27, 2018 at 4:18 PM, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> Hello,
>
> On Mon, 26 Feb 2018 20:10:35 -0600, Matt Weber wrote:
>
>> +LINUX_CPE_ID = $(LINUX_NAME):$(LINUX_NAME)_kernel:$(LINUX_VERSION)
>
> How is the CPE database reacting when LINUX_VERSION is some random Git
> SHA1, from a private Git tree that nobody has access to ?

I brought this up to one of my security guys and he had a good point.
He pointed out that since we keep the reporting seperate from any
proposed automated CVE analysis.  The user specific analysis could
manage taking the hash and manually doing the effort to tie that to a
linux version.  Then looking at the individual CVEs on top of that
version.  There isn't a good way to include that in the buildsystem
that we can see but most analysis tools have a way to keep notes with
a configuration.  For any buildroot automated CVE reporting I don't
think you'd run into this hash case for linux as there wouldn't be a
default version selected as a hash (so far at least that I know of)

For packages which use hashes, the suggestion was made to use the
major and minor syntax where we state the version to be the last
release and the next wildcard field is the minor version and set we
that to the hash.  So for validating a CPE is correct (pkg-stats
maintenance), we would just look at the major version.  However for
the analysis activity where a target CPE report is used to find CVEs,
they would take into account the major and also go look at the hash
manually to determine where that falls past the  major.  On the
buildroot side we could also add CVE_PATCHED items covering that delta
if we know what they are.  I should do an example of this in my next
patchset (one of the github packages).

Matt

Thomas Petazzoni March 2, 2018, 9:55 a.m. UTC | #3

Hello,

On Tue, 27 Feb 2018 22:12:18 -0600, Matthew Weber wrote:

> > How is the CPE database reacting when LINUX_VERSION is some random Git
> > SHA1, from a private Git tree that nobody has access to ?  
> 
> I brought this up to one of my security guys and he had a good point.
> He pointed out that since we keep the reporting seperate from any
> proposed automated CVE analysis.  The user specific analysis could
> manage taking the hash and manually doing the effort to tie that to a
> linux version.

Indeed, you can do it manually, but it kind of removes the whole point
of having automated tools to check which CVEs are applicable to your
system. And the kernel is a very critical part of the system.

> Then looking at the individual CVEs on top of that
> version.  There isn't a good way to include that in the buildsystem
> that we can see but most analysis tools have a way to keep notes with
> a configuration.  For any buildroot automated CVE reporting I don't
> think you'd run into this hash case for linux as there wouldn't be a
> default version selected as a hash (so far at least that I know of)

I'm sorry, I don't understand this last sentence, could you explain ?

> For packages which use hashes, the suggestion was made to use the
> major and minor syntax where we state the version to be the last
> release and the next wildcard field is the minor version and set we
> that to the hash.

CPE IDs have a concept of major and minor version ?

So we would have something like:

FOO_VERSION = f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
FOO_CPE_ID = foo:foo:2.3:f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

Where 2.3 is the closest "release" to
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ?

If that's what you propose, then for Linux, we could have a Config.in
option to fill in what is the Linux official release that is the
closest to the custom version being used.

>  So for validating a CPE is correct (pkg-stats
> maintenance), we would just look at the major version.  However for
> the analysis activity where a target CPE report is used to find CVEs,
> they would take into account the major and also go look at the hash
> manually to determine where that falls past the  major.

Not sure I understand what you're proposing here.

> On the buildroot side we could also add CVE_PATCHED items covering
> that delta if we know what they are.  I should do an example of this
> in my next patchset (one of the github packages).

Yes, please do an example, it would probably be easier for me to
understand what you're proposing :)

Thanks!

Thomas

diff --git a/linux/linux.mk b/linux/linux.mk
index 5300b9c..7afd9b5 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -7,6 +7,7 @@ 
 LINUX_VERSION = $(call qstrip,$(BR2_LINUX_KERNEL_VERSION))
 LINUX_LICENSE = GPL-2.0
 LINUX_LICENSE_FILES = COPYING
+LINUX_CPE_ID = $(LINUX_NAME):$(LINUX_NAME)_kernel:$(LINUX_VERSION)
 
 define LINUX_HELP_CMDS
 	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'

[NEXT,20/26] linux: add CPE id

Commit Message

Comments

Patch