[NEXT,00/26] Package CVE Reporting

Message ID 1519697441-54194-1-git-send-email-matthew.weber@rockwellcollins.com
Message

Matt Weber Feb. 27, 2018, 2:10 a.m. UTC
This series adds new infrastructure to report
a package's CPE identifier in a similar way
to how the legal info is currently reported.

The addition of CPE IDs to the packages is a
manual process, but in a later patchset
additions are planned to the pkg-stats script
to automate the maintenance process.

Matt Weber (26):
  cpe-info: new make target
  cpe-info: update manual for new pkg vars
  cpe-info: id prefix/suffix
  cpe-info: only report target pkgs
  bash: add CPE id
  boa: add CPE id
  boost: add CPE id
  busybox: add CPE id
  bzip2: add CPE id
  dhcp: add CPE id
  e2fsprogs: add CPE id
  gdb: add CPE id
  glibc: add CPE id
  gnupg: add CPE id
  gzip: add CPE id
  iproute2: add CPE id
  libgcrypt: add CPE id
  libopenssl: add CPE id
  libzlib: add CPE id
  linux: add CPE id
  linux-headers: add CPE id
  openssh: add CPE id
  rsyslog: add CPE id
  tcpdump: add CPE id
  util-linux: add CPE id
  xerces: add CPE id

 Makefile                                | 17 ++++++++++++++++-
 docs/manual/adding-packages-generic.txt | 15 +++++++++++++++
 linux/linux.mk                          |  1 +
 package/bash/bash.mk                    |  1 +
 package/boa/boa.mk                      |  2 +-
 package/boost/boost.mk                  |  1 +
 package/busybox/busybox.mk              |  1 +
 package/bzip2/bzip2.mk                  |  2 ++
 package/dhcp/dhcp.mk                    |  1 +
 package/e2fsprogs/e2fsprogs.mk          |  1 +
 package/gdb/gdb.mk                      |  1 +
 package/glibc/glibc.mk                  |  2 ++
 package/gnupg/gnupg.mk                  |  1 +
 package/gzip/gzip.mk                    |  1 +
 package/iproute2/iproute2.mk            |  1 +
 package/libgcrypt/libgcrypt.mk          |  1 +
 package/libopenssl/libopenssl.mk        |  1 +
 package/libzlib/libzlib.mk              |  1 +
 package/linux-headers/linux-headers.mk  |  1 +
 package/openssh/openssh.mk              |  2 ++
 package/pkg-generic.mk                  | 26 ++++++++++++++++++++++++++
 package/pkg-utils.mk                    |  8 ++++++++
 package/rsyslog/rsyslog.mk              |  1 +
 package/tcpdump/tcpdump.mk              |  1 +
 package/util-linux/util-linux.mk        |  2 ++
 package/xerces/xerces.mk                |  1 +
 26 files changed, 91 insertions(+), 2 deletions(-)
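The cover letter only names the pieces (a make target that prints each target package's CPE ID, plus per-package prefix/suffix variables the ID is built from); it does not show what a consumer of such a report does with it. The following is an added example, not code from this series or from Buildroot: it parses a constructed report in a "package,cpe-id" shape that a `make cpe-info` target might plausibly print, splits each CPE 2.3 string into its components, and matches the packages against a constructed advisory feed whose entries use the `versionStartIncluding`/`versionEndExcluding`-style range keys of the NVD JSON feeds. The report format, the feed, the package versions and the advisory IDs (`SAMPLE-000N`) are all assumptions made for illustration; no real CVE data is used.

```python
"""Match package CPE 2.3 identifiers from a cpe-info style report against a feed.

Added example, not part of the Buildroot series.  The report layout, the feed
entries and the advisory IDs below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed report in the shape a 'make cpe-info' target might print:
# one "package,cpe-id" line per target package.  Versions are illustrative.
CPE_INFO_REPORT = """\
# package,cpe-id
bash,cpe:2.3:a:gnu:bash:4.4:*:*:*:*:*:*:*
busybox,cpe:2.3:a:busybox:busybox:1.28.0:*:*:*:*:*:*:*
libopenssl,cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
libzlib,cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*
"""

# Constructed advisory feed.  Each entry carries a CPE 2.3 match string plus
# optional range keys modelled on the NVD JSON feeds.  IDs are placeholders,
# not real CVEs, and the affected ranges are made up.
ADVISORY_FEED = [
    # exact-version match
    {"id": "SAMPLE-0001", "cpe23": "cpe:2.3:a:gnu:bash:4.4:*:*:*:*:*:*:*"},
    # open-ended range, fixed in 1.29.0 -> 1.28.0 is affected
    {"id": "SAMPLE-0002", "cpe23": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "1.29.0"},
    # fixed exactly in 1.0.2n (exclusive upper bound) -> 1.0.2n is NOT affected
    {"id": "SAMPLE-0003", "cpe23": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2n"},
    # inclusive upper bound equal to the shipped version -> affected
    {"id": "SAMPLE-0004", "cpe23": "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "1.2.11"},
    # different part/vendor/product -> never matches anything in the report
    {"id": "SAMPLE-0005", "cpe23": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"},
]

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 named components.
    Colons escaped as '\\:' inside a component are kept, not split on."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, (p.lower() for p in parts[2:])))


def version_key(version: str) -> List[tuple]:
    """Sortable key for dotted versions with letter suffixes
    (1.0.2n < 1.0.2o, 1.2.8 < 1.2.11).  Numeric tokens compare as integers;
    a bare prefix ('1.0.2') sorts before the same prefix with a suffix."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[a-zA-Z]+", version)]


def in_version_range(version: str, entry: Dict[str, str]) -> bool:
    """Apply the NVD-style start/end (including/excluding) bounds, if present."""
    v = version_key(version)
    if "versionStartIncluding" in entry and v < version_key(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= version_key(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > version_key(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= version_key(entry["versionEndExcluding"]):
        return False
    return True


def advisory_applies(pkg: Dict[str, str], entry: Dict[str, str]) -> bool:
    """'*' in the advisory pattern matches any value; anything else ('-' included)
    must match exactly.  The version component is handled separately so that a
    wildcard version can be refined by the range keys."""
    pattern = parse_cpe23(entry["cpe23"])
    for field in CPE23_FIELDS:
        if field != "version" and pattern[field] not in ("*", pkg[field]):
            return False
    if pattern["version"] != "*":
        return pattern["version"] == pkg["version"]
    if pkg["version"] == "*":
        return True  # report gave no version: cannot evaluate a range, so flag it
    return in_version_range(pkg["version"], entry)


def parse_report(report: str) -> Dict[str, str]:
    """Read 'package,cpe-id' lines, skipping blanks and '#' comments."""
    pkgs = {}
    for line in report.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, cpe = line.split(",", 1)
            pkgs[name] = cpe
    return pkgs


def match_report(report: str, feed: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {package: [advisory ids that apply]} for every package in the report."""
    return {name: [e["id"] for e in feed if advisory_applies(parse_cpe23(cpe), e)]
            for name, cpe in parse_report(report).items()}


if __name__ == "__main__":
    for name, hits in match_report(CPE_INFO_REPORT, ADVISORY_FEED).items():
        print(f"{name:12s} {', '.join(hits) or '-'}")
```

The two things worth noticing are the boundary cases: an advisory whose `versionEndExcluding` equals the shipped version (the fixed release) must not be reported, while `versionEndIncluding` equal to the shipped version must be; and a report line whose CPE carries `*` as its version cannot be range-checked at all, which is exactly the gap the per-package CPE annotations in this series are meant to close.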

Comments

Thomas Petazzoni Feb. 27, 2018, 9:37 p.m. UTC | #1
Hello,

On Mon, 26 Feb 2018 20:10:15 -0600, Matt Weber wrote:
> This series adds new infrastructure to report
> a package's CPE identifier in a similar way
> to how the legal info is currently reported.
> 
> The addition of CPE IDs to the packages is a
> manual process, but in a later patchset
> additions are planned to the pkg-stats script
> to automate the maintenance process.

Thanks for working on this and coming up with a proposal!

While I'm fine with the package annotations, I am not yet sure that a
"make cpe-info" is what we want here.

In particular, I'm thinking about the interaction with pkg-stats, and
the work I've done to make pkg-stats query release-monitoring.org to
check for new upstream versions. Ideally, pkg-stats should also query
the CPE information and add it to its report.

For now, pkg-stats reports about all packages in Buildroot, but I'm
hoping to improve that and make it possible for pkg-stats to only
generate a report about the list of packages selected in the current
Buildroot configuration.

So I don't have a very clear cut answer, but I see some overlap between
cpe-info and pkg-stats, and I'd like to have a common view on what is
the mid/long-term direction we want to take.

Thomas
Matt Weber Feb. 28, 2018, 4:42 a.m. UTC | #2
Thomas,

On Tue, Feb 27, 2018 at 3:37 PM, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> Hello,
>
> On Mon, 26 Feb 2018 20:10:15 -0600, Matt Weber wrote:
[snip]
> While I'm fine with the package annotations, I am not yet sure that a
> "make cpe-info" is what we want here.
>
> In particular, I'm thinking about the interaction with pkg-stats, and
> the work I've done to make pkg-stats query release-monitoring.org to
> check for new upstream versions. Ideally, pkg-stats should also query
> the CPE information and add it to its report.

Agreed, but I see that as a separate function and a next step after
this patchset.  I see the basic report as the first step to get others
to contribute more CPE information to packages.  I'm sure others using
Buildroot have external tools they use to take the CPEs and do their
analysis.  We can passively get the benefit of those efforts finding
the CPEs which need updates until the pkg-stats is ready.  Hopefully
we'd have a pkg-stats solution in place not too long after the
reporting has been in use.

>
> For now, pkg-stats reports about all packages in Buildroot, but I'm
> hoping to improve that and make it possible for pkg-stats to only
> generate a report about the list of packages selected in the current
> Buildroot configuration.

I do agree that if the cpe-info using infra is merged, the long term
plan would be to move that to a script once the pkg-stats CPE checking
and CPE helper functions it uses exist to build a comparable CPE
report.

In general, I'd advocate for an incremental approach so some of the
benefits can start to be realized while the automation is matured.

Matt