Message ID | 1519697441-54194-2-git-send-email-matthew.weber@rockwellcollins.com
---|---
State | Changes Requested
Series | Package CVE Reporting
Hello, On Mon, 26 Feb 2018 20:10:16 -0600, Matt Weber wrote: > Similar to make legal-info, produce a csv delimited > file containing all selected packages CPE > identification. > > Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com> > --- > Makefile | 17 ++++++++++++++++- > package/pkg-generic.mk | 12 ++++++++++++ > package/pkg-utils.mk | 8 ++++++++ > 3 files changed, 36 insertions(+), 1 deletion(-) > > diff --git a/Makefile b/Makefile > index ec39bcd..7eda990 100644 > --- a/Makefile > +++ b/Makefile > @@ -146,7 +146,7 @@ nobuild_targets := source %-source \ > clean distclean help show-targets graph-depends \ > %-graph-depends %-show-depends %-show-version \ > graph-build graph-size list-defconfigs \ > - savedefconfig printvars > + savedefconfig printvars cpe-info %-cpe-info > ifeq ($(MAKECMDGOALS),) > BR_BUILDING = y > else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),) > @@ -230,6 +230,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv > LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv > LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings > LEGAL_REPORT = $(LEGAL_INFO_DIR)/README > +CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv > > ################################################################################ > # > @@ -788,6 +789,19 @@ legal-info: dirs legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p > mv .legal-info.sha256 legal-info.sha256) > @echo "Legal info produced in $(LEGAL_INFO_DIR)" > > +.PHONY: cpe-info-clean > +cpe-info-clean: > + @rm -f $(CPE_MANIFEST_CSV) > + > +.PHONY: cpe-info-prepare > +cpe-info-prepare: > + @$(call MESSAGE,"Gathering CPE info") > + @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE) > + > +.PHONY: cpe-info > +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info) > + @echo "CPE info produced in $(CPE_MANIFEST_CSV)" > + > .PHONY: show-targets > show-targets: > @echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS)) 
> @@ -1047,6 +1061,7 @@ help: > @echo ' source - download all sources needed for offline-build' > @echo ' external-deps - list external packages used' > @echo ' legal-info - generate info about license compliance' > + @echo ' cpe-info - generate info about security CPE identification' > @echo ' printvars - dump all the internal variables' > @echo > @echo ' make V=0|1 - 0 => quiet build (default), 1 => verbose build' > diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk > index a2a12e7..8622787 100644 > --- a/package/pkg-generic.mk > +++ b/package/pkg-generic.mk > @@ -830,6 +830,17 @@ else > $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2) > endif > > +$(1)-cpe-info: PKG=$(2) > +$(1)-cpe-info: > +ifneq ($$(call qstrip,$$($(2)_SOURCE)),) > + @$$(call MESSAGE,"Collecting cpe info") > +ifeq ($$(call qstrip,$$($(2)_CPE_ID)),) > + $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) > +else > + $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep)) > +endif > +endif A question is: do we need a new make target, or can an external script do the same thing ? After all, "make printvars" gives you pretty much the needed information. All what is missing is that you can't easily get the list of selected packages in the current configuration, but that would be useful for me for the pkg-stats script as well. So a "make show-packages" or "make list-packages" could be useful. Perhaps that's how we can make our two different needs converge: by having external scripts rather than adding more stuff to the package infrastructure. A ./utils/cpe-report script could do pretty much what you've done here. Thoughts ? Thomas
On Tue, Feb 27, 2018 at 3:40 PM, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> Hello,
>
> On Mon, 26 Feb 2018 20:10:16 -0600, Matt Weber wrote:
>> Similar to make legal-info, produce a csv delimited
>> file containing all selected packages CPE
>> identification.
>>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
[snip]
>
> A question is: do we need a new make target, or can an external script
> do the same thing ?
>
> After all, "make printvars" gives you pretty much the needed
> information. All what is missing is that you can't easily get the list
> of selected packages in the current configuration, but that would be
> useful for me for the pkg-stats script as well. So a "make
> show-packages" or "make list-packages" could be useful.
>
> Perhaps that's how we can make our two different needs converge: by
> having external scripts rather than adding more stuff to the package
> infrastructure. A ./utils/cpe-report script could do pretty much what
> you've done here.
>
> Thoughts ?

I was on the fence when I looked at where to make the change. I went the infra route because it ended up being really simple to generate that data and the whole process seemed clean. I could see after creating some of the CPE maintaining scripting we could easily convert to your suggested approach for the report generation as well. I just didn't want the creation of the CPE scripting holding up the reporting function, as I can get more developers to focus on improving the CPE information across a few products over the next quarter if I have the reports.

We have been looking at the pkg-stats script and thinking about the impl steps to take. Hoping to get more time on them next month.

Matt
On 28-02-18 05:30, Matthew Weber wrote:
> On Tue, Feb 27, 2018 at 3:40 PM, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
>> Hello,
>>
>> On Mon, 26 Feb 2018 20:10:16 -0600, Matt Weber wrote:
>>> Similar to make legal-info, produce a csv delimited
>>> file containing all selected packages CPE
>>> identification.
>>>
>>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> [snip]
>>
>> A question is: do we need a new make target, or can an external script
>> do the same thing ?
>>
>> After all, "make printvars" gives you pretty much the needed
>> information.

Indeed, and other things that are currently in the infra could also work that way. E.g. graph-depends would speed up dramatically if it could make use of printvars.

One limitation, however: we currently have quite a few cases where something like 'make foo-cpe-info' is a useful feature. In the infra, it comes for free; in a script, it needs special treatment. On the positive side, however, it should be possible to write a python module that generalizes all this: gathering of packages, doing printvars, filtering the output.

Oh, one more thing: if we go that route, then I think printvars should gain a feature to output a Python dictionary. Or a JSON object. Or something like that. Now, the QUOTED_VARS is OK for shell but not for Python. And it doesn't fully work in shell eval, because some variable names (e.g. 4TH_xxx) are not valid shell variable names.

>> All what is missing is that you can't easily get the list
>> of selected packages in the current configuration, but that would be
>> useful for me for the pkg-stats script as well. So a "make
>> show-packages" or "make list-packages" could be useful.

PACKAGES comes pretty close - but since we don't have full Config.in.host it's incomplete, of course. So we indeed need a recursive list-packages rule.

>> Perhaps that's how we can make our two different needs converge: by
>> having external scripts rather than adding more stuff to the package
>> infrastructure. A ./utils/cpe-report script could do pretty much what
>> you've done here.
>>
>> Thoughts ?
>
> I was on the fence when I looked at where to make the change. I went
> the infra route because it ended up being really simple to generate
> that data and the whole process seemed clean.

That is indeed true: make basically has the infra already to do the recursive expansion we need. We'd have to duplicate that into Python. But as I said, it can be done once and then used by several scripts.

There is one reason why I would really prefer things to move to scripts: every additional inner-generic-package variable and rule slows down make a little bit. It's not by a huge amount, but I think I once tested that removing all those extra rules and their variables from inner-generic-packages sped up 'make -qp' by about 10%.

> I could see after
> creating some of the CPE maintaining scripting we could easily convert
> to your suggested approach for the report generation as well.

I agree.

Regards,
Arnout

> I just
> didn't want the creation of the CPE scripting holding up the reporting
> function, as I can get more developers to focus on improving the CPE
> information across a few products over the next quarter if I have the
> reports.
>
> We have been looking at the pkg-stats script and thinking about the
> impl steps to take. Hoping to get more time on them next month.
>
> Matt
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
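The script-based alternative Thomas and Arnout sketch above (a ./utils/cpe-report that consumes "make printvars" output rather than new inner-generic-package rules), written out as an added example; this is not code from the patch or from Buildroot. It assumes plain VAR=value printvars output, uses constructed sample values (the CVE identifier is a placeholder), mirrors the patch's five manifest columns and its "unknown" fallback, and uses the csv module so a source site containing a comma or a double quote cannot corrupt the manifest.

```python
import csv
import io

# Constructed `make printvars`-style sample (VAR=value lines), not a real dump.
SAMPLE_PRINTVARS = """\
PACKAGES=busybox 4th zlib
BUSYBOX_RAWNAME=busybox
BUSYBOX_VERSION=1.27.2
BUSYBOX_ACTUAL_SOURCE_SITE=https://example.invalid/busybox
BUSYBOX_CPE_ID=cpe:2.3:a:busybox:busybox:1.27.2:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox:1.27:*:*:*:*:*:*:*
BUSYBOX_CVE_PATCHED=CVE-PLACEHOLDER-0001
4TH_RAWNAME=4th
4TH_VERSION=3.62.4
ZLIB_RAWNAME=zlib
ZLIB_VERSION=1.2.11
ZLIB_ACTUAL_SOURCE_SITE=https://example.invalid/zlib,"mirror"
"""

def parse_printvars(text):
    """VAR=value lines -> dict; 4TH_VERSION is an invalid shell name but a fine key."""
    result = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.replace("_", "").isalnum():
            result[name] = value
    return result

def pkg_var(variables, pkg, suffix):
    # Mirrors Buildroot's UPPERCASE helper: upper-case, '-' and '.' become '_'
    prefix = pkg.upper().replace("-", "_").replace(".", "_")
    return variables.get(prefix + "_" + suffix, "")

def cpe_rows(variables):
    """One row per CPE ID of each selected package, 'unknown' when none is set."""
    rows = []
    for pkg in variables.get("PACKAGES", "").split():
        tail = [pkg_var(variables, pkg, s) for s in
                ("CVE_PATCHED", "RAWNAME", "VERSION", "ACTUAL_SOURCE_SITE")]
        for cpe in pkg_var(variables, pkg, "CPE_ID").split() or ["unknown"]:
            rows.append([cpe] + tail)
    return rows

def cpe_manifest_csv(variables):
    """Header plus rows; QUOTE_ALL doubles embedded quotes so commas are safe."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["CPE ID", "CVE PATCHED", "PACKAGE", "VERSION", "SOURCE SITE"])
    writer.writerows(cpe_rows(variables))
    return out.getvalue()
```

Feed it the real output of "make printvars" (or, once it exists, a JSON-emitting variant as Arnout suggests) and the PACKAGES filter does the selected-package gathering that the infra rules get from $(foreach p,$(PACKAGES),...).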
diff --git a/Makefile b/Makefile index ec39bcd..7eda990 100644 --- a/Makefile +++ b/Makefile @@ -146,7 +146,7 @@ nobuild_targets := source %-source \ clean distclean help show-targets graph-depends \ %-graph-depends %-show-depends %-show-version \ graph-build graph-size list-defconfigs \ - savedefconfig printvars + savedefconfig printvars cpe-info %-cpe-info ifeq ($(MAKECMDGOALS),) BR_BUILDING = y else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),) @@ -230,6 +230,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings LEGAL_REPORT = $(LEGAL_INFO_DIR)/README +CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv ################################################################################ # @@ -788,6 +789,19 @@ legal-info: dirs legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p mv .legal-info.sha256 legal-info.sha256) @echo "Legal info produced in $(LEGAL_INFO_DIR)" +.PHONY: cpe-info-clean +cpe-info-clean: + @rm -f $(CPE_MANIFEST_CSV) + +.PHONY: cpe-info-prepare +cpe-info-prepare: + @$(call MESSAGE,"Gathering CPE info") + @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE) + +.PHONY: cpe-info +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info) + @echo "CPE info produced in $(CPE_MANIFEST_CSV)" + .PHONY: show-targets show-targets: @echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS)) @@ -1047,6 +1061,7 @@ help: @echo ' source - download all sources needed for offline-build' @echo ' external-deps - list external packages used' @echo ' legal-info - generate info about license compliance' + @echo ' cpe-info - generate info about security CPE identification' @echo ' printvars - dump all the internal variables' @echo @echo ' make V=0|1 - 0 => quiet build (default), 1 => verbose build' diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index a2a12e7..8622787 100644 
--- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -830,6 +830,17 @@ else $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2) endif +$(1)-cpe-info: PKG=$(2) +$(1)-cpe-info: +ifneq ($$(call qstrip,$$($(2)_SOURCE)),) + @$$(call MESSAGE,"Collecting cpe info") +ifeq ($$(call qstrip,$$($(2)_CPE_ID)),) + $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) +else + $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep)) +endif +endif + # legal-info: declare dependencies and set values used later for the manifest ifneq ($$($(2)_LICENSE_FILES),) $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES) @@ -972,6 +983,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-dependency,$$($(2)_SOURCE)) $(1)-clean-for-reconfigure \ $(1)-clean-for-reinstall \ $(1)-configure \ + $(1)-cpe-info \ $(1)-depends \ $(1)-dirclean \ $(1)-external-deps \ diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk index c3acc22..11a2457 100644 --- a/package/pkg-utils.mk +++ b/package/pkg-utils.mk @@ -95,3 +95,11 @@ define legal-license-file # pkgname, pkgname-pkgver, pkgdir, filename, file-full } && \ cp $(5) $(LICENSE_FILES_DIR_$(6))/$(2)/$(4) endef + +# +# cpe-info helper functions +# + +define cpe-manifest # cpe, cve patched, pkg name, version, url + echo '"$(1)","$(2)","$(3)","$(4)","$(5)"' >>$(CPE_MANIFEST_CSV) +endef
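Review bot: in the Makefile hunk adding CPE_MANIFEST_CSV, the manifest is written straight to $(BASE_DIR)/cpe-manifest.csv while the comparable legal-info outputs are collected under LEGAL_INFO_DIR; either a dedicated directory variable or a comment next to LEGAL_REPORT explaining why this report lives in the output root would keep the two reports symmetric.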
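Review bot: in the Makefile hunk adding the cpe-info rules, the header row and the removal of the old file only happen through cpe-info-prepare and cpe-info-clean, so a standalone `make foo-cpe-info` (which the nobuild_targets change deliberately allows) appends a row to whatever cpe-manifest.csv already exists, with no header and with a duplicate row on every re-run. Either make the per-package rule depend on cpe-info-prepare, or say in the help text that %-cpe-info only appends to an existing manifest.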
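Review bot: in the pkg-generic.mk `$(1)-cpe-info` hunk, the fallback passes `"unknown"` with its own double quotes and `cpe-manifest` wraps every field in double quotes again, so the first column ends up as `""unknown""`, which a strict CSV reader rejects; pass the bare word `unknown` instead. Two smaller points on the same hunk: `$(2)_CVE_PATCHED` is not defined anywhere in this patch, so the column is silently empty unless another patch in the series introduces it (worth a sentence in the commit message), and a package with an empty `_SOURCE` is skipped rather than reported, so a consumer of the manifest cannot distinguish "no CPE applies" from "package missing from the report".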
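Review bot: in the pkg-utils.mk hunk, `cpe-manifest` builds the line with `echo '"$(1)","$(2)",...'`, so a value containing a single quote breaks the shell quoting and a value containing a double quote or comma is written unescaped; `_ACTUAL_SOURCE_SITE` and a multi-valued `_CVE_PATCHED` are free-form, so consider doubling embedded double quotes in each argument (e.g. with `$(subst ","",$(1))`) before echoing, and note in the comment that fields must not contain single quotes.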
Similar to make legal-info, produce a csv delimited file containing all selected packages' CPE identification.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 Makefile               | 17 ++++++++++++++++-
 package/pkg-generic.mk | 12 ++++++++++++
 package/pkg-utils.mk   |  8 ++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)