
[NEXT,03/26] cpe-info: id prefix/suffix

Message ID 1519697441-54194-4-git-send-email-matthew.weber@rockwellcollins.com
State Changes Requested
Series Package CVE Reporting

Commit Message

Matt Weber Feb. 27, 2018, 2:10 a.m. UTC
There are two types of software cpe prefixes, one for
applications and one for operating systems. Note: There
is a third type for hardware.

This patchset determines which should be used and stores
that information with the package for later use when
assembling the CPE report.

There is also a suffix which we just default to wildcards
at this point.

Refs:
   https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
   https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/pkg-generic.mk | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
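Worked example, added here and not part of Matt's patch or of Buildroot: a small Python script that assembles the prefix:id:suffix string the commit message describes (part `o` for linux and linux-headers, `a` for everything else, seven trailing wildcards) and then checks that the result has the 13 fields of a CPE 2.3 formatted string per NISTIR 7695. The package names, ids and the `validate_cpe23` / `build_manifest` helpers are constructed for illustration; the field-count check is the point, since an id that is not vendor:product:version yields a string no CVE matcher will accept.

```python
"""Assemble CPE 2.3 strings the way the patch does and validate their shape.

Added example, not Buildroot code. The 13-field layout follows NISTIR 7695:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:
target_sw:target_hw:other. Package names and ids are constructed.
"""

# The 13 components of a CPE 2.3 formatted string, in order (NISTIR 7695).
CPE_FIELDS = (
    "cpe", "2.3", "part", "vendor", "product", "version", "update",
    "edition", "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Mirrors the patch: the kernel and its headers are an "o"perating-system
# CPE, everything else is an "a"pplication. Hardware ("h") is unused here.
OS_PACKAGES = frozenset({"linux", "linux-headers"})

CPE_PREFIX_OS = "cpe:2.3:o"
CPE_PREFIX_APP = "cpe:2.3:a"
CPE_SUFFIX = "*:*:*:*:*:*:*"   # seven wildcard fields, as in the patch


def cpe_prefix(pkg_name: str) -> str:
    """Return the part-qualified prefix the patch's ifeq/else chain selects."""
    return CPE_PREFIX_OS if pkg_name in OS_PACKAGES else CPE_PREFIX_APP


def assemble_cpe(pkg_name: str, cpe_id: str) -> str:
    """Join prefix, package-supplied id and wildcard suffix, as the patch does.

    cpe_id plays the role of one <PKG>_CPE_ID entry; it must be exactly
    'vendor:product:version' for 3 + 3 + 7 fields to reach 13.
    """
    return f"{cpe_prefix(pkg_name)}:{cpe_id}:{CPE_SUFFIX}"


def validate_cpe23(cpe: str) -> list:
    """Return a list of problems (empty when the string is well formed).

    Only structural properties that can be checked offline are verified:
    field count, the fixed 'cpe'/'2.3' header, a legal part and no empty
    field. A naive split is used, so a backslash-escaped ':' inside a
    component (allowed by the spec) is not handled; none occur here.
    """
    problems = []
    fields = cpe.split(":")
    if len(fields) != len(CPE_FIELDS):
        problems.append(f"expected {len(CPE_FIELDS)} fields, got {len(fields)}")
        return problems
    if fields[0] != "cpe" or fields[1] != "2.3":
        problems.append("missing 'cpe:2.3' header")
    if fields[2] not in ("a", "o", "h"):
        problems.append(f"part must be a, o or h, got {fields[2]!r}")
    for name, value in zip(CPE_FIELDS[3:], fields[3:]):
        if value == "":
            problems.append(f"empty {name} field (use '*' for wildcard)")
    return problems


def build_manifest(packages) -> list:
    """Produce (package, cpe_string, problems) rows like the cpe-info rule.

    packages is an iterable of (pkg_name, [cpe_id, ...]); an empty id list
    yields the literal 'unknown' row the patch emits, flagged so a consumer
    does not mistake the sentinel for a CPE.
    """
    rows = []
    for pkg_name, cpe_ids in packages:
        if not cpe_ids:
            rows.append((pkg_name, "unknown", ["no CPE id declared"]))
            continue
        for cpe_id in cpe_ids:
            cpe = assemble_cpe(pkg_name, cpe_id)
            rows.append((pkg_name, cpe, validate_cpe23(cpe)))
    return rows


if __name__ == "__main__":
    # Constructed sample input: one OS package, one app, one malformed id,
    # one package with no id at all.
    sample = [
        ("linux", ["linux:linux_kernel:4.15"]),
        ("busybox", ["busybox:busybox:1.28.0"]),
        ("foo", ["foo:foo"]),          # vendor:product only -> 12 fields
        ("bar", []),                   # no CPE id -> 'unknown'
    ]
    for pkg, cpe, problems in build_manifest(sample):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{pkg:10} {cpe:50} {status}")
```

Run it directly to see the four rows; the `foo` row shows the failure mode the wildcard suffix cannot fix on its own, and the `bar` row is the sentinel that a manifest consumer must special-case.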

Comments

Thomas Petazzoni Feb. 27, 2018, 9:45 p.m. UTC | #1
Hello,

On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:

> +ifeq ($(1),linux)
> +	$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else ifeq ($(1),linux-headers)
> +	$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)

You can also do:

ifneq ($(filter linux linux-headers,$(1)),)
$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
else
$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
endif

But OK, it's not a big difference :)

>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
> @@ -837,9 +849,9 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
>  	$(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>  else
> -	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
> -endif
> -endif
> +	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
> +endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
> +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)

These two comments after the endif's are good, but should have been
part of a previous commit, which was adding the endif's.

Thanks!

Thomas
Matt Weber Feb. 28, 2018, 4:14 a.m. UTC | #2
Thomas,

On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> Hello,
>
> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>
>> +ifeq ($(1),linux)
>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>> +else ifeq ($(1),linux-headers)
>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>
> You can also do:
>
> ifneq ($(filter linux linux-headers,$(1)),)
> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> else
> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> endif
>
> But OK, it's not a big difference :)

Cleaner though if there are any others.  Will update in v2.

>
>>  $(1)-cpe-info: PKG=$(2)
>>  $(1)-cpe-info:
>> @@ -837,9 +849,9 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>>  ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
>>       $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>>  else
>> -     $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
>> -endif
>> -endif
>> +     $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
>> +endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
>> +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>
> These two comments after the endif's are good, but should have been
> part of a previous commit, which was adding the endif's.
>

Will update in v2.

Matt
Arnout Vandecappelle March 1, 2018, 8:32 p.m. UTC | #3
On 27-02-18 03:10, Matt Weber wrote:
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 8622787..8b80de7 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -550,6 +550,10 @@ ifndef $(2)_LICENSE_FILES
>   endif
>  endif
>  
> +CPE_PREFIX_OS = cpe:2.3:o
> +CPE_PREFIX_APP = cpe:2.3:a
> +CPE_SUFFIX = *:*:*:*:*:*:*

 Since this is inside inner-generic-package, you are re-defining these variables
for every package. That's not what you want to do :-)

 All (or most) of the common variables are currently defined in
package/Makefile.in. For specific infras they are defined in that specific infra
file, but not so for the generic infra. So I guess these should also be defined
in package/Makefile.in.

 Regards,
 Arnout
Arnout Vandecappelle March 1, 2018, 8:34 p.m. UTC | #4
On 28-02-18 05:14, Matthew Weber wrote:
> Thomas,
> 
> On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
>> Hello,
>>
>> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>>
>>> +ifeq ($(1),linux)
>>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>> +else ifeq ($(1),linux-headers)
>>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>
>> You can also do:
>>
>> ifneq ($(filter linux linux-headers,$(1)),)
>> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>> else
>> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
>> endif
>>
>> But OK, it's not a big difference :)
> 
> Cleaner though if there are any others.  Will update in v2.

 Yeah, like, what about bootloaders?

 Regards,
 Arnout

[snip]
Matt Weber March 3, 2018, 3:01 a.m. UTC | #5
Arnout,

On Thu, Mar 1, 2018 at 2:34 PM, Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
> On 28-02-18 05:14, Matthew Weber wrote:
>> Thomas,
>>
>> On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
>> <thomas.petazzoni@bootlin.com> wrote:
>>> Hello,
>>>
>>> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>>>
>>>> +ifeq ($(1),linux)
>>>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>>> +else ifeq ($(1),linux-headers)
>>>> +     $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>>
>>> You can also do:
>>>
>>> ifneq ($(filter linux linux-headers,$(1)),)
>>> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>> else
>>> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
>>> endif
>>>
>>> But OK, it's not a big difference :)
>>
>> Cleaner though if there are any others.  Will update in v2.
>
>  Yeah, like, what about bootloaders?
>

Looks like uboot isn't yet defined.  So that one will need to be
proposed before we'll know os or app.  However grub is listed and is
of app type.

Matt
Patch

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 8622787..8b80de7 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -550,6 +550,10 @@  ifndef $(2)_LICENSE_FILES
  endif
 endif
 
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
 ifndef $(2)_REDISTRIBUTE
  ifdef $(3)_REDISTRIBUTE
   $(2)_REDISTRIBUTE = $$($(3)_REDISTRIBUTE)
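Review bot: CPE_PREFIX_OS, CPE_PREFIX_APP and CPE_SUFFIX carry no $(2) in their names yet are placed inside the inner-generic-package body (between the $(2)_LICENSE_FILES and $(2)_REDISTRIBUTE blocks), so they are re-assigned on every package instantiation; move them next to the other infra-wide definitions in package/Makefile.in. Worth a comment beside them wherever they land: with `CPE_SUFFIX = *:*:*:*:*:*:*` supplying seven fields and `cpe:2.3:a` three, each $(2)_CPE_ID entry must be exactly vendor:product:version for the concatenation in the cpe-info rule to reach the 13 fields of a CPE 2.3 formatted string; a shorter id silently produces a malformed CPE that nothing downstream will match.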
@@ -829,6 +833,14 @@  $(2)_KCONFIG_VAR = BR2_$(2)
 else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
+ifeq ($(1),linux)
+	$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else ifeq ($(1),linux-headers)
+	$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+	$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
 
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
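Review bot: the `$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)` / `$(CPE_PREFIX_APP)` assignments use a single `$`, so they are expanded when $(call) expands the inner-generic-package body, before the `CPE_PREFIX_OS = cpe:2.3:o` assignment added earlier in the same body has been parsed by $(eval); for the first package instantiated they expand to nothing, and later packages only get a value because a previous eval left one behind. Defining the three variables outside the define (package/Makefile.in) fixes this; otherwise write `$$(CPE_PREFIX_OS)`. Two smaller points: the assignments are tab-indented, unlike the `$(2)_KCONFIG_VAR = ...` lines just above, and a tab-led line is recipe syntax to make, so drop the tabs; and the `ifeq ($(1),linux)` / `else ifeq ($(1),linux-headers)` chain reads better as `ifneq ($(filter linux linux-headers,$(1)),)`, which also gives one place to add bootloaders once their part type is known. The added `+` blank line sits directly before an existing blank line, leaving two empty lines in a row.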
@@ -837,9 +849,9 @@  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
 	$(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 else
-	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
-endif
-endif
+	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
+endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
+endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
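Review bot: `$(CPE_SUFFIX)` in the new cpe-manifest call is single-`$` while `$$($(2)_CPE_PREFIX)` and `$$(id)` beside it are double-`$`, so it expands at $(call) time, before the `CPE_SUFFIX = *:*:*:*:*:*:*` assignment in the same define body has been evaluated, and the first package's CPE strings end in a bare `:`; use `$$(CPE_SUFFIX)` or define the suffix outside the define. The "unknown" branch still writes a literal `unknown` where the else branch now writes a full `cpe:2.3:...` string, so a manifest consumer has to special-case one row shape; either document the sentinel or give that row the same prefix/suffix framing so every row parses as a CPE. Finally, the `# ifeq ...` / `# ifneq ...` annotations on the two endif lines belong in the earlier commit that introduced those conditionals rather than in this one.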