Message ID | 1519697441-54194-4-git-send-email-matthew.weber@rockwellcollins.com |
---|---|
State | Changes Requested |
Series | Package CVE Reporting |
Hello,

On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:

> +ifeq ($(1),linux)
> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else ifeq ($(1),linux-headers)
> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)

You can also do:

ifneq ($(filter linux linux-headers,$(1)),)
$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
else
$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
endif

But OK, it's not a big difference :)

> $(1)-cpe-info: PKG=$(2)
> $(1)-cpe-info:
> @@ -837,9 +849,9 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
> ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
> $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> else
> - $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
> -endif
> -endif
> + $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
> +endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
> +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)

These two comments after the endif's are good, but should have been
part of a previous commit, which was adding the endif's.

Thanks!

Thomas
Thomas,

On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> Hello,
>
> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>
>> +ifeq ($(1),linux)
>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>> +else ifeq ($(1),linux-headers)
>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>
> You can also do:
>
> ifneq ($(filter linux linux-headers,$(1)),)
> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> else
> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> endif
>
> But OK, it's not a big difference :)

Cleaner though if there are any others. Will update in v2.

>
>> $(1)-cpe-info: PKG=$(2)
>> $(1)-cpe-info:
>> @@ -837,9 +849,9 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>> ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
>> $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>> else
>> - $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
>> -endif
>> -endif
>> + $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
>> +endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
>> +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>
> These two comments after the endif's are good, but should have been
> part of a previous commit, which was adding the endif's.
>

Will update in v2.

Matt
On 27-02-18 03:10, Matt Weber wrote:
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 8622787..8b80de7 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -550,6 +550,10 @@ ifndef $(2)_LICENSE_FILES
> endif
> endif
>
> +CPE_PREFIX_OS = cpe:2.3:o
> +CPE_PREFIX_APP = cpe:2.3:a
> +CPE_SUFFIX = *:*:*:*:*:*:*

Since this is inside inner-generic-package, you are re-defining these
variables for every package. That's not what you want to do :-)

All (or most) of the common variables are currently defined in
package/Makefile.in. For specific infras they are defined in that
specific infra file, but not so for the generic infra. So I guess these
should also be defined in package/Makefile.in.

Regards,
Arnout
On 28-02-18 05:14, Matthew Weber wrote:
> Thomas,
>
> On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
>> Hello,
>>
>> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>>
>>> +ifeq ($(1),linux)
>>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>> +else ifeq ($(1),linux-headers)
>>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>
>> You can also do:
>>
>> ifneq ($(filter linux linux-headers,$(1)),)
>> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>> else
>> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
>> endif
>>
>> But OK, it's not a big difference :)
>
> Cleaner though if there are any others. Will update in v2.

Yeah, like, what about bootloaders?

Regards,
Arnout

[snip]
Arnout,

On Thu, Mar 1, 2018 at 2:34 PM, Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
> On 28-02-18 05:14, Matthew Weber wrote:
>> Thomas,
>>
>> On Tue, Feb 27, 2018 at 3:45 PM, Thomas Petazzoni
>> <thomas.petazzoni@bootlin.com> wrote:
>>> Hello,
>>>
>>> On Mon, 26 Feb 2018 20:10:18 -0600, Matt Weber wrote:
>>>
>>>> +ifeq ($(1),linux)
>>>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>>> +else ifeq ($(1),linux-headers)
>>>> + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>>
>>> You can also do:
>>>
>>> ifneq ($(filter linux linux-headers,$(1)),)
>>> $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
>>> else
>>> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
>>> endif
>>>
>>> But OK, it's not a big difference :)
>>
>> Cleaner though if there are any others. Will update in v2.
>
> Yeah, like, what about bootloaders?
>

Looks like uboot isn't yet defined. So that one will need to be proposed
before we'll know os or app. However grub is listed and is of app type.

Matt
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index 8622787..8b80de7 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -550,6 +550,10 @@ ifndef $(2)_LICENSE_FILES endif endif +CPE_PREFIX_OS = cpe:2.3:o +CPE_PREFIX_APP = cpe:2.3:a +CPE_SUFFIX = *:*:*:*:*:*:* + ifndef $(2)_REDISTRIBUTE ifdef $(3)_REDISTRIBUTE $(2)_REDISTRIBUTE = $$($(3)_REDISTRIBUTE) @@ -829,6 +833,14 @@ $(2)_KCONFIG_VAR = BR2_$(2) else $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2) endif +ifeq ($(1),linux) + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS) +else ifeq ($(1),linux-headers) + $(2)_CPE_PREFIX = $(CPE_PREFIX_OS) +else + $(2)_CPE_PREFIX = $(CPE_PREFIX_APP) +endif + $(1)-cpe-info: PKG=$(2) $(1)-cpe-info: @@ -837,9 +849,9 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),) ifeq ($$(call qstrip,$$($(2)_CPE_ID)),) $(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) else - $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep)) -endif -endif + $(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep)) +endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),) +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),) # legal-info: declare dependencies and set values used later for the manifest ifneq ($$($(2)_LICENSE_FILES),)
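Review bot: in the `@@ -550,6 +550,10 @@` hunk, the three CPE_* assignments sit inside inner-generic-package, so they are re-evaluated for every package, and the later references to them (`$(CPE_PREFIX_OS)`, `$(CPE_PREFIX_APP)`, `$(CPE_SUFFIX)`) use a single `$`, which $(call) expands before the $(eval) that would define them; unless they are already defined elsewhere, the first package instantiated gets an empty prefix and suffix. Move the three definitions to package/Makefile.in with the other infra-wide variables, as Arnout suggests, and add a comment that the seven wildcards in CPE_SUFFIX assume each entry of $(2)_CPE_ID is exactly vendor:product:version, since a CPE 2.3 formatted string has 13 colon-separated components (cpe, 2.3, part, and ten attribute fields).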
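Review bot: in the `@@ -829,6 +833,14 @@` hunk, the ifeq/else ifeq chain hard-codes the classification by package name and the final `else` labels everything that is not linux or linux-headers as an application, with no way for a package whose dictionary entry uses a different part, or which is not in the dictionary yet (the U-Boot case raised in the thread), to override it. Guard the default with the `ifndef $(2)_CPE_PREFIX` pattern already used for `$(2)_REDISTRIBUTE` a few lines up so a package .mk can set its own value, and collapse the two OS cases into `ifneq ($(filter linux linux-headers,$(1)),)` as Thomas suggests.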
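Review bot: in the `@@ -837,9 +849,9 @@` hunk, the two branches now emit different shapes: the `$(2)_CPE_ID` branch produces a full `prefix:id:suffix` string while the empty-ID branch still passes the bare literal "unknown", so a consumer of the manifest has to special-case that row; either wrap "unknown" in the same prefix and suffix or document the literal in the cpe-manifest helper. `$(CPE_SUFFIX)` is also the only single-`$` reference on a line that otherwise uses `$$` throughout; make it `$$(CPE_SUFFIX)` so it is resolved when the rule is evaluated rather than at $(call) time. The `# ifeq ...` / `# ifneq ...` comments on the two endifs belong in the earlier commit that introduced those endifs, as Thomas notes.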
There are two types of software cpe prefixes, one for applications and
one for operating systems. Note: There is a third type for hardware.

This patchset determines which should be used and stores that
information with the package for later use when assembling the CPE
report. There is also a suffix which we just default to wildcards at
this point.

Refs:
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/pkg-generic.mk | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
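As an added example (not part of the patch or of Buildroot), a small Python checker that assembles a CPE string the way the new cpe-info rule does (prefix chosen by package name, seven-wildcard suffix) and validates that the result is a 13-component CPE 2.3 formatted string, which is the check a reviewer would want before trusting the manifest. The package names and ids below are constructed; the linux/linux-headers mapping mirrors the patch.

```python
import re

# Same values as the patch defines in pkg-generic.mk.
CPE_PREFIX_OS = "cpe:2.3:o"
CPE_PREFIX_APP = "cpe:2.3:a"
CPE_SUFFIX = "*:*:*:*:*:*:*"
# cpe, 2.3, part, vendor, product, version, update, edition, language,
# sw_edition, target_sw, target_hw, other
CPE23_FIELDS = 13
# The two package names the patch maps to the "o" part; everything else is "a".
OS_PACKAGES = {"linux", "linux-headers"}

# CPE 2.3 allows a literal colon inside a component as "\:", so split only
# on colons that are not preceded by a backslash.
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def build_cpe(pkg_name, cpe_id):
    """Assemble prefix:id:suffix exactly as the cpe-info rule does."""
    prefix = CPE_PREFIX_OS if pkg_name in OS_PACKAGES else CPE_PREFIX_APP
    return f"{prefix}:{cpe_id}:{CPE_SUFFIX}"


def validate_cpe23(cpe):
    """Return a list of problems; an empty list means a well-formed string."""
    problems = []
    fields = _UNESCAPED_COLON.split(cpe)
    if fields[:2] != ["cpe", "2.3"]:
        problems.append("missing cpe:2.3 header")
    if len(fields) != CPE23_FIELDS:
        problems.append(f"expected {CPE23_FIELDS} components, got {len(fields)}")
    if len(fields) > 2 and fields[2] not in ("a", "o", "h"):
        problems.append(f"part must be a, o or h, got {fields[2]!r}")
    if any(f == "" for f in fields):
        problems.append("empty component (use * or - instead)")
    return problems


def check_package_ids(pkg_ids):
    """pkg_ids maps a package name to its list of _CPE_ID entries.
    Returns {assembled_cpe: problems} for every id that does not line up,
    which catches ids that are not exactly vendor:product:version."""
    bad = {}
    for pkg, ids in pkg_ids.items():
        for cpe_id in ids:
            cpe = build_cpe(pkg, cpe_id)
            problems = validate_cpe23(cpe)
            if problems:
                bad[cpe] = problems
    return bad


if __name__ == "__main__":
    # Constructed sample: one good id and one that is missing its version.
    sample = {"linux": ["vendor_a:product_a:1.2.3"], "foo": ["vendor_b:product_b"]}
    for cpe, why in check_package_ids(sample).items():
        print(cpe, "->", "; ".join(why))
    # The bare "unknown" the empty-ID branch emits is not a CPE string at all.
    print("unknown ->", "; ".join(validate_cpe23("unknown")))
```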