diff mbox series

[RFC,v9,02/10] cpe-info: id prefix/suffix

Message ID 20200616170341.45098-2-matthew.weber@rockwellcollins.com
State New
Headers show
Series [RFC,v9,01/10] cpe-info: new make target | expand

Commit Message

Matthew Weber June 16, 2020, 5:03 p.m. UTC
There are two types of software CPE prefixes applicable for software,
one for applications and one for operating systems.
Note: The third type is for hardware.

This patchset determines which should be used and stores that
information with the package for later use when assembling the CPE
report.

Refs:
   https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
   https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Rebase

v4 -> v7
 - None

v3
[Arnout
 - Moved CPE prefix and suffix defines to package/Makefile.in

v1 -> v2
[Thomas P
 - Change to using a filter on pkg name value vs ifelse
---
 package/Makefile.in    | 4 ++++
 package/pkg-generic.mk | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

Comments

Yann E. MORIN June 21, 2020, 9:23 a.m. UTC | #1
On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> There are two types of software CPE prefixes applicable for software,
> one for applications and one for operating systems.
> Note: The third type is for hardware.
> 
> This patchset determines which should be used and stores that
> information with the package for later use when assembling the CPE
> report.

So this means that the CPE manifest in patch 1 is incomplete, and indeed
does not represent actual CPE information, right?

In this case, I think we should not create that manifest until we have
the full information available to generate it.

I am fine with the series introducing the CPE info bit by bit, because
it is easier to review (thanks! :-) ), but the manifest is useless if
only parts of the series is applied.

So, the series should probably be something like:

  - introduce basic CPE info from pakcage metadata
        (patch 1 without the manifest creation)

  - introduce the OS / Application prefix

  - introduce the generic suffix

  - introduce support for the minor-version

etc...

See also a comment below...

> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 1408845613..7d892ca1d6 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif

I think the CPE ID could be constructed as:

    ifneq ($(filter linux linux-headers,$(1)),)
    $(2)_CPE_ID = $(CPE_PREFIX_OS)
    else
    $(2)_CPE_ID = $(CPE_PREFIX_APP)
    endif

    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VENDOR))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_NAME))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VERSION))

    $(2)_CPE_ID += $(CPE_SUFFIX)

... and then...

>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
>  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  	@$$(call MESSAGE,"Collecting cpe info")
> -	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> +	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))

... use $(subst $(space),:,$($(2)_CPE_ID))

The CPE spec, chapter 5.3.2, bullet point 2, states:
    The underscore (x5f) MAY be used, and it SHOULD be used in place of
    whitespace characters (which SHALL NOT be used).

So we know there will be no space in any of the fields, and thus any
existing space is due to our append-assignment, so we can replace the
spaces with a colon.

Regards,
Yann E. MORIN.

>  endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  
>  # legal-info: declare dependencies and set values used later for the manifest
> -- 
> 2.17.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Matthew Weber June 22, 2020, 11:34 a.m. UTC | #2
Yann,


On Sun, Jun 21, 2020 at 4:24 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> > There are two types of software CPE prefixes applicable for software,
> > one for applications and one for operating systems.
> > Note: The third type is for hardware.
> >
> > This patchset determines which should be used and stores that
> > information with the package for later use when assembling the CPE
> > report.
>
> So this means that the CPE manifest in patch 1 is incomplete, and indeed
> does not represent actual CPE information, right?
>
> In this case, I think we should not create that manifest until we have
> the full information available to generate it.
>
> I am fine with the series introducing the CPE info bit by bit, because
> it is easier to review (thanks! :-) ), but the manifest is useless if
> only parts of the series is applied.
>
> So, the series should probably be something like:
>
>   - introduce basic CPE info from pakcage metadata
>         (patch 1 without the manifest creation)
>
>   - introduce the OS / Application prefix
>
>   - introduce the generic suffix
>
>   - introduce support for the minor-version
>

Good point on ordering

> etc...
>
> See also a comment below...
>
> > diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> > index 1408845613..7d892ca1d6 100644
> > --- a/package/pkg-generic.mk
> > +++ b/package/pkg-generic.mk
> > @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> >  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> >  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
> >
> > +ifneq ($(filter linux linux-headers,$(1)),)
> > +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> > +else
> > +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> > +endif
>
> I think the CPE ID could be constructed as:
>
>     ifneq ($(filter linux linux-headers,$(1)),)
>     $(2)_CPE_ID = $(CPE_PREFIX_OS)
>     else
>     $(2)_CPE_ID = $(CPE_PREFIX_APP)
>     endif
>
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VENDOR))
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_NAME))
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VERSION))
>
>     $(2)_CPE_ID += $(CPE_SUFFIX)
>
> ... and then...
>
> >  $(1)-cpe-info: PKG=$(2)
> >  $(1)-cpe-info:
> >  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
> >       @$$(call MESSAGE,"Collecting cpe info")
> > -     $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> > +     $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>
> ... use $(subst $(space),:,$($(2)_CPE_ID))
>
> The CPE spec, chapter 5.3.2, bullet point 2, states:
>     The underscore (x5f) MAY be used, and it SHOULD be used in place of
>     whitespace characters (which SHALL NOT be used).
>
> So we know there will be no space in any of the fields, and thus any
> existing space is due to our append-assignment, so we can replace the
> spaces with a colon.
>

Thanks, that makes sense and then we don't end up with any spaces to
have to clean up later.

Regards,
Matt
Thomas Petazzoni June 25, 2020, 11:04 a.m. UTC | #3
On Tue, 16 Jun 2020 12:03:33 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> +CPE_PREFIX_OS = cpe:2.3:o
> +CPE_PREFIX_APP = cpe:2.3:a
> +CPE_SUFFIX = *:*:*:*:*:*:*
> +
>  ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
>  NLS_OPTS = --enable-nls
>  TARGET_NLS_DEPENDENCIES = host-gettext
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 1408845613..7d892ca1d6 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif

Shouldn't the CPE_ID be directly defined with those, i.e in PATCH
01/10, and the type be overridden by the packages which are not
"application" packages, i.e:

$(2)_CPE_TYPE ?= a
$(2)_CPE_ID ?= cpe:2.3:$$($(2)_CPE_TYPE):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):*:*:*:*:*:*:*

Of course, the linux package would have to set LINUX_CPE_TYPE = o.

Best regards,

Thomas
diff mbox series

Patch

diff --git a/package/Makefile.in b/package/Makefile.in
index 51f5cbce4f..c6a21276a2 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -373,6 +373,10 @@  TARGET_CONFIGURE_ARGS = \
 
 ################################################################################
 
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
 ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
 NLS_OPTS = --enable-nls
 TARGET_NLS_DEPENDENCIES = host-gettext
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 1408845613..7d892ca1d6 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -976,11 +976,17 @@  $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
 $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
 $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
 
+ifneq ($(filter linux linux-headers,$(1)),)
+$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
-	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 
 # legal-info: declare dependencies and set values used later for the manifest