From patchwork Tue Jun 16 17:03:40 2020
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1310597
From: Matt Weber
To: buildroot@buildroot.org
Date: Tue, 16 Jun 2020 12:03:40 -0500
Message-Id: <20200616170341.45098-9-matthew.weber@rockwellcollins.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200616170341.45098-1-matthew.weber@rockwellcollins.com>
References: <20200616170341.45098-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [RFC v9 09/10] docs/manual: new security management section
Cc: Matt Weber

This changeset captures an initial discussion on the use of CPE reporting
within a target build. It notes the reporting limitations and provides
actions a user could take to improve upon the current report information.
There is also an example of how one might do CVE analysis using the CPE
report information.

Signed-off-by: Matthew Weber
---
Changes
v8
 - Updated for cpe-report changes
 - Added notes on doing CVE searches and submissions
v7
 - New
---
 docs/manual/cpe-reporting.txt | 107 ++++++++++++++++++++++++++++++++++
 docs/manual/manual.txt        |   2 +
 2 files changed, 109 insertions(+)
 create mode 100644 docs/manual/cpe-reporting.txt
diff --git a/docs/manual/cpe-reporting.txt b/docs/manual/cpe-reporting.txt new file mode 100644 index 0000000000..11da979345 --- /dev/null +++ b/docs/manual/cpe-reporting.txt
@@ -0,0 +1,107 @@ +// -*- mode:doc; -*- +// vim: set syntax=asciidoc: + +[[cpe-info]] + +== Security Vulnerability Management + +There are many different vulnerability databases (open/paid). This +section documents the use of the National Vulnerability Database(NVD) +provided by the National Institute of Standards and Technology (NIST). + +Within Buildroot, the intent is to provide good reporting of the build +configuration's inventory of software. The vulnerability analysis is +assumed to occur outside of the Buildroot environment (at this time). + +=== Common Platform Enumeration (CPE) Reporting + +Buildroot consists of a series of upstream packages. Each of those +packages may have a CPE definition used to map vulnerabilities to Common +Vulnerabilities and Exposures (CVE). A single package CPE has many versions +and each version may have a suite of CVEs associated. + +To make the gathering of the software inventory of CPE easier, Buildroot can +collect for you all the CPE related to the configured defconfig. To produce +this material, after you have configured Buildroot with +make menuconfig+, ++make xconfig+ or +make gconfig+, run: + +-------------------- +make cpe-info +-------------------- + +Buildroot then collects and writes the +$(TOPDIR)/cpe-manifest.csv+. This file +can be used for manual inspection against a CVE database or provided to +external tools which perform CVE inventory/analysis. + +*CPE Maintenance* + +To maintain these CPE strings for version changes against the NIST dictionary, +the manifest can be further processed. First, navigate to your Buildroot +directory and execute the script below. The script has some optional arguments +for providing a alternate dictionary URL or caching a processed dictionary. + +-------------------- +support/scripts/cpe-report -c $(TOPDIR)/cpe-manifest.csv +-------------------- + +This script retrieves the NIST dictionary and classifies each CPE as either +matched, requires version update or missing. 
Based on this analysis, the script +automatically uses the NIST dictionary entries to produce a draft of XML which +can be submitted to NIST to update a version of an entry in the dictionary. It +is important to review the generated xml files in the cpe folder as they may +need refined reference tags and adjustments to how the version is represented +in the title. + +In the case of missing items, a +cpe-report-missing.txt+ report is output by +the script and can be used as a starting point to manually create a xml file +to submit. Note, some manual analysis using the NIST search engine (https://nvd.nist.gov/products/cpe/search) +is suggested for these missing item as the Buildroot +CPE_ID_+ variables maybe +slightly incorrect and cause the cpe-report script to catagorize the package +as missing. If that is the case, a change can be made by adjusting the default +CPE variables in the specific package's +.mk+. See xref:_infrastructure_for_packages_with_specific_build_systems[] +discussion on the use of +LIBFOO_CPE_*+. +If the package is truely missing, the package's Kconfig help material and .mk +should provide most of the information to construct a new NIST submission. + +To submit a new entry or updated entry to NIST, create an request email to the +cpe_dictionary@nist.gov recipient and attach a individual xml file per package +being added/updated. It is OK to have multiple version updates in a single +file as long as they are all for the same package. For reference the guidance +can be found on the NIST CPE site (https://nvd.nist.gov/products/cpe). + +*Limitations* + +Buildroot does not produce or accurately present some of the CPE material. Items +such as any versions which are non-number/hash are not compliant with the CPE +string specification and would require a manual analysis to update the CPE list +before any external CVE analysis should occur. 
This is a similar situation for +packages like the Linux kernel or U-Boot which may not have a version which +directly maps to a CPE. + +There is an assumed default CPE string for each package which is auto-generated +using existing package information. The output of +make cpe-info+ is based on +this default information and the packages which have been individually tailored +to match existing CPE strings. The Buildroot developers try to do their best to +keep those declarative statements as accurate as possible, to the best of their +knowledge. However, it is very well possible that those declarative statements +are not all fully accurate nor exhaustive. Similar to legal-info, it is your +responsibility to verify this information. + +=== Common Vulnerability and Exposures (CVE) Anaylsis +The Common Vulnerabilities and Exposures (CVE) system provides a +reference-method for publicly known information-security vulnerabilities and +exposures. (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) + +Like previously stated, there are many tools and methods to perform this +analysis. The most basic example is to do a manual CVE analysis by navigating +to the NVD search engine (https://nvd.nist.gov/vuln/search) and using the CPE +string identified in the first field of the +$(TOPDIR)/cpe-manifest.csv+. +Here's an example for tcpdump. + +CPE ID: "cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*" + +Result: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Atcpdump%3Atcpdump%3A4.9.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*&search_type=all + +Beyond the manual search approach, the next step would be a more centralized +shared database with multi-feed support (NVD+). The cve-search project aims +to offer that type of solution (https://github.com/cve-search/cve-search). diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt index 48de65ee10..fcc087f6f1 100644 --- a/docs/manual/manual.txt +++ b/docs/manual/manual.txt 
@@ -46,6 +46,8 @@ include::legal-notice.txt[] include::beyond-buildroot.txt[] +include::cpe-reporting.txt[] + = Developer guide include::how-buildroot-works.txt[]
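Review bot: in the cpe-reporting.txt hunk, the heading `=== Common Vulnerability and Exposures (CVE) Anaylsis` misspells "Analysis" and, as the sentence directly under it states, the expansion is "Common Vulnerabilities and Exposures"; suggest `=== Common Vulnerabilities and Exposures (CVE) Analysis`. Other typos in the same hunk worth fixing before this leaves RFC: "Database(NVD)" (missing space), "a alternate dictionary URL", "variables maybe slightly incorrect" ("may be"), "catagorize", "these missing item", "truely", "an request email", "a individual xml file". The CPE Maintenance paragraph says cpe-report "has some optional arguments for providing a alternate dictionary URL or caching a processed dictionary" but never names them; since the reader is told to run the script from the Buildroot directory with only `-c $(TOPDIR)/cpe-manifest.csv`, naming those options would make the instructions usable. Finally, the Limitations paragraph says non-numeric/hash versions "would require a manual analysis to update the CPE list before any external CVE analysis should occur"; it would help to state whether such packages still appear in cpe-manifest.csv (so a user knows to look for them there) or are omitted from it.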
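Review bot: in the manual.txt hunk the include is placed after `include::beyond-buildroot.txt[]`, so the new "Security Vulnerability Management" chapter becomes the last chapter of the user guide, after "Beyond Buildroot"; since the new section explicitly compares itself to legal-info ("Similar to legal-info, it is your responsibility to verify this information") and the surrounding context shows `include::legal-notice.txt[]` just above, placing `include::cpe-reporting.txt[]` directly after that line would keep the inventory/compliance material together. Also, the file is named cpe-reporting.txt, its anchor is `[[cpe-info]]` and its heading is "Security Vulnerability Management"; aligning these three names (or at least anchor and heading) would make the section easier to xref from other parts of the manual.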