
[01/17] cpe-info: new make target

Message ID 20201006134250.22738-2-gregory.clement@bootlin.com
State Superseded
Series: Adding CPE ID support for CVEs

Commit Message

Gregory CLEMENT Oct. 6, 2020, 1:42 p.m. UTC
From: Matt Weber <matthew.weber@rockwellcollins.com>

Similar to make legal-info, produce a CSV-delimited file containing
all selected packages' CPE identification.

By default, support the pkg infra defining a set of CPE_ID_* defaults
using the package name for the vendor and name as most CPE IDs seem
to align with that assumption. Plus initially, use the pkg version as
the CPE ID's version field.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 Makefile               | 17 ++++++++++++++++-
 package/pkg-generic.mk | 13 +++++++++++++
 package/pkg-utils.mk   |  8 ++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

Comments

Akshay Bhat Oct. 6, 2020, 9:14 p.m. UTC | #1
On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT
<gregory.clement@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
<snip>
> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)

Overall this is a big step in the right direction :)

A future enhancement would be to support multiple CPE_ID's for the same package:
Example 1: CVE can be reported against a library or utility
https://nvd.nist.gov/vuln/detail/CVE-2019-3823
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-5482
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

See below for how Yocto handles the same:
The format they follow is a space-separated list of CPE_VENDOR:CPE_NAME for all
combinations to be checked:
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
Note: Curl is the worst case offender, because older curl CVEs used to
have a different vendor!

Here are a few examples of packages needing multiple mappings:
https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123

Other naming inconsistency examples off the top of my head:
xorg-server vs x_server
https://nvd.nist.gov/vuln/detail/CVE-2019-17624
cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
libsdl vs simple_directmedia_layer
https://nvd.nist.gov/vuln/detail/CVE-2019-13626
cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-12222
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*

While some of these should be reported to NVD and fixed, practically
the number of such CVEs is too significant to follow and fix up. It might be
easier to add tooling support to query multiple CPE_ID*'s, like how
Yocto does.
This could be a future enhancement given the proposal here is
definitely better than what currently exists in Buildroot :)

Thanks,
Akshay
Matt Weber Oct. 16, 2020, 1:07 p.m. UTC | #2
All,

On Tue, Oct 6, 2020 at 4:16 PM Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT
> <gregory.clement@bootlin.com> wrote:
> >
> > From: Matt Weber <matthew.weber@rockwellcollins.com>
> <snip>
> > +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> > +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> > +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> > +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>
> Overall this is a big step in the right direction :)
>
> A future enhancement would be to support multiple CPE_ID's for the same package:
> Example 1: CVE can be reported against a library or utility
> https://nvd.nist.gov/vuln/detail/CVE-2019-3823
> cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-5482
> cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
>
> See below for how Yocto handles the same:
> The format they follow is a space-separated list of CPE_VENDOR:CPE_NAME for all
> combinations to be checked:
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
> Note: Curl is the worst case offender, because older curl CVEs used to
> have a different vendor!

I wonder if this could be as simple as the way we build the CPE ID
variable.  Maybe for these cases we can just set the full list of CPE
vendor:name values to be checked.  Whereas by default the CPE ID is
constructed like it is today but with one item in the list.

>
> Here are a few examples of packages needing multiple mappings:
> https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123
>
> Other naming inconsistency examples off the top of my head:
> xorg-server vs x_server
> https://nvd.nist.gov/vuln/detail/CVE-2019-17624
> cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2018-14665
> cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
> libsdl vs simple_directmedia_layer
> https://nvd.nist.gov/vuln/detail/CVE-2019-13626
> cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-12222
> cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
>
> While some of these should be reported to NVD and fixed, practically
> the number of such CVEs is too significant to follow and fix up. It might be
> easier to add tooling support to query multiple CPE_ID*'s, like how
> Yocto does.
> This could be a future enhancement given the proposal here is
> definitely better than what currently exists in Buildroot :)
>

Thanks for bringing this multiple ID case up as I know I didn't
originally address it in the original CPE series Greg amends.

Regards,
Matt Weber
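The multiple-mapping case Akshay raises and the vendor:name list Matt proposes, worked through as an added example (not Buildroot code and not from this thread): it reads rows in the four-column format the patch's cpe-manifest macro writes, expands each package into the full CPE 2.3 names to query using a hypothetical EXTRA_CPE_PAIRS override table in Yocto's space-separated vendor:name style, and matches them against constructed NVD-style names whose `*` fields are wildcards.

```python
# Added example (not Buildroot code): expand manifest rows written by the
# cpe-manifest macro into full CPE 2.3 names and match them against NVD-style
# names with '*' wildcards.  EXTRA_CPE_PAIRS is a hypothetical override table
# in Yocto's space-separated vendor:name style; all data below is constructed.
import csv
import io
# Four columns, as the $(1)-cpe-info rule writes them: cpe, package, version, url.
SAMPLE_MANIFEST = (
    '"curl_project:curl:7.72.0","curl","7.72.0","https://curl.haxx.se/download"\n'
    '"x.org:xorg-server:1.20.8","xorg-server","1.20.8","https://x.org"\n'
)
# package -> extra vendor:name pairs to query besides the manifest's own.
EXTRA_CPE_PAIRS = {
    "curl": "haxx:curl haxx:libcurl",
    "xorg-server": "x.org:x_server",
}

NVD_CPES = [
    "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*",
]

def cpe23(vendor, name, version):
    """Format a full 13-field CPE 2.3 application name."""
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (vendor, name, version)

def candidates(row):
    """All CPE 2.3 strings to query for one manifest row."""
    vendor, name, version = row[0].split(":", 2)
    pairs = [(vendor, name)]
    for pair in EXTRA_CPE_PAIRS.get(row[1], "").split():
        pairs.append(tuple(pair.split(":", 1)))
    return sorted({cpe23(v, n, version) for v, n in pairs})

def cpe_match(pattern, candidate):
    """Field-wise match; '*' in the NVD pattern matches any candidate field."""
    pf, cf = pattern.split(":"), candidate.split(":")
    return len(pf) == len(cf) and all(p in ("*", c) for p, c in zip(pf, cf))

def affected_packages(manifest_text, nvd_cpes):
    """Map each manifest package to the NVD CPE names any of its candidates match."""
    hits = {}
    for row in csv.reader(io.StringIO(manifest_text)):
        for cand in candidates(row):
            for pat in nvd_cpes:
                if cpe_match(pat, cand):
                    hits.setdefault(row[1], []).append(pat)
    return hits
```

Without the override table, neither sample package would match: the manifest's default `curl_project:curl` and `x.org:xorg-server` names miss the `haxx:libcurl` and `x.org:x_server` entries the thread cites.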

Patch

diff --git a/Makefile b/Makefile
index 9648fa58d8..9b788cf937 100644
--- a/Makefile
+++ b/Makefile
@@ -141,7 +141,7 @@  nobuild_targets := source %-source \
 	clean distclean help show-targets graph-depends \
 	%-graph-depends %-show-depends %-show-version \
 	graph-build graph-size list-defconfigs \
-	savedefconfig update-defconfig printvars
+	savedefconfig update-defconfig printvars cpe-info %-cpe-info
 ifeq ($(MAKECMDGOALS),)
 BR_BUILDING = y
 else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),)
@@ -228,6 +228,7 @@  LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv
 LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv
 LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings
 LEGAL_REPORT = $(LEGAL_INFO_DIR)/README
+CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv
 
 BR2_CONFIG = $(CONFIG_DIR)/.config
 
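Review bot: CPE_MANIFEST_CSV is placed directly in $(BASE_DIR) and defined among the LEGAL_* variables, whereas the legal-info outputs it mirrors all live under $(LEGAL_INFO_DIR). Consider a dedicated output directory (or at least a CPE_INFO_DIR variable next to it) so the file is not dropped loose in the output root, and move the definition out of the legal-info block.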
@@ -873,6 +874,19 @@  legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
 		mv .legal-info.sha256 legal-info.sha256)
 	@echo "Legal info produced in $(LEGAL_INFO_DIR)"
 
+.PHONY: cpe-info-clean
+cpe-info-clean:
+	@rm -f $(CPE_MANIFEST_CSV)
+
+.PHONY: cpe-info-prepare
+cpe-info-prepare:
+	@$(call MESSAGE,"Gathering CPE info")
+	@$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
+
+.PHONY: cpe-info
+cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
+	@echo "CPE info produced in $(CPE_MANIFEST_CSV)"
+
 .PHONY: show-targets
 show-targets:
 	@echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS))
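Review bot: the header row and the data rows disagree on columns. cpe-info-prepare calls `cpe-manifest` with five arguments (CPE ID, CVE PATCHED, PACKAGE, VERSION, SOURCE SITE), but the macro in package/pkg-utils.mk only emits $(1) to $(4) and the per-package `$(1)-cpe-info` recipe passes cpe, name, version and url. The header therefore reads "CPE ID","CVE PATCHED","PACKAGE","VERSION" while every data row carries the package name under CVE PATCHED, the version under PACKAGE and the source site under VERSION, and SOURCE SITE is silently dropped. Either remove `CVE PATCHED` from the header, or add that field to both the macro and the per-package call.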
@@ -1154,6 +1168,7 @@  help:
 	@echo '  legal-info             - generate info about license compliance'
 	@echo '  show-info              - generate info about packages, as a JSON blurb'
 	@echo '  printvars              - dump internal variables selected with VARS=...'
+	@echo '  cpe-info               - generate info about security CPE identification'
 	@echo
 	@echo '  make V=0|1             - 0 => quiet build (default), 1 => verbose build'
 	@echo '  make O=dir             - Locate all output files in "dir", including .config'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 54de03da03..01df3a3a4f 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -970,6 +970,18 @@  else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
 
+$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
+$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
+$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+
+$(1)-cpe-info: PKG=$(2)
+$(1)-cpe-info:
+ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+	@$$(call MESSAGE,"Collecting cpe info")
+	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
 $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
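Review bot: the default `$(2)_CPE_ID` is the bare triple vendor:name:version, which is not a CPE 2.3 name. The identifiers quoted in the thread (`cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*`) carry the `cpe:2.3:a:` prefix and thirteen colon-separated fields, so a consumer of the manifest cannot feed the CPE ID column to NVD tooling unchanged. Consider emitting the full form, `cpe:2.3:a:$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):*:*:*:*:*:*:*`, or document in the commit message and manual that the column holds only the vendor:name:version triple. The `?=` defaults are the right shape for per-package overrides, but the `$$($(2)_NAME)_project` vendor guess and the raw `$$($(2)_VERSION)` should be called out as defaults that packages are expected to correct.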
@@ -1121,6 +1133,7 @@  DL_TOOLS_DEPENDENCIES += $$(call extractor-system-dependency,$$($(2)_SOURCE))
 	$(1)-clean-for-reconfigure \
 	$(1)-clean-for-reinstall \
 	$(1)-configure \
+	$(1)-cpe-info \
 	$(1)-depends \
 	$(1)-dirclean \
 	$(1)-external-deps \
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index 4fcb076e21..f1d085ece1 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -228,3 +228,11 @@  legal-deps = \
         $(filter-out $(if $(1:host-%=),host-%),\
             $(call non-virtual-deps,\
                 $($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)])
+
+#
+# cpe-info helper functions
+#
+
+define cpe-manifest # cpe, pkg name, version, url
+	echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV)
+endef
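Review bot: `cpe-manifest` appends with `>>` and only the top-level `cpe-info` target runs `cpe-info-clean` first, so invoking `<pkg>-cpe-info` on its own appends a row to whatever cpe-manifest.csv already exists in $(BASE_DIR) and, on a clean tree, produces a file with no header. Either have the per-package rule write the header when the file is absent, or state that `<pkg>-cpe-info` is an internal helper of `cpe-info`. The fields are also wrapped in double quotes without escaping an embedded `"`, so the name and source-site values should be passed through a small quoting helper before `echo`, as the legal-info manifest would need to.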