Message ID | 20201006134250.22738-2-gregory.clement@bootlin.com |
---|---|
State | Superseded |
Series | Adding CPE ID support for CVEs |
On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT <gregory.clement@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
<snip>
> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)

Overall this is a big step in the right direction :)

A future enhancement would be to support multiple CPE_ID's for the same package:
Example 1: CVE can be reported against a library or utility
https://nvd.nist.gov/vuln/detail/CVE-2019-3823
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-5482
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

See below for how Yocto handles the same:
The format they follow is space separated CPE_VENDOR:CPE_NAME for all combinations to be checked:
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
Note: Curl is the worst case offender, because older curl CVEs used to have a different vendor!

Here are a few examples of packages needing multiple mappings:
https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123

Other naming inconsistency examples off the top of my head:
xorg-server vs x_server
https://nvd.nist.gov/vuln/detail/CVE-2019-17624
cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
libsdl vs simple_directmedia_layer
https://nvd.nist.gov/vuln/detail/CVE-2019-13626
cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-12222
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*

While some of these should be reported to NVD and fixed, practically the number of such CVEs is significant to follow and fix up. Might be easier to add tooling support to query multiple CPE_ID*'s like how Yocto does.
This could be a future enhancement given the proposal here is definitely better than what currently exists in Buildroot :)

Thanks,
Akshay
All,

On Tue, Oct 6, 2020 at 4:16 PM Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT
> <gregory.clement@bootlin.com> wrote:
> >
> > From: Matt Weber <matthew.weber@rockwellcollins.com>
> <snip>
> > +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> > +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> > +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> > +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>
> Overall this is a big step in the right direction :)
>
> A future enhancement would be to support multiple CPE_ID's for the same package:
> Example 1: CVE can be reported against a library or utility
> https://nvd.nist.gov/vuln/detail/CVE-2019-3823
> cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-5482
> cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
>
> See below for how Yocto handles the same:
> The format they follow is space separated CPE_VENDOR:CPE_NAME for all
> combinations to be checked:
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
> Note: Curl is the worst case offender, because older curl CVEs used to
> have a different vendor!

I wonder if this could be as simple as the way we build the CPE ID variable. Maybe for these cases we can just set the full list of CPE vendor:name values to be checked. Whereas by default the CPE ID is constructed like it is today but with one item in the list.

>
> Here are a few examples of packages needing multiple mappings:
> https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123
>
> Other naming inconsistency examples off the top of my head:
> xorg-server vs x_server
> https://nvd.nist.gov/vuln/detail/CVE-2019-17624
> cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2018-14665
> cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
> libsdl vs simple_directmedia_layer
> https://nvd.nist.gov/vuln/detail/CVE-2019-13626
> cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-12222
> cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
>
> While some of these should be reported to NVD and fixed, practically
> the number of such CVEs is significant to follow and fix up. Might be
> easier to add tooling support to query multiple CPE_ID*'s like how
> Yocto does.
> This could be a future enhancement given the proposal here is
> definitely better than what currently exists in Buildroot :)

Thanks for bringing this multiple ID case up as I know I didn't originally address it in the original CPE series Greg amends.

Regards,
Matt Weber
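An added example, not code from Buildroot, Yocto or either of the posters, of the multi-id matching Akshay asks for and the vendor:name list Matt proposes. The CVE ids and CPE strings are the ones quoted in the thread; the function names, package versions and the rule that a CPE version of `*` matches any package version are assumptions of this example.

```python
# Added example (not Buildroot or Yocto code): match a package carrying several
# vendor:product pairs, Yocto style, against CVE CPE 2.3 strings. CVE ids and
# CPE strings are the ones quoted in the thread; everything else is constructed.

CVE_CPES = {
    "CVE-2019-3823": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*",
    "CVE-2019-5482": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
    "CVE-2019-17624": "cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*",
    "CVE-2018-14665": "cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*",
    "CVE-2019-13626": "cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*",
    "CVE-2019-12222": "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*",
}


def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %s" % cpe)
    return fields[2], fields[3], fields[4], fields[5]


def package_cpe_ids(name, version, cpe_vendor_names=None):
    """(vendor, product, version) ids to check for one package.

    cpe_vendor_names is a space-separated "vendor:product" list as in Yocto
    recipes; without it, use the patch's default "<name>_project:<name>".
    """
    pairs = (cpe_vendor_names or "%s_project:%s" % (name, name)).split()
    return [tuple(pair.split(":", 1)) + (version,) for pair in pairs]


def matching_cves(name, version, cpe_vendor_names=None, cve_cpes=CVE_CPES):
    """Sorted CVE ids whose CPE matches any id of the package.

    A CVE version of '*' matches any package version, otherwise versions must
    be equal; NVD's version ranges (versionStartIncluding etc.) are not modelled.
    """
    ids = package_cpe_ids(name, version, cpe_vendor_names)
    found = set()
    for cve, cpe in cve_cpes.items():
        part, vendor, product, cve_version = parse_cpe23(cpe)
        if part != "a":  # only application (a) entries are of interest here
            continue
        for pkg_vendor, pkg_product, pkg_version in ids:
            if (vendor, product) == (pkg_vendor, pkg_product) \
                    and cve_version in ("*", pkg_version):
                found.add(cve)
    return sorted(found)
```

With the patch's single default id, `matching_cves("curl", "7.72.0")` finds nothing because NVD files curl under the vendor `haxx`; the two-entry list finds both curl CVEs.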
diff --git a/Makefile b/Makefile index 9648fa58d8..9b788cf937 100644 --- a/Makefile +++ b/Makefile @@ -141,7 +141,7 @@ nobuild_targets := source %-source \ clean distclean help show-targets graph-depends \ %-graph-depends %-show-depends %-show-version \ graph-build graph-size list-defconfigs \ - savedefconfig update-defconfig printvars + savedefconfig update-defconfig printvars cpe-info %-cpe-info ifeq ($(MAKECMDGOALS),) BR_BUILDING = y else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),) @@ -228,6 +228,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings LEGAL_REPORT = $(LEGAL_INFO_DIR)/README +CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv BR2_CONFIG = $(CONFIG_DIR)/.config @@ -873,6 +874,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all mv .legal-info.sha256 legal-info.sha256) @echo "Legal info produced in $(LEGAL_INFO_DIR)" +.PHONY: cpe-info-clean +cpe-info-clean: + @rm -f $(CPE_MANIFEST_CSV) + +.PHONY: cpe-info-prepare +cpe-info-prepare: + @$(call MESSAGE,"Gathering CPE info") + @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE) + +.PHONY: cpe-info +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info) + @echo "CPE info produced in $(CPE_MANIFEST_CSV)" + .PHONY: show-targets show-targets: @echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS)) @@ -1154,6 +1168,7 @@ help: @echo ' legal-info - generate info about license compliance' @echo ' show-info - generate info about packages, as a JSON blurb' @echo ' printvars - dump internal variables selected with VARS=...' + @echo ' cpe-info - generate info about security CPE identification' @echo @echo ' make V=0|1 - 0 => quiet build (default), 1 => verbose build' @echo ' make O=dir - Locate all output files in "dir", including .config' 
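Review bot: in the Makefile hunk at @@ -873 the header row written by `cpe-info-prepare` does not line up with the data rows: it hands five labels (`CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE`) to `cpe-manifest`, while that helper in pkg-utils.mk consumes only `$(1)`..`$(4)` and every per-package row in pkg-generic.mk supplies four values (CPE id, raw name, version, source site). As written the header comes out as `"CPE ID","CVE PATCHED","PACKAGE","VERSION"`, the source-site column is mislabelled and `SOURCE SITE` is silently dropped. Either drop `CVE PATCHED` from the header until something populates that column, or add the column to the helper and to the per-package call so header and rows agree.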
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk index 54de03da03..01df3a3a4f 100644 --- a/package/pkg-generic.mk +++ b/package/pkg-generic.mk @@ -970,6 +970,18 @@ else $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2) endif +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project +$(2)_CPE_ID_NAME ?= $$($(2)_NAME) +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION) +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION) + +$(1)-cpe-info: PKG=$(2) +$(1)-cpe-info: +ifneq ($$(call qstrip,$$($(2)_SOURCE)),) + @$$(call MESSAGE,"Collecting cpe info") + $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE)) +endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),) + # legal-info: declare dependencies and set values used later for the manifest ifneq ($$($(2)_LICENSE_FILES),) $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES) @@ -1121,6 +1133,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-system-dependency,$$($(2)_SOURCE)) $(1)-clean-for-reconfigure \ $(1)-clean-for-reinstall \ $(1)-configure \ + $(1)-cpe-info \ $(1)-depends \ $(1)-dirclean \ $(1)-external-deps \ diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk index 4fcb076e21..f1d085ece1 100644 --- a/package/pkg-utils.mk +++ b/package/pkg-utils.mk @@ -228,3 +228,11 @@ legal-deps = \ $(filter-out $(if $(1:host-%=),host-%),\ $(call non-virtual-deps,\ $($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)]) + +# +# cpe-info helper functions +# + +define cpe-manifest # cpe, pkg name, version, url + echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV) +endef
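Review bot: in the pkg-generic.mk hunk at @@ -970 the defaults build the CPE vendor and product from `$(2)_NAME` while the manifest row reports `$(2)_RAWNAME`; for host packages `_NAME` keeps the `host-` prefix, so the default id becomes `host-foo_project:host-foo:<version>`, which no NVD entry will ever carry, and it no longer matches the PACKAGE column of the same row. Deriving `$(2)_CPE_ID_VENDOR` and `$(2)_CPE_ID_NAME` from `$$($(2)_RAWNAME)` keeps the two consistent. The `<name>_project` vendor default is also only a guess, as the curl/x.org/libsdl cases in the thread show, so a comment stating that packages are expected to override `_CPE_ID_VENDOR`/`_CPE_ID_NAME` would help reviewers of later package patches; the `ifneq ($$(call qstrip,$$($(2)_SOURCE)),)` guard correctly keeps virtual packages out of the manifest.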
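Review bot: in the pkg-utils.mk hunk the `cpe-manifest` helper drops each argument into a double-quoted CSV field without escaping, so a `"` in any value (the source-site URL is the most likely carrier) corrupts the row; escaping embedded quotes, or rejecting them, would make the file safe to feed to a CSV consumer. The comment `# cpe, pkg name, version, url` should also spell out that this argument order is the column order of the header written by `cpe-info-prepare`, since the two are defined in different files and nothing else ties them together.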