package/arm-trusted-firmware: add ARM_TRUSTED_FIRMWARE_CPE_ID_*

Message ID 20240228145129.416828-1-christian@klarinett.li
State Rejected

Commit Message

Christian Hitz Feb. 28, 2024, 2:51 p.m. UTC
From: Christian Hitz <christian.hitz@bbv.ch>

cpe:2.3:o:arm:arm-trusted-firmware:2.4:-:*:*:*:*:*:* is a valid CPE
identifier for this package:

  https://nvd.nist.gov/products/cpe/detail/78601535-610A-45A5-A5F0-AFC6A27A7F83

Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
---
 boot/arm-trusted-firmware/arm-trusted-firmware.mk | 2 ++
 1 file changed, 2 insertions(+)

Comments

Arnout Vandecappelle March 3, 2024, 5:07 p.m. UTC | #1
On 28/02/2024 15:51, Christian Hitz via buildroot wrote:
> From: Christian Hitz <christian.hitz@bbv.ch>
> 
> cpe:2.3:o:arm:arm-trusted-firmware:2.4:-:*:*:*:*:*:* is a valid CPE
> identifier for this package:
> 
>    https://nvd.nist.gov/products/cpe/detail/78601535-610A-45A5-A5F0-AFC6A27A7F83

  This entry is from 2021, and they haven't added any entries for later versions 
(it's now at version 2.10).

  So I think this CPE entry is not relevant for any current version. If we add 
the CPE ID now, we will not notice if later they in fact name it e.g. 
trusted-firmware-arm. Note that the upstream repository is called 
trustedfirmware-a, and that there is a CPE entry for trusted_firmware-m [1] 
although that one also hasn't been updated for recent releases...

  So I don't think we should merge this.

  Regards,
  Arnout

[1] https://nvd.nist.gov/products/cpe/detail/2AF395D6-6367-4EFF-A0D0-C0CB6CA99E3E


> 
> Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
> ---
>   boot/arm-trusted-firmware/arm-trusted-firmware.mk | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> index 2d554c1da8..ebb9b8e9f6 100644
> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> @@ -24,6 +24,8 @@ ARM_TRUSTED_FIRMWARE_LICENSE = BSD-3-Clause
>   ARM_TRUSTED_FIRMWARE_LICENSE_FILES = docs/license.rst
>   endif
>   endif
> +ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR = arm
> +ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX = cpe:2.3:o
>   
>   ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE):$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT),y:y)
>   BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)

Patch

diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 2d554c1da8..ebb9b8e9f6 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -24,6 +24,8 @@  ARM_TRUSTED_FIRMWARE_LICENSE = BSD-3-Clause
 ARM_TRUSTED_FIRMWARE_LICENSE_FILES = docs/license.rst
 endif
 endif
+ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR = arm
+ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX = cpe:2.3:o
 
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE):$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL)$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT),y:y)
 BR_NO_CHECK_HASH_FOR += $(ARM_TRUSTED_FIRMWARE_SOURCE)
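
Review bot: The two added lines sit after both `endif` lines, so ARM_TRUSTED_FIRMWARE_CPE_ID_VENDOR and ARM_TRUSTED_FIRMWARE_CPE_ID_PREFIX are set unconditionally, including for the custom version, custom tarball and custom git cases that the `ifeq` just below tests for. In those cases the package version need not be an upstream release number, so the generated CPE identifier may match nothing in NVD and CVE checks against it would silently report nothing. Consider moving the two assignments inside the conditional that sets ARM_TRUSTED_FIRMWARE_LICENSE, or say in the commit message why an unconditional CPE ID is acceptable. Also leave a blank line between the closing `endif` and the new assignments so they do not read as part of the license block.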