From: Simon Falsig <sfalsig@verity.net>
To: ptxdist@pengutronix.de
Cc: Simon Falsig <sfalsig@verity.ch>
Subject: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
Date: Fri, 15 Sep 2023 12:14:30 +0200 [thread overview]
Message-ID: <20230915101430.54176-1-sfalsig@verity.net> (raw)
In-Reply-To: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com>
From: Simon Falsig <sfalsig@verity.ch>
If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
extracted into the fast report for that package. If no CPE is
specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
added.
By default, the existing VERSION is used, but can be overridden with
CPE_VERSION.
Constructed CPEs are validated against the official CPE regex.
The CPE (Common Platform Enumeration) allows matching CVEs to specific
packages, and checking whether these apply to a specific deployment.
---
rules/post/ptxd_make_world_common.make | 4 ++++
scripts/lib/ptxd_make_world_report.sh | 29 ++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
index 08120607a..0804f0b81 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -78,6 +78,10 @@ world/env/impl = \
pkg_PKG="$(call ptx/escape,$(1))" \
pkg_pkg="$(call ptx/escape,$($(1)))" \
pkg_version="$(call ptx/escape,$($(1)_VERSION))" \
+ pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \
+ pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \
+ pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \
+ pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \
pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \
pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \
pkg_path="$(call ptx/escape,$($(1)_PATH))" \
diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
index dbdae5736..11f17b405 100644
--- a/scripts/lib/ptxd_make_world_report.sh
+++ b/scripts/lib/ptxd_make_world_report.sh
@@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() {
awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${2}"
fi
}
+ do_build_cpe() {
+ prefix="${1}"
+ cpe="${2}"
+ vendor="${3}"
+ product="${4}"
+ version="${5}"
+ if [ -n "${cpe}" ]; then
+ # If a cpe is fully specified, then use that
+ :
+ elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; then
+ # Otherwise, if we have vendor, product and version, then build a CPE2.3 string from it
+ cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*"
+ fi
+ if [ -n "$cpe" ]; then
+ # Validate the resulting CPE string
+ # Regex taken from: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd
+ if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}'; then
+ echo "${prefix} ${cpe}"
+ else
+ >&2 echo "Error! $cpe is not valid CPE format string"
+ return 1
+ fi
+ fi
+ }
do_echo "name:" "${pkg_label}"
do_echo "rulefile:" "${pkg_makefile}"
do_list "extra-rulefiles:" "${pkg_extra_makefiles}"
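Review bot: do_build_cpe assigns prefix, cpe, vendor, product and version without `local`, so they persist in the caller's scope after the call; the enclosing ptxd_make_world_report_yaml starts before this hunk, and any same-named variable there would be clobbered, so declare them with `local prefix="${1}" cpe="${2}" vendor="${3}" product="${4}" version="${5}"`. The validation regex is also not anchored, so `grep -Eq` accepts any string that merely contains a well-formed CPE (trailing text or an extra component slips through), whereas the XSD pattern it was copied from is implicitly anchored; `grep -Exq` (whole-line match) restores that. The `[ -n ... -a -n ... ]` test uses the obsolescent -a operator; `[ -n "${vendor}" ] && [ -n "${product}" ] && [ -n "${version}" ]` is the portable spelling. Feeding the value via `printf '%s\n' "${cpe}" | grep ...` instead of `echo "$cpe"` avoids echo's option handling should a value ever start with a dash.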
@@ -39,6 +63,11 @@ ptxd_make_world_report_yaml() {
do_list "rundeps:" "${pkg_run_deps}"
do_echo "config:" "${pkg_config}"
do_echo "version:" "${pkg_version}"
+ if [ ! -n "${pkg_cpe_version}" ]; then
+ # Default to using pkg_version for the CPE string, unless _CPE_VERSION is explicitly specified
+ pkg_cpe_version="${pkg_version}";
+ fi
+ do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_product}" "${pkg_cpe_version}"
do_list "url:" "${pkg_url}"
do_echo "md5:" "${pkg_md5}"
do_echo "source:" "${pkg_src}"
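Review bot: `if [ ! -n "${pkg_cpe_version}" ]` is the double-negative spelling of `if [ -z "${pkg_cpe_version}" ]`, and the assignment on the following line carries a stray trailing `;`. The exit status of do_build_cpe is discarded at the call on the last added line, so an invalid CPE only prints the error and the report is still emitted without a cpe entry; I cannot see whether the enclosing function, which starts before this hunk, runs under set -e or has its status checked by its caller. If the intent is for a malformed CPE to fail the report, `do_build_cpe "cpe:" ... || return 1` makes that explicit.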
--
2.25.1