From: Simon Falsig
To: ptxdist@pengutronix.de
Cc: Simon Falsig
Date: Fri, 15 Sep 2023 12:14:30 +0200
Subject: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
Message-Id: <20230915101430.54176-1-sfalsig@verity.net>
In-Reply-To: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com>
References: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com>
X-Mailer: git-send-email 2.25.1
List-Id: PTXdist Development Mailing List

If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
extracted into the fast report for that package. If no CPE is specified,
or not both of CPE_VENDOR and CPE_PRODUCT, then no value is added.

By default, the existing VERSION is used, but this can be overridden with
CPE_VERSION.

Constructed CPEs are validated against the official CPE regex.

The CPE (Common Platform Enumerator) allows matching CVEs to specific
packages, and seeing if these apply to a specific deployment.
---
 rules/post/ptxd_make_world_common.make |  4 ++++
 scripts/lib/ptxd_make_world_report.sh  | 29 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
index 08120607a..0804f0b81 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -78,6 +78,10 @@ world/env/impl = \ pkg_PKG="$(call ptx/escape,$(1))" \ pkg_pkg="$(call ptx/escape,$($(1)))" \ pkg_version="$(call ptx/escape,$($(1)_VERSION))" \ + pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \ + pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \ + pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \ + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \ pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \ pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \ pkg_path="$(call ptx/escape,$($(1)_PATH))" \ diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh index dbdae5736..11f17b405 100644 --- a/scripts/lib/ptxd_make_world_report.sh +++ b/scripts/lib/ptxd_make_world_report.sh @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() { awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${2}" fi } + do_build_cpe() { + prefix="${1}" + cpe="${2}" + vendor="${3}" + product="${4}" + version="${5}" + if [ -n "${cpe}" ]; then + # If a cpe is fully specified, then use that + : + elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; then + # Otherwise, if we have vendor, product and version, then build a CPE2.3 string from it + cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*" + fi + if [ -n "$cpe" ]; then + # Validate the resulting CPE string + # Regex taken from: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd + if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}'; then + echo "${prefix} ${cpe}" + else + >&2 echo "Error! $cpe is not valid CPE format string" + return 1 + fi + fi + } do_echo "name:" "${pkg_label}" do_echo "rulefile:" "${pkg_makefile}" do_list "extra-rulefiles:" "${pkg_extra_makefiles}" 
@@ -39,6 +63,11 @@ ptxd_make_world_report_yaml() { do_list "rundeps:" "${pkg_run_deps}" do_echo "config:" "${pkg_config}" do_echo "version:" "${pkg_version}" + if [ ! -n "${pkg_cpe_version}" ]; then + # Default to using pkg_version for the CPE string, unless _CPE_VERSION is explicitly specified + pkg_cpe_version="${pkg_version}"; + fi + do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_product}" "${pkg_cpe_version}" do_list "url:" "${pkg_url}" do_echo "md5:" "${pkg_md5}" do_echo "source:" "${pkg_src}" -- 2.25.1
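Review bot: the ptxd_make_world_common.make hunk exports four new per-package variables (`pkg_cpe_vendor`, `pkg_cpe_product`, `pkg_cpe_version`, `pkg_cpe`) into world/env/impl, but nothing in the series documents `<PKG>_CPE`, `<PKG>_CPE_VENDOR`, `<PKG>_CPE_PRODUCT` or `<PKG>_CPE_VERSION` (the diffstat touches only the make rule and the report script). The precedence rule currently lives only in the shell code: a fully specified `<PKG>_CPE` wins, otherwise vendor and product are both required and `<PKG>_CPE_VERSION` defaults to `<PKG>_VERSION`. Suggest adding the variables to the package-rule documentation next to `<PKG>_VERSION`, and stating there that the generated string hard-codes the `a` (application) part, so a package whose CPE part is `o` or `h` must set `<PKG>_CPE` in full.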
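Review bot: in the `do_build_cpe` hunk of ptxd_make_world_report.sh the validation regex is not anchored, so `grep -Eq` accepts any value that merely contains a well-formed CPE: a string with leading text or extra trailing `:` fields still passes and is written into the report. The XSD pattern the comment cites is implicitly anchored; wrap the expression in `^...$` so the whole value must match. Three further points in the same hunk. First, the `'` inside the second bracket expression is quoted as `''\''`, which after shell quote removal yields `\\` rather than `'`, so an escaped apostrophe is accepted in the five vendor..update fields but rejected in the last four (the first group's `'\''` is the correct form; the `$$` is a makefile-style escape that grep does not need and can be a single `$`). Second, `${version}` is interpolated verbatim into `cpe:2.3:a:${vendor}:${product}:${version}:*:...`, while the formatted-string binding, and this regex, require characters such as `+` and `~` to be backslash-escaped, so a version like `1.2+git` (constructed example) is rejected with the error instead of reported; either escape the fields when building the string or document that `_CPE_VERSION` must already be in escaped form. Third, `prefix`, `cpe`, `vendor`, `product` and `version` are assigned without `local` and leak into the enclosing `ptxd_make_world_report_yaml` scope; declare them `local`.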
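Review bot: in the `@@ -39,6 +63,11 @@` hunk the return status of `do_build_cpe` is dropped: the call `do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_product}" "${pkg_cpe_version}"` is followed directly by `do_list "url:" "${pkg_url}"`, so when validation fails the function prints its `Error!` message to stderr and returns 1, yet the report is still emitted without a `cpe:` entry unless the surrounding function runs with errexit. Make the intended behaviour explicit: either append `|| return 1` so an invalid CPE fails the report, or downgrade the message to a warning and say so in the commit message. Style nits: `if [ ! -n "${pkg_cpe_version}" ]` reads better as `[ -z "${pkg_cpe_version}" ]`, and the assignment `pkg_cpe_version="${pkg_version}";` carries a stray trailing `;`.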