From: Simon Falsig
To: ptxdist@pengutronix.de
Cc: Simon Falsig
Date: Mon, 19 Feb 2024 17:56:15 +0100
Message-Id: <20240219165617.70971-1-sfalsig@verity.net>
Subject: [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages

If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
extracted into the fast report for that package. If no CPE is specified,
or not both of CPE_VENDOR and CPE_PRODUCT, then no value is added. By
default, the existing VERSION is used, but can be overridden with
CPE_VERSION. Constructed CPEs are validated against the official CPE regex.

The CPE (Common Platform Enumerator) allows matching CVEs to specific
packages, and seeing if these apply to a specific deployment.
---
 rules/post/ptxd_make_world_common.make | 4 ++++
 scripts/lib/ptxd_make_world_report.sh  | 9 +++++++++
 2 files changed, 13 insertions(+)
diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make index 4b6f691b6..189bc4ec9 100644 --- a/rules/post/ptxd_make_world_common.make +++ b/rules/post/ptxd_make_world_common.make @@ -80,6 +80,10 @@ world/env/impl = \ pkg_PKG="$(call ptx/escape,$(1))" \ pkg_pkg="$(call ptx/escape,$($(1)))" \ pkg_version="$(call ptx/escape,$($(1)_VERSION))" \ + pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \ + pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \ + pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \ + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \ pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \ pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \ pkg_cargo_lock="$(call ptx/escape,$($(1)_CARGO_LOCK))" \ diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh index 2c02e81f7..37fa2b89e 100644 --- a/scripts/lib/ptxd_make_world_report.sh +++ b/scripts/lib/ptxd_make_world_report.sh @@ -72,6 +72,15 @@ ptxd_make_world_report_yaml() { do_list "rundeps:" "${pkg_run_deps}" do_echo "config:" "${pkg_config}" do_echo "version:" "${pkg_version}" + if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then + # Default to using pkg_version for the CPE string, unless _CPE_VERSION or _CPE are explicitly + # specified. In the case of the latter, there's no need to keep track of the version separately. + pkg_cpe_version="${pkg_version}" + fi + do_echo "cpe:" "${pkg_cpe}" + do_echo "cpe_vendor:" "${pkg_cpe_vendor}" + do_echo "cpe_product:" "${pkg_cpe_product}" + do_echo "cpe_version:" "${pkg_cpe_version}" do_list "url:" "${pkg_url}" do_echo "md5:" "${pkg_md5}" do_echo "source:" "${pkg_src}" -- 2.25.1
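Review bot: The four new per-package variables passed through in world/env/impl (_CPE, _CPE_VENDOR, _CPE_PRODUCT, _CPE_VERSION) come with no documentation in this patch; the diffstat touches only the make fragment and the report script. Please document them, and state which one wins when a package sets both _CPE and the vendor/product pair, since this hunk exports all four side by side without expressing any precedence.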
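Review bot: In ptxd_make_world_report_yaml, the fallback pkg_cpe_version="${pkg_version}" runs whenever _CPE_VERSION and _CPE are both empty, without looking at pkg_cpe_vendor or pkg_cpe_product, so a package that declares no CPE information at all still has its version handed to do_echo "cpe_version:". That does not match the commit message's "no value is added"; guard the default on vendor and product both being non-empty. The test [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ] is also clearer and more portable as [ -z "${pkg_cpe_version}" ] && [ -z "${pkg_cpe}" ]. The CPE construction and regex validation the commit message mentions are not visible in this hunk, which writes the four fields out as given.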
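The precedence described in the commit message, sketched as an added example (not code from this patch or from PTXdist). The function names are hypothetical, a CPE 2.3 formatted string with part "a" is assumed, and the well-formedness check is a simplified stand-in rather than the official CPE regex.

```shell
#!/bin/sh
# Added example, not PTXdist code: resolve a package's CPE following the
# precedence in the commit message. Function names are hypothetical.

# Simplified well-formedness check for a CPE 2.3 formatted string: the
# "cpe:2.3:" prefix, part a/h/o, then ten non-empty colon-separated fields.
# Assumption: this is NOT the official regex the commit message refers to
# (no escaped characters, no language-tag rules).
cpe_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq '^cpe:2\.3:[aho](:[A-Za-z0-9._*-]+){10}$'
}

# resolve_cpe CPE VENDOR PRODUCT CPE_VERSION PKG_VERSION
# Prints the resolved CPE, or nothing when the package specifies none.
# Returns 1 when the resulting string is malformed.
resolve_cpe() {
    cpe=$1 vendor=$2 product=$3
    version=${4:-$5}            # CPE_VERSION overrides the package VERSION
    if [ -z "$cpe" ]; then
        # Vendor and product must both be set, otherwise no value is added.
        if [ -z "$vendor" ] || [ -z "$product" ]; then
            return 0
        fi
        cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*"
    fi
    cpe_is_wellformed "$cpe" || return 1
    printf '%s\n' "$cpe"
}

# Constructed sample packages: name|CPE|vendor|product|CPE_VERSION|VERSION
while IFS='|' read -r name cpe vendor product cpe_version pkg_version; do
    if out=$(resolve_cpe "$cpe" "$vendor" "$product" "$cpe_version" "$pkg_version"); then
        printf '%-10s %s\n' "$name" "${out:-<no cpe>}"
    else
        printf '%-10s %s\n' "$name" "<malformed cpe>"
    fi
done <<'EOF'
openssl||openssl|openssl||3.0.13
bash|cpe:2.3:a:gnu:bash:5.2:*:*:*:*:*:*:*||||5.2.21
mytool||acme|||1.0
broken||bad vendor|tool||1.0
EOF
```

A package with only one of vendor or product yields no CPE at all, and a value that fails the check is reported instead of being written into the report.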