From: Christian Melki
To: Simon Falsig
Cc: "ptxdist@pengutronix.de"
Date: Wed, 13 Sep 2023 23:16:47 +0200
Subject: Re: [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages
Message-ID: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com>
In-Reply-To: <20230913160546.71046-1-sfalsig@verity.net>

On 9/13/23 18:05, Simon Falsig wrote:
> From: Simon Falsig
>
> If a package specifies a CPE, this is extracted into the fast report for
> that package. If no CPE is specified, then no value is added.
>
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and see if these apply to a specific deployment.

Hi Simon.

I think this is a good thing going forward, but some minor nag.
My objection would be that sticking full versioned CPE strings straight
into the .make as an only-source just creates clutter.
As a full CPE override, absolutely though.

I suggest that some basic CPE modelling should be done by ptxdist, with
possibly trivial hinting or naming in the .make, with complete overrides
as a last resort. That way ptxdist could start by filling most stuff and
people could override on demand.

I'd primarily poke the vendor:product tuple.
Maybe ptxdist could do packagename:packagename as default.
If you specify the smaller override it could be something like
APPL_CPE_VENDOR and APPL_CPE_PRODUCT. Here you could use * or other
strings. Overriding any of them or both.
APPL_CPE would serve as the full override.

That could help in hiding CPE format or other usages (subject to changes)
in a lot of places. Hopefully, most packages won't require extra
information to match.

Regards,
Christian

> --- > rules/post/ptxd_make_world_common.make | 1 + > scripts/lib/ptxd_make_world_report.sh | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make > index 08120607a..6c646fb16 100644 > --- a/rules/post/ptxd_make_world_common.make > +++ b/rules/post/ptxd_make_world_common.make 
> @@ -78,6 +78,7 @@ world/env/impl = \ > pkg_PKG="$(call ptx/escape,$(1))" \ > pkg_pkg="$(call ptx/escape,$($(1)))" \ > pkg_version="$(call ptx/escape,$($(1)_VERSION))" \ > + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \ > pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \ > pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \ > pkg_path="$(call ptx/escape,$($(1)_PATH))" \ > diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh > index dbdae5736..2bfe4c201 100644 > --- a/scripts/lib/ptxd_make_world_report.sh > +++ b/scripts/lib/ptxd_make_world_report.sh > @@ -39,6 +39,7 @@ ptxd_make_world_report_yaml() { > do_list "rundeps:" "${pkg_run_deps}" > do_echo "config:" "${pkg_config}" > do_echo "version:" "${pkg_version}" > + do_echo "cpe:" "${pkg_cpe}" > do_list "url:" "${pkg_url}" > do_echo "md5:" "${pkg_md5}" > do_echo "source:" "${pkg_src}"
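
Review bot: $(1)_CPE in the world/env/impl hunk is a new per-package variable with no documentation visible in this patch. Please document the expected format (which CPE version, and whether the version component is written out by hand), since pkg_version is already exported on the line just above and a version typed into <PKG>_CPE can drift from <PKG>_VERSION on the next version bump.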
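
Review bot: do_echo "cpe:" "${pkg_cpe}" in ptxd_make_world_report_yaml() is called unconditionally, while the commit message says no value is added when no CPE is specified. How do_echo treats an empty value is not visible in this hunk, so please confirm that it skips empty values, or guard the call so that packages without a CPE do not end up with an empty cpe: key in the report.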
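
The fallback order suggested in the reply above (full override, then vendor/product hints, then packagename:packagename), written out as an added shell example; it is not ptxdist code and not part of the thread. The function and argument names are hypothetical, the package names in the usage are constructed, and only application-type ("a") CPE 2.3 strings are generated.

```shell
# Added example (not ptxdist code): resolve one package's CPE 2.3 string.
# Precedence follows the reply: full override, then vendor/product hints,
# then the packagename:packagename default. All names are hypothetical.

# Escape a derived value for a CPE 2.3 formatted-string component:
# lowercase, then backslash-quote everything except [a-z0-9._-].
cpe_escape() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9._-]/\\&/g'
}

# A full override must be "cpe:2.3:" + part + 10 further components,
# i.e. 13 fields separated by 12 unescaped colons.
cpe_is_wellformed() {
    case "$1" in cpe:2.3:[aho]:*) ;; *) return 1 ;; esac
    colons=$(printf '%s' "$1" | sed 's/\\://g' | tr -cd ':' | wc -c)
    [ "$colons" -eq 12 ]
}

# resolve_cpe NAME VERSION [FULL] [VENDOR] [PRODUCT]
resolve_cpe() {
    name=$1 version=$2 full=${3:-} vendor=${4:-} product=${5:-}
    if [ -n "$full" ]; then
        # Reject a malformed override instead of writing it to the report,
        # where it would silently never match any CVE entry.
        cpe_is_wellformed "$full" || {
            echo "invalid CPE override for $name: $full" >&2
            return 1
        }
        printf '%s\n' "$full"
        return 0
    fi
    # Hints are used verbatim so that "*" stays a wildcard.
    [ -n "$vendor" ] || vendor=$(cpe_escape "$name")
    [ -n "$product" ] || product=$(cpe_escape "$name")
    printf 'cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*\n' \
        "$vendor" "$product" "$(cpe_escape "$version")"
}
```

For example, `resolve_cpe zlib 1.3 "" "*"` keeps the wildcard vendor and fills in the product and version from the package data.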