From: Simon Falsig
To: Alexander Dahl
Date: Fri, 8 Sep 2023 09:05:26 +0000
References: <20230907-jockstrap-dreamily-124aa43b7c7e@ifak-system.com>
In-Reply-To: <20230907-jockstrap-dreamily-124aa43b7c7e@ifak-system.com>
Subject: Re: [ptxdist] SBOM support
Cc: Jiří Vaněk, ptxdist@pengutronix.de
List-Id: PTXdist Development Mailing List

Hi Alex,

Thanks for your reply! I've never used Buildroot, so it's really good with some hints as to how others solve this.

>> My suggestion would be to add a _CPE variable to each package (built from
>> whatever other variables make sense, typically _VERSION). I managed to add this
>> for the fast report (extracting it to pkg_cpe in rules/post/ptxd_make_world_common.make,
>> and adding it to the report in scripts/lib/ptxd_make_world_report.sh), but I
>> wouldn't be surprised if there are other places/reports that need to track this
>> also for consistency?
>> Packages that specify _CPE would then have this included in their report, and
>> there'd be no change for the packages that don't specify it.
>
> As far as I know buildroot [1] already has support for this. They construct this from
> defaults and override it with several different variables if defaults are not sufficient
> for a particular project:
>
> _CPE_ID_VENDOR
> _CPE_ID_VERSION
> _CPE_ID_UPDATE
> _CPE_ID_PRODUCT
>
> And maybe more? Some quirks handling like this is probably necessary in ptxdist, too?
>
> Greets
> Alex

I see - Buildroot essentially automatically creates the CPE based on existing data in the package, and that can then be overridden if needed.

I guess the benefit is that this in many cases works directly out of the box without any further configuration - but with the risk that a wrong CPE is generated. (From what I can see, ptxdist doesn't really provide any variable that can be extracted for the VENDOR field though?)

Explicitly specifying the CPE in each package would lower the risk of getting wrong CPEs, as you'd instead just not get a CPE for packages that don't specify it.

Personally, I'd probably lean towards the latter (rather no CVE than a wrong one) for our use case, but would be open to other ways if that can mean getting this upstreamed?

Thanks again!
Simon
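The two approaches discussed in this thread (Buildroot-style defaults with per-package overrides, and emitting no CPE rather than a wrong one when the package gives no vendor) can be combined in a small shell helper of the kind a report script might call. The following is an added example and is not code from ptxdist, Buildroot or this thread; the function names cpe_escape and make_cpe, the positional argument layout and the sample package list are assumptions made for illustration. The escaping follows the CPE 2.3 formatted-string binding, where a value's characters other than letters, digits, '_', '.' and '-' are backslash-escaped, and values are lower-cased as the NVD dictionary does.

```shell
#!/bin/sh
# Added example, not ptxdist or Buildroot code. Builds a CPE 2.3 formatted
# string for a package from make-style package variables, "defaults plus
# overrides" style: product defaults to the package name, update to the
# ANY wildcard, and the vendor must be given explicitly because nothing
# in the package metadata can supply it. Every name here is illustrative.

# cpe_escape VALUE
# Lower-case VALUE and backslash-escape every character that a CPE 2.3
# formatted string does not allow unescaped (everything except letters,
# digits, '_', '.' and '-'). "libstdc++" becomes "libstdc\+\+", and a
# stray ':' inside a version cannot split the CPE into extra fields.
cpe_escape() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/[^a-z0-9_.-]/\\&/g'
}

# make_cpe PKG VERSION [VENDOR] [PRODUCT] [UPDATE]
# Prints the CPE on stdout and returns 0, or prints nothing and returns 1
# when no vendor is known: no CPE rather than a wrong CPE.
make_cpe() {
    pkg=$1 version=$2 vendor=$3 product=$4 update=$5
    [ -n "$vendor" ] || return 1
    [ -n "$product" ] || product=$pkg
    if [ -n "$update" ]; then
        update=$(cpe_escape "$update")
    else
        update='*'          # ANY, kept unescaped on purpose
    fi
    # Field order: part vendor product version update edition language
    # sw_edition target_sw target_hw other; part is always 'a' here.
    printf 'cpe:2.3:a:%s:%s:%s:%s:*:*:*:*:*:*\n' \
        "$(cpe_escape "$vendor")" "$(cpe_escape "$product")" \
        "$(cpe_escape "$version")" "$update"
}

# Constructed sample package list (name version vendor), standing in for
# what a report stage would see. The last entry has no vendor and so
# gets no CPE line.
while read -r name version vendor; do
    if cpe=$(make_cpe "$name" "$version" "$vendor"); then
        printf '%s: %s\n' "$name" "$cpe"
    else
        printf '%s: no CPE (vendor not specified)\n' "$name"
    fi
done <<'EOF'
openssl 3.0.10 openssl
libstdc++ 13.2 gnu
mypkg 1.0
EOF
```

The escaping step matters for the report consumer as much as for correctness: a version or product string containing ':' or '*' would otherwise change the number of fields or turn a literal into a wildcard, so a scanner matching the CPE against CVE data could silently match the wrong products.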