From: Simon Falsig
To: ptxdist@pengutronix.de
Date: Mon, 18 Sep 2023 14:37:48 +0000
References: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com> <20230915101430.54176-1-sfalsig@verity.net>
Subject: Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
List-Id: PTXdist Development Mailing List

Hi Michael,

> From: ptxdist On Behalf Of Michael Olbrich
> Sent: Friday, September 15, 2023 12:39
>
> On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote:
> > From: Simon Falsig > > > > If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is > > extracted into the fast report for that package. If no CPE is > > specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is > > added. > > > > By default, the existing VERSION is used, but can be overridden with > > CPE_VERSION. > > > > Constructed CPEs are validated against the official CPE regex. > > > > The CPE (Common Platform Enumerator) allows matching CVEs to specific > > packages, and see if these apply to a specific deployment. > > --- > > rules/post/ptxd_make_world_common.make | 4 ++++ > > scripts/lib/ptxd_make_world_report.sh | 29 ++++++++++++++++++++++++++ > > 2 files changed, 33 insertions(+) > > > > diff --git a/rules/post/ptxd_make_world_common.make > > b/rules/post/ptxd_make_world_common.make > > index 08120607a..0804f0b81 100644 > > --- a/rules/post/ptxd_make_world_common.make > > +++ b/rules/post/ptxd_make_world_common.make > > @@ -78,6 +78,10 @@ world/env/impl =3D \ > > pkg_PKG=3D"$(call ptx/escape,$(1))" = \ > > pkg_pkg=3D"$(call ptx/escape,$($(1)))" = \ > > pkg_version=3D"$(call ptx/escape,$($(1)_VERSION))" = \ > > + pkg_cpe_vendor=3D"$(call ptx/escape,$($(1)_CPE_VENDOR))" > \ > > + pkg_cpe_product=3D"$(call ptx/escape,$($(1)_CPE_PRODUCT))" = \ > > + pkg_cpe_version=3D"$(call ptx/escape,$($(1)_CPE_VERSION))" = \ > > + pkg_cpe=3D"$(call ptx/escape,$($(1)_CPE))" = \ > > pkg_config=3D"$(call ptx/escape,$($(1)_CONFIG))" = \ > > pkg_ref_config=3D"$(call ptx/escape,$($(1)_REF_CONFIG))" > \ > > pkg_path=3D"$(call ptx/escape,$($(1)_PATH))" = \ > > diff --git a/scripts/lib/ptxd_make_world_report.sh > > b/scripts/lib/ptxd_make_world_report.sh > > index dbdae5736..11f17b405 100644 > > --- a/scripts/lib/ptxd_make_world_report.sh > > +++ b/scripts/lib/ptxd_make_world_report.sh 
> > @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() { > > awk "BEGIN { RS=3D\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" > <<<"${2}" > > fi > > } > > + do_build_cpe() { > > + prefix=3D"${1}" > > + cpe=3D"${2}" > > + vendor=3D"${3}" > > + product=3D"${4}" > > + version=3D"${5}" > > + if [ -n "${cpe}" ]; then > > + # If a cpe is fully specified, then use that > > + : > > + elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; > then > > + # Otherwise, if we have vendor, product and version, then > build a CPE2.3 string from it > > + > cpe=3D"cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*" > > + fi > > Hmmm, I think we should preserve the original data in the report. Buildin= g > the cpe string should happen in the SBOM script. So: > > cpe: .... > > or: > > cpe-vendor: ... > cpe-product: ... > > and maybe: > > cpe-version: ... > Makes sense - changed. > > + if [ -n "$cpe" ]; then > > + # Validate the resulting CPE string > > + # Regex taken from: > https://csrc.nis/ > t.gov%2Fschema%2Fcpe%2F2.3%2Fcpe- > naming_2.3.xsd&data=3D05%7C01%7Csfalsig%40verity.net%7Cc9dea8f344e64c0f2a= 570 > 8dbb5daf98c%7C06487c727d884632bf56071603defa0a%7C1%7C0%7C6383037243149952= 8 > 3%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1= h > aWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3DRQxWOHS3iGwu%2BUXaR%2Bc1FZRzo4= rHk > XX8U4fjSmWtalQ%3D&reserved=3D0 > > + if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\- > ](:(((\?*|\*?)([a-zA-Z0-9\- > \._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=3D>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*= \- > ])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\- > ]))(:(((\?*|\*?)([a-zA-Z0-9\- > \._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=3D>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\= *\- > ])){4}'; then > > + echo "${prefix} ${cpe}" > > + else > > + >&2 echo "Error! $cpe is not valid CPE format string" > > + return 1 > > + fi > > Hmmm, I'm not sure where the validation should take place. Here or the > SBOM script. I don't mind either way. 
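Review bot: in the world/env/impl hunk, pkg_cpe_version is exported as the raw $($(1)_CPE_VERSION), and nothing in that file or in the quoted part of ptxd_make_world_report.sh (where version is just the positional ${5}) implements the "existing VERSION is used by default" fallback the commit message promises; the call site that would resolve it is not quoted in this reply. Either resolve it at the export, for example with GNU make's $(or ...) as pkg_cpe_version="$(call ptx/escape,$(or $($(1)_CPE_VERSION),$($(1)_VERSION)))", or add a comment next to the new lines saying where the fallback lives, so a reader of this file does not conclude that an unset CPE_VERSION means no version is reported.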
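Review bot: the validation regex in do_build_cpe is not a valid POSIX extended regular expression, so grep -E will not check what the XSD pattern checks. Inside an ERE bracket expression a backslash is literal and an unescaped ] ends the set, so the escaped-character class `[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^...]` terminates at the `\]`, and the rest of the pattern (including the `\|`, which then acts as an alternation) is parsed quite differently from the intent; `\-` and `\.` inside brackets are likewise literal backslashes, and newer grep versions warn about them. The pattern needs to be rewritten in POSIX bracket syntax (] first, - last, no backslash escapes inside the set) and, since it is meant to accept the whole string, anchored with ^ and $; as written, grep -Eq also accepts a value that merely contains a well-formed CPE followed by trailing text. Please exercise it with a known-good and a known-bad CPE before merging. Two smaller points in the same hunk: prefix, cpe, vendor, product and version are assigned without local, so they clobber any same-named variables in ptxd_make_world_report_yaml or its callers and remain set after the function returns; and `[ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]` uses the obsolescent -a operator, which is clearer and more portable as `[ -n "${vendor}" ] && [ -n "${product}" ] && [ -n "${version}" ]` (which would also let the empty `then :` branch be folded into a single `if [ -z "${cpe}" ] && ...`).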
>
I've switched to doing the validation in the SBOM script. Matches better with having the original cpe_... values in the individual reports, then building and validating the complete CPE when doing the full report.

> FYI, your indentation is wrong. Please check the rest of the script. I know
> the style is a bit strange, but let's keep things consistent.

Argh, sorry. I've tried fixing things up now - hope it's good!

>
> Michael

Thanks for the input!
- Simon
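The build-then-validate flow discussed in this thread, as an added illustration that is not PTXdist code and not the patch under review: a small POSIX shell script that escapes attribute values, assembles a CPE 2.3 formatted string from vendor, product and version, and validates the result with the cpe-naming_2.3.xsd pattern rewritten as an anchored POSIX ERE (the XSD's backslash escapes inside bracket expressions do not work in ERE, so the classes are reordered instead). It assumes a shell with `local` (dash, bash, busybox ash) and `grep -E`; the package names and versions are constructed sample values.

```shell
#!/bin/sh
# Added example, not PTXdist code: build a CPE 2.3 formatted string from
# vendor/product/version and validate it before it goes into an SBOM.
# Assumptions: POSIX sh with 'local' (dash, bash, busybox ash), grep -E, sed.

# CPE 2.3 naming pattern from NIST's cpe-naming_2.3.xsd, rewritten as a POSIX
# ERE: inside an ERE bracket expression a backslash is literal and ']' closes
# the set, so the XSD-style "\[\]\-" escapes are replaced by POSIX ordering
# (']' first, '-' last) and the escaped-backslash case gets its own alternative.
# Anchored with ^ and $ on purpose: unanchored, grep -E would accept any string
# that merely contains a valid CPE somewhere inside it.
CPE23_ERE='^cpe:2\.3:[aho*-](:(((\?*|\*?)([a-zA-Z0-9._-]|\\\\|\\[]*?!"#$%&'\''()+,/:;<=>[@^`{|}~])+(\?*|\*?))|[*-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*-]))(:(((\?*|\*?)([a-zA-Z0-9._-]|\\\\|\\[]*?!"#$%&'\''()+,/:;<=>[@^`{|}~])+(\?*|\*?))|[*-])){4}$'

# A literal newline, used to reject multi-line values below.
NL='
'

# Quote an attribute value for a formatted string: every character other than
# a letter, digit, '.', '_' or '-' gets a backslash ('+' -> '\+', '\' -> '\\').
cpe_escape() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9._-]/\\&/g'
}

# Build "cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:*".
# Returns 1 with no output when any of the three inputs is empty, mirroring
# the "no value is added" rule from the patch description.
cpe_build() {
    local vendor="$1" product="$2" version="$3"
    if [ -z "$vendor" ] || [ -z "$product" ] || [ -z "$version" ]; then
        return 1
    fi
    printf 'cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*\n' \
        "$(cpe_escape "$vendor")" "$(cpe_escape "$product")" "$(cpe_escape "$version")"
}

# Exit 0 only if the whole single-line string matches the pattern. grep is
# line oriented, so a value with an embedded newline is rejected up front;
# otherwise one valid line inside a multi-line value would be enough to pass.
cpe_validate() {
    case "$1" in
        *"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq "$CPE23_ERE"
}

# Build, then validate; print the CPE on success, an error on stderr otherwise.
cpe_for_package() {
    local cpe
    cpe="$(cpe_build "$1" "$2" "$3")" || return 1
    if ! cpe_validate "$cpe"; then
        printf 'Error! %s is not a valid CPE 2.3 formatted string\n' "$cpe" >&2
        return 1
    fi
    printf '%s\n' "$cpe"
}

# Constructed sample values (not taken from any real package list).
cpe_for_package openssl openssl 3.1.2   # cpe:2.3:a:openssl:openssl:3.1.2:*:*:*:*:*:*:*
cpe_for_package gnu 'c++' 1.0           # '+' is escaped: cpe:2.3:a:gnu:c\+\+:1.0:*:*:*:*:*:*:*
cpe_for_package gnu 'c++ lib' 1.0 \
    || echo 'rejected: a space cannot appear in a formatted string'
cpe_validate 'cpe:2.3:a:openssl:openssl:3.1.2:*:*:*:*:*:*:* trailing' \
    || echo 'rejected: anchored match, trailing text is not ignored'
```

Keeping the raw cpe_vendor/cpe_product/cpe_version values in the per-package report and running cpe_for_package only when the full SBOM is assembled, as agreed in the thread, means a bad value is caught once, at the point where the complete string exists, rather than being silently emitted.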