Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Simon Falsig <sfalsig@verity.net>
Cc: ptxdist@pengutronix.de, Simon Falsig <sfalsig@verity.ch>
Subject: Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
Date: Fri, 15 Sep 2023 12:39:10 +0200	[thread overview]
Message-ID: <ZQQ0Tj+oIFGMPsh3@pengutronix.de> (raw)
In-Reply-To: <20230915101430.54176-1-sfalsig@verity.net>

On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote:
> From: Simon Falsig <sfalsig@verity.ch>
> 
> If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> extracted into the fast report for that package. If no CPE is
> specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> added.
> 
> By default, the existing VERSION is used, but can be overridden with
> CPE_VERSION.
> 
> Constructed CPEs are validated against the official CPE regex.
> 
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and see if these apply to a specific deployment.
> ---
>  rules/post/ptxd_make_world_common.make |  4 ++++
>  scripts/lib/ptxd_make_world_report.sh  | 29 ++++++++++++++++++++++++++
>  2 files changed, 33 insertions(+)
> 
> diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
> index 08120607a..0804f0b81 100644
> --- a/rules/post/ptxd_make_world_common.make
> +++ b/rules/post/ptxd_make_world_common.make
> @@ -78,6 +78,10 @@ world/env/impl = \
>  	pkg_PKG="$(call ptx/escape,$(1))"					\
>  	pkg_pkg="$(call ptx/escape,$($(1)))"					\
>  	pkg_version="$(call ptx/escape,$($(1)_VERSION))"			\
> +	pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))"			\
> +	pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))"		\
> +	pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))"		\
> +	pkg_cpe="$(call ptx/escape,$($(1)_CPE))"				\
>  	pkg_config="$(call ptx/escape,$($(1)_CONFIG))"				\
>  	pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))"			\
>  	pkg_path="$(call ptx/escape,$($(1)_PATH))"				\
> diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
> index dbdae5736..11f17b405 100644
> --- a/scripts/lib/ptxd_make_world_report.sh
> +++ b/scripts/lib/ptxd_make_world_report.sh
> @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() {
>  	    awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${2}"
>  	fi
>      }
> +    do_build_cpe() {
> +        prefix="${1}"
> +        cpe="${2}"
> +        vendor="${3}"
> +        product="${4}"
> +        version="${5}"
> +        if [ -n "${cpe}" ]; then
> +            # If a cpe is fully specified, then use that
> +            :
> +        elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; then
> +            # Otherwise, if we have vendor, product and version, then build a CPE2.3 string from it
> +            cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*"
> +        fi

Hmmm, I think we should preserve the original data in the report. Building
the cpe string should happen in the SBOM script. So:

  cpe: ....

or:

  cpe-vendor: ...
  cpe-product: ...

and maybe:

  cpe-version: ...

> +        if [ -n "$cpe" ]; then
> +            # Validate the resulting CPE string
> +            # Regex taken from: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd
> +            if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}'; then
> +                echo "${prefix} ${cpe}"
> +            else
> +                >&2 echo "Error! $cpe is not valid CPE format string"
> +                return 1
> +            fi

Hmmm, I'm not sure where the validation should take place. Here or the SBOM
script. I don't mind either way.

FYI, your indention is wrong. Please check the rest of the script. I know
the style is a bit strange, but lets keep things consistent.

Michael

> +        fi
> +    }
>      do_echo "name:" "${pkg_label}"
>      do_echo "rulefile:" "${pkg_makefile}"
>      do_list "extra-rulefiles:" "${pkg_extra_makefiles}"
> @@ -39,6 +63,11 @@ ptxd_make_world_report_yaml() {
>      do_list "rundeps:" "${pkg_run_deps}"
>      do_echo "config:" "${pkg_config}"
>      do_echo "version:" "${pkg_version}"
> +    if [ ! -n "${pkg_cpe_version}" ]; then
> +    # Default to using pkg_version for the CPE string, unless _CPE_VERSION is explicitly specified
> +    pkg_cpe_version="${pkg_version}";
> +    fi
> +    do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_product}" "${pkg_cpe_version}"
>      do_list "url:" "${pkg_url}"
>      do_echo "md5:" "${pkg_md5}"
>      do_echo "source:" "${pkg_src}"
> -- 
> 2.25.1
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

next prev parent reply	other threads:[~2023-09-15 10:39 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-13 16:05 [ptxdist] [PATCH 1/3] " Simon Falsig
2023-09-13 16:05 ` [ptxdist] [PATCH 2/3] RFC: Add CPE for a few packages Simon Falsig
2023-09-15 10:15   ` [ptxdist] [PATCH] " Simon Falsig
2023-09-13 16:05 ` [ptxdist] [PATCH 3/3] RFC: sbom_report: Add support Simon Falsig
2023-09-18 14:33   ` [ptxdist] [PATCH] " Simon Falsig
2023-10-21 13:52     ` Bruno Thomsen
2023-11-03  7:34       ` Simon Falsig
2023-09-13 21:16 ` [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages Christian Melki
2023-09-14  6:46   ` Simon Falsig
2023-09-15 10:14   ` [ptxdist] [PATCH] " Simon Falsig
2023-09-15 10:39     ` Michael Olbrich [this message]
2023-09-18 14:29       ` Simon Falsig
2023-09-18 14:37       ` Simon Falsig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZQQ0Tj+oIFGMPsh3@pengutronix.de \
    --to=m.olbrich@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    --cc=sfalsig@verity.ch \
    --cc=sfalsig@verity.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox