From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Simon Falsig <sfalsig@verity.net>
Cc: ptxdist@pengutronix.de, Simon Falsig <sfalsig@verity.ch>
Subject: Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
Date: Fri, 15 Sep 2023 12:39:10 +0200 [thread overview]
Message-ID: <ZQQ0Tj+oIFGMPsh3@pengutronix.de> (raw)
In-Reply-To: <20230915101430.54176-1-sfalsig@verity.net>
On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote:
> From: Simon Falsig <sfalsig@verity.ch>
>
> If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> extracted into the fast report for that package. If no CPE is
> specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> added.
>
> By default, the existing VERSION is used, but can be overridden with
> CPE_VERSION.
>
> Constructed CPEs are validated against the official CPE regex.
>
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and see if these apply to a specific deployment.
> ---
> rules/post/ptxd_make_world_common.make | 4 ++++
> scripts/lib/ptxd_make_world_report.sh | 29 ++++++++++++++++++++++++++
> 2 files changed, 33 insertions(+)
>
> diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
> index 08120607a..0804f0b81 100644
> --- a/rules/post/ptxd_make_world_common.make
> +++ b/rules/post/ptxd_make_world_common.make
> @@ -78,6 +78,10 @@ world/env/impl = \
> pkg_PKG="$(call ptx/escape,$(1))" \
> pkg_pkg="$(call ptx/escape,$($(1)))" \
> pkg_version="$(call ptx/escape,$($(1)_VERSION))" \
> + pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \
> + pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \
> + pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \
> + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \
> pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \
> pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \
> pkg_path="$(call ptx/escape,$($(1)_PATH))" \
> diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
> index dbdae5736..11f17b405 100644
> --- a/scripts/lib/ptxd_make_world_report.sh
> +++ b/scripts/lib/ptxd_make_world_report.sh
> @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() {
> awk "BEGIN { RS=\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<"${2}"
> fi
> }
> + do_build_cpe() {
> + prefix="${1}"
> + cpe="${2}"
> + vendor="${3}"
> + product="${4}"
> + version="${5}"
> + if [ -n "${cpe}" ]; then
> + # If a cpe is fully specified, then use that
> + :
> + elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; then
> + # Otherwise, if we have vendor, product and version, then build a CPE2.3 string from it
> + cpe="cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*:*"
> + fi
Hmmm, I think we should preserve the original data in the report. Building
the cpe string should happen in the SBOM script. So:
cpe: ....
or:
cpe-vendor: ...
cpe-product: ...
and maybe:
cpe-version: ...
> + if [ -n "$cpe" ]; then
> + # Validate the resulting CPE string
> + # Regex taken from: https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd
> + if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4}'; then
> + echo "${prefix} ${cpe}"
> + else
> + >&2 echo "Error! $cpe is not valid CPE format string"
> + return 1
> + fi
Hmmm, I'm not sure where the validation should take place. Here or the SBOM
script. I don't mind either way.
FYI, your indention is wrong. Please check the rest of the script. I know
the style is a bit strange, but lets keep things consistent.
Michael
> + fi
> + }
> do_echo "name:" "${pkg_label}"
> do_echo "rulefile:" "${pkg_makefile}"
> do_list "extra-rulefiles:" "${pkg_extra_makefiles}"
> @@ -39,6 +63,11 @@ ptxd_make_world_report_yaml() {
> do_list "rundeps:" "${pkg_run_deps}"
> do_echo "config:" "${pkg_config}"
> do_echo "version:" "${pkg_version}"
> + if [ ! -n "${pkg_cpe_version}" ]; then
> + # Default to using pkg_version for the CPE string, unless _CPE_VERSION is explicitly specified
> + pkg_cpe_version="${pkg_version}";
> + fi
> + do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_product}" "${pkg_cpe_version}"
> do_list "url:" "${pkg_url}"
> do_echo "md5:" "${pkg_md5}"
> do_echo "source:" "${pkg_src}"
> --
> 2.25.1
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2023-09-15 10:39 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-13 16:05 [ptxdist] [PATCH 1/3] " Simon Falsig
2023-09-13 16:05 ` [ptxdist] [PATCH 2/3] RFC: Add CPE for a few packages Simon Falsig
2023-09-15 10:15 ` [ptxdist] [PATCH] " Simon Falsig
2023-09-13 16:05 ` [ptxdist] [PATCH 3/3] RFC: sbom_report: Add support Simon Falsig
2023-09-18 14:33 ` [ptxdist] [PATCH] " Simon Falsig
2023-10-21 13:52 ` Bruno Thomsen
2023-11-03 7:34 ` Simon Falsig
2023-09-13 21:16 ` [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages Christian Melki
2023-09-14 6:46 ` Simon Falsig
2023-09-15 10:14 ` [ptxdist] [PATCH] " Simon Falsig
2023-09-15 10:39 ` Michael Olbrich [this message]
2023-09-18 14:29 ` Simon Falsig
2023-09-18 14:37 ` Simon Falsig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZQQ0Tj+oIFGMPsh3@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
--cc=sfalsig@verity.ch \
--cc=sfalsig@verity.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox