From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Fri, 15 Sep 2023 12:39:22 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1qh6EO-00G9nG-1M
	for lore@lore.pengutronix.de; Fri, 15 Sep 2023 12:39:22 +0200
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1qh6EM-0000Uq-Mv; Fri, 15 Sep 2023 12:39:22 +0200
Received: from pty.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::c5])
 by metis.whiteo.stw.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>)
 id 1qh6EB-0000TI-0P; Fri, 15 Sep 2023 12:39:11 +0200
Received: from mol by pty.whiteo.stw.pengutronix.de with local (Exim 4.94.2)
 (envelope-from <mol@pengutronix.de>)
 id 1qh6EA-003hnM-99; Fri, 15 Sep 2023 12:39:10 +0200
Date: Fri, 15 Sep 2023 12:39:10 +0200
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Simon Falsig <sfalsig@verity.net>
Message-ID: <ZQQ0Tj+oIFGMPsh3@pengutronix.de>
Mail-Followup-To: Simon Falsig <sfalsig@verity.net>, ptxdist@pengutronix.de,
 Simon Falsig <sfalsig@verity.ch>
References: <655eabee-c6c3-4a88-bbe3-c71960f2d35f@t2data.com>
 <20230915101430.54176-1-sfalsig@verity.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <20230915101430.54176-1-sfalsig@verity.net>
X-Sent-From: Pengutronix Hildesheim
X-URL: http://www.pengutronix.de/
X-Accept-Language: de,en
X-Accept-Content-Type: text/plain
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 metis.whiteo.stw.pengutronix.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=4.0 tests=AWL,BAYES_00,SPF_HELO_NONE,
 SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.2
Subject: Re: [ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: ptxdist@pengutronix.de, Simon Falsig <sfalsig@verity.ch>
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

On Fri, Sep 15, 2023 at 12:14:30PM +0200, Simon Falsig wrote:
> From: Simon Falsig <sfalsig@verity.ch>
>=20
> If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> extracted into the fast report for that package. If no CPE is
> specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> added.
>=20
> By default, the existing VERSION is used, but can be overridden with
> CPE_VERSION.
>=20
> Constructed CPEs are validated against the official CPE regex.
>=20
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and see if these apply to a specific deployment.
> ---
>  rules/post/ptxd_make_world_common.make |  4 ++++
>  scripts/lib/ptxd_make_world_report.sh  | 29 ++++++++++++++++++++++++++
>  2 files changed, 33 insertions(+)
>=20
> diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_mak=
e_world_common.make
> index 08120607a..0804f0b81 100644
> --- a/rules/post/ptxd_make_world_common.make
> +++ b/rules/post/ptxd_make_world_common.make
> @@ -78,6 +78,10 @@ world/env/impl =3D \
>  	pkg_PKG=3D"$(call ptx/escape,$(1))"					\
>  	pkg_pkg=3D"$(call ptx/escape,$($(1)))"					\
>  	pkg_version=3D"$(call ptx/escape,$($(1)_VERSION))"			\
> +	pkg_cpe_vendor=3D"$(call ptx/escape,$($(1)_CPE_VENDOR))"			\
> +	pkg_cpe_product=3D"$(call ptx/escape,$($(1)_CPE_PRODUCT))"		\
> +	pkg_cpe_version=3D"$(call ptx/escape,$($(1)_CPE_VERSION))"		\
> +	pkg_cpe=3D"$(call ptx/escape,$($(1)_CPE))"				\
>  	pkg_config=3D"$(call ptx/escape,$($(1)_CONFIG))"				\
>  	pkg_ref_config=3D"$(call ptx/escape,$($(1)_REF_CONFIG))"			\
>  	pkg_path=3D"$(call ptx/escape,$($(1)_PATH))"				\
> diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_mak=
e_world_report.sh
> index dbdae5736..11f17b405 100644
> --- a/scripts/lib/ptxd_make_world_report.sh
> +++ b/scripts/lib/ptxd_make_world_report.sh
> @@ -31,6 +31,30 @@ ptxd_make_world_report_yaml() {
>  	    awk "BEGIN { RS=3D\" \" } { if (\$1) print \"- '\" \$1 \"'\" }" <<<=
"${2}"
>  	fi
>      }
> +    do_build_cpe() {
> +        prefix=3D"${1}"
> +        cpe=3D"${2}"
> +        vendor=3D"${3}"
> +        product=3D"${4}"
> +        version=3D"${5}"
> +        if [ -n "${cpe}" ]; then
> +            # If a cpe is fully specified, then use that
> +            :
> +        elif [ -n "${vendor}" -a -n "${product}" -a -n "${version}" ]; t=
hen
> +            # Otherwise, if we have vendor, product and version, then bu=
ild a CPE2.3 string from it
> +            cpe=3D"cpe:2.3:a:${vendor}:${product}:${version}:*:*:*:*:*:*=
:*"
> +        fi

Hmmm, I think we should preserve the original data in the report. Building
the cpe string should happen in the SBOM script. So:

  cpe: ....

or:

  cpe-vendor: ...
  cpe-product: ...

and maybe:

  cpe-version: ...

> +        if [ -n "$cpe" ]; then
> +            # Validate the resulting CPE string
> +            # Regex taken from: https://csrc.nist.gov/schema/cpe/2.3/cpe=
-naming_2.3.xsd
> +            if echo "$cpe" | grep -Eq 'cpe:2\.3:[aho\*\-](:(((\?*|\*?)([=
a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\''\(\)\+,/:;<=3D>@\[\]\^`\{\|}~]))+(\?*|=
\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((=
\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&''\''\(\)\+,/:;<=3D>@\[\]\^`\{\|=
}~]))+(\?*|\*?))|[\*\-])){4}'; then
> +                echo "${prefix} ${cpe}"
> +            else
> +                >&2 echo "Error! $cpe is not valid CPE format string"
> +                return 1
> +            fi

Hmmm, I'm not sure where the validation should take place. Here or the SBOM
script. I don't mind either way.

FYI, your indention is wrong. Please check the rest of the script. I know
the style is a bit strange, but lets keep things consistent.

Michael

> +        fi
> +    }
>      do_echo "name:" "${pkg_label}"
>      do_echo "rulefile:" "${pkg_makefile}"
>      do_list "extra-rulefiles:" "${pkg_extra_makefiles}"
> @@ -39,6 +63,11 @@ ptxd_make_world_report_yaml() {
>      do_list "rundeps:" "${pkg_run_deps}"
>      do_echo "config:" "${pkg_config}"
>      do_echo "version:" "${pkg_version}"
> +    if [ ! -n "${pkg_cpe_version}" ]; then
> +    # Default to using pkg_version for the CPE string, unless _CPE_VERSI=
ON is explicitly specified
> +    pkg_cpe_version=3D"${pkg_version}";
> +    fi
> +    do_build_cpe "cpe:" "${pkg_cpe}" "${pkg_cpe_vendor}" "${pkg_cpe_prod=
uct}" "${pkg_cpe_version}"
>      do_list "url:" "${pkg_url}"
>      do_echo "md5:" "${pkg_md5}"
>      do_echo "source:" "${pkg_src}"
> --=20
> 2.25.1
>=20
>=20
>=20

--=20
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |