mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Simon Falsig <sfalsig@verity.net>
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages
Date: Mon, 4 Mar 2024 17:18:06 +0100	[thread overview]
Message-ID: <ZeX0Ptyn0bYfPdZY@pengutronix.de> (raw)
In-Reply-To: <20240219165617.70971-1-sfalsig@verity.net>

On Mon, Feb 19, 2024 at 05:56:15PM +0100, Simon Falsig wrote:
> If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> extracted into the fast report for that package. If no CPE is
> specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> added.
> 
> By default, the existing VERSION is used, but can be overridden with
> CPE_VERSION.
> 
> Constructed CPEs are validated against the official CPE regex.
> 
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and seeing if these apply to a specific deployment.

So we need to change the plan on how to do this a bit. I've looked into
this stuff some more. Specifically what yocto is doing here. This is a bit
of a mess. Take a look at this[1]:

[...]
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
[...]

There are packages that need multiple vendor/product combinations :-/. So
the product is a list. And if an entry contains a ':' then it's
<vendor>:<product>. Otherwise '*' is used for the vendor.

And please use _CVE_PRODUCT (instead of _CPE_PRODUCT) so it's called the
same.

[1] https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl_8.6.0.bb?id=efebd6a8824769137a21674e2bfe1c059a41758a#n20

> ---
>  rules/post/ptxd_make_world_common.make | 4 ++++
>  scripts/lib/ptxd_make_world_report.sh  | 9 +++++++++
>  2 files changed, 13 insertions(+)
> 
> diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
> index 4b6f691b6..189bc4ec9 100644
> --- a/rules/post/ptxd_make_world_common.make
> +++ b/rules/post/ptxd_make_world_common.make
> @@ -80,6 +80,10 @@ world/env/impl = \
>  	pkg_PKG="$(call ptx/escape,$(1))"					\
>  	pkg_pkg="$(call ptx/escape,$($(1)))"					\
>  	pkg_version="$(call ptx/escape,$($(1)_VERSION))"			\
> +	pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))"			\
> +	pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))"		\
> +	pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))"		\
> +	pkg_cpe="$(call ptx/escape,$($(1)_CPE))"				\
>  	pkg_config="$(call ptx/escape,$($(1)_CONFIG))"				\
>  	pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))"			\
>  	pkg_cargo_lock="$(call ptx/escape,$($(1)_CARGO_LOCK))"			\
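Review bot: the four new `pkg_cpe_*` entries hard-code a single vendor/product pair per package, whereas the review above notes that one package can need several `vendor:product` combinations and asks for the `_CVE_PRODUCT` name. Consider replacing `pkg_cpe_vendor`/`pkg_cpe_product` with one list-valued entry, e.g. `pkg_cve_product="$(call ptx/escape,$($(1)_CVE_PRODUCT))"`, and stating in the rule comments that a list entry without ':' gets vendor '*'.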
> diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
> index 2c02e81f7..37fa2b89e 100644
> --- a/scripts/lib/ptxd_make_world_report.sh
> +++ b/scripts/lib/ptxd_make_world_report.sh
> @@ -72,6 +72,15 @@ ptxd_make_world_report_yaml() {
>      do_list "rundeps:" "${pkg_run_deps}"
>      do_echo "config:" "${pkg_config}"
>      do_echo "version:" "${pkg_version}"
> +    if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then
> +	# Default to using pkg_version for the CPE string, unless _CPE_VERSION or _CPE are explicitly
> +	# specified. In the case of the latter, there's no need to keep track of the version separately.
> +	pkg_cpe_version="${pkg_version}"
> +    fi

Don't do this here. This fallback should be handled in the script.

> +    do_echo "cpe:" "${pkg_cpe}"

This should be a list in case we need more than one.

> +    do_echo "cpe_vendor:" "${pkg_cpe_vendor}"

Same here as described above.

Michael

> +    do_echo "cpe_product:" "${pkg_cpe_product}"
> +    do_echo "cpe_version:" "${pkg_cpe_version}"
>      do_list "url:" "${pkg_url}"
>      do_echo "md5:" "${pkg_md5}"
>      do_echo "source:" "${pkg_src}"
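Review bot: the condition `[ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]` is harder to read than it needs to be and relies on the `-a` operator, which POSIX marks obsolescent; `[ -z "${pkg_cpe_version}" ] && [ -z "${pkg_cpe}" ]` says the same thing portably. The commit message also states that constructed CPEs are validated against the official CPE regex, but nothing in this hunk validates anything (the values are only echoed), so either the validation belongs in this patch or the message should not claim it. Finally, when only `_CPE` is set, `cpe_version:` is still emitted with an empty value, which every consumer of the report will have to special-case.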
> -- 
> 2.25.1

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
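As an added illustration (not ptxdist or yocto code) of the list convention described above, a small shell helper that turns a space-separated `CVE_PRODUCT` list into CPE 2.3 strings, treating entries with ':' as vendor:product and using '*' as the vendor otherwise; the well-formedness check is a simplified structural one, not the official CPE regex, and the function names are chosen here.

```shell
# Added example, not ptxdist code. Expand a yocto-style CVE_PRODUCT list
# into one CPE 2.3 string per line. Entries of the form <vendor>:<product>
# keep their vendor; a bare <product> gets vendor '*'.
cve_products_to_cpe() {
    # $1: space-separated product list, $2: version used for every entry
    local entry vendor product
    for entry in $1; do
        case "${entry}" in
        *:*)
            vendor="${entry%%:*}"
            product="${entry#*:}"
            ;;
        *)
            vendor='*'
            product="${entry}"
            ;;
        esac
        printf 'cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*\n' "${vendor}" "${product}" "$2"
    done
}

# Simplified structural check (assumption: stands in for the official CPE 2.3
# regex): fixed prefix, a valid part letter, no empty component, and exactly
# 13 colon-separated fields. Returns 0 when the string passes.
cpe_is_wellformed() {
    local cpe="$1" colons
    case "${cpe}" in
    cpe:2.3:[aho]:*) ;;
    *) return 1 ;;
    esac
    case "${cpe}" in
    *::*|*:) return 1 ;;
    esac
    colons=$(printf '%s' "${cpe}" | tr -cd ':' | wc -c | tr -d ' ')
    [ "${colons}" -eq 12 ]
}

# Demo on the curl list quoted from the yocto recipe above.
cve_products_to_cpe \
    "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" \
    "8.6.0"
```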


