Date: Mon, 4 Mar 2024 17:18:06 +0100
From: Michael Olbrich
To: Simon Falsig
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages
In-Reply-To: <20240219165617.70971-1-sfalsig@verity.net>

On Mon, Feb 19, 2024 at 05:56:15PM +0100, Simon Falsig wrote:
> If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
> extracted into the fast report for that package. If no CPE is
> specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
> added.
>
> By default, the existing VERSION is used, but can be overridden with
> CPE_VERSION.
>
> Constructed CPEs are validated against the official CPE regex.
>
> The CPE (Common Platform Enumerator) allows matching CVEs to specific
> packages, and see if these apply to a specific deployment.

So we need to change the plan on how to do this a bit. I've looked into
this stuff some more. Specifically what yocto is doing here. This is a
bit of a mess. Take a look at this[1]:

[...]
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
[...]

There are packages that need multiple vendor/product combinations :-/.
So the product is a list. And if an entry contains a ':' then it's
<vendor>:<product>.
Otherwise '*' is used for the vendor. And please use _CVE_PRODUCT (instead of _CPE_PRODUCT) so it's called the same. [1] https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl_8.6.0.bb?id=efebd6a8824769137a21674e2bfe1c059a41758a#n20 > --- > rules/post/ptxd_make_world_common.make | 4 ++++ > scripts/lib/ptxd_make_world_report.sh | 9 +++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make > index 4b6f691b6..189bc4ec9 100644 > --- a/rules/post/ptxd_make_world_common.make > +++ b/rules/post/ptxd_make_world_common.make > @@ -80,6 +80,10 @@ world/env/impl = \ > pkg_PKG="$(call ptx/escape,$(1))" \ > pkg_pkg="$(call ptx/escape,$($(1)))" \ > pkg_version="$(call ptx/escape,$($(1)_VERSION))" \ > + pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))" \ > + pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))" \ > + pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))" \ > + pkg_cpe="$(call ptx/escape,$($(1)_CPE))" \ > pkg_config="$(call ptx/escape,$($(1)_CONFIG))" \ > pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))" \ > pkg_cargo_lock="$(call ptx/escape,$($(1)_CARGO_LOCK))" \ > diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh > index 2c02e81f7..37fa2b89e 100644 > --- a/scripts/lib/ptxd_make_world_report.sh > +++ b/scripts/lib/ptxd_make_world_report.sh 
> @@ -72,6 +72,15 @@ ptxd_make_world_report_yaml() { > do_list "rundeps:" "${pkg_run_deps}" > do_echo "config:" "${pkg_config}" > do_echo "version:" "${pkg_version}" > + if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then > + # Default to using pkg_version for the CPE string, unless _CPE_VERSION or _CPE are explicitly > + # specified. In the case of the latter, there's no need to keep track of the version separately. > + pkg_cpe_version="${pkg_version}" > + fi don't do this here. This fallback should be handled in the script. > + do_echo "cpe:" "${pkg_cpe}" This should be a list in case we need more than one. > + do_echo "cpe_vendor:" "${pkg_cpe_vendor}" Same here as described above. Michael > + do_echo "cpe_product:" "${pkg_cpe_product}" > + do_echo "cpe_version:" "${pkg_cpe_version}" > do_list "url:" "${pkg_url}" > do_echo "md5:" "${pkg_md5}" > do_echo "source:" "${pkg_src}" > -- > 2.25.1 > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
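Review bot: the `world/env/impl` hunk exports four scalar variables (`pkg_cpe_vendor`, `pkg_cpe_product`, `pkg_cpe_version`, `pkg_cpe`), which can describe only one vendor/product pair per package, while the curl example quoted in this reply needs six such pairs. A single list variable, named `pkg_cve_product` to match the `_CVE_PRODUCT` name Yocto uses, with each entry either `vendor:product` or a bare product (vendor `*`), carries the same information and fits those packages; `pkg_version` is already in this environment block, so the version fallback can be done in the report script without a further make-side change.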
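Review bot: in the `ptxd_make_world_report_yaml` hunk, `[ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]` is hard to read and relies on the `-a` operator that POSIX marks obsolescent; `[ -z "${pkg_cpe_version}" ] && [ -z "${pkg_cpe}" ]` says the same thing portably. The commit message also states that no value is added when no CPE is specified, but the four `do_echo` calls after the `if` run unconditionally, so whether unset CPE fields stay out of the report depends on `do_echo` skipping empty values, which this hunk does not show; guarding those calls with the same emptiness test would make the stated behaviour explicit.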
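As an added example (not PTXdist code), the list handling described in this reply, written as POSIX shell in the spirit of ptxd_make_world_report.sh: each CVE_PRODUCT entry becomes a vendor/product pair (vendor `*` when there is no ':'), the version falls back to the package version unless an explicit one is given, and each resulting CPE 2.3 string gets a basic structural check (13 non-empty fields, no whitespace), which is not the official CPE regex the patch mentions. The function names and the `cpe:2.3:a:` formatted-string layout are assumptions of this example.

```shell
#!/bin/sh
# Constructed example, not PTXdist code: expand a Yocto-style CVE_PRODUCT list
# (e.g. "haxx:curl curl:libcurl libcurl") into CPE 2.3 strings, one per entry.
# An entry is "vendor:product" or just "product", in which case vendor is "*".
# The version is the package version unless an explicit CVE version is given.

# cve_products_to_cpe "<product list>" "<pkg version>" ["<cve version override>"]
# Prints cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:* for each entry.
cve_products_to_cpe() {
    products="$1"
    version="${3:-$2}"            # the override, when non-empty, wins
    [ -n "$version" ] || { echo "no version for CPE" >&2; return 1; }
    for entry in $products; do    # intentionally unquoted: split the list
        case "$entry" in
            *:*:*)                # more than one ':' cannot be vendor:product
                echo "malformed CVE_PRODUCT entry: $entry" >&2
                return 1 ;;
            *:*)  vendor="${entry%%:*}"; product="${entry#*:}" ;;
            *)    vendor="*";            product="$entry" ;;
        esac
        printf 'cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*\n' "$vendor" "$product" "$version"
    done
}

# cpe_is_wellformed "<cpe>": structural check only (prefix, 13 non-empty
# colon-separated fields, no whitespace); it is NOT the official CPE regex.
cpe_is_wellformed() {
    cpe="$1"
    case "$cpe" in
        *[[:space:]]*|*::*|*:) return 1 ;;   # whitespace or an empty field
        cpe:2.3:[aho]:*) ;;                  # application/hardware/OS part
        *) return 1 ;;
    esac
    fields=$(( $(printf '%s\n' "$cpe" | tr ':' '\n' | wc -l) ))
    [ "$fields" -eq 13 ]
}

# Expand a list and reject any resulting string that fails the check.
report_cpes() {
    cve_products_to_cpe "$@" | while IFS= read -r cpe; do
        cpe_is_wellformed "$cpe" || { echo "bad CPE: $cpe" >&2; exit 1; }
        echo "$cpe"
    done
}

# The curl list quoted in this thread, with the package version as fallback.
report_cpes "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" "8.6.0"
```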