From: Matt Weber
To: buildroot@buildroot.org
Date: Fri, 8 Mar 2019 16:04:18 -0600
Message-Id: <1552082667-46877-1-git-send-email-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH v8 0/9] Package CPE Reporting

This series adds new infrastructure to report a target's set of package CPE
identifiers in a similar way to that of the legal info reporting.

The addition of CPE IDs to packages can be a manual process but there is a
default value which hopefully will match the string. A cpe-report tool is
provided to help manage the accuracy of the CPE strings.

Some existing fix-ups for the CPE strings can be found in the following
commit that eventually needs to be split up and applied.
https://github.com/rc-matthew-l-weber/buildroot/commit/8ce8d4740b95672d8390799b611a35ea18a543e0

Changes from v7
 - The pkg-stats CPE status update has been dropped as it seemed like a
   better feature to be integrated at the release-monitoring.org level. Or
   could be reopened with a new direction as part of GSoC.
   (http://patchwork.ozlabs.org/patch/985550/)
 - cpe-report script has been overhauled to provide preformatted xml for
   version updates to help accelerate sending those to NIST
 - A new security management section was added to the manual with details
   on CPE upkeep and manual CVE analysis tools.

Matt Weber (8):
  cpe-info: new make target
  cpe-info: id prefix/suffix
  cpe-info: only report target pkgs
  cpe-info: cpe minor version support
  cpe-info: update manual for new pkg vars
  support/scripts/cpedb.py: new CPE XML helper
  support/scripts/cpe-report: new script
  docs/manual: new security management section

Shruthi Singh (1):
  toolchain/toolchain-ext: glibc cpe-info support

 Makefile                                         |  17 +-
 docs/manual/adding-packages-generic.txt          | 111 ++++++++-----
 docs/manual/cpe-reporting.txt                    | 103 ++++++++++++
 docs/manual/manual.txt                           |   2 +
 package/Makefile.in                              |   4 +
 package/pkg-generic.mk                           |  36 ++++
 package/pkg-utils.mk                             |   8 +
 support/scripts/cpe-report                       |  70 ++++++++
 support/scripts/cpedb.py                         | 185 +++++++++++++++++++++
 .../toolchain-external/pkg-toolchain-external.mk |   7 +
 10 files changed, 499 insertions(+), 44 deletions(-)
 create mode 100644 docs/manual/cpe-reporting.txt
 create mode 100755 support/scripts/cpe-report
 create mode 100644 support/scripts/cpedb.py
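The cover letter describes three things a CPE reporting flow has to get right: deriving a default CPE identifier from a package's name and version, checking that identifier against the CPE dictionary, and separating "product known, version not yet listed" (a version-update request to NIST) from "product unknown" (the package needs a manual CPE fix-up). The following is an added example illustrating that flow; it is not code from the series or from Buildroot, and it does not reproduce the series' variable names. It assumes, for illustration only, that vendor and product both default to the package name and that a tiny constructed dictionary stands in for the NVD CPE dictionary. The CPE 2.3 formatted-string layout and its backslash escaping follow NISTIR 7695.

```python
"""Default CPE 2.3 generation and dictionary checking (added example, not Buildroot code).

ASSUMPTIONS for this example: vendor and product default to the package
name, and CPE_DICT below is a constructed stand-in for the NVD dictionary.
"""
import re
from typing import Iterable, List, Optional, Tuple

# CPE 2.3 formatted strings carry exactly 11 colon-separated components
# after the "cpe:2.3" prefix (NISTIR 7695).
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

_UNRESERVED = re.compile(r"[A-Za-z0-9_.\-]")


def quote_component(value: str) -> str:
    """Bind one attribute value into the formatted-string syntax.

    Letters, digits, '_', '.' and '-' pass through unchanged; any other
    character is escaped with a backslash. A bare '*' (ANY) or '-' (NA)
    is a logical value and is returned as-is.
    """
    if value in ("*", "-"):
        return value
    out = []
    for ch in value.lower().replace(" ", "_"):
        out.append(ch if _UNRESERVED.match(ch) else "\\" + ch)
    return "".join(out)


def default_cpe(name: str, version: str, vendor: Optional[str] = None,
                product: Optional[str] = None) -> str:
    """Build a package's default CPE. Vendor/product fall back to the
    package name (assumption for this example); either can be overridden
    when the dictionary spells them differently."""
    comps = ["a", vendor or name, product or name, version] + ["*"] * 7
    return "cpe:2.3:" + ":".join(quote_component(c) for c in comps)


def parse_cpe23(cpe: str) -> dict:
    """Split a formatted string on unescaped colons; reject malformed input."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    body, fields, cur, i = cpe[len(prefix):], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escaped pair intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != len(CPE23_FIELDS):
        raise ValueError("expected 11 components, got %d" % len(fields))
    return dict(zip(CPE23_FIELDS, fields))


# Constructed stand-in for the NVD CPE dictionary: (vendor, product) -> versions.
# These entries are made up for the example, not copied from NVD data.
CPE_DICT = {
    ("busybox", "busybox"): {"1.30.0", "1.30.1"},
    ("openssl", "openssl"): {"1.1.1a", "1.1.1b"},
    ("xmlsoft", "libxml2"): {"2.9.9"},
}


def check_cpe(cpe: str, dictionary=CPE_DICT) -> str:
    """Classify one CPE against the dictionary:
    'ok'              vendor/product/version all present
    'version-missing' product known, version not listed (candidate for a
                      version-update request to the dictionary maintainer)
    'unknown-product' nothing matches; the package needs a manual CPE override
    """
    c = parse_cpe23(cpe)
    key = (c["vendor"], c["product"])
    if key not in dictionary:
        return "unknown-product"
    return "ok" if c["version"] in dictionary[key] else "version-missing"


def report(packages: Iterable[Tuple[str, str, Optional[str], Optional[str]]],
           dictionary=CPE_DICT) -> List[Tuple[str, str, str]]:
    """packages: (name, version, vendor_override, product_override) tuples.
    Returns (name, cpe, status) per package for the cpe-report style summary."""
    rows = []
    for name, ver, vendor, product in packages:
        cpe = default_cpe(name, ver, vendor, product)
        rows.append((name, cpe, check_cpe(cpe, dictionary)))
    return rows


if __name__ == "__main__":
    sample = [("busybox", "1.30.1", None, None),      # constructed target set
              ("openssl", "1.1.1c", None, None),
              ("libxml2", "2.9.9", None, None),
              ("libxml2", "2.9.9", "xmlsoft", None)]
    for name, cpe, status in report(sample):
        print("%-16s %-50s %s" % (name, cpe, status))
```

The two libxml2 rows show why a per-package override matters: the default (vendor = package name) is reported as an unknown product, while the corrected vendor resolves cleanly. Only the "version-missing" rows are worth turning into dictionary update requests; "unknown-product" rows point at the package's own CPE metadata.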