From patchwork Sat Feb 15 12:44:15 2020
X-Patchwork-Submitter: Titouan Christophe
X-Patchwork-Id: 1238514
From: Titouan Christophe
To: buildroot@buildroot.org
Cc: Peter Korsgaard, Matt Weber, Thomas Petazzoni, Titouan Christophe, Thomas De Schampheleire
Date: Sat, 15 Feb 2020 13:44:15 +0100
Message-Id: <20200215124417.236492-1-titouan.christophe@railnova.eu>
Subject: [Buildroot] [PATCH v3 0/2] Add CVE reporting to pkg-stats

Hello,

This set of commits extends the pkg-stats tool to use the NVD database (https://nvd.nist.gov/vuln/data-feeds) to see if the current version of each Buildroot package is affected by a CVE.

An example result can be seen here:
- Human readable HTML: https://mypi.cz/pkg-stat.html
- Machine parseable JSON: https://mypi.cz/pkg-stat.json

Thanks to this, we can see that 84 of our packages are apparently affected by a total of 252 CVEs.

A new per-package variable, _IGNORE_CVES, is introduced, and allows one to tell the tool to ignore some CVEs, for example because it is fixed by a local patch in Buildroot, or because the CVE does not apply to the Buildroot package (the CVE only affects a non-Linux operating system, or affects a functionality of the package that isn't built in Buildroot).

Of course, the results are not perfect:
- The NVD database product names certainly don't 100% match the Buildroot package names. We might have to add some extra metadata information in each package (CPE ID?) to map to the correct NVD database product name.
  -> See for instance subversion, where all CVEs actually refer to a Jenkins plugin
- Language-specific packages (for example: python-paho-mqtt and paho-mqtt-c) are probably not correctly handled.
- Buildroot packages that have a version selection are not correctly handled.

But overall, it already provides useful results. The plan is of course to implement e-mail notification to Buildroot developers in charge of packages with unfixed CVEs, in a second step.

Thanks to Thomas Petazzoni, Thomas DS and all the reviewers for this effort!

Best regards,

Titouan

---
Thomas Petazzoni (2):
  support/scripts/pkg-stats: add support for CVE reporting
  docs/manual: describe the new _IGNORE_CVES variable

 docs/manual/adding-packages-generic.txt |  14 +++
 support/scripts/pkg-stats               | 159 +++++++++++++++++++++++-
 2 files changed, 172 insertions(+), 1 deletion(-)
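Added illustration of the matching the cover letter describes, not pkg-stats' own code: a Buildroot package name and version are checked against an NVD 1.1 JSON feed, with an ignore list playing the role of _IGNORE_CVES. It assumes the NVD 1.1 "CVE_Items" layout (CPE 2.3 URIs plus versionStart*/versionEnd* bounds), matches on the CPE product field only, and uses a constructed feed with placeholder CVE ids; the third entry reproduces the subversion/Jenkins-plugin false positive the letter mentions, and the ignore list is what suppresses it.

```python
import json
import re

# Constructed NVD 1.1 "CVE_Items" entries with placeholder CVE ids. The third one mimics
# the cover letter's subversion case: a Jenkins plugin whose CPE product is "subversion".
def _item(cve_id, cpe, **bounds):
    return {"cve": {"CVE_data_meta": {"ID": cve_id}}, "configurations": {"nodes": [
        {"operator": "OR", "cpe_match": [dict(vulnerable=True, cpe23Uri=cpe, **bounds)]}]}}

SAMPLE_FEED = json.dumps({"CVE_Items": [
    _item("CVE-EXAMPLE-0001", "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
          versionStartIncluding="1.1.1", versionEndExcluding="1.1.1d"),
    _item("CVE-EXAMPLE-0002", "cpe:2.3:a:zlib:zlib:1.2.8:*:*:*:*:*:*:*"),
    _item("CVE-EXAMPLE-0003", "cpe:2.3:a:jenkins:subversion:*:*:*:*:*:jenkins:*:*",
          versionEndIncluding="2.10.2")]})

# One comparison per NVD bound key; a key absent from the cpe_match entry is not applied.
BOUNDS = {"versionStartIncluding": lambda v, b: v >= b, "versionStartExcluding": lambda v, b: v > b,
          "versionEndIncluding": lambda v, b: v <= b, "versionEndExcluding": lambda v, b: v < b}

def vkey(v):
    """Order versions by digit runs, then letter runs, so '1.1.1c' < '1.1.1d' < '1.1.2'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v))

def in_range(version, match):
    """True when `version` satisfies every versionStart*/versionEnd* bound set on `match`."""
    return all(ok(vkey(version), vkey(match[key])) for key, ok in BOUNDS.items() if key in match)

def cpe_matches(nodes):
    """Flatten the configuration tree (nodes plus nested children) into cpe_match dicts."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from cpe_matches(node.get("children", []))

def cpe_hit(match, package, version):
    """Does one vulnerable cpe_match entry name `package` (CPE product field) at `version`?"""
    fields = match["cpe23Uri"].split(":")  # cpe:2.3:part:vendor:product:version:...
    if not match.get("vulnerable") or fields[4] != package:  # product-only match (assumed)
        return False
    return fields[5] == version if fields[5] != "*" else in_range(version, match)

def affected_cves(feed_json, package, version, ignore_cves=()):
    """CVE ids hitting `package`/`version`, minus those in `ignore_cves` (_IGNORE_CVES)."""
    hits = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        matches = cpe_matches(item["configurations"]["nodes"])
        if cve_id not in ignore_cves and any(cpe_hit(m, package, version) for m in matches):
            hits.append(cve_id)
    return hits
```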