* [Buildroot] [PATCH 00/17] Adding CPE ID support for CVEs
@ 2020-10-06 13:42 Gregory CLEMENT
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Hello,
This is a first attempt at a series adding CPE ID support for CVEs. For
now it needs to be discussed and it is not ready for merging.
It is based on the series sent by Matt Weber a few months ago:
http://patchwork.ozlabs.org/project/buildroot/list/?series=183798&state=*
I am including the full series but actually for the CVE check I only
need a few patches: "cpe-info: new make target",
"toolchain/toolchain-ext: glibc cpe-info support" and "packages: fixup
of cpe info".
I only use $(PKG)_CPE_ID which contains vendor, name, version and
version minor information. I think it is enough to match a CVE to a
package, but that can be discussed.
I added a new flag to know if a package has a verified CPE ID. It is
done with patch "package/pkg-generic.mk: Create CPE ID information
only if verified". The generation of the $(PKG)_CPE_ID value depends
on $(PKG)_CPE_ID_VALID being equal to y. Maybe we could just do an
ifdef on $(PKG)_CPE_ID, I am not sure of the best practice.
Then in the patch "packages: add new flag for CPE ID" I added the
$(PKG)_CPE_ID_VALID flag for the packages with a CPE ID fix, as for them
we are sure they are OK.
In "package/pkg-utils.mk: add the CPE ID in show-info", I added the
cpeid in the generated json to be used by the cve-checker.
With the patch "package/pkg-utils/cve.py: Add cpeid support" I added a
function managing cpeid that will be used by cve-checker and pkg-stat.
In the last 2 patches I added a new argument --cpeid in order to use
the cpeid instead of the name and version from the packages. I also made
the cpeid appear in the output of the html or json file. For the HTML
output of cve-checker I put the background of the package name in red
if the cpeid is not valid.
The documentation has not been updated, so it is something remaining
to do.
While testing the output I realized that I didn't generate cpeids for
virtual packages with show-info, but I am not sure that it was
something we want. At the same time, I generate cpeids for host packages
and I don't know if we need them.
Another point to discuss is that actually we can have the same cpeid
for different packages. At least it is the case for the packages linux
and linux-headers. If both packages are present then the CVEs are
attached to only one of them. One solution could be to not consider
host packages, as mentioned above.
During my first test, when all the generated CPE IDs were considered
valid, I noticed a few changes when running pkg-stats with cpeid:
- 'netsnmp' and 'xerces' got new CVEs because the buildroot name
didn't match the cpeid
- 'openssh' and 'sqlite' got new CVEs thanks to better revision
handling
- a wrong CVE for 'tftpd' was removed because of a false match in
buildroot due to a bad name (tftpd instead of tftpd-hpa),
- Conversely, rust no longer had any associated CVEs because it
was called host-rust by the generated cpeid.
- uboot-tools got CVEs because it has the same cpeid as u-boot, but
I am not sure it is correct.
Gregory
Gregory CLEMENT (7):
Support/scripts/cpedb.py: Convert to Python 3
package/pkg-generic.mk: Create CPE ID information only if verified
packages: add new flag for CPE ID
package/pkg-utils.mk: add the CPE ID in show-info
package/pkg-utils/cve.py: Add cpeid support
support/script/cve-checker: Allow to use cpeid
support/script/pkg-stats: Allow to use CPEID for managing CVEs
Matt Weber (9):
cpe-info: new make target
cpe-info: id prefix/suffix
cpe-info: only report target pkgs
cpe-info: cpe minor version support
cpe-info: update manual for new pkg vars
support/scripts/cpedb.py: new CPE XML helper
support/scripts/cpe-report: new script
docs/manual: new security management section
packages: fixup of cpe info
Shruthi Singh (1):
toolchain/toolchain-ext: glibc cpe-info support
Makefile | 17 +-
boot/grub2/grub2.mk | 2 +
boot/uboot/uboot.mk | 3 +
docs/manual/adding-packages-generic.txt | 111 +++++++----
docs/manual/cpe-reporting.txt | 107 ++++++++++
docs/manual/manual.txt | 2 +
linux/linux.mk | 3 +
package/Makefile.in | 4 +
package/audit/audit.mk | 3 +
package/aufs/aufs.mk | 2 +
package/bash/bash.mk | 2 +
package/bc/bc.mk | 2 +
package/bind/bind.mk | 2 +
package/boost/boost.mk | 2 +
package/bridge-utils/bridge-utils.mk | 2 +
package/busybox/busybox.mk | 2 +
package/bzip2/bzip2.mk | 2 +
package/clang/clang.mk | 1 +
package/collectd/collectd.mk | 2 +
package/conntrack-tools/conntrack-tools.mk | 2 +
package/coreutils/coreutils.mk | 2 +
package/crda/crda.mk | 2 +
package/davici/davici.mk | 2 +
package/dbus-glib/dbus-glib.mk | 2 +
package/dbus/dbus.mk | 3 +
package/dhcp/dhcp.mk | 2 +
package/dnsmasq/dnsmasq.mk | 2 +
package/dropbear/dropbear.mk | 3 +
package/ebtables/ebtables.mk | 1 +
package/ethtool/ethtool.mk | 2 +
package/expat/expat.mk | 2 +
package/gdb/gdb.mk | 2 +
package/gesftpserver/gesftpserver.mk | 3 +
package/glibc/glibc.mk | 2 +
package/gmp/gmp.mk | 2 +
package/gnupg/gnupg.mk | 2 +
package/gnutls/gnutls.mk | 2 +
package/grep/grep.mk | 2 +
package/gtest/gtest.mk | 3 +
package/gzip/gzip.mk | 2 +
package/hostapd/hostapd.mk | 2 +
package/ifupdown/ifupdown.mk | 2 +
package/iperf/iperf.mk | 3 +
package/iperf3/iperf3.mk | 2 +
package/ipset/ipset.mk | 2 +
package/iptables/iptables.mk | 2 +
package/iw/iw.mk | 2 +
package/kmod/kmod.mk | 3 +
package/libarchive/libarchive.mk | 2 +
package/libcurl/libcurl.mk | 3 +
package/libestr/libestr.mk | 2 +
package/libfastjson/libfastjson.mk | 2 +
package/libfcgi/libfcgi.mk | 3 +
package/libffi/libffi.mk | 3 +
package/libgcrypt/libgcrypt.mk | 2 +
package/libglib2/libglib2.mk | 3 +
package/libgpg-error/libgpg-error.mk | 2 +
package/liblogging/liblogging.mk | 2 +
package/libmbim/libmbim.mk | 2 +
package/libmnl/libmnl.mk | 2 +
.../libnetfilter_conntrack.mk | 2 +
.../libnetfilter_cthelper.mk | 2 +
.../libnetfilter_cttimeout.mk | 2 +
.../libnetfilter_queue/libnetfilter_queue.mk | 2 +
package/libnfnetlink/libnfnetlink.mk | 2 +
package/libopenssl/Config.in | 11 ++
package/libopenssl/libopenssl.mk | 3 +
package/libpcap/libpcap.mk | 2 +
package/libselinux/libselinux.mk | 2 +
package/libsemanage/libsemanage.mk | 2 +
package/libsepol/libsepol.mk | 2 +
package/libssh2/libssh2.mk | 2 +
package/libsysfs/libsysfs.mk | 3 +
package/libtasn1/libtasn1.mk | 2 +
package/libunistring/libunistring.mk | 2 +
package/libxml2/libxml2.mk | 2 +
package/libxslt/libxslt.mk | 2 +
package/libzlib/libzlib.mk | 3 +
package/lighttpd/lighttpd.mk | 2 +
package/linux-firmware/linux-firmware.mk | 3 +
package/linux-headers/linux-headers.mk | 3 +
package/linux-pam/linux-pam.mk | 3 +
package/llvm/llvm.mk | 2 +
package/lxc/lxc.mk | 2 +
package/lz4/lz4.mk | 2 +
package/memtester/memtester.mk | 2 +
package/mii-diag/mii-diag.mk | 2 +
package/mpfr/mpfr.mk | 2 +
package/mrouted/mrouted.mk | 2 +
package/mtd/mtd.mk | 3 +
package/ncurses/ncurses.mk | 2 +
package/netsnmp/netsnmp.mk | 3 +
package/nfs-utils/nfs-utils.mk | 3 +
package/openssh/openssh.mk | 4 +
package/pax-utils/pax-utils.mk | 2 +
package/paxtest/paxtest.mk | 2 +
package/pcre/pcre.mk | 2 +
package/pixman/pixman.mk | 2 +
package/pkg-generic.mk | 38 ++++
package/pkg-utils.mk | 9 +
package/policycoreutils/policycoreutils.mk | 2 +
package/pppd/pppd.mk | 3 +
package/proftpd/proftpd.mk | 3 +
package/protobuf/protobuf.mk | 2 +
package/pure-ftpd/pure-ftpd.mk | 2 +
package/python-lxml/python-lxml.mk | 3 +
.../python-setuptools/python-setuptools.mk | 3 +
package/python/python.mk | 2 +
package/qemu/qemu.mk | 2 +
package/rapidjson/rapidjson.mk | 2 +
package/readline/readline.mk | 2 +
package/refpolicy/refpolicy.mk | 2 +
package/rsyslog/rsyslog.mk | 2 +
package/rt-tests/rt-tests.mk | 2 +
package/sed/sed.mk | 2 +
package/setools/setools.mk | 2 +
package/setserial/setserial.mk | 1 +
package/smcroute/smcroute.mk | 2 +
package/spawn-fcgi/spawn-fcgi.mk | 2 +
package/sqlite/sqlite.mk | 3 +
package/strongswan/strongswan.mk | 2 +
package/tar/tar.mk | 2 +
package/tcl/tcl.mk | 2 +
package/tcpdump/tcpdump.mk | 2 +
package/tftpd/tftpd.mk | 3 +
package/uboot-tools/uboot-tools.mk | 3 +
package/util-linux/util-linux.mk | 2 +
package/valgrind/valgrind.mk | 2 +
package/vim/vim.mk | 2 +
package/wget/wget.mk | 2 +
package/wireless-regdb/wireless-regdb.mk | 2 +
package/wireless_tools/wireless_tools.mk | 3 +
package/wpa_supplicant/wpa_supplicant.mk | 2 +
package/xerces/xerces.mk | 3 +
package/xz/xz.mk | 2 +
support/scripts/cpe-report | 70 +++++++
support/scripts/cpedb.py | 185 ++++++++++++++++++
support/scripts/cve-checker | 48 ++++-
support/scripts/cve.py | 13 +-
support/scripts/pkg-stats | 46 ++++-
.../pkg-toolchain-external.mk | 7 +
141 files changed, 896 insertions(+), 56 deletions(-)
create mode 100644 docs/manual/cpe-reporting.txt
create mode 100755 support/scripts/cpe-report
create mode 100644 support/scripts/cpedb.py
--
2.28.0
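The matching the cover letter describes (a CPE 2.3 string assembled from vendor, name, version and the "version minor" field behind a cpe:2.3:a or cpe:2.3:o prefix, then compared against the CVE database) can be exercised on its own. The following is an added example, not code from this series or from Buildroot's cve.py: the function names, the version-comparison rule and the CVE records are constructed for the illustration (the CVE IDs are placeholders, not real entries), and the vendor/product pairs used for openssh, sqlite and the kernel are assumed to follow NVD naming and should be checked against the dictionary before being relied on.

```python
import re

# The 13 colon-separated components of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ("cpe", "2.3", "part", "vendor", "product", "version", "update",
                "edition", "language", "sw_edition", "target_sw", "target_hw", "other")


def buildroot_cpe(name, version, vendor=None, product=None, update="*", part="a"):
    """Assemble the string the cpe-info patches produce: vendor defaults to
    <name>_project and product to <name>, version is the package version, the
    next field (the series calls it "version minor"; the CPE spec calls it
    "update") defaults to '*', and six wildcard fields follow.  part is 'a'
    for an application and 'o' for an operating system (the kernel)."""
    vendor = vendor or f"{name}_project"
    product = product or name
    components = ["cpe", "2.3", part, vendor, product, version, update] + ["*"] * 6
    assert len(components) == len(CPE23_FIELDS)  # 3 prefix + 4 id + 6 suffix
    return ":".join(components)


def split_cpe(cpe):
    """Map a formatted string back to its fields.  Assumption made here: no
    escaped colons ('\\:') inside a component."""
    components = cpe.split(":")
    if len(components) != len(CPE23_FIELDS) or components[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, components))


def version_key(version):
    """Sort key for strings such as 5.8, 3.33.0 or 8.3p1: numeric runs compare
    as integers, alphabetic runs as text, and with an equal prefix the longer
    string sorts later (8.3p1 > 8.3, 5.8.1 > 5.8)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def cpe_match(pkg_cpe, node):
    """True if pkg_cpe falls inside one NVD-style cpe_match node: same part,
    vendor and product; then the exact version/update carried by the node's
    cpe23Uri, or the versionStart*/versionEnd* bounds when the URI's version
    is a wildcard.  '*' in the update field means ANY and matches everything."""
    want, have = split_cpe(node["cpe23Uri"]), split_cpe(pkg_cpe)
    for name in ("part", "vendor", "product"):
        if want[name] != "*" and want[name] != have[name]:
            return False
    if want["version"] not in ("*", "-") and want["version"] != have["version"]:
        return False
    if "*" not in (want["update"], have["update"]) and want["update"] != have["update"]:
        return False
    v = version_key(have["version"])
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(version_key(node[key])) for key, ok in bounds if key in node)


def affected_cves(packages, cves):
    """Package name -> IDs of the CVEs whose configuration matches its CPE."""
    result = {}
    for pkg, fields in packages.items():
        cpe = buildroot_cpe(**fields)
        result[pkg] = [c["id"] for c in cves
                       if any(cpe_match(cpe, node) for node in c["cpe_match"])]
    return result


def packages_sharing_cpe(packages):
    """CPE -> names of the packages that generate it, for groups of two or
    more: a report keyed on the CPE alone shows such a CVE only once."""
    groups = {}
    for pkg, fields in packages.items():
        groups.setdefault(buildroot_cpe(**fields), []).append(pkg)
    return {cpe: pkgs for cpe, pkgs in groups.items() if len(pkgs) > 1}


# Constructed package set in the shape of the cover letter's cases.  Vendor and
# product names are assumed to follow NVD naming; verify them in the dictionary.
PACKAGES = {
    "openssh":       dict(name="openssh", version="8.3", update="p1", vendor="openbsd"),
    "sqlite":        dict(name="sqlite", version="3.33.0", vendor="sqlite"),
    "linux":         dict(name="linux", version="5.8", vendor="linux",
                          product="linux_kernel", part="o"),
    "linux-headers": dict(name="linux-headers", version="5.8", vendor="linux",
                          product="linux_kernel", part="o"),
}

# Constructed CVE records laid out like NVD JSON feed cpe_match nodes.  The IDs
# are placeholders, not real CVE entries.
CVES = [
    {"id": "CVE-0000-0001", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "8.3"}]},
    {"id": "CVE-0000-0002", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:openbsd:openssh:8.3:p1:*:*:*:*:*:*"}]},
    {"id": "CVE-0000-0003", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "5.4", "versionEndExcluding": "5.8.1"}]},
    {"id": "CVE-0000-0004", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "3.33.0"}]},
]

if __name__ == "__main__":
    for pkg, ids in affected_cves(PACKAGES, CVES).items():
        print(f"{pkg:14} {buildroot_cpe(**PACKAGES[pkg])}  {ids}")
    for cpe, pkgs in packages_sharing_cpe(PACKAGES).items():
        print(f"shared CPE {cpe}: {pkgs}")
```

Run as a script it shows openssh 8.3p1 matched both by the range node (8.3 is within "up to and including 8.3") and by the node that names the p1 update, sqlite 3.33.0 left alone by a node that ends strictly before it, and linux and linux-headers both receiving the kernel CVE because they generate the identical CPE, which is the duplication the cover letter raises: a report keyed on CPE would list that CVE once, a report keyed on package twice.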
* [Buildroot] [PATCH 01/17] cpe-info: new make target
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
Similar to make legal-info, produce a csv delimited file containing
all selected packages' CPE identification.
By default, support the pkg infra defining a set of CPE_ID_* defaults
using the package name for the vendor and name, as most CPE IDs seem
to align with that assumption. Plus initially, use the pkg version as
the CPE ID's version field.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Makefile | 17 ++++++++++++++++-
package/pkg-generic.mk | 13 +++++++++++++
package/pkg-utils.mk | 8 ++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9648fa58d8..9b788cf937 100644
--- a/Makefile
+++ b/Makefile
@@ -141,7 +141,7 @@ nobuild_targets := source %-source \
clean distclean help show-targets graph-depends \
%-graph-depends %-show-depends %-show-version \
graph-build graph-size list-defconfigs \
- savedefconfig update-defconfig printvars
+ savedefconfig update-defconfig printvars cpe-info %-cpe-info
ifeq ($(MAKECMDGOALS),)
BR_BUILDING = y
else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),)
@@ -228,6 +228,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv
LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv
LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings
LEGAL_REPORT = $(LEGAL_INFO_DIR)/README
+CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv
BR2_CONFIG = $(CONFIG_DIR)/.config
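Review bot: CPE_MANIFEST_CSV is written straight into $(BASE_DIR), next to .config and the build directories, while legal-info keeps its outputs under a dedicated $(LEGAL_INFO_DIR). A $(BASE_DIR)/cpe-info/ directory would keep the manifest together with whatever cpe-report later produces and let cpe-info-clean remove a directory rather than a loose file.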
@@ -873,6 +874,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
mv .legal-info.sha256 legal-info.sha256)
@echo "Legal info produced in $(LEGAL_INFO_DIR)"
+.PHONY: cpe-info-clean
+cpe-info-clean:
+ @rm -f $(CPE_MANIFEST_CSV)
+
+.PHONY: cpe-info-prepare
+cpe-info-prepare:
+ @$(call MESSAGE,"Gathering CPE info")
+ @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
+
+.PHONY: cpe-info
+cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
+ @echo "CPE info produced in $(CPE_MANIFEST_CSV)"
+
.PHONY: show-targets
show-targets:
@echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS))
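Review bot: the header row and the data rows disagree. cpe-info-prepare calls cpe-manifest with five arguments (CPE ID, CVE PATCHED, PACKAGE, VERSION, SOURCE SITE) but the helper in pkg-utils.mk only emits $(1) to $(4), so the header comes out as "CPE ID","CVE PATCHED","PACKAGE","VERSION" while each package row is cpe,name,version,url: the CVE PATCHED column is never filled and SOURCE SITE loses its heading. Either drop CVE PATCHED from the header until something populates it, or add that column to the per-package call in pkg-generic.mk.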
@@ -1154,6 +1168,7 @@ help:
@echo ' legal-info - generate info about license compliance'
@echo ' show-info - generate info about packages, as a JSON blurb'
@echo ' printvars - dump internal variables selected with VARS=...'
+ @echo ' cpe-info - generate info about security CPE identification'
@echo
@echo ' make V=0|1 - 0 => quiet build (default), 1 => verbose build'
@echo ' make O=dir - Locate all output files in "dir", including .config'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 54de03da03..01df3a3a4f 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -970,6 +970,18 @@ else
$(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
endif
+$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
+$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
+$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+
+$(1)-cpe-info: PKG=$(2)
+$(1)-cpe-info:
+ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+ @$$(call MESSAGE,"Collecting cpe info")
+ $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+
# legal-info: declare dependencies and set values used later for the manifest
ifneq ($$($(2)_LICENSE_FILES),)
$(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
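Review bot: the default vendor is `$$($(2)_NAME)_project`, not the package name as the commit message says; please align the two, since `<name>_project` is only the NVD convention for projects without a distinct vendor and will be wrong for many packages. Also `$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)` copies whatever _VERSION holds, so a package built from a git commit or a BR2_*_CUSTOM_VERSION ends up with a hash in the version field and a CPE that can never match the dictionary; consider emitting no row (or an empty version) when _VERSION is not a release string, so such packages show up as unverified rather than silently clean.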
@@ -1121,6 +1133,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-system-dependency,$$($(2)_SOURCE))
$(1)-clean-for-reconfigure \
$(1)-clean-for-reinstall \
$(1)-configure \
+ $(1)-cpe-info \
$(1)-depends \
$(1)-dirclean \
$(1)-external-deps \
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index 4fcb076e21..f1d085ece1 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -228,3 +228,11 @@ legal-deps = \
$(filter-out $(if $(1:host-%=),host-%),\
$(call non-virtual-deps,\
$($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)])
+
+#
+# cpe-info helper functions
+#
+
+define cpe-manifest # cpe, pkg name, version, url
+ echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV)
+endef
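Review bot: the fields are not CSV-escaped: a `"` or `,` inside any of the four values (most likely in $(2)_ACTUAL_SOURCE_SITE) breaks the row for any CSV reader. legal-info uses the same echo-based pattern, so this is at least consistent, but the comment `# cpe, pkg name, version, url` should agree with the header row written by cpe-info-prepare, which names five columns.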
--
2.28.0
* [Buildroot] [PATCH 02/17] cpe-info: id prefix/suffix
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
There are two types of CPE prefixes applicable to software,
one for applications and one for operating systems.
Note: the third type is for hardware.
This patchset determines which should be used and stores that
information with the package for later use when assembling the CPE
report.
Refs:
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
https://cpe.mitre.org/specification/
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/Makefile.in | 4 ++++
package/pkg-generic.mk | 8 +++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/package/Makefile.in b/package/Makefile.in
index 51f5cbce4f..c6a21276a2 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -373,6 +373,10 @@ TARGET_CONFIGURE_ARGS = \
################################################################################
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
NLS_OPTS = --enable-nls
TARGET_NLS_DEPENDENCIES = host-gettext
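Review bot: the number of `*` fields in CPE_SUFFIX is silently coupled to the number of fields in $(2)_CPE_ID (a CPE 2.3 formatted string has 13 components: cpe:2.3:part followed by vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw and other), and the very next patch has to shorten the suffix again when it adds a field. Building the complete string in one place, with a check that the result has 13 colon-separated components, would keep that invariant from drifting.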
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 01df3a3a4f..63bd8720eb 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -975,11 +975,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+ifneq ($(filter linux linux-headers,$(1)),)
+$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
$(1)-cpe-info: PKG=$(2)
$(1)-cpe-info:
ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
@$$(call MESSAGE,"Collecting cpe info")
- $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+ $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
# legal-info: declare dependencies and set values used later for the manifest
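Review bot: `$(2)_CPE_PREFIX = ...` is assigned with `=`, so a package .mk file cannot override the part (for instance a bootloader or firmware that the NVD classifies under `o`); use `?=` and keep the linux/linux-headers filter as the default only. Note also that giving linux-headers part `o` with the same vendor, product and version as linux yields two identical CPE strings for two packages, which is exactly the duplication the cover letter raises; since linux-headers is not a runtime component on the target, skipping it or folding it into the linux row seems preferable to reporting it twice.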
--
2.28.0
* [Buildroot] [PATCH 03/17] cpe-info: only report target pkgs
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
The reporting of host packages causes some duplication and complicates
what is really in the target's configuration. For the purpose of the
first version of this patchset, it's assumed that host packages aren't
relevant for the configuration and we only report the target's
contents.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/pkg-generic.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 63bd8720eb..1372dc6e4d 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -983,10 +983,12 @@ endif
$(1)-cpe-info: PKG=$(2)
$(1)-cpe-info:
+ifeq ($$($(2)_TYPE),target)
ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
@$$(call MESSAGE,"Collecting cpe info")
$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+endif # ifeq ($$($(2)_TYPE),target)
# legal-info: declare dependencies and set values used later for the manifest
ifneq ($$($(2)_LICENSE_FILES),)
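Review bot: filtering on `$$($(2)_TYPE)` silently drops every host package, which is the stated intent for now, but host tools that generate code shipped on the target (compilers and interpreters built as host-*) carry supply-chain-relevant CVEs, and the cover letter already observes that rust lost its CVEs because only host-rust exists. legal-info handles this by writing host packages to a separate host-manifest.csv; the same split here would keep the target manifest clean without discarding the information.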
--
2.28.0
* [Buildroot] [PATCH 04/17] cpe-info: cpe minor version support
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
Minor versions are used to allow -rc, - and other variants of
representing a sub-release in the CPE dictionary.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/Makefile.in | 2 +-
package/pkg-generic.mk | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/package/Makefile.in b/package/Makefile.in
index c6a21276a2..f66f7041ee 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -375,7 +375,7 @@ TARGET_CONFIGURE_ARGS = \
CPE_PREFIX_OS = cpe:2.3:o
CPE_PREFIX_APP = cpe:2.3:a
-CPE_SUFFIX = *:*:*:*:*:*:*
+CPE_SUFFIX = *:*:*:*:*:*
ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
NLS_OPTS = --enable-nls
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 1372dc6e4d..489918b1eb 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -973,7 +973,8 @@ endif
$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
-$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+$(2)_CPE_ID_VERSION_MINOR ?= *
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR)
ifneq ($(filter linux linux-headers,$(1)),)
$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
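Review bot: the new field is the seventh component of a CPE 2.3 string, which the specification calls `update`, not a minor version; naming it `$(2)_CPE_ID_VERSION_MINOR` invites package authors to put the last digit of a dotted version there. Suggest `$(2)_CPE_ID_UPDATE`, and document that the default `*` means ANY (an NVD entry carrying a specific update such as a p1 or rc value will match it), whereas `-` means no update at all.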
--
2.28.0
* [Buildroot] [PATCH 05/17] toolchain/toolchain-ext: glibc cpe-info support
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Shruthi Singh <shruthi.singh@rockwellcollins.com>
This commit adds the correct CPE string for glibc, describing CPE ID,
VERSION, PACKAGE NAME and URL.
Signed-off-by: Shruthi Singh <shruthi.singh@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/pkg-generic.mk | 14 ++++++++++++++
.../toolchain-external/pkg-toolchain-external.mk | 7 +++++++
2 files changed, 21 insertions(+)
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 489918b1eb..dba03a8119 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -983,8 +983,22 @@ $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
endif
$(1)-cpe-info: PKG=$(2)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
+$(1)-cpe-info: toolchain
+endif
$(1)-cpe-info:
ifeq ($$($(2)_TYPE),target)
+ifneq ($$($(2)_NAME),toolchain-external)
+ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
+ $$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
+ $$(eval $(2)_CPE_ID_VENDOR = gnu)
+ $$(eval $(2)_CPE_ID_NAME = glibc)
+ $$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
+ $$(eval $(2)_RAWNAME = glibc)
+endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)
+endif # ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+endif # ifneq ($$($(2)_NAME),toolchain-external)
ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
@$$(call MESSAGE,"Collecting cpe info")
$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
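Review bot: the endif comment on the inner conditional says BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC while the condition tested is BR2_TOOLCHAIN_EXTERNAL_GLIBC. Beyond that, the `$$(eval $(2)_VERSION = ...)` lines in the recipe rewrite the toolchain package's variables for the rest of the make run and invoke awk through `$$(shell ...)` on every expansion, and only glibc is handled: an external uclibc or musl toolchain is still reported under the toolchain-external name and version rather than its libc. Setting the CPE fields at definition time, in the toolchain-external package or the per-toolchain .mk files, would avoid the run-time evals and cover the other libcs.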
diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
index 6d91cb5d1e..14065345d7 100644
--- a/toolchain/toolchain-external/pkg-toolchain-external.mk
+++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
@@ -453,6 +453,13 @@ define TOOLCHAIN_EXTERNAL_INSTALL_SYSROOT_LIBS
$(call copy_toolchain_sysroot,$${SYSROOT_DIR},$${ARCH_SYSROOT_DIR},$${ARCH_SUBDIR},$${ARCH_LIB_DIR},$${SUPPORT_LIB_DIR})
endef
+define TOOLCHAIN_CPE_INFO
+ ARCH_SYSROOT_DIR="$(call toolchain_find_sysroot,$(TOOLCHAIN_EXTERNAL_CC) $(TOOLCHAIN_EXTERNAL_CFLAGS))" ; \
+ MAJ=`awk '{ if ($$1 = /#define/ && ($$2= /__GLIBC__/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+ MIN=`awk '{ if ($$1 = /#define/ && ($$2 = /_GLIBC_MINOR/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+ echo $${MAJ}.$${MIN}
+endef
+
# Create a symlink from (usr/)$(ARCH_LIB_DIR) to lib.
# Note: the skeleton package additionally creates lib32->lib or lib64->lib
# (as appropriate)
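Review bot: the awk conditions use `=` (assignment) where a comparison was intended: `$$1 = /#define/` assigns the result of matching $0 against /#define/ to $1, so the expression is effectively "the line contains both #define and __GLIBC__" and works only by accident; `printf $$3` emits no newline, so two matching lines would be concatenated, and a sysroot without features.h yields the version "." with no error. `awk '$1 == "#define" && $2 == "__GLIBC__" { print $3; exit }'` (and likewise for __GLIBC_MINOR__), plus a check that the file exists, would make this robust.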
--
2.28.0
* [Buildroot] [PATCH 06/17] cpe-info: update manual for new pkg vars
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
Provide guidance on setting up the *_CPE_* and *_CVE_* variables.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
docs/manual/adding-packages-generic.txt | 111 +++++++++++++++---------
1 file changed, 68 insertions(+), 43 deletions(-)
diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
index b8bfcb4aff..94b2313600 100644
--- a/docs/manual/adding-packages-generic.txt
+++ b/docs/manual/adding-packages-generic.txt
@@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell scripts.
09: LIBFOO_SITE = http://www.foosoftware.org/download
10: LIBFOO_LICENSE = GPL-3.0+
11: LIBFOO_LICENSE_FILES = COPYING
-12: LIBFOO_INSTALL_STAGING = YES
-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
-15:
-16: define LIBFOO_BUILD_CMDS
-17: $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
-18: endef
-19:
-20: define LIBFOO_INSTALL_STAGING_CMDS
-21: $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
-22: $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
-23: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
-24: endef
-25:
-26: define LIBFOO_INSTALL_TARGET_CMDS
-27: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
-28: $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
-29: endef
-30:
-31: define LIBFOO_USERS
-32: foo -1 libfoo -1 * - - - LibFoo daemon
-33: endef
-34:
-35: define LIBFOO_DEVICES
-36: /dev/foo c 666 0 0 42 0 - - -
-37: endef
-38:
-39: define LIBFOO_PERMISSIONS
-40: /bin/foo f 4755 foo libfoo - - - - -
-41: endef
-42:
-43: $(eval $(generic-package))
+12: LIBFOO_CPE_ID_VENDOR = foosoftware
+13: LIBFOO_INSTALL_STAGING = YES
+14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
+15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
+16:
+17: define LIBFOO_BUILD_CMDS
+18: $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
+19: endef
+20:
+21: define LIBFOO_INSTALL_STAGING_CMDS
+22: $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
+23: $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
+24: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
+25: endef
+26:
+27: define LIBFOO_INSTALL_TARGET_CMDS
+28: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
+29: $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
+30: endef
+31:
+32: define LIBFOO_USERS
+33: foo -1 libfoo -1 * - - - LibFoo daemon
+34: endef
+35:
+36: define LIBFOO_DEVICES
+37: /dev/foo c 666 0 0 42 0 - - -
+38: endef
+39:
+40: define LIBFOO_PERMISSIONS
+41: /bin/foo f 4755 foo libfoo - - - - -
+42: endef
+43:
+44: $(eval $(generic-package))
--------------------------------
-The Makefile begins on line 7 to 11 with metadata information: the
+The Makefile begins on line 7 to 12 with metadata information: the
version of the package (+LIBFOO_VERSION+), the name of the
tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)
the Internet location at which the tarball can be downloaded from
-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
-license text (+LIBFOO_LICENSE_FILES+). All variables must start with
+(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
+analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
the same prefix, +LIBFOO_+ in this case. This prefix is always the
uppercased version of the package name (see below to understand where
the package name is defined).
-On line 12, we specify that this package wants to install something to
+On line 13, we specify that this package wants to install something to
the staging space. This is often needed for libraries, since they must
install header files and other development files in the staging space.
This will ensure that the commands listed in the
+LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
-On line 13, we specify that there is some fixing to be done to some
+On line 14, we specify that there is some fixing to be done to some
of the 'libfoo-config' files that were installed during
+LIBFOO_INSTALL_STAGING_CMDS+ phase.
These *-config files are executable shell script files that are
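Review bot: typo in the added line: "vunerability" should be "vulnerability".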
@@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
--------------------------------
================================
-On line 14, we specify the list of dependencies this package relies
+On line 15, we specify the list of dependencies this package relies
on. These dependencies are listed in terms of lower-case package names,
which can be packages for the target (without the +host-+
prefix) or packages for the host (with the +host-+) prefix).
Buildroot will ensure that all these packages are built and installed
'before' the current package starts its configuration.
-The rest of the Makefile, lines 16..29, defines what should be done
+The rest of the Makefile, lines 17..29, defines what should be done
at the different steps of the package configuration, compilation and
installation.
+LIBFOO_BUILD_CMDS+ tells what steps should be performed to
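Review bot: "lines 17..29" is off by one at the end: after inserting line 12, the build and install definitions in the listing run from line 17 to the endef on line 30.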
@@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
contains the directory where the source code of the package has been
extracted.
-On lines 31..33, we define a user that is used by this package (e.g.
+On lines 31..44, we define a user that is used by this package (e.g.
to run a daemon as non-root) (+LIBFOO_USERS+).
-On line 35..37, we define a device-node file used by this package
+On line 36..38, we define a device-node file used by this package
(+LIBFOO_DEVICES+).
-On line 39..41, we define the permissions to set to specific files
+On line 40..42, we define the permissions to set to specific files
installed by this package (+LIBFOO_PERMISSIONS+).
-Finally, on line 43, we call the +generic-package+ function, which
+Finally, on line 44, we call the +generic-package+ function, which
generates, according to the variables defined previously, all the
Makefile code necessary to make your package working.
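Review bot: "On lines 31..44, we define a user" is wrong: in the renumbered listing the LIBFOO_USERS block occupies lines 32..34, and line 44 is the $(eval $(generic-package)) call. The other renumbered ranges in this hunk are correct.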
@@ -502,6 +504,29 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
LIBFOO_IGNORE_CVES += CVE-2020-54321
----------------------
+* +LIBFOO_CPE_ID_VENDOR+
+ This variable is optional. It only must be defined if the package name
+ does not match what the CPE ID uses for the vendor. By default it's set
+ to <pkg-name>_project.
+
+* +LIBFOO_CPE_ID_NAME+
+ This variable is optional. It only must be defined if the package name
+ does not match what the CPE ID uses for the name. By default it's set
+ to <pkg-name>.
+
+* +LIBFOO_CPE_ID_VERSION+
+ This variable is optional. By default it's set to <pkg-version>.
+
+* +LIBFOO_CPE_ID_VERSION_MINOR+
+ This variable is optional. By default it's set to *.
+
+* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
+ default case of a single package's Common Product Enumeration (CPE)
+ identification string. +make cpe-info+ copies all of these into a
+ +cpe-manifest.csv+ file. To identify a package's possible CPE,
+ the National Vunerability Database can be searched at
+ https://nvd.nist.gov/products/cpe/search.
+
The recommended way to define these variables is to use the following
syntax:
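Review bot: CPE expands to Common Platform Enumeration, not Common Product Enumeration; also "hangles" should be "handles" and "Vunerability" "Vulnerability". On substance, the text should say that the `<pkg-name>_project` and `<pkg-name>` defaults are guesses and that the package author must confirm the vendor and product against the dictionary before relying on them, since a wrong pair silently produces an empty CVE list for the package.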
--
2.28.0
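The manual text in this patch tells the package author to look the CPE up in the NVD, and the cover letter wants a per-package flag recording whether the generated ID was verified. The following added example (not Buildroot's cpedb.py or cpe-report; the function names and the inline dictionary excerpt are constructed for the illustration, and the vendor/product names in it are assumed to follow NVD naming) performs that lookup offline against a CPE dictionary XML fragment in the official layout, classifying a generated ID as exactly listed, known product with an unlisted version, or unknown vendor/product, and suggesting dictionary products for the unknown case.

```python
import xml.etree.ElementTree as ET

DICT_NS = "{http://cpe.mitre.org/dictionary/2.0}"
CPE23_NS = "{http://scap.nist.gov/schema/cpe-extension/2.3}"

# Constructed excerpt in the layout of the official CPE dictionary XML: each
# cpe-item carries a 2.2 URI name, a title and a cpe-23:cpe23-item with the
# 2.3 formatted string.  Vendor/product names are assumed to follow NVD naming.
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:openbsd:openssh:8.2">
    <title xml:lang="en-US">OpenBSD OpenSSH 8.2</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:openbsd:openssh:8.2:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:openbsd:openssh:8.3:p1">
    <title xml:lang="en-US">OpenBSD OpenSSH 8.3 p1</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:openbsd:openssh:8.3:p1:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:net-snmp:net-snmp:5.9">
    <title xml:lang="en-US">Net-SNMP 5.9</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:net-snmp:net-snmp:5.9:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
"""


def load_dictionary(xml_text):
    """Index every cpe23-item as (part, vendor, product) -> {(version, update)}.
    The real dictionary is a large gzip'd file; feed it through ET.iterparse
    instead of fromstring, the indexing is the same."""
    index = {}
    root = ET.fromstring(xml_text)
    for item in root.iterfind(f"{DICT_NS}cpe-item/{CPE23_NS}cpe23-item"):
        fields = item.get("name", "").split(":")
        if len(fields) != 13:          # skip malformed entries rather than crash
            continue
        part, vendor, product, version, update = fields[2:7]
        index.setdefault((part, vendor, product), set()).add((version, update))
    return index


def check_cpe(cpe, index):
    """Classify a generated CPE ID against the dictionary and return
    (status, known_versions):
      'exact'   this part:vendor:product:version is listed (with this update,
                or any update when the generated update is '*')
      'version' vendor/product exist but this version is not listed yet; the
                dictionary lags upstream releases, so the ID is plausible
      'unknown' no such vendor/product: the <name>_project:<name> default is
                probably wrong and _CPE_ID_VENDOR/_CPE_ID_NAME need setting"""
    part, vendor, product, version, update = cpe.split(":")[2:7]
    known = index.get((part, vendor, product))
    if known is None:
        return "unknown", []
    versions = sorted({v for v, _ in known})
    if (version, update) in known or (update == "*" and version in versions):
        return "exact", versions
    return "version", versions


def suggest_products(name, index):
    """For an 'unknown' result, the dictionary vendor:product pairs whose
    product equals the Buildroot package name once punctuation is dropped
    (netsnmp -> net-snmp, one of the mismatches the cover letter found)."""
    def squash(s):
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return sorted(f"{vendor}:{product}" for (_, vendor, product) in index
                  if squash(product) == squash(name))


DICTIONARY = load_dictionary(SAMPLE_DICTIONARY)

if __name__ == "__main__":
    for cpe in ("cpe:2.3:a:openbsd:openssh:8.3:p1:*:*:*:*:*:*",
                "cpe:2.3:a:openbsd:openssh:8.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:netsnmp_project:netsnmp:5.9:*:*:*:*:*:*:*"):
        status, versions = check_cpe(cpe, DICTIONARY)
        print(f"{status:8} {cpe}  known versions: {versions}")
        if status == "unknown":
            print("         did you mean:", suggest_products(cpe.split(":")[4], DICTIONARY))
```

The three-way result is what a `_CPE_ID_VALID`-style flag should be derived from: only "unknown" is a definite error in the package's CPE fields, whereas "version" is the normal state for a package newer than the dictionary snapshot and should not be painted red in the cve-checker output.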
* [Buildroot] [PATCH 07/17] support/scripts/cpedb.py: new CPE XML helper
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
Python class which consumes a NIST CPE XML and provides helper
functions to access and search the db's data.
- Defines the CPE as an object with operations / formats
- Processing of CPE dictionary
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
support/scripts/cpedb.py | 185 +++++++++++++++++++++++++++++++++++++++
1 file changed, 185 insertions(+)
create mode 100644 support/scripts/cpedb.py
diff --git a/support/scripts/cpedb.py b/support/scripts/cpedb.py
new file mode 100644
index 0000000000..0369536f6f
--- /dev/null
+++ b/support/scripts/cpedb.py
@@ -0,0 +1,185 @@
+import sys
+import urllib2
+from collections import OrderedDict
+import xmltodict
+import gzip
+from StringIO import StringIO
+import os
+import pickle
+
+VALID_REFS = ['VENDOR', 'VERSION', 'CHANGE_LOG', 'PRODUCT', 'PROJECT', 'ADVISORY']
+
+
+class CPE:
+ cpe_str = None
+ cpe_str_short = None
+ cpe_desc = None
+ cpe_cur_ver = None
+ titles = {}
+ references = {}
+
+ def __init__(self, cpe_str, titles=None, refs=None):
+ self.cpe_str = cpe_str
+ self.cpe_str_short = ":".join(self.cpe_str.split(":")[:6])
+ self.titles = titles
+ self.references = refs
+ self.cpe_cur_ver = "".join(self.cpe_str.split(":")[5:6])
+
+ def to_dict(self, cpe_str):
+ cpe_short_name = ":".join(cpe_str.split(":")[2:6])
+ cpe_new_ver = "".join(cpe_str.split(":")[5:6])
+ self.titles[0]['#text'] = self.titles[0]['#text'].replace(self.cpe_cur_ver, cpe_new_ver)
+ cpe_dict = OrderedDict([
+ ('cpe-item', OrderedDict([
+ ('@name', 'cpe:/' + cpe_short_name),
+ ('title', self.titles),
+ ('references', OrderedDict([('reference', self.references)])),
+ ('cpe-23:cpe23-item', OrderedDict([
+ ('@name', cpe_str)
+ ]))
+ ]))
+ ])
+ return cpe_dict
+
+
+class CPEDB:
+ all_cpes = dict()
+ all_cpes_no_version = dict()
+
+ def get_xml_dict(self, url):
+ print("CPE: Setting up NIST dictionary")
+ # Setup location to save dict and xmls, if it exists, assume we're
+ # reusing the previous dict
+ if not os.path.exists("cpe"):
+ os.makedirs("cpe")
+ self.get_new_xml_dict(url)
+ else:
+ print("CPE: Loading CACHED dictionary")
+ cpe_file = open('cpe/.all_cpes.pkl', 'rb')
+ self.all_cpes = pickle.load(cpe_file)
+ cpe_file.close()
+ cpe_file = open('cpe/.all_cpes_no_version.pkl', 'rb')
+ self.all_cpes_no_version = pickle.load(cpe_file)
+ cpe_file.close()
+
+ def get_new_xml_dict(self, url):
+ print("CPE: Fetching xml manifest from [" + url + "]")
+ try:
+ compressed_cpe_file = urllib2.urlopen(url)
+ print("CPE: Unzipping xml manifest...")
+ nist_cpe_file = gzip.GzipFile(fileobj=StringIO(compressed_cpe_file.read())).read()
+ print("CPE: Converting xml manifest to dict...")
+ all_cpedb = xmltodict.parse(nist_cpe_file)
+
+ # Cycle through the dict and build two dict to be used for custom
+ # lookups of partial and complete CPE objects
+ # The objects are then used to create new proposed XML updates if
+ # if is determined one is required
+ for cpe in all_cpedb['cpe-list']['cpe-item']:
+ cpe_titles = cpe['title']
+ # There maybe multiple titles or one. Make sure this is
+ # always a list
+ if not isinstance(cpe_titles, (list,)):
+ cpe_titles = [cpe_titles]
+ # Out of the different language titles, select English
+ for title in cpe_titles:
+ if title['@xml:lang'] is 'en-US':
+ cpe_titles = [title]
+ # Some older CPE don't include references, if they do, make
+ # sure we handle the case of one ref needing to be packed
+ # in a list
+ if 'references' in cpe:
+ cpe_ref = cpe['references']['reference']
+ if not isinstance(cpe_ref, (list,)):
+ cpe_ref = [cpe_ref]
+ # The reference text has not been consistantly upper case
+ # in the NIST dict but they now require it. So force upper
+ # and then check for compliance to a specific tagging
+ for ref_href in cpe_ref:
+ ref_href['#text'] = ref_href['#text'].upper()
+ if ref_href['#text'] not in VALID_REFS:
+ ref_href['#text'] = ref_href['#text'] + "-- UPDATE this entry, here are some exmaples and just one word should be used -- " + ' '.join(VALID_REFS)
+ cpe_str = cpe['cpe-23:cpe23-item']['@name']
+ item = CPE(cpe_str, cpe_titles, cpe_ref)
+ cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+ # This dict must have a unique key for every CPE version
+ # which allows matching to the specific obj data of that
+ # NIST dict entry
+ self.all_cpes.update({cpe_str: item})
+ # This dict has one entry for every CPE (w/o version) to allow
+ # partial match (no valid version) check (the obj is saved and
+ # used as seed for suggested xml updates. By updating the same
+ # non-version'd entry, it assumes the last update here is the
+ # latest version in the NIST dict)
+ self.all_cpes_no_version.update({cpe_str_no_version: item})
+
+ except urllib2.HTTPError:
+ print("CPE: HTTP Error: %s" % url)
+ sys.exit(1)
+ except urllib2.URLError:
+ print("CPE: URL Error: %s" % url)
+ sys.exit(1)
+
+ print("CPE: Caching dictionary")
+ cpes_file = open('cpe/.all_cpes.pkl', 'wb')
+ pickle.dump(self.all_cpes, cpes_file)
+ cpes_file.close()
+ cpes_file = open('cpe/.all_cpes_no_version.pkl', 'wb')
+ pickle.dump(self.all_cpes_no_version, cpes_file)
+ cpes_file.close()
+
+ def find_partial(self, cpe_str):
+ cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+ if cpe_str_no_version in self.all_cpes_no_version:
+ return cpe_str_no_version
+
+ def find_partial_obj(self, cpe_str):
+ cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+ if cpe_str_no_version in self.all_cpes_no_version:
+ return self.all_cpes_no_version[cpe_str_no_version]
+
+ def find_partial_latest_version(self, cpe_str_partial):
+ cpe_obj = self.find_partial_obj(cpe_str_partial)
+ return cpe_obj.cpe_cur_ver
+
+ def find(self, cpe_str):
+ if self.find_partial(cpe_str):
+ if cpe_str in self.all_cpes:
+ return cpe_str
+
+ def update(self, cpe_str):
+ to_update = self.find_partial_obj(cpe_str)
+ xml = self.__gen_xml__(to_update.to_dict(cpe_str))
+ fp = open(os.path.join('cpe', self.get_cpe_name(cpe_str) + '-' + self.get_cpe_version(cpe_str) + '.xml'), 'w+')
+ fp.write(xmltodict.unparse(xml, pretty=True))
+ fp.close()
+
+ def get_nvd_url(self, cpe_str):
+ return "https://nvd.nist.gov/products/cpe/search/results?keyword=" + \
+ urllib2.quote(cpe_str) + \
+ "&status=FINAL&orderBy=CPEURI&namingFormat=2.3"
+
+ def get_cpe_no_version(self, cpe):
+ return ":".join(cpe.split(":")[:5])
+
+ def get_cpe_name(self, cpe_str):
+ return "".join(cpe_str.split(":")[4])
+
+ def get_cpe_version(self, cpe_str):
+ return "".join(cpe_str.split(":")[5])
+
+ def __gen_xml__(self, cpe_list):
+ list_header = {
+ "cpe-list": {
+ "@xmlns:config": "http://scap.nist.gov/schema/configuration/0.1",
+ "@xmlns": "http://cpe.mitre.org/dictionary/2.0",
+ "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
+ "@xmlnsscap-core": "http://scap.nist.gov/schema/scap-core/0.3",
+ "@xmlns:cpe-23": "http://scap.nist.gov/schema/cpe-extension/2.3",
+ "@xmlns:ns6": "http://scap.nist.gov/schema/scap-core/0.1",
+ "@xmlns:meta": "http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2",
+ "@xsi:schemaLocation": "http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd"
+ }
+ }
+ list_header['cpe-list'].update(cpe_list)
+ return list_header
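Review bot: `if title['@xml:lang'] is 'en-US':` in the title loop compares strings by identity, so it never matches a value parsed by xmltodict and the English title is never selected; use `==`. Two further points in this hunk. First, `get_xml_dict` chooses between download and cache purely on `os.path.exists("cpe")`: a stale or half-written `cpe/` directory is reused forever, a missing `cpe/.all_cpes.pkl` raises an unhandled IOError, and the cache is read with `pickle.load`, which executes whatever the file contains; because `cpe/` is created in the current working directory, anyone who can write to the build tree can plant a malicious pickle. Consider keying the cache on the dictionary URL plus a checksum of the download, and storing a plain JSON index instead of pickles. Second, `titles = {}` and `references = {}` are shared mutable class attributes, and `to_dict` rewrites `self.titles[0]['#text']` in place on the object that `all_cpes_no_version` also holds, so a second `update()` for the same product rewrites an already rewritten title. Also note the module is Python 2 only (`urllib2`, `StringIO`); the later conversion patch in this series should land together with it.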
--
2.28.0
* [Buildroot] [PATCH 08/17] support/scripts/cpe-report: new script
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
The script supports looking up all the CPEs provided in a
make cpe-info csv file export from a target Buildroot build.
It checks the current version and suggests that a CPE needs an update
or that an initial submission to NIST may be required.
Adds an option to allow alternate locations for the dictionary
URL and caching of a processed dictionary to speed up execution.
Outputs a cpe/ folder with proposed xml generated from the
dictionary contents to propose updated versions to NIST.
For missing CPE matches, a cpe-report-missing.txt is created
by the script that can be used later to manually create proposed
new NIST dictionary entries.
Ref: NIST has a group email (cpe_dictionary at nist.gov) used to
receive these version update and new entry xml files. They do
process the XML and provide feedback. In some cases they will
propose back something different where the vendor or version is
slightly different.
Limitations
- Currently any use of non-number version identifiers isn't
supported by NIST as they use ranges to determine impact
of a CVE
- Any Linux version from a non-upstream is also not supported
without manually adjusting the information as the custom
kernel will more than likely not match the upstream version
used in the dictionary
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
support/scripts/cpe-report | 70 ++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100755 support/scripts/cpe-report
diff --git a/support/scripts/cpe-report b/support/scripts/cpe-report
new file mode 100755
index 0000000000..7242a372b2
--- /dev/null
+++ b/support/scripts/cpe-report
@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+
+import argparse
+import sys
+import csv
+from cpedb import CPEDB
+
+CPE_XML_URL = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz"
+
+
+def get_target_cpe_report(cpe_report_file, cpedb):
+ report_cpe_exact_match = ""
+ report_cpe_needing_update = ""
+ report_cpe_needing_update_list = ""
+ report_cpe_missing = ""
+
+ print("CPE: Checking for matches...")
+ try:
+ with open(cpe_report_file) as cpe_file:
+ cpe_list = csv.reader(cpe_file)
+ next(cpe_list) # make cpe-info has a one line header
+ for cpe in cpe_list:
+ result = cpedb.find(cpe[0])
+ if not result:
+ result = cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))
+ if not result:
+ report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3] + "\n"
+ else:
+ latest_version = cpedb.find_partial_latest_version(cpedb.get_cpe_no_version(cpe[0]))
+ report_cpe_needing_update += cpe[0] + ", Latest Version Guess from Dict[" + latest_version + "]\n"
+ report_cpe_needing_update_list += cpe[0] + "\n"
+ else:
+ report_cpe_exact_match += cpe[0] + "\n"
+ except (OSError, IOError) as e:
+ print("CPE: report csv file (%s): %s" % (e.errno, e.strerror))
+ sys.exit(1)
+
+ print("CPE: Found but may REQUIRE an UPDATE:\n" + report_cpe_needing_update)
+ print("CPE: Not found:\n" + report_cpe_missing)
+
+ fp = open('cpe-report-missing.txt', 'w+')
+ fp.write(report_cpe_missing)
+ fp.close()
+
+ for cpe in report_cpe_needing_update_list.splitlines():
+ cpedb.update(cpe)
+ print("XML Generation Complete of NIST update files, see ./cpe/*")
+
+
+def parse_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-c', dest='cpe_report', action='store', required=True,
+ help='CPE Report generated by make cpe-info (csv format)')
+ parser.add_argument('-u', dest='url', action='store', required=False,
+ help='(optional)URL to the NIST dict (official-cpe-dictionary_v2.3.xml.gz)')
+ return parser.parse_args()
+
+
+def __main__():
+ args = parse_args()
+ cpedb = CPEDB()
+ url = CPE_XML_URL
+ if args.url:
+ url = args.url
+ cpedb.get_xml_dict(url)
+ print("Performing Target CPE Report Analysis...")
+ get_target_cpe_report(args.cpe_report, cpedb)
+
+
+__main__()
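Review bot: the `-u` option is silently ignored once a `./cpe` directory exists, because `CPEDB.get_xml_dict` only fetches when that directory is absent; either document that the cache has to be deleted to switch dictionaries, or add an explicit refresh/cache-directory option and pass it through. In `get_target_cpe_report`, `report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3]` indexes the row without checking its length, so a short or malformed manifest line ends in an IndexError rather than a message naming the offending line, and `cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))` strips the version twice since `find_partial` already does it. Style: use `if __name__ == '__main__':` instead of defining and calling a function named `__main__`, and make the shebang name the interpreter the script really targets (with this version of cpedb that is Python 2).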
--
2.28.0
* [Buildroot] [PATCH 09/17] docs/manual: new security management section
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
This changeset captures an initial discussion on the use of CPE
reporting within a target build. It notes the reporting limitations
and provides actions a user could take to improve upon the current
report information.
There is also an example of how one might do CVE analysis using the
CPE report information.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
docs/manual/cpe-reporting.txt | 107 ++++++++++++++++++++++++++++++++++
docs/manual/manual.txt | 2 +
2 files changed, 109 insertions(+)
create mode 100644 docs/manual/cpe-reporting.txt
diff --git a/docs/manual/cpe-reporting.txt b/docs/manual/cpe-reporting.txt
new file mode 100644
index 0000000000..11da979345
--- /dev/null
+++ b/docs/manual/cpe-reporting.txt
@@ -0,0 +1,107 @@
+// -*- mode:doc; -*-
+// vim: set syntax=asciidoc:
+
+[[cpe-info]]
+
+== Security Vulnerability Management
+
+There are many different vulnerability databases (open/paid). This
+section documents the use of the National Vulnerability Database(NVD)
+provided by the National Institute of Standards and Technology (NIST).
+
+Within Buildroot, the intent is to provide good reporting of the build
+configuration's inventory of software. The vulnerability analysis is
+assumed to occur outside of the Buildroot environment (at this time).
+
+=== Common Platform Enumeration (CPE) Reporting
+
+Buildroot consists of a series of upstream packages. Each of those
+packages may have a CPE definition used to map vulnerabilities to Common
+Vulnerabilities and Exposures (CVE). A single package CPE has many versions
+and each version may have a suite of CVEs associated.
+
+To make the gathering of the software inventory of CPE easier, Buildroot can
+collect for you all the CPE related to the configured defconfig. To produce
+this material, after you have configured Buildroot with +make menuconfig+,
++make xconfig+ or +make gconfig+, run:
+
+--------------------
+make cpe-info
+--------------------
+
+Buildroot then collects and writes the +$(TOPDIR)/cpe-manifest.csv+. This file
+can be used for manual inspection against a CVE database or provided to
+external tools which perform CVE inventory/analysis.
+
+*CPE Maintenance*
+
+To maintain these CPE strings for version changes against the NIST dictionary,
+the manifest can be further processed. First, navigate to your Buildroot
+directory and execute the script below. The script has some optional arguments
+for providing a alternate dictionary URL or caching a processed dictionary.
+
+--------------------
+support/scripts/cpe-report -c $(TOPDIR)/cpe-manifest.csv
+--------------------
+
+This script retrieves the NIST dictionary and classifies each CPE as either
+matched, requires version update or missing. Based on this analysis, the script
+automatically uses the NIST dictionary entries to produce a draft of XML which
+can be submitted to NIST to update a version of an entry in the dictionary. It
+is important to review the generated xml files in the cpe folder as they may
+need refined reference tags and adjustments to how the version is represented
+in the title.
+
+In the case of missing items, a +cpe-report-missing.txt+ report is output by
+the script and can be used as a starting point to manually create a xml file
+to submit. Note, some manual analysis using the NIST search engine (https://nvd.nist.gov/products/cpe/search)
+is suggested for these missing item as the Buildroot +CPE_ID_+ variables maybe
+slightly incorrect and cause the cpe-report script to catagorize the package
+as missing. If that is the case, a change can be made by adjusting the default
+CPE variables in the specific package's +.mk+. See xref:_infrastructure_for_packages_with_specific_build_systems[]
+discussion on the use of +LIBFOO_CPE_*+.
+If the package is truely missing, the package's Kconfig help material and .mk
+should provide most of the information to construct a new NIST submission.
+
+To submit a new entry or updated entry to NIST, create an request email to the
+cpe_dictionary at nist.gov recipient and attach a individual xml file per package
+being added/updated. It is OK to have multiple version updates in a single
+file as long as they are all for the same package. For reference the guidance
+can be found on the NIST CPE site (https://nvd.nist.gov/products/cpe).
+
+*Limitations*
+
+Buildroot does not produce or accurately present some of the CPE material. Items
+such as any versions which are non-number/hash are not compliant with the CPE
+string specification and would require a manual analysis to update the CPE list
+before any external CVE analysis should occur. This is a similar situation for
+packages like the Linux kernel or U-Boot which may not have a version which
+directly maps to a CPE.
+
+There is an assumed default CPE string for each package which is auto-generated
+using existing package information. The output of +make cpe-info+ is based on
+this default information and the packages which have been individually tailored
+to match existing CPE strings. The Buildroot developers try to do their best to
+keep those declarative statements as accurate as possible, to the best of their
+knowledge. However, it is very well possible that those declarative statements
+are not all fully accurate nor exhaustive. Similar to legal-info, it is your
+responsibility to verify this information.
+
+=== Common Vulnerability and Exposures (CVE) Anaylsis
+The Common Vulnerabilities and Exposures (CVE) system provides a
+reference-method for publicly known information-security vulnerabilities and
+exposures. (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
+
+Like previously stated, there are many tools and methods to perform this
+analysis. The most basic example is to do a manual CVE analysis by navigating
+to the NVD search engine (https://nvd.nist.gov/vuln/search) and using the CPE
+string identified in the first field of the +$(TOPDIR)/cpe-manifest.csv+.
+Here's an example for tcpdump.
+
+CPE ID: "cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*"
+
+Result: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Atcpdump%3Atcpdump%3A4.9.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*&search_type=all
+
+Beyond the manual search approach, the next step would be a more centralized
+shared database with multi-feed support (NVD+). The cve-search project aims
+to offer that type of solution (https://github.com/cve-search/cve-search).
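Review bot: "The vulnerability analysis is assumed to occur outside of the Buildroot environment (at this time)" needs reconciling with the CVE checking this series builds on top of the CPE IDs; either point at that tooling here or drop the sentence. The `xref:_infrastructure_for_packages_with_specific_build_systems[]` looks like the wrong anchor: the `LIBFOO_CPE_ID_*` variables are documented next to `LIBFOO_IGNORE_CVES` in the generic package reference (patch 06 of this series). The "CPE Maintenance" paragraph promises "optional arguments for providing a alternate dictionary URL or caching a processed dictionary", but cpe-report only takes `-c` and `-u`; caching is implicit through the `cpe/` directory and should be described that way. The example `support/scripts/cpe-report -c $(TOPDIR)/cpe-manifest.csv` will not work when typed into a shell, where `$(TOPDIR)` is command substitution; write `./cpe-manifest.csv` or a `$BR_TOPDIR`-style placeholder. One caveat worth stating under Limitations: cpe-report downloads the dictionary without verifying a published checksum, so the update report should be treated as advisory until the feed has been checked. Typos: "Anaylsis", "truely", "catagorize", "maybe slightly incorrect" (may be), "a alternate", "a xml", "these missing item" (items), "Vulnerability Database(NVD)" (missing space).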
diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt
index b5cc044805..9297cbd599 100644
--- a/docs/manual/manual.txt
+++ b/docs/manual/manual.txt
@@ -48,6 +48,8 @@ include::legal-notice.txt[]
include::beyond-buildroot.txt[]
+include::cpe-reporting.txt[]
+
= Developer guide
include::how-buildroot-works.txt[]
--
2.28.0
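The cpedb.py helper above splits CPE strings with a bare `split(":")`, and the cpe-report commit message notes that NVD expresses CVE applicability as version ranges rather than exact versions. As an added example (my own code, not part of this series or of Buildroot), the block below parses a CPE 2.3 formatted string while honouring backslash-escaped colons, and evaluates a manifest entry against NVD-style match entries with start/end version bounds. The `CpeMatch` field names, the `EXAMPLE-CVE-n` records and the matcher's restriction to part, vendor, product and version are assumptions made for this example; the records are constructed placeholders, not real advisories.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field names of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> List[str]:
    """Split on unescaped ':' only; a bare split(":") breaks on 'foo\\:bar'."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(cpe: str) -> dict:
    """Return the 11 named CPE fields, or raise if the string is malformed."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE_FIELDS, fields[2:]))


def version_key(v: str) -> Tuple:
    """Sort key for dotted versions so that 4.9.2 < 4.9.10 < 4.10.
    Non-numeric components (rc tags, git hashes) sort after numbers; as the
    series notes, NVD ranges are only meaningful for numeric versions."""
    key = []
    for comp in v.split("."):
        m = re.match(r"(\d+)(.*)", comp)
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, comp))
    return tuple(key)


@dataclass
class CpeMatch:
    """One NVD-style match entry (assumed shape): a CPE criteria string
    plus optional version bounds, as in the NVD feed's version*Including
    and version*Excluding attributes."""
    criteria: str
    vulnerable: bool = True
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cpe_matches(target: str, m: CpeMatch) -> bool:
    """True if target falls inside the entry: part/vendor/product must agree
    ('*' in the criteria is ANY), the version is exact or range-checked."""
    t, p = parse_cpe23(target), parse_cpe23(m.criteria)
    for f in ("part", "vendor", "product"):
        if p[f] != "*" and p[f] != t[f]:
            return False
    if p["version"] != "*":
        return p["version"] == t["version"]  # criteria names one version
    if t["version"] in ("*", "-"):
        return False  # no concrete version, so no range can be evaluated
    v = version_key(t["version"])
    bounds = ((m.version_start_including, lambda b: v < b),
              (m.version_start_excluding, lambda b: v <= b),
              (m.version_end_including, lambda b: v > b),
              (m.version_end_excluding, lambda b: v >= b))
    return not any(b and outside(version_key(b)) for b, outside in bounds)


def affected_cves(target_cpe: str, cves: dict) -> List[str]:
    """Ids of records with a vulnerable entry matching the target CPE."""
    return sorted(cve_id for cve_id, matches in cves.items()
                  if any(m.vulnerable and cpe_matches(target_cpe, m)
                         for m in matches))


# Constructed sample data in the shape of NVD configuration nodes; the ids
# are placeholders for this example, not real CVE identifiers.
SAMPLE_CVES = {
    "EXAMPLE-CVE-1": [CpeMatch("cpe:2.3:a:tcpdump:tcpdump:*:*:*:*:*:*:*:*",
                               version_end_excluding="4.9.2")],
    "EXAMPLE-CVE-2": [CpeMatch("cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*")],
    "EXAMPLE-CVE-3": [CpeMatch("cpe:2.3:a:tcpdump:tcpdump:*:*:*:*:*:*:*:*",
                               version_start_including="4.9.2",
                               version_end_including="4.9.3")],
    "EXAMPLE-CVE-4": [CpeMatch("cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                               version_end_excluding="5.9")],
}

if __name__ == "__main__":
    cpe = "cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*"
    print(cpe, "->", affected_cves(cpe, SAMPLE_CVES))
```

Two things the block makes visible that a `split(":")` based lookup does not: a product or version containing `\:` still yields exactly 13 fields, and `4.9.10` is correctly placed above `4.9.3` instead of sorting between `4.9.1` and `4.9.2` as a string compare would. A manifest entry whose version is `*` or `-` (the git-checkout case in the Limitations text) matches nothing, which is the safe answer rather than a spurious "no CVEs".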
* [Buildroot] [PATCH 10/17] packages: fixup of cpe info
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC
To: buildroot
From: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
boot/grub2/grub2.mk | 1 +
boot/uboot/uboot.mk | 2 ++
linux/linux.mk | 2 ++
package/audit/audit.mk | 2 ++
package/aufs/aufs.mk | 1 +
package/bash/bash.mk | 1 +
package/bc/bc.mk | 1 +
package/bind/bind.mk | 1 +
package/boost/boost.mk | 1 +
package/bridge-utils/bridge-utils.mk | 1 +
package/busybox/busybox.mk | 1 +
package/bzip2/bzip2.mk | 1 +
package/clang/clang.mk | 1 +
package/collectd/collectd.mk | 1 +
package/conntrack-tools/conntrack-tools.mk | 1 +
package/coreutils/coreutils.mk | 1 +
package/crda/crda.mk | 1 +
package/davici/davici.mk | 1 +
package/dbus-glib/dbus-glib.mk | 1 +
package/dbus/dbus.mk | 2 ++
package/dhcp/dhcp.mk | 1 +
package/dnsmasq/dnsmasq.mk | 1 +
package/dropbear/dropbear.mk | 2 ++
package/ebtables/ebtables.mk | 1 +
package/ethtool/ethtool.mk | 1 +
package/expat/expat.mk | 1 +
package/gdb/gdb.mk | 1 +
package/gesftpserver/gesftpserver.mk | 2 ++
package/glibc/glibc.mk | 1 +
package/gmp/gmp.mk | 1 +
package/gnupg/gnupg.mk | 1 +
package/gnutls/gnutls.mk | 1 +
package/grep/grep.mk | 1 +
package/gtest/gtest.mk | 2 ++
package/gzip/gzip.mk | 1 +
package/hostapd/hostapd.mk | 1 +
package/ifupdown/ifupdown.mk | 1 +
package/iperf/iperf.mk | 2 ++
package/iperf3/iperf3.mk | 1 +
package/ipset/ipset.mk | 1 +
package/iptables/iptables.mk | 1 +
package/iw/iw.mk | 1 +
package/kmod/kmod.mk | 2 ++
package/libarchive/libarchive.mk | 1 +
package/libcurl/libcurl.mk | 2 ++
package/libestr/libestr.mk | 1 +
package/libfastjson/libfastjson.mk | 1 +
package/libfcgi/libfcgi.mk | 2 ++
package/libffi/libffi.mk | 2 ++
package/libgcrypt/libgcrypt.mk | 1 +
package/libglib2/libglib2.mk | 2 ++
package/libgpg-error/libgpg-error.mk | 1 +
package/liblogging/liblogging.mk | 1 +
package/libmbim/libmbim.mk | 1 +
package/libmnl/libmnl.mk | 1 +
.../libnetfilter_conntrack/libnetfilter_conntrack.mk | 1 +
.../libnetfilter_cthelper/libnetfilter_cthelper.mk | 1 +
.../libnetfilter_cttimeout/libnetfilter_cttimeout.mk | 1 +
package/libnetfilter_queue/libnetfilter_queue.mk | 1 +
package/libnfnetlink/libnfnetlink.mk | 1 +
package/libopenssl/Config.in | 11 +++++++++++
package/libopenssl/libopenssl.mk | 2 ++
package/libpcap/libpcap.mk | 1 +
package/libselinux/libselinux.mk | 1 +
package/libsemanage/libsemanage.mk | 1 +
package/libsepol/libsepol.mk | 1 +
package/libssh2/libssh2.mk | 1 +
package/libsysfs/libsysfs.mk | 2 ++
package/libtasn1/libtasn1.mk | 1 +
package/libunistring/libunistring.mk | 1 +
package/libxml2/libxml2.mk | 1 +
package/libxslt/libxslt.mk | 1 +
package/libzlib/libzlib.mk | 2 ++
package/lighttpd/lighttpd.mk | 1 +
package/linux-firmware/linux-firmware.mk | 2 ++
| 2 ++
package/linux-pam/linux-pam.mk | 2 ++
package/llvm/llvm.mk | 1 +
package/lxc/lxc.mk | 1 +
package/lz4/lz4.mk | 1 +
package/memtester/memtester.mk | 1 +
package/mii-diag/mii-diag.mk | 1 +
package/mpfr/mpfr.mk | 1 +
package/mrouted/mrouted.mk | 1 +
package/mtd/mtd.mk | 2 ++
package/ncurses/ncurses.mk | 1 +
package/netsnmp/netsnmp.mk | 2 ++
package/nfs-utils/nfs-utils.mk | 2 ++
package/openssh/openssh.mk | 3 +++
package/pax-utils/pax-utils.mk | 1 +
package/paxtest/paxtest.mk | 1 +
package/pcre/pcre.mk | 1 +
package/pixman/pixman.mk | 1 +
package/policycoreutils/policycoreutils.mk | 1 +
package/pppd/pppd.mk | 2 ++
package/proftpd/proftpd.mk | 1 +
package/protobuf/protobuf.mk | 1 +
package/pure-ftpd/pure-ftpd.mk | 1 +
package/python-lxml/python-lxml.mk | 2 ++
package/python-setuptools/python-setuptools.mk | 2 ++
package/python/python.mk | 1 +
package/qemu/qemu.mk | 1 +
package/rapidjson/rapidjson.mk | 1 +
package/readline/readline.mk | 1 +
package/refpolicy/refpolicy.mk | 1 +
package/rsyslog/rsyslog.mk | 1 +
package/rt-tests/rt-tests.mk | 1 +
package/sed/sed.mk | 1 +
package/setools/setools.mk | 1 +
package/setserial/setserial.mk | 1 +
package/smcroute/smcroute.mk | 1 +
package/spawn-fcgi/spawn-fcgi.mk | 1 +
package/sqlite/sqlite.mk | 2 ++
package/strongswan/strongswan.mk | 1 +
package/tar/tar.mk | 1 +
package/tcl/tcl.mk | 1 +
package/tcpdump/tcpdump.mk | 1 +
package/tftpd/tftpd.mk | 2 ++
package/uboot-tools/uboot-tools.mk | 2 ++
package/util-linux/util-linux.mk | 1 +
package/valgrind/valgrind.mk | 1 +
package/vim/vim.mk | 1 +
package/wget/wget.mk | 1 +
package/wireless-regdb/wireless-regdb.mk | 1 +
package/wireless_tools/wireless_tools.mk | 2 ++
package/wpa_supplicant/wpa_supplicant.mk | 1 +
package/xerces/xerces.mk | 2 ++
package/xz/xz.mk | 1 +
128 files changed, 170 insertions(+)
diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 5fca2315ee..9686815f4d 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -37,6 +37,7 @@ GRUB2_INSTALL_TARGET = YES
else
GRUB2_INSTALL_TARGET = NO
endif
+GRUB2_CPE_ID_VENDOR = gnu
GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
index 1831466780..1de0b7b16a 100644
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
endif
+UBOOT_CPE_ID_VENDOR = denx
+UBOOT_CPE_ID_NAME = u-boot
UBOOT_INSTALL_IMAGES = YES
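Review bot: setting only `UBOOT_CPE_ID_VENDOR` and `UBOOT_CPE_ID_NAME` leaves `UBOOT_CPE_ID_VERSION` at the default `$(UBOOT_VERSION)`, which for a custom git or tarball U-Boot (`BR2_TARGET_UBOOT_CUSTOM_GIT` and friends) is a hash or vendor string that will never match a dictionary entry; either set the version only when a numeric upstream release is configured, or note in the hunk that such builds need manual CPE review, as the manual text in this series says for U-Boot.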
diff --git a/linux/linux.mk b/linux/linux.mk
index e07e014d1e..648f6ea2a5 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
LICENSES/preferred/GPL-2.0 \
LICENSES/exceptions/Linux-syscall-note
endif
+LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
+LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
define LINUX_HELP_CMDS
@echo ' linux-menuconfig - Run Linux kernel menuconfig'
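Review bot: `LINUX_CPE_ID_VERSION` is left at the default `$(LINUX_VERSION)`, which with a custom repository or tarball is a git hash or vendor string that will not match any dictionary entry; consider setting the version only when `BR2_LINUX_KERNEL_LATEST_VERSION` or a numeric custom version is in use. Also check that the generated `LINUX_CPE_ID` uses the operating-system part (`cpe:2.3:o:linux:linux_kernel:...`), which is how NVD lists the kernel; vendor and name alone do not control that field.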
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index 652e0fcd56..a20767d24b 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
AUDIT_LICENSE_FILES = COPYING COPYING.LIB
# 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
AUDIT_AUTORECONF = YES
+AUDIT_CPE_ID_VENDOR = linux_audit_project
+AUDIT_CPE_ID_NAME = linux_audit
AUDIT_INSTALL_STAGING = YES
diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
index 4e95a350a0..495e94e606 100644
--- a/package/aufs/aufs.mk
+++ b/package/aufs/aufs.mk
@@ -7,6 +7,7 @@
AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
AUFS_LICENSE = GPL-2.0
AUFS_LICENSE_FILES = COPYING
+AUFS_CPE_ID_VERSION = 4.1
ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
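Review bot: `AUFS_CPE_ID_VERSION = 4.1` hard-codes a version while `AUFS_VERSION` is whatever git revision the user set through `BR2_PACKAGE_AUFS_VERSION`, and the `BR2_PACKAGE_AUFS_SERIES` selection right below (3 vs. 4) is ignored. A fixed 4.1 will miss or falsely report CVEs for any other checkout; derive the value from the configured series and version, or leave the default and state that aufs needs manual review like the other git-versioned packages.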
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index 1843862e49..b4681c1085 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
BASH_LICENSE = GPL-3.0+
BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VENDOR = gnu
BASH_CONF_ENV += \
ac_cv_rl_prefix="$(STAGING_DIR)" \
diff --git a/package/bc/bc.mk b/package/bc/bc.mk
index fdfacb6c89..06b6feae4f 100644
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
BC_DEPENDENCIES = host-flex
BC_LICENSE = GPL-2.0+, LGPL-2.1+
BC_LICENSE_FILES = COPYING COPYING.LIB
+BC_CPE_ID_VENDOR = gnu
BC_CONF_ENV = MAKEINFO=true
# 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 18fc4845f9..41b3146da1 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT
+BIND_CPE_ID_VENDOR = isc
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index 82fe42d6b2..d5c404a13c 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
BOOST_INSTALL_STAGING = YES
BOOST_LICENSE = BSL-1.0
BOOST_LICENSE_FILES = LICENSE_1_0.txt
+BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
# CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
# while in fact it affects Drupal (a module called boost in there).
diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
index 9d63b3ef30..fa71c3a64e 100644
--- a/package/bridge-utils/bridge-utils.mk
+++ b/package/bridge-utils/bridge-utils.mk
@@ -10,6 +10,7 @@ BRIDGE_UTILS_SITE = \
BRIDGE_UTILS_AUTORECONF = YES
BRIDGE_UTILS_LICENSE = GPL-2.0+
BRIDGE_UTILS_LICENSE_FILES = COPYING
+BRIDGE_UTILS_CPE_ID_VENDOR = kernel
# Avoid using the host's headers. Location is not important as
# required headers will anyway be found from within the sysroot.
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 7862beb790..a88168416f 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPL-2.0
BUSYBOX_LICENSE_FILES = LICENSE
+BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
define BUSYBOX_HELP_CMDS
@echo ' busybox-menuconfig - Run BusyBox menuconfig'
diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index b4d8eea25e..c2e5f7610e 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
BZIP2_INSTALL_STAGING = YES
BZIP2_LICENSE = bzip2 license
BZIP2_LICENSE_FILES = LICENSE
+BZIP2_CPE_ID_VENDOR = bzip
ifeq ($(BR2_STATIC_LIBS),)
define BZIP2_BUILD_SHARED_CMDS
diff --git a/package/clang/clang.mk b/package/clang/clang.mk
index d740af5322..672c9fb3fa 100644
--- a/package/clang/clang.mk
+++ b/package/clang/clang.mk
@@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
CLANG_LICENSE = Apache-2.0 with exceptions
CLANG_LICENSE_FILES = LICENSE.TXT
+CLANG_CVE_ID_VENDOR = llvm
CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
CLANG_INSTALL_STAGING = YES
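Review bot: `CLANG_CVE_ID_VENDOR = llvm` is a typo for `CLANG_CPE_ID_VENDOR`; as written the variable is never read and clang keeps the default `clang_project` vendor, so no dictionary entry will match.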
diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
index 00e33f27df..83bf01109a 100644
--- a/package/collectd/collectd.mk
+++ b/package/collectd/collectd.mk
@@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
COLLECTD_INSTALL_STAGING = YES
COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
COLLECTD_LICENSE_FILES = COPYING
+COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
# These require unmet dependencies, are fringe, pointless or deprecated
COLLECTD_PLUGINS_DISABLE = \
diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
index 145b6d785f..55ea407924 100644
--- a/package/conntrack-tools/conntrack-tools.mk
+++ b/package/conntrack-tools/conntrack-tools.mk
@@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
libnetfilter_queue host-bison host-flex
CONNTRACK_TOOLS_LICENSE = GPL-2.0+
CONNTRACK_TOOLS_LICENSE_FILES = COPYING
+CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 3866b76243..18e9052dfd 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
COREUTILS_LICENSE = GPL-3.0+
COREUTILS_LICENSE_FILES = COPYING
+COREUTILS_CPE_ID_VENDOR = gnu
COREUTILS_CONF_OPTS = --disable-rpath \
$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
diff --git a/package/crda/crda.mk b/package/crda/crda.mk
index c5880797be..31a64d004b 100644
--- a/package/crda/crda.mk
+++ b/package/crda/crda.mk
@@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
CRDA_LICENSE = ISC
CRDA_LICENSE_FILES = LICENSE
+CRDA_CPE_ID_VENDOR = kernel
define CRDA_BUILD_CMDS
$(TARGET_CONFIGURE_OPTS) \
diff --git a/package/davici/davici.mk b/package/davici/davici.mk
index 5c08bbe0da..6c8df48b6a 100644
--- a/package/davici/davici.mk
+++ b/package/davici/davici.mk
@@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
DAVICI_LICENSE = LGPL-2.1+
DAVICI_LICENSE_FILES = COPYING
+DAVICI_CPE_ID_VENDOR = strongswan
DAVICI_DEPENDENCIES = strongswan
DAVICI_INSTALL_STAGING = YES
DAVICI_AUTORECONF = YES
diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
index 372942e1c3..5eb158d954 100644
--- a/package/dbus-glib/dbus-glib.mk
+++ b/package/dbus-glib/dbus-glib.mk
@@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
DBUS_GLIB_INSTALL_STAGING = YES
DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
DBUS_GLIB_LICENSE_FILES = COPYING
+DBUS_GLIB_CPE_ID_VENDOR = freedesktop
DBUS_GLIB_CONF_ENV = \
ac_cv_have_abstract_sockets=yes \
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index 70f2c6fef4..ae480f3bb2 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -8,6 +8,8 @@ DBUS_VERSION = 1.12.18
DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
DBUS_LICENSE_FILES = COPYING
+DBUS_CPE_ID_VENDOR = d-bus_project
+DBUS_CPE_ID_NAME = d-bus
DBUS_INSTALL_STAGING = YES
define DBUS_PERMISSIONS
diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
index ad59804d3b..988c7792dc 100644
--- a/package/dhcp/dhcp.mk
+++ b/package/dhcp/dhcp.mk
@@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
DHCP_LICENSE = MPL-2.0
DHCP_LICENSE_FILES = LICENSE
DHCP_DEPENDENCIES = bind
+DHCP_CPE_ID_VENDOR = isc
# use libtool-enabled configure.ac
define DHCP_LIBTOOL_AUTORECONF
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index 4a7218a2b7..e0e8bed5aa 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
+DNSMASQ_CPE_ID_VENDOR = thekelleys
DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 3eaa98d0a4..d965b2eaf2 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -11,6 +11,8 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
DROPBEAR_LICENSE_FILES = LICENSE
DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
+DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
+DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
# Disable hardening flags added by dropbear configure.ac, and let
# Buildroot add them when the relevant options are enabled. This
diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
index 117cd5e99e..2f1e291c03 100644
--- a/package/ebtables/ebtables.mk
+++ b/package/ebtables/ebtables.mk
@@ -9,6 +9,7 @@ EBTABLES_SOURCE = ebtables-v$(EBTABLES_VERSION).tar.gz
EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
EBTABLES_LICENSE = GPL-2.0+
EBTABLES_LICENSE_FILES = COPYING
+EBTABLES_CVE_ID_VENDOR = netfilter
EBTABLES_STATIC = $(if $(BR2_STATIC_LIBS),static)
EBTABLES_K64U32 = $(if $(BR2_KERNEL_64_USERLAND_32),-DKERNEL_64_USERSPACE_32)
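Review bot: `EBTABLES_CVE_ID_VENDOR` is the same `CVE`/`CPE` transposition as in the clang hunk; it should read `EBTABLES_CPE_ID_VENDOR = netfilter`. As written, ebtables is silently looked up under a different vendor than its siblings (conntrack-tools, ipset, iptables, libmnl, libnetfilter_*, libnfnetlink), all of which this series sets to `netfilter`.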
diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
index 1668171f3a..0e94a918c2 100644
--- a/package/ethtool/ethtool.mk
+++ b/package/ethtool/ethtool.mk
@@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
ETHTOOL_LICENSE = GPL-2.0
ETHTOOL_LICENSE_FILES = LICENSE COPYING
+ETHTOOL_CPE_ID_VENDOR = kernel
ETHTOOL_CONF_OPTS = \
$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 38e5dee75d..af3088b80c 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
HOST_EXPAT_DEPENDENCIES = host-pkgconf
EXPAT_LICENSE = MIT
EXPAT_LICENSE_FILES = COPYING
+EXPAT_CPE_ID_VENDOR = libexpat
EXPAT_CONF_OPTS = --without-docbook
HOST_EXPAT_CONF_OPTS = --without-docbook
diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
index 6b63a6214b..de11b1e5e8 100644
--- a/package/gdb/gdb.mk
+++ b/package/gdb/gdb.mk
@@ -22,6 +22,7 @@ endif
GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
+GDB_CPE_ID_VENDOR = gnu
# We only want gdbserver and not the entire debugger.
ifeq ($(BR2_PACKAGE_GDB_DEBUGGER),)
diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
index ff7ce768ae..07718a4c42 100644
--- a/package/gesftpserver/gesftpserver.mk
+++ b/package/gesftpserver/gesftpserver.mk
@@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING
# "Missing prototype" warning treated as error
GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
+GESFTPSERVER_CPE_ID_VENDOR = green_end
+GESFTPSERVER_CPE_ID_NAME = sftpserver
# forgets to link against pthread when cross compiling
GESFTPSERVER_CONF_ENV = LIBS=-lpthread
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index f2b5b4caf6..032e642bb8 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -31,6 +31,7 @@ endif
GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
+GLIBC_CPE_ID_VENDOR = gnu
# glibc is part of the toolchain so disable the toolchain dependency
GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index d124463a98..a79d5b7d9a 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
GMP_INSTALL_STAGING = YES
GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
+GMP_CPE_ID_VENDOR = gmplib
GMP_DEPENDENCIES = host-m4
HOST_GMP_DEPENDENCIES = host-m4
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index 617def884e..ba424fed96 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
GNUPG_LICENSE = GPL-3.0+
GNUPG_LICENSE_FILES = COPYING
GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
GNUPG_CONF_OPTS = \
--disable-rpath \
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index 9f53150004..65bb4893e8 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
endif
GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_CPE_ID_VENDOR = gnu
GNUTLS_CONF_OPTS = \
--disable-doc \
--disable-guile \
diff --git a/package/grep/grep.mk b/package/grep/grep.mk
index ef1bbb4487..204c74f3b8 100644
--- a/package/grep/grep.mk
+++ b/package/grep/grep.mk
@@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
GREP_LICENSE = GPL-3.0+
GREP_LICENSE_FILES = COPYING
+GREP_CPE_ID_VENDOR = gnu
GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
# install into /bin like busybox grep
GREP_CONF_OPTS = --exec-prefix=/
diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
index 7f967b8bfb..fc51d9f7a2 100644
--- a/package/gtest/gtest.mk
+++ b/package/gtest/gtest.mk
@@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES
GTEST_INSTALL_TARGET = NO
GTEST_LICENSE = BSD-3-Clause
GTEST_LICENSE_FILES = googletest/LICENSE
+GTEST_CPE_ID_VENDOR = google
+GTEST_CPE_ID_NAME = google_test
ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
GTEST_DEPENDENCIES += host-gtest
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 17b27b497c..c8fd3ddb7a 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
GZIP_CONF_OPTS = --exec-prefix=/
GZIP_LICENSE = GPL-3.0+
GZIP_LICENSE_FILES = COPYING
+GZIP_CPE_ID_VENDOR = gnu
GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
# configure substitutes $(SHELL) for the shell shebang in scripts like
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index 676e36d8ba..efeefd8b35 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -23,6 +23,7 @@ HOSTAPD_IGNORE_CVES += CVE-2019-16275
# 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
HOSTAPD_IGNORE_CVES += CVE-2020-12695
+HOSTAPD_CPE_ID_VENDOR = w1.fi
HOSTAPD_CONFIG_SET =
HOSTAPD_CONFIG_ENABLE = \
diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
index 84d24aedab..e62c2a79c5 100644
--- a/package/ifupdown/ifupdown.mk
+++ b/package/ifupdown/ifupdown.mk
@@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
IFUPDOWN_LICENSE = GPL-2.0+
IFUPDOWN_LICENSE_FILES = COPYING
+IFUPDOWN_CPE_ID_VENDOR = debian
define IFUPDOWN_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
index 7088b0f152..f1e65e7545 100644
--- a/package/iperf/iperf.mk
+++ b/package/iperf/iperf.mk
@@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13
IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
IPERF_LICENSE = MIT-like
IPERF_LICENSE_FILES = COPYING
+IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
+IPERF_CPE_ID_NAME = $(IPERF_NAME)2
IPERF_CONF_OPTS = \
--disable-web100
diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
index 7d5a10cdef..234e04eae0 100644
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
IPERF3_LICENSE_FILES = LICENSE
+IPERF3_CPE_ID_VENDOR = es
IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index 869763d322..cea3ee0e05 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
IPSET_CONF_OPTS = --with-kmod=no
IPSET_LICENSE = GPL-2.0
IPSET_LICENSE_FILES = COPYING
+IPSET_CPE_ID_VENDOR = netfilter
IPSET_INSTALL_STAGING = YES
$(eval $(autotools-package))
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 442639f159..053d0e3964 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
IPTABLES_LICENSE = GPL-2.0
IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_CPE_ID_VENDOR = netfilter
# Building static causes ugly warnings on some plugins
IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
$(if $(BR2_STATIC_LIBS),,--disable-static)
diff --git a/package/iw/iw.mk b/package/iw/iw.mk
index 2250ea413b..a232cc8baa 100644
--- a/package/iw/iw.mk
+++ b/package/iw/iw.mk
@@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
IW_LICENSE = ISC
IW_LICENSE_FILES = COPYING
+IW_CPE_ID_VENDOR = kernel
IW_DEPENDENCIES = host-pkgconf libnl
IW_MAKE_ENV = \
$(TARGET_MAKE_ENV) \
diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
index 0a79b2cf4d..c44764ea18 100644
--- a/package/kmod/kmod.mk
+++ b/package/kmod/kmod.mk
@@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
KMOD_LICENSE = LGPL-2.1+ (library)
KMOD_LICENSE_FILES = libkmod/COPYING
+KMOD_CPE_ID_VENDOR = kernel
+
# --gc-sections triggers binutils ld segfault
# https://sourceware.org/bugzilla/show_bug.cgi?id=21180
ifeq ($(BR2_microblaze),y)
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 708ce637c2..71c8a2e4cf 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
LIBARCHIVE_INSTALL_STAGING = YES
LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
LIBARCHIVE_LICENSE_FILES = COPYING
+LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
ifeq ($(BR2_STATIC_LIBS),y)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index ea7e06e27e..969325a485 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
LIBCURL_LICENSE = curl
LIBCURL_LICENSE_FILES = COPYING
+LIBCURL_CPE_ID_VENDOR = haxx
+LIBCURL_CPE_ID_NAME = libcurl
LIBCURL_INSTALL_STAGING = YES
# We disable NTLM support because it uses fork(), which doesn't work
diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
index 30960f7257..6ce22efae2 100644
--- a/package/libestr/libestr.mk
+++ b/package/libestr/libestr.mk
@@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
LIBESTR_SITE = http://libestr.adiscon.com/files/download
LIBESTR_LICENSE = LGPL-2.1+
LIBESTR_LICENSE_FILES = COPYING
+LIBESTR_CPE_ID_VENDOR = adiscon
LIBESTR_INSTALL_STAGING = YES
$(eval $(autotools-package))
diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
index ecca72f56c..37dbd7e03e 100644
--- a/package/libfastjson/libfastjson.mk
+++ b/package/libfastjson/libfastjson.mk
@@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
LIBFASTJSON_AUTORECONF = YES
LIBFASTJSON_LICENSE = MIT
LIBFASTJSON_LICENSE_FILES = COPYING
+LIBFASTJSON_CPE_ID_VENDOR = rsyslog
$(eval $(autotools-package))
diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
index c158df2395..c40d9c5970 100644
--- a/package/libfcgi/libfcgi.mk
+++ b/package/libfcgi/libfcgi.mk
@@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2
LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
LIBFCGI_LICENSE = OML
LIBFCGI_LICENSE_FILES = LICENSE.TERMS
+LIBFCGI_CPE_ID_VENDOR = fastcgi
+LIBFCGI_CPE_ID_NAME = fcgi
LIBFCGI_INSTALL_STAGING = YES
LIBFCGI_AUTORECONF = YES
diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
index 722a03dca0..e87a024040 100644
--- a/package/libffi/libffi.mk
+++ b/package/libffi/libffi.mk
@@ -6,6 +6,8 @@
LIBFFI_VERSION = 3.3
LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
+LIBFFI_CPE_ID_VERSION = 3.3
+LIBFFI_CPE_ID_VERSION_MINOR = rc0
LIBFFI_LICENSE = MIT
LIBFFI_LICENSE_FILES = LICENSE
LIBFFI_INSTALL_STAGING = YES
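Review bot: `LIBFFI_CPE_ID_VERSION = 3.3` repeats `LIBFFI_VERSION = 3.3` from two lines above as a literal; use `$(LIBFFI_VERSION)` so a version bump cannot leave the CPE version stale (a stale CPE version makes the checker silently scan the wrong release). `LIBFFI_CPE_ID_VERSION_MINOR = rc0` also needs a comment: the package builds the 3.3 release, not a release candidate, so without a pointer to the dictionary entry that uses `rc0` the next maintainer will read this as a mistake and remove it. The hunk sets no `LIBFFI_CPE_ID_VENDOR`; if the bare package name is the intended vendor, set it explicitly as the other hunks do.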
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index b2c1ea3cbe..d928d2fd80 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
LIBGCRYPT_INSTALL_STAGING = YES
LIBGCRYPT_DEPENDENCIES = libgpg-error
LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
+LIBGCRYPT_CPE_ID_VENDOR = gnupg
# Patching acinclude.m4 in 0001
# Patching configure.ac and Makefile.am in 0002
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index fda04334f5..7f726df29b 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
LIBGLIB2_LICENSE = LGPL-2.1+
LIBGLIB2_LICENSE_FILES = COPYING
+LIBGLIB2_CPE_ID_VENDOR = gnome
+LIBGLIB2_CPE_ID_NAME = glib
LIBGLIB2_INSTALL_STAGING = YES
LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
index 6281faa662..05c7f710f2 100644
--- a/package/libgpg-error/libgpg-error.mk
+++ b/package/libgpg-error/libgpg-error.mk
@@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
+LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
LIBGPG_ERROR_INSTALL_STAGING = YES
LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
index c756891a86..24375b56b4 100644
--- a/package/liblogging/liblogging.mk
+++ b/package/liblogging/liblogging.mk
@@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
LIBLOGGING_LICENSE = BSD-2-Clause
LIBLOGGING_LICENSE_FILES = COPYING
+LIBLOGGING_CPE_ID_VENDOR = adiscon
LIBLOGGING_INSTALL_STAGING = YES
LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
index f9c1ec9953..2cf245e6b6 100644
--- a/package/libmbim/libmbim.mk
+++ b/package/libmbim/libmbim.mk
@@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
+LIBMBIM_CPE_ID_VENDOR = freedesktop
LIBMBIM_INSTALL_STAGING = YES
LIBMBIM_DEPENDENCIES = libglib2
diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
index 7fcce4c21f..d3b33db2e0 100644
--- a/package/libmnl/libmnl.mk
+++ b/package/libmnl/libmnl.mk
@@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
LIBMNL_INSTALL_STAGING = YES
LIBMNL_LICENSE = LGPL-2.1+
LIBMNL_LICENSE_FILES = COPYING
+LIBMNL_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
index 8beefefb51..0a5a94be8f 100644
--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
@@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
+LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
index 61d6acd07c..d74ea4d0fd 100644
--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
LIBNETFILTER_CTHELPER_AUTORECONF = YES
LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
+LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
index 9c4c951687..f5c5067b64 100644
--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
+LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
index 2bb4dd376d..6cd35baea1 100644
--- a/package/libnetfilter_queue/libnetfilter_queue.mk
+++ b/package/libnetfilter_queue/libnetfilter_queue.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
LIBNETFILTER_QUEUE_AUTORECONF = YES
LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
+LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
index 13f5d72c87..a5ad47b85e 100644
--- a/package/libnfnetlink/libnfnetlink.mk
+++ b/package/libnfnetlink/libnfnetlink.mk
@@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
LIBNFNETLINK_INSTALL_STAGING = YES
LIBNFNETLINK_LICENSE = GPL-2.0
LIBNFNETLINK_LICENSE_FILES = COPYING
+LIBNFNETLINK_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 8909e36b9e..dd03de7674 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
Install additional encryption engine libraries.
endif # BR2_PACKAGE_LIBOPENSSL
+# See package/openssl/Config.in for the actual kconfig
+# of this package. This file provides a URL for CPE use.
+
+# help
+# A collaborative effort to develop a robust, commercial-grade,
+# fully featured, and Open Source toolkit implementing the
+# Secure Sockets Layer (SSL v2/v3) and Transport Security
+# (TLS v1) as well as a full-strength general-purpose
+# cryptography library.
+#
+# http://www.openssl.org/
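Review bot: this block is commented-out kconfig text, so nothing parses it: the `# help` body and the `# http://www.openssl.org/` URL are invisible to kconfig and to the CVE checker alike, yet the header says the file "provides a URL for CPE use". Either drop the hunk (the CPE vendor and name are set in libopenssl.mk) or, if a tool is meant to read a URL out of Config.in, define that format and put it in the real kconfig in package/openssl/Config.in. The duplicated description is also stale ("SSL v2/v3", "TLS v1") and a second copy will only drift further from the one in openssl/Config.in.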
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..bb4747f4c0 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
+LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
ifeq ($(BR2_m68k_cf),y)
# relocation truncated to fit: R_68K_GOT16O
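Review bot: `LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)` and `LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)` tie the CPE identity to the virtual-package name, which is a different concept (the name other packages depend on), so a change to the provider name would silently change which NVD entries this package matches. Write the literal `openssl` for both, as the other hunks do.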
diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
index 881a109a0a..e323461529 100644
--- a/package/libpcap/libpcap.mk
+++ b/package/libpcap/libpcap.mk
@@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
LIBPCAP_SITE = http://www.tcpdump.org/release
LIBPCAP_LICENSE = BSD-3-Clause
LIBPCAP_LICENSE_FILES = LICENSE
+LIBPCAP_CPE_ID_VENDOR = tcpdump
LIBPCAP_INSTALL_STAGING = YES
LIBPCAP_DEPENDENCIES = host-flex host-bison
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index c96b5a4431..9bb1e57db6 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.1
LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
LIBSELINUX_LICENSE = Public Domain
LIBSELINUX_LICENSE_FILES = LICENSE
+LIBSELINUX_CPE_ID_VENDOR = selinuxproject
LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 3ea0603f53..48e2bbbc8b 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
LIBSEMANAGE_LICENSE = LGPL-2.1+
LIBSEMANAGE_LICENSE_FILES = COPYING
LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
+LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
LIBSEMANAGE_INSTALL_STAGING = YES
LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 7d8b7b2063..a4398bdc42 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.1
LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
LIBSEPOL_LICENSE = LGPL-2.1+
LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_CPE_ID_VENDOR = selinuxproject
LIBSEPOL_INSTALL_STAGING = YES
LIBSEPOL_DEPENDENCIES = host-flex
diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
index c03fe0db55..eb66ab5643 100644
--- a/package/libssh2/libssh2.mk
+++ b/package/libssh2/libssh2.mk
@@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
LIBSSH2_SITE = https://www.libssh2.org/download
LIBSSH2_LICENSE = BSD
LIBSSH2_LICENSE_FILES = COPYING
+LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
LIBSSH2_INSTALL_STAGING = YES
LIBSSH2_CONF_OPTS = --disable-examples-build
diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
index 13edc9a4ea..fd8bfa6724 100644
--- a/package/libsysfs/libsysfs.mk
+++ b/package/libsysfs/libsysfs.mk
@@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
LIBSYSFS_INSTALL_STAGING = YES
LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
+LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
+LIBSYSFS_CPE_ID_NAME = sysfsutils
$(eval $(autotools-package))
diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
index d5a6c69965..a354716824 100644
--- a/package/libtasn1/libtasn1.mk
+++ b/package/libtasn1/libtasn1.mk
@@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
+LIBTASN1_CPE_ID_VENDOR = gnu
LIBTASN1_INSTALL_STAGING = YES
# We're patching fuzz/Makefile.am
diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
index fa51447170..1ed7ecf906 100644
--- a/package/libunistring/libunistring.mk
+++ b/package/libunistring/libunistring.mk
@@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
LIBUNISTRING_INSTALL_STAGING = YES
LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
+LIBUNISTRING_CPE_ID_VENDOR = gnu
$(eval $(autotools-package))
$(eval $(host-autotools-package))
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index acbdfb7728..c531934dc3 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -13,6 +13,7 @@ LIBXML2_LICENSE_FILES = COPYING
LIBXML2_IGNORE_CVES += CVE-2020-7595
# 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
LIBXML2_IGNORE_CVES += CVE-2019-20388
+LIBXML2_CPE_ID_VENDOR = xmlsoft
LIBXML2_CONFIG_SCRIPTS = xml2-config
# relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 2f37f303ac..3c603ad9f6 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
LIBXSLT_INSTALL_STAGING = YES
LIBXSLT_LICENSE = MIT
LIBXSLT_LICENSE_FILES = COPYING
+LIBXSLT_CPE_ID_VENDOR = xmlsoft
LIBXSLT_CONF_OPTS = \
--with-gnu-ld \
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index eea0c12f22..a1e2640bac 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
LIBZLIB_LICENSE_FILES = README
LIBZLIB_INSTALL_STAGING = YES
LIBZLIB_PROVIDES = zlib
+LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
# It is not possible to build only a shared version of zlib, so we build both
# shared and static, unless we only want the static libs, and we eventually
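Review bot: `LIBZLIB_CPE_ID_VENDOR = gnu` looks wrong at first sight, since zlib is not a GNU project, even though that is the vendor NVD has used for zlib; add a one-line comment saying the value comes from the NVD dictionary, otherwise a future maintainer will "correct" it and break matching. Same remark as for libopenssl on `LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)`: the virtual-package name and the CPE product name happen to coincide, but spell `zlib` out rather than coupling the two.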
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 7181465c66..39600ef94b 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
LIGHTTPD_LICENSE = BSD-3-Clause
LIGHTTPD_LICENSE_FILES = COPYING
+LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
LIGHTTPD_DEPENDENCIES = host-pkgconf
LIGHTTPD_CONF_OPTS = \
--without-wolfssl \
diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
index 2af8d09f40..938daf0ccd 100644
--- a/package/linux-firmware/linux-firmware.mk
+++ b/package/linux-firmware/linux-firmware.mk
@@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
LINUX_FIRMWARE_SITE_METHOD = git
+LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
+
# Intel SST DSP
ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
--git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
index 4c3cb716b3..4496295f2a 100644
--- a/package/linux-headers/linux-headers.mk
+++ b/package/linux-headers/linux-headers.mk
@@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
LICENSES/preferred/GPL-2.0 \
LICENSES/exceptions/Linux-syscall-note
endif
+LINUX_HEADERS_CPE_ID_VENDOR = linux
+LINUX_HEADERS_CPE_ID_NAME = linux_kernel
LINUX_HEADERS_INSTALL_STAGING = YES
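Review bot: giving linux-headers the kernel's CPE (`linux:linux_kernel`) means every kernel CVE matching the headers version is reported against a package that only installs headers into staging and ships no code to the target; on a build whose kernel version differs from the headers version (or that uses an external kernel) that is a false positive, and on one where they match the real kernel CVEs are attributed to the wrong package. If this is meant as a proxy for the kernel, say so in a comment; otherwise the kernel package is the right place for this CPE. Note also that `linux:linux_kernel` is an `o` (operating system) entry in the NVD dictionary, not an `a` entry; if the CPE string built from these variables hard-codes the application part, this package will never match.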
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 57fb2c9cfd..ecd4a723c4 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -23,6 +23,8 @@ LINUX_PAM_LICENSE_FILES = Copyright
# We're patching configure.ac
LINUX_PAM_AUTORECONF = YES
LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
+LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
+LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
LINUX_PAM_CONF_OPTS += --enable-selinux
diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
index 24d033d124..177fff71bb 100644
--- a/package/llvm/llvm.mk
+++ b/package/llvm/llvm.mk
@@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
LLVM_LICENSE = Apache-2.0 with exceptions
LLVM_LICENSE_FILES = LICENSE.TXT
+LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
LLVM_INSTALL_STAGING = YES
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index 82b8793546..fbf0b28759 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -8,6 +8,7 @@ LXC_VERSION = 4.0.4
LXC_SITE = https://linuxcontainers.org/downloads/lxc
LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
+LXC_CPE_ID_VENDOR = linuxcontainers
LXC_DEPENDENCIES = host-pkgconf
LXC_INSTALL_STAGING = YES
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index fa309e8dbb..7c91b6eecc 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
LZ4_INSTALL_STAGING = YES
LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
+LZ4_CPE_ID_VENDOR = yann_collet
# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
# 1.9.2, while in fact this issue has been fixed since lz4-r130:
diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
index 0e64d8cde2..ec821adbe8 100644
--- a/package/memtester/memtester.mk
+++ b/package/memtester/memtester.mk
@@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.3.0
MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
MEMTESTER_LICENSE = GPL-2.0
MEMTESTER_LICENSE_FILES = COPYING
+MEMTESTER_CPE_ID_VENDOR = pryopus
MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
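Review bot: `MEMTESTER_CPE_ID_VENDOR = pryopus` is misspelled; the site three lines up is `pyropus.ca`, so the intended vendor is `pyropus`. A typo here is worse than no vendor at all, because the lookup fails silently and the package appears CVE-free; worth checking the other hand-typed vendors in this series against the NVD dictionary the same way before merging.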
diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
index 6efd5be80d..a7c6483221 100644
--- a/package/mii-diag/mii-diag.mk
+++ b/package/mii-diag/mii-diag.mk
@@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
MII_DIAG_LICENSE = GPL # No version specified
MII_DIAG_LICENSE_FILES = mii-diag.c
+MII_DIAG_CPE_ID_VENDOR = debian
MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
index ef2999eb16..837aff3aa5 100644
--- a/package/mpfr/mpfr.mk
+++ b/package/mpfr/mpfr.mk
@@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
MPFR_LICENSE = LGPL-3.0+
MPFR_LICENSE_FILES = COPYING.LESSER
+MPFR_CPE_ID_VENDOR = gnu
MPFR_INSTALL_STAGING = YES
MPFR_DEPENDENCIES = gmp
HOST_MPFR_DEPENDENCIES = host-gmp
diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
index b9a4eaba45..6ee7fd5dfd 100644
--- a/package/mrouted/mrouted.mk
+++ b/package/mrouted/mrouted.mk
@@ -9,6 +9,7 @@ MROUTED_SITE = $(call github,troglobit,mrouted,$(MROUTED_VERSION))
MROUTED_DEPENDENCIES = host-bison
MROUTED_LICENSE = BSD-3-Clause
MROUTED_LICENSE_FILES = LICENSE
+MROUTED_CPE_ID_VENDOR = troglobit
define MROUTED_CONFIGURE_CMDS
(cd $(@D); \
diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index 1186fa52d5..bbae4e13b2 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
MTD_LICENSE = GPL-2.0
MTD_LICENSE_FILES = COPYING
+MTD_CPE_ID_VENDOR = mtd-utils_project
+MTD_CPE_ID_NAME = mtd-utils
MTD_INSTALL_STAGING = YES
ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index c11650c766..5c5e497488 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
NCURSES_DEPENDENCIES = host-ncurses
NCURSES_LICENSE = MIT with advertising clause
NCURSES_LICENSE_FILES = COPYING
+NCURSES_CPE_ID_VENDOR = gnu
NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
NCURSES_PATCH = \
$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 904279d1fb..09ca33f754 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
NETSNMP_LICENSE = Various BSD-like
NETSNMP_LICENSE_FILES = COPYING
+NETSNMP_CPE_ID_VENDOR = net-snmp
+NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
NETSNMP_INSTALL_STAGING = YES
NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
NETSNMP_CONF_OPTS = \
diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
index da85cb178f..67f178cbff 100644
--- a/package/nfs-utils/nfs-utils.mk
+++ b/package/nfs-utils/nfs-utils.mk
@@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
NFS_UTILS_LICENSE = GPL-2.0+
NFS_UTILS_LICENSE_FILES = COPYING
NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
+NFS_UTILS_CPE_ID_VENDOR = linux-nfs
+NFS_UTILS_AUTORECONF = YES
NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
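Review bot: `+NFS_UTILS_AUTORECONF = YES` is unrelated to the CPE ID fixup this patch is about and changes how the package is built. It should go in its own patch with a justification (Buildroot convention is a comment naming the patch that makes autoreconf necessary), or be dropped if it slipped in from another branch.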
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64ac22181b..c8937229ab 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -5,6 +5,8 @@
################################################################################
OPENSSH_VERSION = 8.3p1
+OPENSSH_CPE_ID_VERSION = 8.3
+OPENSSH_CPE_ID_VERSION_MINOR = p1
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
OPENSSH_LICENSE_FILES = LICENCE
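Review bot: `OPENSSH_CPE_ID_VERSION = 8.3` and `OPENSSH_CPE_ID_VERSION_MINOR = p1` duplicate what is already in `OPENSSH_VERSION = 8.3p1`, so the next version bump has to remember three lines or the CVE match silently goes stale. Consider deriving them, e.g. `OPENSSH_CPE_ID_VERSION = $(firstword $(subst p, ,$(OPENSSH_VERSION)))` and `OPENSSH_CPE_ID_VERSION_MINOR = p$(lastword $(subst p, ,$(OPENSSH_VERSION)))`, or at least add a comment next to `OPENSSH_VERSION` saying the CPE version fields must be kept in sync.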
@@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_CFLAGS)" \
LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_CPE_ID_VENDOR = openbsd
OPENSSH_CONF_OPTS = \
--sysconfdir=/etc/ssh \
--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
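Review bot: `OPENSSH_CPE_ID_VENDOR = openbsd` lands between `OPENSSH_CONF_ENV` and `OPENSSH_CONF_OPTS`, far from the two `OPENSSH_CPE_ID_VERSION*` lines added at the top of the file. Keep the CPE variables together, right after `OPENSSH_LICENSE_FILES` as the other packages in this patch do, so the full CPE identity is readable in one place.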
diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
index b31468eca2..a6618851ba 100644
--- a/package/pax-utils/pax-utils.mk
+++ b/package/pax-utils/pax-utils.mk
@@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
PAX_UTILS_LICENSE = GPL-2.0
PAX_UTILS_LICENSE_FILES = COPYING
+PAX_UTILS_CPE_ID_VENDOR = gentoo
PAX_UTILS_DEPENDENCIES = host-pkgconf
PAX_UTILS_CONF_OPTS = --without-python
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
index e632e222c3..1b8d6699b6 100644
--- a/package/paxtest/paxtest.mk
+++ b/package/paxtest/paxtest.mk
@@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
PAXTEST_SITE = https://www.grsecurity.net/~spender
PAXTEST_LICENSE = GPL-2.0+
PAXTEST_LICENSE_FILES = README
+PAXTEST_CPE_ID_VENDOR = grsecurity
define PAXTEST_BUILD_CMDS
$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index 3c280e593f..b37a2ca9b7 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
PCRE_LICENSE = BSD-3-Clause
PCRE_LICENSE_FILES = LICENCE
+PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
PCRE_INSTALL_STAGING = YES
PCRE_CONFIG_SCRIPTS = pcre-config
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index a446ebca46..52d4e36f2e 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
PIXMAN_LICENSE = MIT
PIXMAN_LICENSE_FILES = COPYING
+PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
PIXMAN_INSTALL_STAGING = YES
PIXMAN_DEPENDENCIES = host-pkgconf
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 4c0fdc71a7..0dfdc7af03 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.1
POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
POLICYCOREUTILS_LICENSE = GPL-2.0
POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
index 685666a200..118f9fc334 100644
--- a/package/pppd/pppd.mk
+++ b/package/pppd/pppd.mk
@@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
PPPD_LICENSE_FILES = \
pppd/tdb.c pppd/plugins/pppoatm/COPYING \
pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
+PPPD_CPE_ID_VENDOR = samba
+PPPD_CPE_ID_NAME = ppp
# 0001-pppd-Fix-bounds-check.patch
PPPD_IGNORE_CVES += CVE-2020-8597
diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
index e126d0e0a4..94276233c8 100644
--- a/package/proftpd/proftpd.mk
+++ b/package/proftpd/proftpd.mk
@@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
PROFTPD_LICENSE = GPL-2.0+
PROFTPD_LICENSE_FILES = COPYING
+PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
PROFTPD_CONF_ENV = \
ac_cv_func_setpgrp_void=yes \
diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
index 04fea3063e..82c814b65b 100644
--- a/package/protobuf/protobuf.mk
+++ b/package/protobuf/protobuf.mk
@@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
PROTOBUF_LICENSE = BSD-3-Clause
PROTOBUF_LICENSE_FILES = LICENSE
+PROTOBUF_CPE_ID_VENDOR = google
# N.B. Need to use host protoc during cross compilation.
PROTOBUF_DEPENDENCIES = host-protobuf
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7b7c7d9637..7e3d18b433 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
PURE_FTPD_LICENSE = ISC
PURE_FTPD_LICENSE_FILES = COPYING
+PURE_FTPD_CPE_ID_VENDOR = pureftpd
PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index 7e727a6753..0b95cf4dc6 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
doc/licenses/BSD.txt \
doc/licenses/elementtree.txt \
src/lxml/isoschematron/resources/rng/iso-schematron.rng
+PYTHON_LXML_CPE_ID_VENDOR = lxml
+PYTHON_LXML_CPE_ID_NAME = lxml
# python-lxml can use either setuptools, or distutils as a fallback.
# So, we use setuptools.
diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
index 2cb575ae22..ade5ca5521 100644
--- a/package/python-setuptools/python-setuptools.mk
+++ b/package/python-setuptools/python-setuptools.mk
@@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
PYTHON_SETUPTOOLS_LICENSE = MIT
PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
+PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
+PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
diff --git a/package/python/python.mk b/package/python/python.mk
index ccaaadd012..2d4c5a3721 100644
--- a/package/python/python.mk
+++ b/package/python/python.mk
@@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
PYTHON_LICENSE = Python-2.0, others
PYTHON_LICENSE_FILES = LICENSE
+PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
PYTHON_LIBTOOL_PATCH = NO
# Python needs itself to be built, so in order to cross-compile
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index 69850ec938..a4b5688605 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
# NOTE: there is no top-level license file for non-(L)GPL licenses;
# the non-(L)GPL license texts are specified in the affected
# individual source files.
+QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
#-------------------------------------------------------------
# Target-qemu
diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
index 9f1c82ce40..d3bcef7df1 100644
--- a/package/rapidjson/rapidjson.mk
+++ b/package/rapidjson/rapidjson.mk
@@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
RAPIDJSON_LICENSE = MIT
RAPIDJSON_LICENSE_FILES = license.txt
+RAPIDJSON_CPE_ID_VENDOR = tencent
# rapidjson is a header-only C++ library
RAPIDJSON_INSTALL_TARGET = NO
diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index f5d7d5bf9e..04872ac868 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
READLINE_CONF_OPTS = --disable-install-examples
READLINE_LICENSE = GPL-3.0+
READLINE_LICENSE_FILES = COPYING
+READLINE_CPE_ID_VENDOR = gnu
define READLINE_INSTALL_INPUTRC
$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index e1924f3c2d..63a1713e35 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -6,6 +6,7 @@
REFPOLICY_LICENSE = GPL-2.0
REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_CPE_ID_VENDOR = tresys
REFPOLICY_INSTALL_STAGING = YES
REFPOLICY_DEPENDENCIES = \
host-m4 \
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 90f21559f8..f9e1a0443a 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
+RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
index c17b7fe982..a52cfff3c3 100644
--- a/package/rt-tests/rt-tests.mk
+++ b/package/rt-tests/rt-tests.mk
@@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.8
RT_TESTS_LICENSE = GPL-2.0+
RT_TESTS_LICENSE_FILES = COPYING
RT_TESTS_DEPENDENCIES = numactl
+RT_TESTS_CPE_ID_VENDOR = kernel
define RT_TESTS_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
diff --git a/package/sed/sed.mk b/package/sed/sed.mk
index 6bb3220553..64fb2035b0 100644
--- a/package/sed/sed.mk
+++ b/package/sed/sed.mk
@@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
SED_SITE = $(BR2_GNU_MIRROR)/sed
SED_LICENSE = GPL-3.0
SED_LICENSE_FILES = COPYING
+SED_CPE_ID_VENDOR = gnu
SED_CONF_OPTS = \
--bindir=/bin \
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index c1a3a909cb..a07b1367a2 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
SETOOLS_INSTALL_STAGING = YES
SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_CPE_ID_VENDOR = selinuxproject
SETOOLS_SETUP_TYPE = setuptools
HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
HOST_SETOOLS_NEEDS_HOST_PYTHON = python3
diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
index 66ca59d79d..2e29e4c803 100644
--- a/package/setserial/setserial.mk
+++ b/package/setserial/setserial.mk
@@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
SETSERIAL_LICENSE = GPL-2.0
SETSERIAL_LICENSE_FILES = debian/copyright
+
# make all also builds setserial.cat which needs nroff
SETSERIAL_MAKE_OPTS = setserial
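Review bot: no CPE variable is actually set for setserial; the one added line is blank, so the CVE check is unchanged for this package. Either the intended `SETSERIAL_CPE_ID_VENDOR` assignment was lost (the site is a Debian snapshot, like mii-diag, which got `debian` in this same patch) or the hunk should be dropped.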
diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
index 1a36c75d47..0db0e084f6 100644
--- a/package/smcroute/smcroute.mk
+++ b/package/smcroute/smcroute.mk
@@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
SMCROUTE_LICENSE = GPL-2.0+
SMCROUTE_LICENSE_FILES = COPYING
+SMCROUTE_CPE_ID_VENDOR = troglobit
SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
#BUG:The package Makefile uses CC?= even though the package is autotools based
diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
index ed97d0a7b4..8caa1e2b3c 100644
--- a/package/spawn-fcgi/spawn-fcgi.mk
+++ b/package/spawn-fcgi/spawn-fcgi.mk
@@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
SPAWN_FCGI_LICENSE = BSD-3-Clause
SPAWN_FCGI_LICENSE_FILES = COPYING
+SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
$(eval $(autotools-package))
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index c8b9ba3150..796292178c 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -5,11 +5,13 @@
################################################################################
SQLITE_VERSION = 3320300
+SQLITE_CPE_ID_VERSION = 3.31.1
SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
SQLITE_SITE = https://www.sqlite.org/2020
SQLITE_LICENSE = Public domain
SQLITE_LICENSE_FILES = tea/license.terms
SQLITE_INSTALL_STAGING = YES
+SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
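Review bot: `SQLITE_CPE_ID_VERSION = 3.31.1` does not correspond to `SQLITE_VERSION = 3320300`, which in SQLite's XYYZZPP numbering is 3.32.3; a CVE check against 3.31.1 would report issues already fixed in 3.32.x and miss any introduced after 3.31.1. Update the value to match, and consider placing it next to `SQLITE_CPE_ID_VENDOR` with a comment that it must follow `SQLITE_VERSION` on every bump rather than splitting the two CPE lines across the file.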
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 7f1752ce57..1f7437fa31 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -12,6 +12,7 @@ STRONGSWAN_PATCH = \
$(STRONGSWAN_SITE)/patches/28_gmp_pkcs1_overflow_patch/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
STRONGSWAN_LICENSE = GPL-2.0+
STRONGSWAN_LICENSE_FILES = COPYING LICENSE
+STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
STRONGSWAN_DEPENDENCIES = host-pkgconf
STRONGSWAN_INSTALL_STAGING = YES
STRONGSWAN_CONF_OPTS += \
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 9e0a40e561..643eff1cbc 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
TAR_CONF_OPTS = --exec-prefix=/
TAR_LICENSE = GPL-3.0+
TAR_LICENSE_FILES = COPYING
+TAR_CPE_ID_VENDOR = gnu
ifeq ($(BR2_PACKAGE_ACL),y)
TAR_DEPENDENCIES += acl
diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
index 6d750b3cd2..913891e897 100644
--- a/package/tcl/tcl.mk
+++ b/package/tcl/tcl.mk
@@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
TCL_LICENSE = TCL
TCL_LICENSE_FILES = license.terms
+TCL_CPE_ID_VENDOR = $(TCL_NAME)
TCL_SUBDIR = unix
TCL_INSTALL_STAGING = YES
TCL_AUTORECONF = YES
diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 01a46b9b5f..9687e3c497 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
TCPDUMP_SITE = http://www.tcpdump.org/release
TCPDUMP_LICENSE = BSD-3-Clause
TCPDUMP_LICENSE_FILES = LICENSE
+TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
TCPDUMP_CONF_ENV = \
ac_cv_linux_vers=2 \
td_cv_buggygetaddrinfo=no \
diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
index 57905fda05..301a222e39 100644
--- a/package/tftpd/tftpd.mk
+++ b/package/tftpd/tftpd.mk
@@ -10,6 +10,8 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
TFTPD_CONF_OPTS = --without-tcpwrappers
TFTPD_LICENSE = BSD-4-Clause
TFTPD_LICENSE_FILES = tftpd/tftpd.c
+TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
+TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
define TFTPD_INSTALL_TARGET_CMDS
$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
index a06c25998f..61e22f6ae8 100644
--- a/package/uboot-tools/uboot-tools.mk
+++ b/package/uboot-tools/uboot-tools.mk
@@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
UBOOT_TOOLS_LICENSE = GPL-2.0+
UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
+UBOOT_TOOLS_CPE_ID_VENDOR = denx
+UBOOT_TOOLS_CPE_ID_NAME = u-boot
UBOOT_TOOLS_INSTALL_STAGING = YES
# u-boot 2020.01+ needs make 4.0+
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 4356b2b569..96596fd8da 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -24,6 +24,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
Documentation/licenses/COPYING.ISC \
Documentation/licenses/COPYING.LGPL-2.1-or-later
+UTIL_LINUX_CPE_ID_VENDOR = kernel
UTIL_LINUX_INSTALL_STAGING = YES
UTIL_LINUX_DEPENDENCIES = \
host-pkgconf \
diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
index 7fd3278614..7d0070a974 100644
--- a/package/valgrind/valgrind.mk
+++ b/package/valgrind/valgrind.mk
@@ -9,6 +9,7 @@ VALGRIND_SITE = https://sourceware.org/pub/valgrind
VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
+VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
VALGRIND_CONF_OPTS = \
--disable-ubsan \
--without-mpicc
diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 1fbb6a6b86..2bd3d437e4 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -23,6 +23,7 @@ VIM_CONF_ENV = \
VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
VIM_LICENSE = Charityware
VIM_LICENSE_FILES = README.txt
+VIM_CPE_ID_VENDOR = $(VIM_NAME)
ifeq ($(BR2_PACKAGE_ACL),y)
VIM_CONF_OPTS += --enable-acl
diff --git a/package/wget/wget.mk b/package/wget/wget.mk
index ed3f1fdff9..65c132e453 100644
--- a/package/wget/wget.mk
+++ b/package/wget/wget.mk
@@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
WGET_DEPENDENCIES = host-pkgconf
WGET_LICENSE = GPL-3.0+
WGET_LICENSE_FILES = COPYING
+WGET_CPE_ID_VENDOR = gnu
ifeq ($(BR2_PACKAGE_GNUTLS),y)
WGET_CONF_OPTS += --with-ssl=gnutls
diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
index 52a0e0cffc..aaab7fc28b 100644
--- a/package/wireless-regdb/wireless-regdb.mk
+++ b/package/wireless-regdb/wireless-regdb.mk
@@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
WIRELESS_REGDB_LICENSE = ISC
WIRELESS_REGDB_LICENSE_FILES = LICENSE
+WIRELESS_REGDB_CPE_ID_VENDOR = kernel
ifeq ($(BR2_PACKAGE_CRDA),y)
define WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
index b87ab20fb2..01d03218d6 100644
--- a/package/wireless_tools/wireless_tools.mk
+++ b/package/wireless_tools/wireless_tools.mk
@@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
WIRELESS_TOOLS_LICENSE = GPL-2.0
WIRELESS_TOOLS_LICENSE_FILES = COPYING
+WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
+WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
WIRELESS_TOOLS_INSTALL_STAGING = YES
WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 7170db0d07..955f7fb98f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
WPA_SUPPLICANT_SITE = http://w1.fi/releases
WPA_SUPPLICANT_LICENSE = BSD-3-Clause
WPA_SUPPLICANT_LICENSE_FILES = README
+WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
WPA_SUPPLICANT_SUBDIR = wpa_supplicant
WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index ae42b1e62f..5caf421132 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
XERCES_LICENSE = Apache-2.0
XERCES_LICENSE_FILES = LICENSE
+XERCES_CPE_ID_VENDOR = apache
+XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
XERCES_INSTALL_STAGING = YES
define XERCES_DISABLE_SAMPLES
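Review bot: `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` deserves an inline comment: make keeps the backslashes literally (there is no `\+` escape in make), so the value is the CPE 2.3 formatted-string form in which `+` must be escaped, not a typo. Also confirm that the consumers of `_CPE_ID` (the show-info JSON export and the CVE matcher) keep that escaping consistent end to end, otherwise `xerces-c\+\+` will not match the dictionary entry.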
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 487dac461b..ffbae4c873 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_CPE_ID_VENDOR = tukaani
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
XZ_CONF_OPTS = --enable-threads
--
2.28.0
^ permalink raw reply related [flat|nested] 25+ messages in thread
* [Buildroot] [PATCH 11/17] Support/scripts/cpedb.py: Convert to Python 3
2020-10-06 13:42 [Buildroot] [PATCH 00/17] Adding CPE ID support for CVEs Gregory CLEMENT
` (9 preceding siblings ...)
2020-10-06 13:42 ` [Buildroot] [PATCH 10/17] packages: fixup of cpe info Gregory CLEMENT
@ 2020-10-06 13:42 ` Gregory CLEMENT
2020-10-07 9:12 ` Heiko Thiery
2020-10-06 13:42 ` [Buildroot] [PATCH 12/17] package/pkg-generic.mk: Create CPE ID information only if verified Gregory CLEMENT
` (5 subsequent siblings)
16 siblings, 1 reply; 25+ messages in thread
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Switch the script to be used with Python 3
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/cpedb.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/support/scripts/cpedb.py b/support/scripts/cpedb.py
index 0369536f6f..6e48772b5e 100644
--- a/support/scripts/cpedb.py
+++ b/support/scripts/cpedb.py
@@ -1,9 +1,9 @@
import sys
-import urllib2
+import urllib3
from collections import OrderedDict
import xmltodict
import gzip
-from StringIO import StringIO
+from io import StringIO
import os
import pickle
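Review bot: `urllib3` is not the Python 3 successor of `urllib2`; it is a third-party package outside the standard library, with a different API and no `urlopen`, `HTTPError`, `URLError` or `quote` attributes, so every later use in this file will fail with `AttributeError`. The standard-library replacements are `urllib.request`, `urllib.error` and `urllib.parse`. In the same hunk, `from io import StringIO` should be `from io import BytesIO`: under Python 3 the HTTP response body is `bytes`, and `gzip.GzipFile` needs a binary file object.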
@@ -65,7 +65,7 @@ class CPEDB:
def get_new_xml_dict(self, url):
print("CPE: Fetching xml manifest from [" + url + "]")
try:
- compressed_cpe_file = urllib2.urlopen(url)
+ compressed_cpe_file = urllib3.urlopen(url)
print("CPE: Unzipping xml manifest...")
nist_cpe_file = gzip.GzipFile(fileobj=StringIO(compressed_cpe_file.read())).read()
print("CPE: Converting xml manifest to dict...")
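Review bot: `urllib3.urlopen(url)` does not exist; use `urllib.request.urlopen(url)`. On the unchanged line that follows, `StringIO(compressed_cpe_file.read())` raises `TypeError` under Python 3 because `.read()` returns `bytes`; wrap the body in `io.BytesIO` instead so `gzip.GzipFile(fileobj=...)` gets a binary stream.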
@@ -113,10 +113,10 @@ class CPEDB:
# latest version in the NIST dict)
self.all_cpes_no_version.update({cpe_str_no_version: item})
- except urllib2.HTTPError:
+ except urllib3.HTTPError:
print("CPE: HTTP Error: %s" % url)
sys.exit(1)
- except urllib2.URLError:
+ except urllib3.URLError:
print("CPE: URL Error: %s" % url)
sys.exit(1)
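Review bot: `urllib3.HTTPError` and `urllib3.URLError` are not attributes of urllib3 (its exceptions live under `urllib3.exceptions` and carry different names), and an `except` expression is only evaluated when an exception is actually propagating, so the effect is that any download failure gets masked by an `AttributeError` raised at the `except` line itself. Use `except urllib.error.HTTPError:` and `except urllib.error.URLError:`, keeping `HTTPError` first since it is a subclass of `URLError`.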
@@ -156,7 +156,7 @@ class CPEDB:
def get_nvd_url(self, cpe_str):
return "https://nvd.nist.gov/products/cpe/search/results?keyword=" + \
- urllib2.quote(cpe_str) + \
+ urllib3.quote(cpe_str) + \
"&status=FINAL&orderBy=CPEURI&namingFormat=2.3"
def get_cpe_no_version(self, cpe):
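Review bot: `urllib3.quote` does not exist; the Python 3 equivalent of `urllib2.quote` is `urllib.parse.quote`. Note this path does not depend on the download succeeding, so the NVD search URL would break even when the cached database is used.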
--
2.28.0
* [Buildroot] [PATCH 12/17] package/pkg-generic.mk: Create CPE ID information only if verified
2020-10-06 13:42 [Buildroot] [PATCH 00/17] Adding CPE ID support for CVEs Gregory CLEMENT
` (10 preceding siblings ...)
2020-10-06 13:42 ` [Buildroot] [PATCH 11/17] Support/scripts/cpedb.py: Convert to Python 3 Gregory CLEMENT
@ 2020-10-06 13:42 ` Gregory CLEMENT
2020-10-06 17:25 ` Matthew Weber
2020-10-06 13:42 ` [Buildroot] [PATCH 13/17] packages: add new flag for CPE ID Gregory CLEMENT
` (4 subsequent siblings)
16 siblings, 1 reply; 25+ messages in thread
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
The CPE ID is created automatically based on the information provided
by the buildroot package. However, it may not match the official
cpeid. To be able to know if it can be trusted, only generate this CPE
ID when a CPE_ID_VALID flag has been added to the package.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
package/pkg-generic.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index dba03a8119..55084bc7d9 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -970,6 +970,7 @@ else
$(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
endif
+ifeq ($$($(2)_CPE_ID_VALID),y)
$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
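Review bot: the gate `ifeq ($$($(2)_CPE_ID_VALID),y)` introduces a new per-package variable that is not documented anywhere in this patch; add `LIBFOO_CPE_ID_VALID` to the manual alongside the `_CPE_ID_*` variables, and state that only the exact value `y` enables CPE generation (a package author writing `YES`, as for `_INSTALL_STAGING`, would silently get nothing). Since the defaults below use `?=`, a package that sets `_CPE_ID_VENDOR` without the flag keeps that value but never gets a `_CPE_ID`; that is presumably intended, but worth a sentence in the commit message.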
@@ -981,6 +982,7 @@ $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
else
$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
endif
+endif
$(1)-cpe-info: PKG=$(2)
ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
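Review bot: the closing `endif` leaves `$(1)-cpe-info: PKG=$(2)` defined unconditionally, so for every package without `_CPE_ID_VALID = y` the cpe-info target now runs with `$(2)_CPE_PREFIX` and all `$(2)_CPE_ID*` variables empty. Make sure the recipe handles that case explicitly (skip the package or emit a clear "CPE not verified" entry) rather than printing an empty or half-formed CPE string; otherwise the "verified only" intent of this patch is not visible in the output.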
--
2.28.0
* [Buildroot] [PATCH 13/17] packages: add new flag for CPE ID
2020-10-06 13:42 [Buildroot] [PATCH 00/17] Adding CPE ID support for CVEs Gregory CLEMENT
` (11 preceding siblings ...)
2020-10-06 13:42 ` [Buildroot] [PATCH 12/17] package/pkg-generic.mk: Create CPE ID information only if verified Gregory CLEMENT
@ 2020-10-06 13:42 ` Gregory CLEMENT
2020-10-06 13:42 ` [Buildroot] [PATCH 14/17] package/pkg-utils.mk: add the CPE ID in show-info Gregory CLEMENT
` (3 subsequent siblings)
16 siblings, 0 replies; 25+ messages in thread
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
All the packages having a cpeid fixup have a CPE ID that has been
validated, so add the flag _CPE_ID_VALID.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
boot/grub2/grub2.mk | 1 +
boot/uboot/uboot.mk | 1 +
linux/linux.mk | 1 +
package/audit/audit.mk | 1 +
package/aufs/aufs.mk | 1 +
package/bash/bash.mk | 1 +
package/bc/bc.mk | 1 +
package/bind/bind.mk | 1 +
package/boost/boost.mk | 1 +
package/bridge-utils/bridge-utils.mk | 1 +
package/busybox/busybox.mk | 1 +
package/bzip2/bzip2.mk | 1 +
package/collectd/collectd.mk | 1 +
package/conntrack-tools/conntrack-tools.mk | 1 +
package/coreutils/coreutils.mk | 1 +
package/crda/crda.mk | 1 +
package/davici/davici.mk | 1 +
package/dbus-glib/dbus-glib.mk | 1 +
package/dbus/dbus.mk | 1 +
package/dhcp/dhcp.mk | 1 +
package/dnsmasq/dnsmasq.mk | 1 +
package/dropbear/dropbear.mk | 1 +
package/ethtool/ethtool.mk | 1 +
package/expat/expat.mk | 1 +
package/gdb/gdb.mk | 1 +
package/gesftpserver/gesftpserver.mk | 1 +
package/glibc/glibc.mk | 1 +
package/gmp/gmp.mk | 1 +
package/gnupg/gnupg.mk | 1 +
package/gnutls/gnutls.mk | 1 +
package/grep/grep.mk | 1 +
package/gtest/gtest.mk | 1 +
package/gzip/gzip.mk | 1 +
package/hostapd/hostapd.mk | 1 +
package/ifupdown/ifupdown.mk | 1 +
package/iperf/iperf.mk | 1 +
package/iperf3/iperf3.mk | 1 +
package/ipset/ipset.mk | 1 +
package/iptables/iptables.mk | 1 +
package/iw/iw.mk | 1 +
package/kmod/kmod.mk | 1 +
package/libarchive/libarchive.mk | 1 +
package/libcurl/libcurl.mk | 1 +
package/libestr/libestr.mk | 1 +
package/libfastjson/libfastjson.mk | 1 +
package/libfcgi/libfcgi.mk | 1 +
package/libffi/libffi.mk | 1 +
package/libgcrypt/libgcrypt.mk | 1 +
package/libglib2/libglib2.mk | 1 +
package/libgpg-error/libgpg-error.mk | 1 +
package/liblogging/liblogging.mk | 1 +
package/libmbim/libmbim.mk | 1 +
package/libmnl/libmnl.mk | 1 +
package/libnetfilter_conntrack/libnetfilter_conntrack.mk | 1 +
package/libnetfilter_cthelper/libnetfilter_cthelper.mk | 1 +
package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk | 1 +
package/libnetfilter_queue/libnetfilter_queue.mk | 1 +
package/libnfnetlink/libnfnetlink.mk | 1 +
package/libopenssl/libopenssl.mk | 1 +
package/libpcap/libpcap.mk | 1 +
package/libselinux/libselinux.mk | 1 +
package/libsemanage/libsemanage.mk | 1 +
package/libsepol/libsepol.mk | 1 +
package/libssh2/libssh2.mk | 1 +
package/libsysfs/libsysfs.mk | 1 +
package/libtasn1/libtasn1.mk | 1 +
package/libunistring/libunistring.mk | 1 +
package/libxml2/libxml2.mk | 1 +
package/libxslt/libxslt.mk | 1 +
package/libzlib/libzlib.mk | 1 +
package/lighttpd/lighttpd.mk | 1 +
package/linux-firmware/linux-firmware.mk | 1 +
| 1 +
package/linux-pam/linux-pam.mk | 1 +
package/llvm/llvm.mk | 1 +
package/lxc/lxc.mk | 1 +
package/lz4/lz4.mk | 1 +
package/memtester/memtester.mk | 1 +
package/mii-diag/mii-diag.mk | 1 +
package/mpfr/mpfr.mk | 1 +
package/mrouted/mrouted.mk | 1 +
package/mtd/mtd.mk | 1 +
package/ncurses/ncurses.mk | 1 +
package/netsnmp/netsnmp.mk | 1 +
package/nfs-utils/nfs-utils.mk | 1 +
package/openssh/openssh.mk | 1 +
package/pax-utils/pax-utils.mk | 1 +
package/paxtest/paxtest.mk | 1 +
package/pcre/pcre.mk | 1 +
package/pixman/pixman.mk | 1 +
package/policycoreutils/policycoreutils.mk | 1 +
package/pppd/pppd.mk | 1 +
package/proftpd/proftpd.mk | 2 ++
package/protobuf/protobuf.mk | 1 +
package/pure-ftpd/pure-ftpd.mk | 1 +
package/python-lxml/python-lxml.mk | 1 +
package/python-setuptools/python-setuptools.mk | 1 +
package/python/python.mk | 1 +
package/qemu/qemu.mk | 1 +
package/rapidjson/rapidjson.mk | 1 +
package/readline/readline.mk | 1 +
package/refpolicy/refpolicy.mk | 1 +
package/rsyslog/rsyslog.mk | 1 +
package/rt-tests/rt-tests.mk | 1 +
package/sed/sed.mk | 1 +
package/setools/setools.mk | 1 +
package/smcroute/smcroute.mk | 1 +
package/spawn-fcgi/spawn-fcgi.mk | 1 +
package/sqlite/sqlite.mk | 1 +
package/strongswan/strongswan.mk | 1 +
package/tar/tar.mk | 1 +
package/tcl/tcl.mk | 1 +
package/tcpdump/tcpdump.mk | 1 +
package/tftpd/tftpd.mk | 1 +
package/uboot-tools/uboot-tools.mk | 1 +
package/util-linux/util-linux.mk | 1 +
package/valgrind/valgrind.mk | 1 +
package/vim/vim.mk | 1 +
package/wget/wget.mk | 1 +
package/wireless-regdb/wireless-regdb.mk | 1 +
package/wireless_tools/wireless_tools.mk | 1 +
package/wpa_supplicant/wpa_supplicant.mk | 1 +
package/xerces/xerces.mk | 1 +
package/xz/xz.mk | 1 +
124 files changed, 125 insertions(+)
diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 9686815f4d..266bc9ad4e 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -37,6 +37,7 @@ GRUB2_INSTALL_TARGET = YES
else
GRUB2_INSTALL_TARGET = NO
endif
+GRUB2_CPE_ID_VALID = y
GRUB2_CPE_ID_VENDOR = gnu
GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
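Review bot: the new flag uses the Kconfig-style value `y` while the per-package booleans in the same hunk use YES/NO (`GRUB2_INSTALL_TARGET = YES` a few lines above), so a contributor following the local convention and writing `GRUB2_CPE_ID_VALID = YES` would silently get no CPE ID if the infrastructure tests for the literal `y`. Either adopt YES to match `_INSTALL_TARGET`/`_INSTALL_STAGING`, or have pkg-generic.mk reject any value other than `y` or empty with an error, so a typo cannot disable CVE matching unnoticed.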
diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
index 1de0b7b16a..c193469a75 100644
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -11,6 +11,7 @@ UBOOT_LICENSE = GPL-2.0+
ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
endif
+UBOOT_CPE_ID_VALID = y
UBOOT_CPE_ID_VENDOR = denx
UBOOT_CPE_ID_NAME = u-boot
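Review bot: UBOOT_CPE_ID_VALID = y is set unconditionally, directly after the `ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)` block. When the user selects a custom version or a custom git/tarball source, the U-Boot version string is not an upstream release number, so the generated denx:u-boot CPE will match nothing and a "verified" CPE for that build is misleading. Consider moving the VALID assignment inside that ifeq, next to UBOOT_LICENSE_FILES, so only builds of a known upstream release are flagged.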
diff --git a/linux/linux.mk b/linux/linux.mk
index 648f6ea2a5..27dc49f3a2 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -12,6 +12,7 @@ LINUX_LICENSE_FILES = \
LICENSES/preferred/GPL-2.0 \
LICENSES/exceptions/Linux-syscall-note
endif
+LINUX_CPE_ID_VALID = y
LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
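Review bot: same concern as for U-Boot: LINUX_CPE_ID_VALID = y is unconditional, but the kernel can be built from a custom git revision or a local tarball, in which case the version component of the linux:linux_kernel CPE is not a kernel release and the flag promises a match that cannot happen. Gating it on the release-version configurations (the conditional that closes at the `endif` just above already distinguishes them for the license files) would keep cve-checker output honest for custom kernels.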
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index a20767d24b..d0ff6b1b78 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -10,6 +10,7 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
AUDIT_LICENSE_FILES = COPYING COPYING.LIB
# 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
AUDIT_AUTORECONF = YES
+AUDIT_CPE_ID_VALID = y
AUDIT_CPE_ID_VENDOR = linux_audit_project
AUDIT_CPE_ID_NAME = linux_audit
diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
index 495e94e606..ec5d1aa78f 100644
--- a/package/aufs/aufs.mk
+++ b/package/aufs/aufs.mk
@@ -7,6 +7,7 @@
AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
AUFS_LICENSE = GPL-2.0
AUFS_LICENSE_FILES = COPYING
+AUFS_CPE_ID_VALID = y
AUFS_CPE_ID_VERSION = 4.1
ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
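Review bot: AUFS_CPE_ID_VERSION is hard-coded to 4.1 while AUFS_VERSION comes from BR2_PACKAGE_AUFS_VERSION and the very next line switches on BR2_PACKAGE_AUFS_SERIES; marking the CPE as VALID therefore asserts that a series-3 (or any other user-selected) build is version 4.1 for CVE-matching purposes, which is exactly the kind of wrong match the flag is meant to rule out. Either derive the CPE version from the selected series/version, or set VALID only in the branch where 4.1 is actually what gets built, and add a comment explaining why CPE_ID_VERSION differs from AUFS_VERSION.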
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index b4681c1085..938462040a 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
BASH_LICENSE = GPL-3.0+
BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VALID = y
BASH_CPE_ID_VENDOR = gnu
BASH_CONF_ENV += \
diff --git a/package/bc/bc.mk b/package/bc/bc.mk
index 06b6feae4f..be3b9665b2 100644
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
BC_DEPENDENCIES = host-flex
BC_LICENSE = GPL-2.0+, LGPL-2.1+
BC_LICENSE_FILES = COPYING COPYING.LIB
+BC_CPE_ID_VALID = y
BC_CPE_ID_VENDOR = gnu
BC_CONF_ENV = MAKEINFO=true
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 41b3146da1..abe6cb4d93 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT
+BIND_CPE_ID_VALID = y
BIND_CPE_ID_VENDOR = isc
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index d5c404a13c..27f404cda2 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
BOOST_INSTALL_STAGING = YES
BOOST_LICENSE = BSL-1.0
BOOST_LICENSE_FILES = LICENSE_1_0.txt
+BOOST_CPE_ID_VALID = y
BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
# CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
index fa71c3a64e..1d022af2a4 100644
--- a/package/bridge-utils/bridge-utils.mk
+++ b/package/bridge-utils/bridge-utils.mk
@@ -10,6 +10,7 @@ BRIDGE_UTILS_SITE = \
BRIDGE_UTILS_AUTORECONF = YES
BRIDGE_UTILS_LICENSE = GPL-2.0+
BRIDGE_UTILS_LICENSE_FILES = COPYING
+BRIDGE_UTILS_CPE_ID_VALID = y
BRIDGE_UTILS_CPE_ID_VENDOR = kernel
# Avoid using the host's headers. Location is not important as
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index a88168416f..184753b7c5 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPL-2.0
BUSYBOX_LICENSE_FILES = LICENSE
+BUSYBOX_CPE_ID_VALID = y
BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
define BUSYBOX_HELP_CMDS
diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index c2e5f7610e..4033c2bf6d 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
BZIP2_INSTALL_STAGING = YES
BZIP2_LICENSE = bzip2 license
BZIP2_LICENSE_FILES = LICENSE
+BZIP2_CPE_ID_VALID = y
BZIP2_CPE_ID_VENDOR = bzip
ifeq ($(BR2_STATIC_LIBS),)
diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
index 83bf01109a..4339ec418e 100644
--- a/package/collectd/collectd.mk
+++ b/package/collectd/collectd.mk
@@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
COLLECTD_INSTALL_STAGING = YES
COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
COLLECTD_LICENSE_FILES = COPYING
+COLLECTD_CPE_ID_VALID = y
COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
# These require unmet dependencies, are fringe, pointless or deprecated
diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
index 55ea407924..7adbd6aaa0 100644
--- a/package/conntrack-tools/conntrack-tools.mk
+++ b/package/conntrack-tools/conntrack-tools.mk
@@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
libnetfilter_queue host-bison host-flex
CONNTRACK_TOOLS_LICENSE = GPL-2.0+
CONNTRACK_TOOLS_LICENSE_FILES = COPYING
+CONNTRACK_TOOLS_CPE_ID_VALID = y
CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 18e9052dfd..7257ffc89a 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
COREUTILS_LICENSE = GPL-3.0+
COREUTILS_LICENSE_FILES = COPYING
+COREUTILS_CPE_ID_VALID = y
COREUTILS_CPE_ID_VENDOR = gnu
COREUTILS_CONF_OPTS = --disable-rpath \
diff --git a/package/crda/crda.mk b/package/crda/crda.mk
index 31a64d004b..20f9925a10 100644
--- a/package/crda/crda.mk
+++ b/package/crda/crda.mk
@@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
CRDA_LICENSE = ISC
CRDA_LICENSE_FILES = LICENSE
+CRDA_CPE_ID_VALID = y
CRDA_CPE_ID_VENDOR = kernel
define CRDA_BUILD_CMDS
diff --git a/package/davici/davici.mk b/package/davici/davici.mk
index 6c8df48b6a..1aaa5cdb66 100644
--- a/package/davici/davici.mk
+++ b/package/davici/davici.mk
@@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
DAVICI_LICENSE = LGPL-2.1+
DAVICI_LICENSE_FILES = COPYING
+DAVICI_CPE_ID_VALID = y
DAVICI_CPE_ID_VENDOR = strongswan
DAVICI_DEPENDENCIES = strongswan
DAVICI_INSTALL_STAGING = YES
diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
index 5eb158d954..c60256d5e7 100644
--- a/package/dbus-glib/dbus-glib.mk
+++ b/package/dbus-glib/dbus-glib.mk
@@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
DBUS_GLIB_INSTALL_STAGING = YES
DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
DBUS_GLIB_LICENSE_FILES = COPYING
+DBUS_GLIB_CPE_ID_VALID = y
DBUS_GLIB_CPE_ID_VENDOR = freedesktop
DBUS_GLIB_CONF_ENV = \
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index ae480f3bb2..7ff023b7ab 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -8,6 +8,7 @@ DBUS_VERSION = 1.12.18
DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
DBUS_LICENSE_FILES = COPYING
+DBUS_CPE_ID_VALID = y
DBUS_CPE_ID_VENDOR = d-bus_project
DBUS_CPE_ID_NAME = d-bus
DBUS_INSTALL_STAGING = YES
diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
index 988c7792dc..85e0676677 100644
--- a/package/dhcp/dhcp.mk
+++ b/package/dhcp/dhcp.mk
@@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
DHCP_LICENSE = MPL-2.0
DHCP_LICENSE_FILES = LICENSE
DHCP_DEPENDENCIES = bind
+DHCP_CPE_ID_VALID = y
DHCP_CPE_ID_VENDOR = isc
# use libtool-enabled configure.ac
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index e0e8bed5aa..679a7f8b91 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
+DNSMASQ_CPE_ID_VALID = y
DNSMASQ_CPE_ID_VENDOR = thekelleys
DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index d965b2eaf2..e8fb240ad0 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -11,6 +11,7 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
DROPBEAR_LICENSE_FILES = LICENSE
DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
+DROPBEAR_CPE_ID_VALID = y
DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
index 0e94a918c2..87730eda9f 100644
--- a/package/ethtool/ethtool.mk
+++ b/package/ethtool/ethtool.mk
@@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
ETHTOOL_LICENSE = GPL-2.0
ETHTOOL_LICENSE_FILES = LICENSE COPYING
+ETHTOOL_CPE_ID_VALID = y
ETHTOOL_CPE_ID_VENDOR = kernel
ETHTOOL_CONF_OPTS = \
$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index af3088b80c..3a1da2c7b6 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
HOST_EXPAT_DEPENDENCIES = host-pkgconf
EXPAT_LICENSE = MIT
EXPAT_LICENSE_FILES = COPYING
+EXPAT_CPE_ID_VALID = y
EXPAT_CPE_ID_VENDOR = libexpat
EXPAT_CONF_OPTS = --without-docbook
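Review bot: EXPAT_CPE_ID_VENDOR = libexpat leaves the product defaulting to the Buildroot package name, so the generated CPE is libexpat:expat. Upstream calls the project libexpat, and both libexpat:expat and libexpat_project:libexpat pairs have been used for this library, so before setting VALID = y it is worth checking the NVD dictionary for the pair current expat CVEs are filed under and, if it is the latter, setting EXPAT_CPE_ID_NAME = libexpat as well.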
diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
index de11b1e5e8..b3900e2587 100644
--- a/package/gdb/gdb.mk
+++ b/package/gdb/gdb.mk
@@ -22,6 +22,7 @@ endif
GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
+GDB_CPE_ID_VALID = y
GDB_CPE_ID_VENDOR = gnu
# We only want gdbserver and not the entire debugger.
diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
index 07718a4c42..9a660c313a 100644
--- a/package/gesftpserver/gesftpserver.mk
+++ b/package/gesftpserver/gesftpserver.mk
@@ -12,6 +12,7 @@ GESFTPSERVER_LICENSE_FILES = COPYING
# "Missing prototype" warning treated as error
GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
+GESFTPSERVER_CPE_ID_VALID = y
GESFTPSERVER_CPE_ID_VENDOR = green_end
GESFTPSERVER_CPE_ID_NAME = sftpserver
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 032e642bb8..90cbd38d44 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -31,6 +31,7 @@ endif
GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
+GLIBC_CPE_ID_VALID = y
GLIBC_CPE_ID_VENDOR = gnu
# glibc is part of the toolchain so disable the toolchain dependency
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index a79d5b7d9a..b2db9be2ea 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
GMP_INSTALL_STAGING = YES
GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
+GMP_CPE_ID_VALID = y
GMP_CPE_ID_VENDOR = gmplib
GMP_DEPENDENCIES = host-m4
HOST_GMP_DEPENDENCIES = host-m4
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index ba424fed96..4ba9e6d691 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
GNUPG_LICENSE = GPL-3.0+
GNUPG_LICENSE_FILES = COPYING
GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+GNUPG_CPE_ID_VALID = y
GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
GNUPG_CONF_OPTS = \
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index 65bb4893e8..cab3897ffe 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
endif
GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_CPE_ID_VALID = y
GNUTLS_CPE_ID_VENDOR = gnu
GNUTLS_CONF_OPTS = \
--disable-doc \
diff --git a/package/grep/grep.mk b/package/grep/grep.mk
index 204c74f3b8..f3d2b35fa3 100644
--- a/package/grep/grep.mk
+++ b/package/grep/grep.mk
@@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
GREP_LICENSE = GPL-3.0+
GREP_LICENSE_FILES = COPYING
+GREP_CPE_ID_VALID = y
GREP_CPE_ID_VENDOR = gnu
GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
# install into /bin like busybox grep
diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
index fc51d9f7a2..f103854bc9 100644
--- a/package/gtest/gtest.mk
+++ b/package/gtest/gtest.mk
@@ -10,6 +10,7 @@ GTEST_INSTALL_STAGING = YES
GTEST_INSTALL_TARGET = NO
GTEST_LICENSE = BSD-3-Clause
GTEST_LICENSE_FILES = googletest/LICENSE
+GTEST_CPE_ID_VALID = y
GTEST_CPE_ID_VENDOR = google
GTEST_CPE_ID_NAME = google_test
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index c8fd3ddb7a..4fcab5817c 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
GZIP_CONF_OPTS = --exec-prefix=/
GZIP_LICENSE = GPL-3.0+
GZIP_LICENSE_FILES = COPYING
+GZIP_CPE_ID_VALID = y
GZIP_CPE_ID_VENDOR = gnu
GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index efeefd8b35..980757c4c2 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -23,6 +23,7 @@ HOSTAPD_IGNORE_CVES += CVE-2019-16275
# 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
HOSTAPD_IGNORE_CVES += CVE-2020-12695
+HOSTAPD_CPE_ID_VALID = y
HOSTAPD_CPE_ID_VENDOR = w1.fi
HOSTAPD_CONFIG_SET =
diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
index e62c2a79c5..f92950f3ee 100644
--- a/package/ifupdown/ifupdown.mk
+++ b/package/ifupdown/ifupdown.mk
@@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
IFUPDOWN_LICENSE = GPL-2.0+
IFUPDOWN_LICENSE_FILES = COPYING
+IFUPDOWN_CPE_ID_VALID = y
IFUPDOWN_CPE_ID_VENDOR = debian
define IFUPDOWN_BUILD_CMDS
diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
index f1e65e7545..0080c04e09 100644
--- a/package/iperf/iperf.mk
+++ b/package/iperf/iperf.mk
@@ -8,6 +8,7 @@ IPERF_VERSION = 2.0.13
IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
IPERF_LICENSE = MIT-like
IPERF_LICENSE_FILES = COPYING
+IPERF_CPE_ID_VALID = y
IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
IPERF_CPE_ID_NAME = $(IPERF_NAME)2
diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
index 234e04eae0..18a0c55860 100644
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
IPERF3_LICENSE_FILES = LICENSE
+IPERF3_CPE_ID_VALID = y
IPERF3_CPE_ID_VENDOR = es
IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index cea3ee0e05..108fb29986 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
IPSET_CONF_OPTS = --with-kmod=no
IPSET_LICENSE = GPL-2.0
IPSET_LICENSE_FILES = COPYING
+IPSET_CPE_ID_VALID = y
IPSET_CPE_ID_VENDOR = netfilter
IPSET_INSTALL_STAGING = YES
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 053d0e3964..7d18c0bc52 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
IPTABLES_LICENSE = GPL-2.0
IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_CPE_ID_VALID = y
IPTABLES_CPE_ID_VENDOR = netfilter
# Building static causes ugly warnings on some plugins
IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
diff --git a/package/iw/iw.mk b/package/iw/iw.mk
index a232cc8baa..d72eafa09e 100644
--- a/package/iw/iw.mk
+++ b/package/iw/iw.mk
@@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
IW_LICENSE = ISC
IW_LICENSE_FILES = COPYING
+IW_CPE_ID_VALID = y
IW_CPE_ID_VENDOR = kernel
IW_DEPENDENCIES = host-pkgconf libnl
IW_MAKE_ENV = \
diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
index c44764ea18..8f11adfd2b 100644
--- a/package/kmod/kmod.mk
+++ b/package/kmod/kmod.mk
@@ -15,6 +15,7 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
KMOD_LICENSE = LGPL-2.1+ (library)
KMOD_LICENSE_FILES = libkmod/COPYING
+KMOD_CPE_ID_VALID = y
KMOD_CPE_ID_VENDOR = kernel
# --gc-sections triggers binutils ld segfault
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 71c8a2e4cf..2a057acd8c 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
LIBARCHIVE_INSTALL_STAGING = YES
LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
LIBARCHIVE_LICENSE_FILES = COPYING
+LIBARCHIVE_CPE_ID_VALID = y
LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 969325a485..5ac444cf20 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -12,6 +12,7 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
LIBCURL_LICENSE = curl
LIBCURL_LICENSE_FILES = COPYING
+LIBCURL_CPE_ID_VALID = y
LIBCURL_CPE_ID_VENDOR = haxx
LIBCURL_CPE_ID_NAME = libcurl
LIBCURL_INSTALL_STAGING = YES
diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
index 6ce22efae2..da612cb853 100644
--- a/package/libestr/libestr.mk
+++ b/package/libestr/libestr.mk
@@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
LIBESTR_SITE = http://libestr.adiscon.com/files/download
LIBESTR_LICENSE = LGPL-2.1+
LIBESTR_LICENSE_FILES = COPYING
+LIBESTR_CPE_ID_VALID = y
LIBESTR_CPE_ID_VENDOR = adiscon
LIBESTR_INSTALL_STAGING = YES
diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
index 37dbd7e03e..a7f60d988e 100644
--- a/package/libfastjson/libfastjson.mk
+++ b/package/libfastjson/libfastjson.mk
@@ -12,6 +12,7 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
LIBFASTJSON_AUTORECONF = YES
LIBFASTJSON_LICENSE = MIT
LIBFASTJSON_LICENSE_FILES = COPYING
+LIBFASTJSON_CPE_ID_VALID = y
LIBFASTJSON_CPE_ID_VENDOR = rsyslog
$(eval $(autotools-package))
diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
index c40d9c5970..79a1b52be8 100644
--- a/package/libfcgi/libfcgi.mk
+++ b/package/libfcgi/libfcgi.mk
@@ -8,6 +8,7 @@ LIBFCGI_VERSION = 2.4.2
LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
LIBFCGI_LICENSE = OML
LIBFCGI_LICENSE_FILES = LICENSE.TERMS
+LIBFCGI_CPE_ID_VALID = y
LIBFCGI_CPE_ID_VENDOR = fastcgi
LIBFCGI_CPE_ID_NAME = fcgi
LIBFCGI_INSTALL_STAGING = YES
diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
index e87a024040..2231fa7b71 100644
--- a/package/libffi/libffi.mk
+++ b/package/libffi/libffi.mk
@@ -6,6 +6,7 @@
LIBFFI_VERSION = 3.3
LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
+LIBFFI_CPE_ID_VALID = y
LIBFFI_CPE_ID_VERSION = 3.3
LIBFFI_CPE_ID_VERSION_MINOR = rc0
LIBFFI_LICENSE = MIT
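Review bot: LIBFFI_VERSION = 3.3 fetches the v3.3 release tag, yet the CPE is pinned to 3.3 with update field rc0 through LIBFFI_CPE_ID_VERSION_MINOR. If that is deliberate because the dictionary only carries the rc0 entry, a comment above those two lines should say so; otherwise a CVE filed against plain 3.3 would not be matched and VALID = y gives false assurance. No LIBFFI_CPE_ID_VENDOR is set either, so the vendor falls back to the package name; please confirm libffi:libffi is the pair NVD actually uses before marking it verified.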
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index d928d2fd80..b0cbae98c6 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
LIBGCRYPT_INSTALL_STAGING = YES
LIBGCRYPT_DEPENDENCIES = libgpg-error
LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
+LIBGCRYPT_CPE_ID_VALID = y
LIBGCRYPT_CPE_ID_VENDOR = gnupg
# Patching acinclude.m4 in 0001
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index 7f726df29b..c396f4392f 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -10,6 +10,7 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
LIBGLIB2_LICENSE = LGPL-2.1+
LIBGLIB2_LICENSE_FILES = COPYING
+LIBGLIB2_CPE_ID_VALID = y
LIBGLIB2_CPE_ID_VENDOR = gnome
LIBGLIB2_CPE_ID_NAME = glib
LIBGLIB2_INSTALL_STAGING = YES
diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
index 05c7f710f2..f5e73fdf67 100644
--- a/package/libgpg-error/libgpg-error.mk
+++ b/package/libgpg-error/libgpg-error.mk
@@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
+LIBGPG_ERROR_CPE_ID_VALID = y
LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
LIBGPG_ERROR_INSTALL_STAGING = YES
LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
index 24375b56b4..32cd4bf7d2 100644
--- a/package/liblogging/liblogging.mk
+++ b/package/liblogging/liblogging.mk
@@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
LIBLOGGING_LICENSE = BSD-2-Clause
LIBLOGGING_LICENSE_FILES = COPYING
+LIBLOGGING_CPE_ID_VALID = y
LIBLOGGING_CPE_ID_VENDOR = adiscon
LIBLOGGING_INSTALL_STAGING = YES
LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
index 2cf245e6b6..9c38c38a61 100644
--- a/package/libmbim/libmbim.mk
+++ b/package/libmbim/libmbim.mk
@@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
+LIBMBIM_CPE_ID_VALID = y
LIBMBIM_CPE_ID_VENDOR = freedesktop
LIBMBIM_INSTALL_STAGING = YES
diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
index d3b33db2e0..98dae41de6 100644
--- a/package/libmnl/libmnl.mk
+++ b/package/libmnl/libmnl.mk
@@ -10,6 +10,7 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
LIBMNL_INSTALL_STAGING = YES
LIBMNL_LICENSE = LGPL-2.1+
LIBMNL_LICENSE_FILES = COPYING
+LIBMNL_CPE_ID_VALID = y
LIBMNL_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
index 0a5a94be8f..650a24f74d 100644
--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
@@ -11,6 +11,7 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
+LIBNETFILTER_CONNTRACK_CPE_ID_VALID = y
LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
index d74ea4d0fd..01b886eb91 100644
--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
@@ -12,6 +12,7 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
LIBNETFILTER_CTHELPER_AUTORECONF = YES
LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
+LIBNETFILTER_CTHELPER_CPE_ID_VALID = y
LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
index f5c5067b64..b68a3e0520 100644
--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
@@ -12,6 +12,7 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
+LIBNETFILTER_CTTIMEOUT_CPE_ID_VALID = y
LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
index 6cd35baea1..a301a040a0 100644
--- a/package/libnetfilter_queue/libnetfilter_queue.mk
+++ b/package/libnetfilter_queue/libnetfilter_queue.mk
@@ -12,6 +12,7 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
LIBNETFILTER_QUEUE_AUTORECONF = YES
LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
+LIBNETFILTER_QUEUE_CPE_ID_VALID = y
LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
index a5ad47b85e..81efbe263f 100644
--- a/package/libnfnetlink/libnfnetlink.mk
+++ b/package/libnfnetlink/libnfnetlink.mk
@@ -11,6 +11,7 @@ LIBNFNETLINK_AUTORECONF = YES
LIBNFNETLINK_INSTALL_STAGING = YES
LIBNFNETLINK_LICENSE = GPL-2.0
LIBNFNETLINK_LICENSE_FILES = COPYING
+LIBNFNETLINK_CPE_ID_VALID = y
LIBNFNETLINK_CPE_ID_VENDOR = netfilter
$(eval $(autotools-package))
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index bb4747f4c0..3d58e69cff 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -15,6 +15,7 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_CPE_ID_VALID = y
LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
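Review bot: the vendor and product are derived from LIBOPENSSL_PROVIDES, which is the virtual-package mechanism and not a CPE identity: libressl also provides `openssl`, and copying this pattern there would emit an openssl:openssl CPE for LibreSSL code. Use the literal string `openssl` for both fields so the CPE ID cannot silently change if PROVIDES is ever adjusted.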
diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
index e323461529..b011290a42 100644
--- a/package/libpcap/libpcap.mk
+++ b/package/libpcap/libpcap.mk
@@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
LIBPCAP_SITE = http://www.tcpdump.org/release
LIBPCAP_LICENSE = BSD-3-Clause
LIBPCAP_LICENSE_FILES = LICENSE
+LIBPCAP_CPE_ID_VALID = y
LIBPCAP_CPE_ID_VENDOR = tcpdump
LIBPCAP_INSTALL_STAGING = YES
LIBPCAP_DEPENDENCIES = host-flex host-bison
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index 9bb1e57db6..d79da928ce 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.1
LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
LIBSELINUX_LICENSE = Public Domain
LIBSELINUX_LICENSE_FILES = LICENSE
+LIBSELINUX_CPE_ID_VALID = y
LIBSELINUX_CPE_ID_VENDOR = selinuxproject
LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 48e2bbbc8b..e07b0d15ee 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
LIBSEMANAGE_LICENSE = LGPL-2.1+
LIBSEMANAGE_LICENSE_FILES = COPYING
LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
+LIBSEMANAGE_CPE_ID_VALID = y
LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
LIBSEMANAGE_INSTALL_STAGING = YES
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index a4398bdc42..4f421de5cf 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.1
LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
LIBSEPOL_LICENSE = LGPL-2.1+
LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_CPE_ID_VALID = y
LIBSEPOL_CPE_ID_VENDOR = selinuxproject
LIBSEPOL_INSTALL_STAGING = YES
diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
index eb66ab5643..ed80408109 100644
--- a/package/libssh2/libssh2.mk
+++ b/package/libssh2/libssh2.mk
@@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
LIBSSH2_SITE = https://www.libssh2.org/download
LIBSSH2_LICENSE = BSD
LIBSSH2_LICENSE_FILES = COPYING
+LIBSSH2_CPE_ID_VALID = y
LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
LIBSSH2_INSTALL_STAGING = YES
LIBSSH2_CONF_OPTS = --disable-examples-build
diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
index fd8bfa6724..2417dd3b62 100644
--- a/package/libsysfs/libsysfs.mk
+++ b/package/libsysfs/libsysfs.mk
@@ -10,6 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
LIBSYSFS_INSTALL_STAGING = YES
LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
+LIBSYSFS_CPE_ID_VALID = y
LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
LIBSYSFS_CPE_ID_NAME = sysfsutils
diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
index a354716824..e9336cec1f 100644
--- a/package/libtasn1/libtasn1.mk
+++ b/package/libtasn1/libtasn1.mk
@@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
+LIBTASN1_CPE_ID_VALID = y
LIBTASN1_CPE_ID_VENDOR = gnu
LIBTASN1_INSTALL_STAGING = YES
diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
index 1ed7ecf906..eb592132b8 100644
--- a/package/libunistring/libunistring.mk
+++ b/package/libunistring/libunistring.mk
@@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
LIBUNISTRING_INSTALL_STAGING = YES
LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
+LIBUNISTRING_CPE_ID_VALID = y
LIBUNISTRING_CPE_ID_VENDOR = gnu
$(eval $(autotools-package))
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index c531934dc3..c7a2e8d9aa 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -13,6 +13,7 @@ LIBXML2_LICENSE_FILES = COPYING
LIBXML2_IGNORE_CVES += CVE-2020-7595
# 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
LIBXML2_IGNORE_CVES += CVE-2019-20388
+LIBXML2_CPE_ID_VALID = y
LIBXML2_CPE_ID_VENDOR = xmlsoft
LIBXML2_CONFIG_SCRIPTS = xml2-config
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 3c603ad9f6..0c22013e9e 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
LIBXSLT_INSTALL_STAGING = YES
LIBXSLT_LICENSE = MIT
LIBXSLT_LICENSE_FILES = COPYING
+LIBXSLT_CPE_ID_VALID = y
LIBXSLT_CPE_ID_VENDOR = xmlsoft
LIBXSLT_CONF_OPTS = \
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index a1e2640bac..1ea41c55df 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,6 +11,7 @@ LIBZLIB_LICENSE = Zlib
LIBZLIB_LICENSE_FILES = README
LIBZLIB_INSTALL_STAGING = YES
LIBZLIB_PROVIDES = zlib
+LIBZLIB_CPE_ID_VALID = y
LIBZLIB_CPE_ID_VENDOR = gnu
LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 39600ef94b..848bc1eaf1 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
LIGHTTPD_LICENSE = BSD-3-Clause
LIGHTTPD_LICENSE_FILES = COPYING
+LIGHTTPD_CPE_ID_VALID = y
LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
LIGHTTPD_DEPENDENCIES = host-pkgconf
LIGHTTPD_CONF_OPTS = \
diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
index 938daf0ccd..dbfa3fd00b 100644
--- a/package/linux-firmware/linux-firmware.mk
+++ b/package/linux-firmware/linux-firmware.mk
@@ -8,6 +8,7 @@ LINUX_FIRMWARE_VERSION = 20200122
LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
LINUX_FIRMWARE_SITE_METHOD = git
+LINUX_FIRMWARE_CPE_ID_VALID = y
LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
# Intel SST DSP
--git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
index 4496295f2a..1486ed723a 100644
--- a/package/linux-headers/linux-headers.mk
+++ b/package/linux-headers/linux-headers.mk
@@ -102,6 +102,7 @@ LINUX_HEADERS_LICENSE_FILES = \
LICENSES/preferred/GPL-2.0 \
LICENSES/exceptions/Linux-syscall-note
endif
+LINUX_HEADERS_CPE_ID_VALID = y
LINUX_HEADERS_CPE_ID_VENDOR = linux
LINUX_HEADERS_CPE_ID_NAME = linux_kernel
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index ecd4a723c4..7edea5990c 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -23,6 +23,7 @@ LINUX_PAM_LICENSE_FILES = Copyright
# We're patching configure.ac
LINUX_PAM_AUTORECONF = YES
LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
+LINUX_PAM_CPE_ID_VALID = y
LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
index 177fff71bb..2d39156900 100644
--- a/package/llvm/llvm.mk
+++ b/package/llvm/llvm.mk
@@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
LLVM_LICENSE = Apache-2.0 with exceptions
LLVM_LICENSE_FILES = LICENSE.TXT
+LLVM_CPE_ID_VALID = y
LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
LLVM_INSTALL_STAGING = YES
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index fbf0b28759..359b3c671c 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -8,6 +8,7 @@ LXC_VERSION = 4.0.4
LXC_SITE = https://linuxcontainers.org/downloads/lxc
LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
+LXC_CPE_ID_VALID = y
LXC_CPE_ID_VENDOR = linuxcontainers
LXC_DEPENDENCIES = host-pkgconf
LXC_INSTALL_STAGING = YES
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 7c91b6eecc..0436e615c3 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
LZ4_INSTALL_STAGING = YES
LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
+LZ4_CPE_ID_VALID = y
LZ4_CPE_ID_VENDOR = yann_collet
# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
index ec821adbe8..1b4dd7516f 100644
--- a/package/memtester/memtester.mk
+++ b/package/memtester/memtester.mk
@@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.3.0
MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
MEMTESTER_LICENSE = GPL-2.0
MEMTESTER_LICENSE_FILES = COPYING
+MEMTESTER_CPE_ID_VALID = y
MEMTESTER_CPE_ID_VENDOR = pryopus
MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
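Review bot: `MEMTESTER_CPE_ID_VENDOR = pryopus` on the context line is spelled differently from the project site two lines above (`pyropus.ca`); adding `MEMTESTER_CPE_ID_VALID = y` would lock in what looks like a typo. Fix the vendor (or confirm the spelling in the NVD dictionary) before declaring the ID valid.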
diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
index a7c6483221..eb1fa1b6f8 100644
--- a/package/mii-diag/mii-diag.mk
+++ b/package/mii-diag/mii-diag.mk
@@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
MII_DIAG_LICENSE = GPL # No version specified
MII_DIAG_LICENSE_FILES = mii-diag.c
+MII_DIAG_CPE_ID_VALID = y
MII_DIAG_CPE_ID_VENDOR = debian
MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
index 837aff3aa5..4630960c83 100644
--- a/package/mpfr/mpfr.mk
+++ b/package/mpfr/mpfr.mk
@@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
MPFR_LICENSE = LGPL-3.0+
MPFR_LICENSE_FILES = COPYING.LESSER
+MPFR_CPE_ID_VALID = y
MPFR_CPE_ID_VENDOR = gnu
MPFR_INSTALL_STAGING = YES
MPFR_DEPENDENCIES = gmp
diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
index 6ee7fd5dfd..342ce22d53 100644
--- a/package/mrouted/mrouted.mk
+++ b/package/mrouted/mrouted.mk
@@ -9,6 +9,7 @@ MROUTED_SITE = $(call github,troglobit,mrouted,$(MROUTED_VERSION))
MROUTED_DEPENDENCIES = host-bison
MROUTED_LICENSE = BSD-3-Clause
MROUTED_LICENSE_FILES = LICENSE
+MROUTED_CPE_ID_VALID = y
MROUTED_CPE_ID_VENDOR = troglobit
define MROUTED_CONFIGURE_CMDS
diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index bbae4e13b2..aaa5c28beb 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -9,6 +9,7 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
MTD_LICENSE = GPL-2.0
MTD_LICENSE_FILES = COPYING
+MTD_CPE_ID_VALID = y
MTD_CPE_ID_VENDOR = mtd-utils_project
MTD_CPE_ID_NAME = mtd-utils
MTD_INSTALL_STAGING = YES
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index 5c5e497488..ab46b50cb2 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
NCURSES_DEPENDENCIES = host-ncurses
NCURSES_LICENSE = MIT with advertising clause
NCURSES_LICENSE_FILES = COPYING
+NCURSES_CPE_ID_VALID = y
NCURSES_CPE_ID_VENDOR = gnu
NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
NCURSES_PATCH = \
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 09ca33f754..c8eead6988 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -9,6 +9,7 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
NETSNMP_LICENSE = Various BSD-like
NETSNMP_LICENSE_FILES = COPYING
+NETSNMP_CPE_ID_VALID = y
NETSNMP_CPE_ID_VENDOR = net-snmp
NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
NETSNMP_INSTALL_STAGING = YES
diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
index 67f178cbff..8ca3278a65 100644
--- a/package/nfs-utils/nfs-utils.mk
+++ b/package/nfs-utils/nfs-utils.mk
@@ -10,6 +10,7 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
NFS_UTILS_LICENSE = GPL-2.0+
NFS_UTILS_LICENSE_FILES = COPYING
NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
+NFS_UTILS_CPE_ID_VALID = y
NFS_UTILS_CPE_ID_VENDOR = linux-nfs
NFS_UTILS_AUTORECONF = YES
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index c8937229ab..c0447e5d1a 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -5,6 +5,7 @@
################################################################################
OPENSSH_VERSION = 8.3p1
+OPENSSH_CPE_ID_VALID = y
OPENSSH_CPE_ID_VERSION = 8.3
OPENSSH_CPE_ID_VERSION_MINOR = p1
OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
index a6618851ba..9e2584faca 100644
--- a/package/pax-utils/pax-utils.mk
+++ b/package/pax-utils/pax-utils.mk
@@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
PAX_UTILS_LICENSE = GPL-2.0
PAX_UTILS_LICENSE_FILES = COPYING
+PAX_UTILS_CPE_ID_VALID = y
PAX_UTILS_CPE_ID_VENDOR = gentoo
PAX_UTILS_DEPENDENCIES = host-pkgconf
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
index 1b8d6699b6..fee8a84ddd 100644
--- a/package/paxtest/paxtest.mk
+++ b/package/paxtest/paxtest.mk
@@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
PAXTEST_SITE = https://www.grsecurity.net/~spender
PAXTEST_LICENSE = GPL-2.0+
PAXTEST_LICENSE_FILES = README
+PAXTEST_CPE_ID_VALID = y
PAXTEST_CPE_ID_VENDOR = grsecurity
define PAXTEST_BUILD_CMDS
diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index b37a2ca9b7..b0ff7a499c 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
PCRE_LICENSE = BSD-3-Clause
PCRE_LICENSE_FILES = LICENCE
+PCRE_CPE_ID_VALID = y
PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
PCRE_INSTALL_STAGING = YES
PCRE_CONFIG_SCRIPTS = pcre-config
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index 52d4e36f2e..f08e954652 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
PIXMAN_LICENSE = MIT
PIXMAN_LICENSE_FILES = COPYING
+PIXMAN_CPE_ID_VALID = y
PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
PIXMAN_INSTALL_STAGING = YES
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 0dfdc7af03..5307564145 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.1
POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
POLICYCOREUTILS_LICENSE = GPL-2.0
POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_CPE_ID_VALID = y
POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
index 118f9fc334..297de6aae6 100644
--- a/package/pppd/pppd.mk
+++ b/package/pppd/pppd.mk
@@ -10,6 +10,7 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
PPPD_LICENSE_FILES = \
pppd/tdb.c pppd/plugins/pppoatm/COPYING \
pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
+PPPD_CPE_ID_VALID = y
PPPD_CPE_ID_VENDOR = samba
PPPD_CPE_ID_NAME = ppp
diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
index 94276233c8..35fe2f2605 100644
--- a/package/proftpd/proftpd.mk
+++ b/package/proftpd/proftpd.mk
@@ -8,6 +8,8 @@ PROFTPD_VERSION = 1.3.6c
PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
PROFTPD_LICENSE = GPL-2.0+
PROFTPD_LICENSE_FILES = COPYING
+PROFTPD_CPE_ID_VALID = y
+PROFTPD_CPE_ID_VALID = y
PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
PROFTPD_CONF_ENV = \
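Review bot: `PROFTPD_CPE_ID_VALID = y` is added twice (the hunk header `+8` versus `+7` everywhere else confirms it), presumably a rebase or copy-paste slip; drop one of the two lines. Make accepts a repeated assignment without complaint, so nothing at build time will catch this.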
diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
index 82c814b65b..16bcb57bbc 100644
--- a/package/protobuf/protobuf.mk
+++ b/package/protobuf/protobuf.mk
@@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
PROTOBUF_LICENSE = BSD-3-Clause
PROTOBUF_LICENSE_FILES = LICENSE
+PROTOBUF_CPE_ID_VALID = y
PROTOBUF_CPE_ID_VENDOR = google
# N.B. Need to use host protoc during cross compilation.
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7e3d18b433..5852c48ee0 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
PURE_FTPD_LICENSE = ISC
PURE_FTPD_LICENSE_FILES = COPYING
+PURE_FTPD_CPE_ID_VALID = y
PURE_FTPD_CPE_ID_VENDOR = pureftpd
PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index 0b95cf4dc6..6721579311 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -15,6 +15,7 @@ PYTHON_LXML_LICENSE_FILES = \
doc/licenses/BSD.txt \
doc/licenses/elementtree.txt \
src/lxml/isoschematron/resources/rng/iso-schematron.rng
+PYTHON_LXML_CPE_ID_VALID = y
PYTHON_LXML_CPE_ID_VENDOR = lxml
PYTHON_LXML_CPE_ID_NAME = lxml
diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
index ade5ca5521..55e54bf52f 100644
--- a/package/python-setuptools/python-setuptools.mk
+++ b/package/python-setuptools/python-setuptools.mk
@@ -11,6 +11,7 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
PYTHON_SETUPTOOLS_LICENSE = MIT
PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
+PYTHON_SETUPTOOLS_CPE_ID_VALID = y
PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
diff --git a/package/python/python.mk b/package/python/python.mk
index 2d4c5a3721..fd58e8bc7c 100644
--- a/package/python/python.mk
+++ b/package/python/python.mk
@@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
PYTHON_LICENSE = Python-2.0, others
PYTHON_LICENSE_FILES = LICENSE
+PYTHON_CPE_ID_VALID = y
PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
PYTHON_LIBTOOL_PATCH = NO
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index a4b5688605..937f627b18 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
# NOTE: there is no top-level license file for non-(L)GPL licenses;
# the non-(L)GPL license texts are specified in the affected
# individual source files.
+QEMU_CPE_ID_VALID = y
QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
#-------------------------------------------------------------
diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
index d3bcef7df1..3316e71d98 100644
--- a/package/rapidjson/rapidjson.mk
+++ b/package/rapidjson/rapidjson.mk
@@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
RAPIDJSON_LICENSE = MIT
RAPIDJSON_LICENSE_FILES = license.txt
+RAPIDJSON_CPE_ID_VALID = y
RAPIDJSON_CPE_ID_VENDOR = tencent
# rapidjson is a header-only C++ library
diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index 04872ac868..2624ddcdf9 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
READLINE_CONF_OPTS = --disable-install-examples
READLINE_LICENSE = GPL-3.0+
READLINE_LICENSE_FILES = COPYING
+READLINE_CPE_ID_VALID = y
READLINE_CPE_ID_VENDOR = gnu
define READLINE_INSTALL_INPUTRC
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 63a1713e35..b212330924 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -6,6 +6,7 @@
REFPOLICY_LICENSE = GPL-2.0
REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_CPE_ID_VALID = y
REFPOLICY_CPE_ID_VENDOR = tresys
REFPOLICY_INSTALL_STAGING = YES
REFPOLICY_DEPENDENCIES = \
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index f9e1a0443a..4e1019e8bf 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
+RSYSLOG_CPE_ID_VALID = y
RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
index a52cfff3c3..9010119e47 100644
--- a/package/rt-tests/rt-tests.mk
+++ b/package/rt-tests/rt-tests.mk
@@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.8
RT_TESTS_LICENSE = GPL-2.0+
RT_TESTS_LICENSE_FILES = COPYING
RT_TESTS_DEPENDENCIES = numactl
+RT_TESTS_CPE_ID_VALID = y
RT_TESTS_CPE_ID_VENDOR = kernel
define RT_TESTS_BUILD_CMDS
diff --git a/package/sed/sed.mk b/package/sed/sed.mk
index 64fb2035b0..f9e53c129e 100644
--- a/package/sed/sed.mk
+++ b/package/sed/sed.mk
@@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
SED_SITE = $(BR2_GNU_MIRROR)/sed
SED_LICENSE = GPL-3.0
SED_LICENSE_FILES = COPYING
+SED_CPE_ID_VALID = y
SED_CPE_ID_VENDOR = gnu
SED_CONF_OPTS = \
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index a07b1367a2..ce81fa959f 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
SETOOLS_INSTALL_STAGING = YES
SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_CPE_ID_VALID = y
SETOOLS_CPE_ID_VENDOR = selinuxproject
SETOOLS_SETUP_TYPE = setuptools
HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
index 0db0e084f6..2fa0cd02af 100644
--- a/package/smcroute/smcroute.mk
+++ b/package/smcroute/smcroute.mk
@@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
SMCROUTE_LICENSE = GPL-2.0+
SMCROUTE_LICENSE_FILES = COPYING
+SMCROUTE_CPE_ID_VALID = y
SMCROUTE_CPE_ID_VENDOR = troglobit
SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
index 8caa1e2b3c..6cec9bbe04 100644
--- a/package/spawn-fcgi/spawn-fcgi.mk
+++ b/package/spawn-fcgi/spawn-fcgi.mk
@@ -9,6 +9,7 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
SPAWN_FCGI_LICENSE = BSD-3-Clause
SPAWN_FCGI_LICENSE_FILES = COPYING
+SPAWN_FCGI_CPE_ID_VALID = y
SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
$(eval $(autotools-package))
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index 796292178c..24f32854e4 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -5,6 +5,7 @@
################################################################################
SQLITE_VERSION = 3320300
+SQLITE_CPE_ID_VALID = y
SQLITE_CPE_ID_VERSION = 3.31.1
SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
SQLITE_SITE = https://www.sqlite.org/2020
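Review bot: the CPE version in this hunk is inconsistent with the package version: `SQLITE_VERSION = 3320300` (SQLite's encoding of 3.32.3) but `SQLITE_CPE_ID_VERSION = 3.31.1`. Setting `SQLITE_CPE_ID_VALID = y` here would make the CVE matching trust a stale version, reporting 3.31.1 issues that no longer apply and missing 3.32.x ones. Update the CPE version together with the package version, ideally deriving it from `SQLITE_VERSION` so the two cannot drift apart again.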
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 1f7437fa31..7b699a9a22 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -12,6 +12,7 @@ STRONGSWAN_PATCH = \
$(STRONGSWAN_SITE)/patches/28_gmp_pkcs1_overflow_patch/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
STRONGSWAN_LICENSE = GPL-2.0+
STRONGSWAN_LICENSE_FILES = COPYING LICENSE
+STRONGSWAN_CPE_ID_VALID = y
STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
STRONGSWAN_DEPENDENCIES = host-pkgconf
STRONGSWAN_INSTALL_STAGING = YES
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 643eff1cbc..cba24607af 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
TAR_CONF_OPTS = --exec-prefix=/
TAR_LICENSE = GPL-3.0+
TAR_LICENSE_FILES = COPYING
+TAR_CPE_ID_VALID = y
TAR_CPE_ID_VENDOR = gnu
ifeq ($(BR2_PACKAGE_ACL),y)
diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
index 913891e897..82774cc2ac 100644
--- a/package/tcl/tcl.mk
+++ b/package/tcl/tcl.mk
@@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
TCL_LICENSE = TCL
TCL_LICENSE_FILES = license.terms
+TCL_CPE_ID_VALID = y
TCL_CPE_ID_VENDOR = $(TCL_NAME)
TCL_SUBDIR = unix
TCL_INSTALL_STAGING = YES
diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 9687e3c497..5a02a0c94f 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
TCPDUMP_SITE = http://www.tcpdump.org/release
TCPDUMP_LICENSE = BSD-3-Clause
TCPDUMP_LICENSE_FILES = LICENSE
+TCPDUMP_CPE_ID_VALID = y
TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
TCPDUMP_CONF_ENV = \
ac_cv_linux_vers=2 \
diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
index 301a222e39..7f7be4aef7 100644
--- a/package/tftpd/tftpd.mk
+++ b/package/tftpd/tftpd.mk
@@ -10,6 +10,7 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
TFTPD_CONF_OPTS = --without-tcpwrappers
TFTPD_LICENSE = BSD-4-Clause
TFTPD_LICENSE_FILES = tftpd/tftpd.c
+TFTPD_CPE_ID_VALID = y
TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
index 61e22f6ae8..6a063e910b 100644
--- a/package/uboot-tools/uboot-tools.mk
+++ b/package/uboot-tools/uboot-tools.mk
@@ -9,6 +9,7 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
UBOOT_TOOLS_LICENSE = GPL-2.0+
UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
+UBOOT_TOOLS_CPE_ID_VALID = y
UBOOT_TOOLS_CPE_ID_VENDOR = denx
UBOOT_TOOLS_CPE_ID_NAME = u-boot
UBOOT_TOOLS_INSTALL_STAGING = YES
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 96596fd8da..402d4de1a1 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -24,6 +24,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
Documentation/licenses/COPYING.ISC \
Documentation/licenses/COPYING.LGPL-2.1-or-later
+UTIL_LINUX_CPE_ID_VALID = y
UTIL_LINUX_CPE_ID_VENDOR = kernel
UTIL_LINUX_INSTALL_STAGING = YES
UTIL_LINUX_DEPENDENCIES = \
diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
index 7d0070a974..198fb2c728 100644
--- a/package/valgrind/valgrind.mk
+++ b/package/valgrind/valgrind.mk
@@ -9,6 +9,7 @@ VALGRIND_SITE = https://sourceware.org/pub/valgrind
VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
+VALGRIND_CPE_ID_VALID = y
VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
VALGRIND_CONF_OPTS = \
--disable-ubsan \
diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 2bd3d437e4..f496332e74 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -23,6 +23,7 @@ VIM_CONF_ENV = \
VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
VIM_LICENSE = Charityware
VIM_LICENSE_FILES = README.txt
+VIM_CPE_ID_VALID = y
VIM_CPE_ID_VENDOR = $(VIM_NAME)
ifeq ($(BR2_PACKAGE_ACL),y)
diff --git a/package/wget/wget.mk b/package/wget/wget.mk
index 65c132e453..0fbbc9c23c 100644
--- a/package/wget/wget.mk
+++ b/package/wget/wget.mk
@@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
WGET_DEPENDENCIES = host-pkgconf
WGET_LICENSE = GPL-3.0+
WGET_LICENSE_FILES = COPYING
+WGET_CPE_ID_VALID = y
WGET_CPE_ID_VENDOR = gnu
ifeq ($(BR2_PACKAGE_GNUTLS),y)
diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
index aaab7fc28b..acb40ca76d 100644
--- a/package/wireless-regdb/wireless-regdb.mk
+++ b/package/wireless-regdb/wireless-regdb.mk
@@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
WIRELESS_REGDB_LICENSE = ISC
WIRELESS_REGDB_LICENSE_FILES = LICENSE
+WIRELESS_REGDB_CPE_ID_VALID = y
WIRELESS_REGDB_CPE_ID_VENDOR = kernel
ifeq ($(BR2_PACKAGE_CRDA),y)
diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
index 01d03218d6..631d04d460 100644
--- a/package/wireless_tools/wireless_tools.mk
+++ b/package/wireless_tools/wireless_tools.mk
@@ -10,6 +10,7 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
WIRELESS_TOOLS_LICENSE = GPL-2.0
WIRELESS_TOOLS_LICENSE_FILES = COPYING
+WIRELESS_TOOLS_CPE_ID_VALID = y
WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
WIRELESS_TOOLS_INSTALL_STAGING = YES
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 955f7fb98f..62149d255f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
WPA_SUPPLICANT_SITE = http://w1.fi/releases
WPA_SUPPLICANT_LICENSE = BSD-3-Clause
WPA_SUPPLICANT_LICENSE_FILES = README
+WPA_SUPPLICANT_CPE_ID_VALID = y
WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
WPA_SUPPLICANT_SUBDIR = wpa_supplicant
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index 5caf421132..1eb80224d1 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -9,6 +9,7 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
XERCES_LICENSE = Apache-2.0
XERCES_LICENSE_FILES = LICENSE
+XERCES_CPE_ID_VALID = y
XERCES_CPE_ID_VENDOR = apache
XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
XERCES_INSTALL_STAGING = YES
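Review bot: `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` on the context line deserves a look before it is marked valid: make does not interpret backslash escapes in variable values, so `$(XERCES_CPE_ID)` will contain the literal characters `c\+\+` unless a downstream consumer strips them. Check what the generated ID actually expands to, and if the escaping is intentional for some consumer, say so in a comment next to the definition.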
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index ffbae4c873..9f90de485f 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_CPE_ID_VALID = y
XZ_CPE_ID_VENDOR = tukaani
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
--
2.28.0
* [Buildroot] [PATCH 14/17] package/pkg-utils.mk: add the CPE ID in show-info
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Add the CPE ID of each package.
This information will be useful for a cve-checker.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
package/pkg-utils.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index f1d085ece1..99000a3043 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -130,6 +130,7 @@ define _json-info-pkg-details
"version": "$($(1)_DL_VERSION)",
"licenses": "$($(1)_LICENSE)",
"dl_dir": "$($(1)_DL_SUBDIR)",
+ "cpeid": "$($(1)_CPE_ID)",
"downloads": [
$(foreach dl,$(sort $($(1)_ALL_DOWNLOADS)),
{
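Review bot: the value is interpolated into the JSON string unescaped, like the other fields, but CPE ID parts are not guaranteed to be JSON-safe: the `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` definition visible earlier in this series would emit `\+`, which is an invalid JSON escape and makes the `json.load(sys.stdin)` in cve-checker reject the whole `show-info` output. Either escape the value here or constrain the `_CPE_ID_*` variables to plain characters.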
--
2.28.0
* [Buildroot] [PATCH 15/17] package/pkg-utils/cve.py: Add cpeid support
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Add a function allowing the cpeid to be used as argument instead of
only the name and version.
Also add a new return value (CPEID_UNKNOWN) for when there is no
cpeid value.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/cve.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 3cc01248b2..de2f5d5701 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -52,6 +52,7 @@ class CVE:
CVE_AFFECTS = 1
CVE_DOESNT_AFFECT = 2
CVE_UNKNOWN = 3
+ CPEID_UNKNOWN = 4
def __init__(self, nvd_cve):
"""Initialize a CVE from its NVD JSON representation"""
@@ -190,7 +191,7 @@ class CVE:
"""The set of package names referred by this CVE definition"""
return set(p['product'] for p in self.each_cpe())
- def affects(self, name, version, cve_ignore_list):
+ def __affects(self, name, version, cve_ignore_list):
"""
True if the Buildroot Package object passed as argument is affected
by this CVE.
@@ -247,3 +248,13 @@ class CVE:
return self.CVE_UNKNOWN
else:
return self.CVE_DOESNT_AFFECT
+
+ def affects(self, name, version, cve_ignore_list):
+ return self.__affects(name, version, cve_ignore_list)
+
+ def affects_cpeid(self, cpeid, cve_ignore_list):
+ try:
+ product, version = cpeid.split(':')[1:3]
+ except:
+ return self.CPEID_UNKNOWN
+ return self.__affects(product, version, cve_ignore_list)
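Review bot: `affects_cpeid` depends on an undocumented field layout. `cpeid.split(':')[1:3]` yields product and version only if the string is `vendor:product:version:...`; a full `cpe:2.3:a:vendor:product:version` string would give `2.3` and `a` and silently match nothing. Document the expected layout in a docstring, and replace the bare `except:` with `except ValueError:` so that only a malformed id maps to `CPEID_UNKNOWN` while other errors still surface. The `affects` pass-through wrapper adds nothing over keeping the original method name; the rename to `__affects` could be dropped.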
--
2.28.0
* [Buildroot] [PATCH 16/17] support/script/cve-checker: Allow to use cpeid
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Add an argument to cve-checker allowing the cpeid to be used instead of
the internal name and version from buildroot. It should allow a more
accurate CVE status.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/cve-checker | 48 +++++++++++++++++++++++++++++++------
1 file changed, 41 insertions(+), 7 deletions(-)
diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index b32e036d76..d1bce65b0c 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -26,23 +26,26 @@ import cve as cvecheck
class Package:
- def __init__(self, name, version, ignored_cves):
+ def __init__(self, name, version, cpeid, ignored_cves):
self.name = name
self.version = version
+ self.cpeid = cpeid
self.cves = list()
self.cves_to_check = list()
self.ignored_cves = ignored_cves
-def check_package_cves(nvd_path, packages):
+def check_package_cves(nvd_path, packages, use_cpeid):
if not os.path.isdir(nvd_path):
os.makedirs(nvd_path)
-
for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
for pkg_name in cve.pkg_names:
pkg = packages.get(pkg_name, '')
if pkg:
- affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
+ if use_cpeid:
+ affected = cve.affects_cpeid(pkg.cpeid, pkg.ignored_cves)
+ else:
+ affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
if (affected == cve.CVE_UNKNOWN):
pkg.cves_to_check.append(cve.identifier)
elif affected == cve.CVE_AFFECTS:
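Review bot: the new `CPEID_UNKNOWN` result from `affects_cpeid` is never handled: the `if`/`elif` chain only looks at `CVE_UNKNOWN` and `CVE_AFFECTS`, so with `--cpeid` a package without a cpeid is silently reported as having no CVEs, the opposite of what a missing identifier should mean. Add a branch for `cve.CPEID_UNKNOWN` (append to `cves_to_check`, or fall back to the name/version check) so the gap is visible in the report. The removal of the blank line after `os.makedirs(nvd_path)` is an unrelated whitespace change.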
@@ -91,7 +94,14 @@ if (typeof sorttable === \"object\") {
def dump_html_pkg(f, pkg):
f.write(" <tr>\n")
- f.write(" <td>%s</td>\n" % pkg.name)
+ td_class = ["left"]
+ if len(pkg.cpeid) != 0:
+ td_class.append("correct")
+ else:
+ td_class.append("wrong")
+ f.write(" <td class=\"%s\">\n" % " ".join(td_class))
+ f.write(" %s\n" % pkg.name)
+ f.write(" </td>\n")
# Current version
if len(pkg.version) > 20:
@@ -122,6 +132,16 @@ def dump_html_pkg(f, pkg):
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
f.write(" </td>\n")
+ # CPEID valid
+ td_class = ["left"]
+ if len(pkg.cpeid) != 0:
+ td_class.append("correct")
+ else:
+ td_class.append("wrong")
+ f.write(" <td class=\"%s\">\n" % " ".join(td_class))
+ f.write(" %s\n" % pkg.cpeid)
+ f.write(" </td>\n")
+
f.write(" </tr>\n")
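Review bot: the `td_class` selection here repeats verbatim the block added to the same function in the previous hunk; compute it once (a small `cpeid_class(pkg)` helper) and use it for both cells. Also, the column header added in the next hunk says "CPEID valid", but the test is only `len(pkg.cpeid) != 0`, i.e. presence, which is not the `_CPE_ID_VALID` flag from the package files; either pass that flag through show-info or label the column "CPEID set".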
@@ -133,6 +153,7 @@ def dump_html_all_pkgs(f, packages):
<td class=\"centered\">Version</td>
<td class=\"centered\">CVEs</td>
<td class=\"centered\">CVEs to check</td>
+<td class=\"centered\">CPEID valid</td>
</tr>
""")
for pkg in packages:
@@ -158,6 +179,7 @@ def dump_json(packages, date, output):
pkg.name: {
"version": pkg.version,
"cves": pkg.cves,
+ "cpeid": pkg.cpeid,
} for pkg in packages
}
# The actual structure to dump, add date to it
@@ -182,25 +204,37 @@ def parse_args():
parser.add_argument('--nvd-path', dest='nvd_path',
help='Path to the local NVD database', type=resolvepath,
required=True)
+ parser.add_argument("--cpeid", action='store_true')
args = parser.parse_args()
if not args.html and not args.json:
parser.error('at least one of --html or --json (or both) is required')
return args
+def cpeid_name(pkg):
+ try:
+ return pkg.cpeid.split(':')[1]
+ except:
+ return ''
def __main__():
packages = list()
content = json.load(sys.stdin)
for item in content:
pkg = content[item]
- p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
+ p = Package(item, pkg.get('version', ''), pkg.get('cpeid', ''), pkg.get('ignore_cves', ''))
packages.append(p)
args = parse_args()
+ if args.cpeid:
+ print("going to use strict cpeid")
date = datetime.datetime.utcnow()
print("Checking packages CVEs")
- check_package_cves(args.nvd_path, {p.name: p for p in packages})
+ if args.cpeid:
+ check_package_cves(args.nvd_path, {cpeid_name(p): p for p in packages}, args.cpeid)
+ else:
+ check_package_cves(args.nvd_path, {p.name: p for p in packages}, args.cpeid)
+
if args.html:
print("Write HTML")
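Review bot: `parser.add_argument("--cpeid", action='store_true')` has no `help=`, so `--help` never says the option switches matching to `affects_cpeid`. In `cpeid_name`, the bare `except:` also swallows `KeyboardInterrupt`; `except (AttributeError, IndexError):` is what is meant, and the hard-coded `split(':')[1]` deserves a comment stating that it assumes the bare `vendor:name:version` layout of `$(PKG)_CPE_ID`. The dict comprehension `{cpeid_name(p): p for p in packages}` maps every package with an empty CPE ID to the key `''`, so they collapse into one entry and are never checked; filter them out or keep keying by `p.name` and resolve the CPE name inside `check_package_cves`. `print("going to use strict cpeid")` reads like leftover debugging.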
--
2.28.0
* [Buildroot] [PATCH 17/17] support/script/pkg-stats: Allow to use CPEID for managing CVEs
From: Gregory CLEMENT @ 2020-10-06 13:42 UTC (permalink / raw)
To: buildroot
Add CPEID information by retrieving it from the package.
Also introduce a new argument --cpeid to use valid cpeid instead of
buildroot name and version to check if a package is affected by a
CVE.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/pkg-stats | 46 +++++++++++++++++++++++++++++++++++----
1 file changed, 42 insertions(+), 4 deletions(-)
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 69edeedec0..e2e328847f 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -76,6 +76,7 @@ class Package:
all_license_files = list()
all_versions = dict()
all_ignored_cves = dict()
+ all_cpeids = dict ()
# This is the list of all possible checks. Add new checks to this list so
# a tool that post-processeds the json output knows the checks before
# iterating over the packages.
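Review bot: `all_cpeids = dict ()` has a space before the parentheses, which flake8 reports as E211; the neighbouring `all_versions = dict()` and `all_ignored_cves = dict()` show the intended style.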
@@ -96,6 +97,7 @@ class Package:
self.current_version = None
self.url = None
self.url_worker = None
+ self.cpeid = ''
self.cves = list()
self.cves_to_check = list()
self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
@@ -211,6 +213,14 @@ class Package:
if var in self.all_versions:
self.current_version = self.all_versions[var]
+ def set_cpeid(self):
+ """
+ Fills in the .cpeid field
+ """
+ var = self.pkgvar()
+ if var in self.all_cpeids:
+ self.cpeid = self.all_cpeids[var]
+
def set_check_package_warnings(self):
"""
Fills in the .warnings and .status['pkg-check'] fields
@@ -334,7 +344,7 @@ def get_pkglist(npackages, package_list):
def package_init_make_info():
# Fetch all variables at once
variables = subprocess.check_output(["make", "BR2_HAVE_DOT_CONFIG=y", "-s", "printvars",
- "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES"])
+ "VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES %_CPE_ID"])
variable_list = variables.decode().splitlines()
# We process first the host package VERSION, and then the target
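Review bot: since patch 12 makes `$(PKG)_CPE_ID` conditional on `$(PKG)_CPE_ID_VALID`, consider also requesting `%_CPE_ID_VALID` in this `VARS=` list so pkg-stats can distinguish "CPE ID present but unverified" from "no CPE ID at all", which is the same split Matt asks for in the show-info JSON.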
@@ -372,6 +382,9 @@ def package_init_make_info():
pkgvar = pkgvar[:-12]
Package.all_ignored_cves[pkgvar] = value.split()
+ elif pkgvar.endswith("_CPE_ID"):
+ pkgvar = pkgvar[:-7]
+ Package.all_cpeids[pkgvar] = value
check_url_count = 0
@@ -528,7 +541,7 @@ async def check_package_latest_version(packages):
await asyncio.wait(tasks)
-def check_package_cves(nvd_path, packages):
+def check_package_cves(nvd_path, packages, use_cpeid):
if not os.path.isdir(nvd_path):
os.makedirs(nvd_path)
@@ -536,7 +549,11 @@ def check_package_cves(nvd_path, packages):
for pkg_name in cve.pkg_names:
if pkg_name in packages:
pkg = packages[pkg_name]
- affected = cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves)
+ print("check_package", pkg.cpeid)
+ if use_cpeid:
+ affected = cve.affects_cpeid(pkg.cpeid, pkg.ignored_cves)
+ else:
+ affected = cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves)
if affected == cve.CVE_UNKNOWN:
pkg.cves_to_check.append(cve.identifier)
if affected == cve.CVE_AFFECTS:
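Review bot: `print("check_package", pkg.cpeid)` runs once per (CVE, package) pair and will flood the output of a full Buildroot run; drop it before merging. As in cve-checker, `use_cpeid` with an empty `pkg.cpeid` should fall back to the name/version check or mark the CVE as to-check rather than calling `affects_cpeid('', ...)`.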
@@ -818,6 +835,16 @@ def dump_html_pkg(f, pkg):
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
f.write(" </td>\n")
+ # CPEID valid
+ td_class = ["left"]
+ if len(pkg.cpeid) != 0:
+ td_class.append("correct")
+ else:
+ td_class.append("wrong")
+ f.write(" <td class=\"%s\">\n" % " ".join(td_class))
+ f.write(" %s\n" % pkg.cpeid)
+ f.write(" </td>\n")
+
f.write(" </tr>\n")
@@ -837,6 +864,7 @@ def dump_html_all_pkgs(f, packages):
<td class=\"centered\">Upstream URL</td>
<td class=\"centered\">CVEs</td>
<td class=\"centered\">CVEs to check</td>
+<td class=\"centered\">CPEID valid</td>
</tr>
""")
for pkg in sorted(packages):
@@ -955,11 +983,17 @@ def parse_args():
help='List of packages (comma separated)')
parser.add_argument('--nvd-path', dest='nvd_path',
help='Path to the local NVD database', type=resolvepath)
+ parser.add_argument("--cpeid", action='store_true')
args = parser.parse_args()
if not args.html and not args.json:
parser.error('at least one of --html or --json (or both) is required')
return args
+def cpeid_name(pkg):
+ try:
+ return pkg.cpeid.split(':')[1]
+ except:
+ return ''
def __main__():
args = parse_args()
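Review bot: `--cpeid` is only meaningful together with `--nvd-path`, which is optional in pkg-stats; add `parser.error('--cpeid requires --nvd-path')` when one is given without the other, and give the option a `help=` string. `cpeid_name` duplicates the function added to cve-checker, bare `except:` included; since both scripts import `cve`, a shared helper in cve.py would keep the CPE ID field layout in one place.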
@@ -988,6 +1022,7 @@ def __main__():
pkg.set_patch_count()
pkg.set_check_package_warnings()
pkg.set_current_version()
+ pkg.set_cpeid()
pkg.set_url()
pkg.set_developers(developers)
print("Checking URL status")
@@ -998,7 +1033,10 @@ def __main__():
loop.run_until_complete(check_package_latest_version(packages))
if args.nvd_path:
print("Checking packages CVEs")
- check_package_cves(args.nvd_path, {p.name: p for p in packages})
+ if args.cpeid:
+ check_package_cves(args.nvd_path, {cpeid_name(p): p for p in packages}, args.cpeid)
+ else:
+ check_package_cves(args.nvd_path, {p.name: p for p in packages}, args.cpeid)
print("Calculate stats")
stats = calculate_stats(packages)
if args.html:
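Review bot: `{cpeid_name(p): p for p in packages}` loses packages: every package with an empty CPE ID lands on the key `''` (only the last one survives), and two packages whose CPE product names coincide overwrite each other, so their CVEs are never checked and never surface in the "CVEs to check" column. Build the map only from packages that have a CPE ID and run the name/version check for the rest, so that `--cpeid` never yields fewer results than the default mode.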
--
2.28.0
* [Buildroot] [PATCH 12/17] package/pkg-generic.mk: Create CPE ID information only if verified
From: Matthew Weber @ 2020-10-06 17:25 UTC (permalink / raw)
To: buildroot
Greg,
On Tue, Oct 6, 2020 at 8:44 AM Gregory CLEMENT
<gregory.clement@bootlin.com> wrote:
>
> The CPE ID are created automatically based on the information provided
> by the buildroot package. However, it may not match the official
> cpeid. To be able to know if it can be trusted, only generate this CPE
> ID when a CPE_ID_VALID flag has been added to the package.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> ---
> package/pkg-generic.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index dba03a8119..55084bc7d9 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -970,6 +970,7 @@ else
> $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
> endif
>
> +ifeq ($$($(2)_CPE_ID_VALID),y)
> $(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> @@ -981,6 +982,7 @@ $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> else
> $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> endif
> +endif
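Review bot: `ifeq ($$($(2)_CPE_ID_VALID),y)` accepts only the exact value `y`, so `YES` or `1` in a package .mk is silently treated as unverified; state the accepted value in the commit message and in the manual section patch 06 adds for the new pkg vars. Because the `endif` closes after the `$(2)_CPE_PREFIX` selection, none of the CPE variables exist for an unverified package, which is what makes the full `cpe-info` listing impossible, the concern raised below.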
This will limit the maintenance of CPE as well since you can't
generate a full report of all CPE in a build or all of Buildroot
without having this set. I would suggest making this determination in
the CVE analysis scripts by using the show vars information about the
package. Then keep the CPE reporting as it is with the full listing
and process to maintain any needed updates to those CPE values.
Best Regards,
Matt
* [Buildroot] [PATCH 14/17] package/pkg-utils.mk: add the CPE ID in show-info
From: Matthew Weber @ 2020-10-06 17:27 UTC (permalink / raw)
To: buildroot
Greg,
On Tue, Oct 6, 2020 at 8:46 AM Gregory CLEMENT
<gregory.clement@bootlin.com> wrote:
>
> Add the CPE ID of each package.
>
> This information will be useful for a cve-checker.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> ---
> package/pkg-utils.mk | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
> index f1d085ece1..99000a3043 100644
> --- a/package/pkg-utils.mk
> +++ b/package/pkg-utils.mk
> @@ -130,6 +130,7 @@ define _json-info-pkg-details
> "version": "$($(1)_DL_VERSION)",
> "licenses": "$($(1)_LICENSE)",
> "dl_dir": "$($(1)_DL_SUBDIR)",
> + "cpeid": "$($(1)_CPE_ID)",
Here's the point where I'd also suggest getting that valid variable
for use by the scripts.
Regards,
Matt
* [Buildroot] [PATCH 01/17] cpe-info: new make target
From: Akshay Bhat @ 2020-10-06 21:14 UTC (permalink / raw)
To: buildroot
On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT
<gregory.clement@bootlin.com> wrote:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
<snip>
> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
Overall this is a big step in the right direction :)
A future enhancement would be to support multiple CPE_ID's for the same package:
Example 1: CVE can be reported against a library or utility
https://nvd.nist.gov/vuln/detail/CVE-2019-3823
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-5482
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
See below of how Yocto handles the same:
The format they follow is space separated CPE_VENDOR:CPE_NAME for all
combinations to be checked:
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
Note: Curl is the worst case offender, because older curl CVEs used to
have a different vendor!
Here are few examples of packages needing multiple mappings:
https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123
Other naming inconsistency examples off the top of my head:
xorg-server vs x_server
https://nvd.nist.gov/vuln/detail/CVE-2019-17624
cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
libsdl vs simple_directmedia_layer
https://nvd.nist.gov/vuln/detail/CVE-2019-13626
cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
https://nvd.nist.gov/vuln/detail/CVE-2019-12222
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
While some of these should be reported to NVD and fixed, practically
the number of such CVEs is significant to follow and fixup. Might be
easier to add tooling support to query multiple CPE_ID*'s like how
Yocto does.
This could be a future enhancement given the proposal here is
definitely better than what currently exists in Buildroot :)
Thanks,
Akshay
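Akshay's point above, that one package may need several vendor:product names checked, as an added example (not code from this series, Buildroot or Yocto): NVD-style CPE 2.3 match strings with version ranges are checked against a package carrying a Yocto-style candidate list, and the bare `vendor:product:version` layout patch 01 gives `$(PKG)_CPE_ID` is parsed as well. The CVE data, ranges and candidate lists are constructed; the CVE_* names only echo those in cve.py.

```python
from typing import List, Optional, Tuple

# Outcomes, named after the CVE_* constants the thread's cve.py uses; these
# constants are constructed for this example, not imported from it.
CVE_AFFECTS = "affects"
CVE_DOESNT_AFFECT = "not affected"
CVE_UNKNOWN = "unknown"      # version is not numerically comparable
CVE_NO_MATCH = "no match"    # the CVE names a product this package does not claim


def split_cpe23(cpe: str) -> List[str]:
    """Split a CPE string on ':' while keeping backslash-escaped ':' intact."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # copy the escape pair verbatim
            cur += cpe[i:i + 2]
            i += 2
            continue
        if cpe[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    fields.append(cur)
    return fields


def vendor_product(cpe: str) -> Tuple[str, str]:
    """(vendor, product) from 'cpe:2.3:a:vendor:product:...' or bare 'vendor:product:...'."""
    fields = split_cpe23(cpe)
    if fields[:2] == ["cpe", "2.3"]:
        if len(fields) < 5:
            raise ValueError("truncated CPE 2.3 string: %r" % cpe)
        return fields[3], fields[4]
    if len(fields) < 2:
        raise ValueError("expected at least vendor:product: %r" % cpe)
    return fields[0], fields[1]


def parse_candidates(spec: str) -> List[Tuple[str, str]]:
    """Space separated 'vendor:product' entries; a bare 'product' matches any vendor."""
    out = []
    for item in spec.split():
        vendor, _, product = item.rpartition(":")
        out.append((vendor or "*", product))
    return out


def version_key(version: str) -> Optional[Tuple[int, ...]]:
    """Numeric dotted versions only (NIST ranges assume those); else not comparable."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def cve_affects(matches, candidates, version):
    """One package (candidates + version) vs. (cpe23, start_incl, end_excl) matches."""
    pkg_key = version_key(version)
    result = CVE_NO_MATCH
    for cpe, start_incl, end_excl in matches:
        vendor, product = vendor_product(cpe)
        if not any(p == product and v in ("*", vendor) for v, p in candidates):
            continue                       # match string is about another product
        cpe_version = split_cpe23(cpe)[5]
        if cpe_version != "*":             # match string pins one exact version
            if cpe_version == version:
                return CVE_AFFECTS
            result = CVE_DOESNT_AFFECT
            continue
        lo = version_key(start_incl) if start_incl else None
        hi = version_key(end_excl) if end_excl else None
        if pkg_key is None or (start_incl and lo is None) or (end_excl and hi is None):
            return CVE_UNKNOWN             # needs a human look, like cves_to_check
        if (lo is None or pkg_key >= lo) and (hi is None or pkg_key < hi):
            return CVE_AFFECTS
        result = CVE_DOESNT_AFFECT
    return result


# Constructed sample data: a version range on the library name plus one exact
# version on the CLI name; the numbers do not describe any real CVE.
SAMPLE_MATCHES = [
    ("cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "7.19.4", "7.64.0"),
    ("cpe:2.3:a:haxx:curl:7.63.0:*:*:*:*:*:*:*", None, None),
]
CURL_CANDIDATES = parse_candidates("haxx:curl haxx:libcurl curl:curl")
```

A package that only claims `curl:curl` gets CVE_NO_MATCH against both sample strings, which is exactly the vendor drift Akshay describes for older curl CVEs.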
* [Buildroot] [PATCH 08/17] support/scripts/cpe-report: new script
From: Heiko Thiery @ 2020-10-07 8:11 UTC (permalink / raw)
To: buildroot
Hi Gregory, Hi Matt,
Am Di., 6. Okt. 2020 um 15:44 Uhr schrieb Gregory CLEMENT
<gregory.clement@bootlin.com>:
>
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> The script supports looking up all the CPEs provided in a
> make cpe-info csv file export from a target Buildroot build.
> It checks the current version and suggests a CPE needs update
> or possibly an initial submission is required to NIST.
Is there a way to create this kind of list/output also for all
packages in buildroot and not only the one that is generated by a
configuration?
> Adds option to allow alternate locations for the dictionary
> URL and caching of a processed dictionary to speed up execution.
>
> Outputs a cpe/ folder with proposed xml generated from the
> dictionary contents to propose updated versions to NIST.
>
> For missing CPE matches, a cpe-report-missing.txt is created
> by the script that can be used later to manually create proposed
> new NIST dictionary entries.
>
> Ref: NIST has a group email (cpe_dictionary at nist.gov) used to
> receive these version update and new entry xml files. They do
> process the XML and provide feedback. In some cases they will
> propose back something different where the vendor or version is
> slightly different.
>
> Limitations
> - Currently any use of non-number version identifiers isn't
> supported by NIST as they use ranges to determine impact
> of a CVE
> - Any Linux version from a non-upstream is also not supported
> without manually adjusting the information as the custom
> kernel will more than likely not match the upstream version
> used in the dictionary
>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> ---
> support/scripts/cpe-report | 70 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 70 insertions(+)
> create mode 100755 support/scripts/cpe-report
>
> diff --git a/support/scripts/cpe-report b/support/scripts/cpe-report
> new file mode 100755
> index 0000000000..7242a372b2
> --- /dev/null
> +++ b/support/scripts/cpe-report
> @@ -0,0 +1,70 @@
> +#!/usr/bin/env python
Shouldn't we use python3 here?
> +
> +import argparse
> +import sys
> +import csv
> +from cpedb import CPEDB
> +
> +CPE_XML_URL = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz"
> +
> +
> +def get_target_cpe_report(cpe_report_file, cpedb):
> + report_cpe_exact_match = ""
> + report_cpe_needing_update = ""
> + report_cpe_needing_update_list = ""
> + report_cpe_missing = ""
> +
> + print("CPE: Checking for matches...")
> + try:
> + with open(cpe_report_file) as cpe_file:
> + cpe_list = csv.reader(cpe_file)
> + next(cpe_list) # make cpe-info has a one line header
> + for cpe in cpe_list:
> + result = cpedb.find(cpe[0])
> + if not result:
> + result = cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))
> + if not result:
> + report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3] + "\n"
> + else:
> + latest_version = cpedb.find_partial_latest_version(cpedb.get_cpe_no_version(cpe[0]))
> + report_cpe_needing_update += cpe[0] + ", Latest Version Guess from Dict[" + latest_version + "]\n"
> + report_cpe_needing_update_list += cpe[0] + "\n"
> + else:
> + report_cpe_exact_match += cpe[0] + "\n"
> + except (OSError, IOError) as e:
> + print("CPE: report csv file (%s): %s" % (e.errno, e.strerror))
> + sys.exit(1)
> +
> + print("CPE: Found but may REQUIRE an UPDATE:\n" + report_cpe_needing_update)
> + print("CPE: Not found:\n" + report_cpe_missing)
> +
> + fp = open('cpe-report-missing.txt', 'w+')
> + fp.write(report_cpe_missing)
> + fp.close()
> +
> + for cpe in report_cpe_needing_update_list.splitlines():
> + cpedb.update(cpe)
> + print("XML Generation Complete of NIST update files, see ./cpe/*")
> +
> +
> +def parse_args():
> + parser = argparse.ArgumentParser()
> + parser.add_argument('-c', dest='cpe_report', action='store', required=True,
> + help='CPE Report generated by make cpe-info (csv format)')
> + parser.add_argument('-u', dest='url', action='store', required=False,
> + help='(optional)URL to the NIST dict (official-cpe-dictionary_v2.3.xml.gz)')
> + return parser.parse_args()
> +
> +
> +def __main__():
> + args = parse_args()
> + cpedb = CPEDB()
> + url = CPE_XML_URL
> + if args.url:
> + url = args.url
> + cpedb.get_xml_dict(url)
> + print("Performing Target CPE Report Analysis...")
> + get_target_cpe_report(args.cpe_report, cpedb)
> +
> +
> +__main__()
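Review bot: `report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3] + "\n"` indexes column 3 of the cpe-info CSV without checking the row length, so a short row raises IndexError outside the `except (OSError, IOError)` handler; validate `len(cpe)` per row and say in a comment which cpe-info columns 0, 1 and 3 are. `fp = open('cpe-report-missing.txt', 'w+')` should be a `with open(...) as fp:` block like the reader above it. And, as Heiko notes, the `#!/usr/bin/env python` shebang should be `python3`, given patch 11 converts cpedb.py to Python 3.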
--
Heiko
* [Buildroot] [PATCH 11/17] Support/scripts/cpedb.py: Convert to Python 3
From: Heiko Thiery @ 2020-10-07 9:12 UTC (permalink / raw)
To: buildroot
Hi Gregory, Hi Matt,
Am Di., 6. Okt. 2020 um 15:43 Uhr schrieb Gregory CLEMENT
<gregory.clement@bootlin.com>:
>
> Switch the script to be used with python 3
I tried to use the cpe-report script with python 3 but get some errors
with the urllib3. It seems that this lib does not provide the urlopen
methods compared to the urllib2.
I added a new function that replaces the download, decompress and xml
parse stuff and now it works for me with python3.
--- [snip] ---
import gzip
import sys

import urllib3
import xmltodict


# Method of the CPEDB class; replaces the urllib2 download + GzipFile + parse steps.
def _get_cpedb(self, url):
    print("CPE: Fetching xml manifest from [" + url + "]")
    c = urllib3.PoolManager()
    try:
        rsp = c.request('GET', url)
    except urllib3.exceptions.HTTPError:
        # base class of urllib3's MaxRetryError and friends (connection failures)
        print("CPE: HTTP Error: %s" % url)
        sys.exit(1)
    if rsp.status != 200:
        # a 4xx/5xx reply does not raise in urllib3, so check the status explicitly
        print("CPE: HTTP status %d for %s" % (rsp.status, url))
        sys.exit(1)
    print("CPE: Unzipping xml manifest...")
    # rsp.data is bytes, so gzip.decompress() needs no StringIO/BytesIO wrapper
    nist_cpe_file = gzip.decompress(rsp.data)
    print("CPE: Converting xml manifest to dict...")
    all_cpedb = xmltodict.parse(nist_cpe_file)
    return all_cpedb
--- [snip] ---
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> ---
> support/scripts/cpedb.py | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/support/scripts/cpedb.py b/support/scripts/cpedb.py
> index 0369536f6f..6e48772b5e 100644
> --- a/support/scripts/cpedb.py
> +++ b/support/scripts/cpedb.py
> @@ -1,9 +1,9 @@
> import sys
> -import urllib2
> +import urllib3
> from collections import OrderedDict
> import xmltodict
> import gzip
> -from StringIO import StringIO
> +from io import StringIO
> import os
> import pickle
>
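Review bot: `urllib3` is a third-party package, not the Python 3 successor of `urllib2`; the standard-library replacement is `urllib.request` (`urlopen`), `urllib.error` (`HTTPError`, `URLError`) and `urllib.parse` (`quote`), which needs no new dependency. `from io import StringIO` is also the wrong substitute here: `urlopen(...).read()` returns bytes, so `gzip.GzipFile(fileobj=...)` needs `io.BytesIO`.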
> @@ -65,7 +65,7 @@ class CPEDB:
> def get_new_xml_dict(self, url):
> print("CPE: Fetching xml manifest from [" + url + "]")
> try:
> - compressed_cpe_file = urllib2.urlopen(url)
> + compressed_cpe_file = urllib3.urlopen(url)
> print("CPE: Unzipping xml manifest...")
> nist_cpe_file = gzip.GzipFile(fileobj=StringIO(compressed_cpe_file.read())).read()
> print("CPE: Converting xml manifest to dict...")
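Review bot: `urllib3.urlopen` does not exist, so this line raises AttributeError as soon as the dictionary is fetched; with the stdlib it is `urllib.request.urlopen(url)`, with urllib3 it is `urllib3.PoolManager().request('GET', url).data`, as in Heiko's replacement above.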
> @@ -113,10 +113,10 @@ class CPEDB:
> # latest version in the NIST dict)
> self.all_cpes_no_version.update({cpe_str_no_version: item})
>
> - except urllib2.HTTPError:
> + except urllib3.HTTPError:
> print("CPE: HTTP Error: %s" % url)
> sys.exit(1)
> - except urllib2.URLError:
> + except urllib3.URLError:
> print("CPE: URL Error: %s" % url)
> sys.exit(1)
>
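Review bot: `urllib3.HTTPError` and `urllib3.URLError` are not attributes of urllib3 (its exceptions live in `urllib3.exceptions`, and there is no `URLError` at all), so a download failure would surface as an AttributeError raised while Python evaluates the except clause instead of the intended message; with `urllib.request` these become `urllib.error.HTTPError` and `urllib.error.URLError`.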
> @@ -156,7 +156,7 @@ class CPEDB:
>
> def get_nvd_url(self, cpe_str):
> return "https://nvd.nist.gov/products/cpe/search/results?keyword=" + \
> - urllib2.quote(cpe_str) + \
> + urllib3.quote(cpe_str) + \
> "&status=FINAL&orderBy=CPEURI&namingFormat=2.3"
>
> def get_cpe_no_version(self, cpe):
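Review bot: `urllib3.quote` does not exist either; `urllib.parse.quote(cpe_str)` is the Python 3 equivalent of `urllib2.quote`.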
> --
> 2.28.0
>
* [Buildroot] [PATCH 08/17] support/scripts/cpe-report: new script
From: Matthew Weber @ 2020-10-07 12:20 UTC (permalink / raw)
To: buildroot
Heiko,
On Wed, Oct 7, 2020 at 3:13 AM Heiko Thiery <heiko.thiery@gmail.com> wrote:
>
> Hi Gregory, Hi Matt,
>
> Am Di., 6. Okt. 2020 um 15:44 Uhr schrieb Gregory CLEMENT
> <gregory.clement@bootlin.com>:
> >
> > From: Matt Weber <matthew.weber@rockwellcollins.com>
> >
> > The script supports looking up all the CPEs provided in a
> > make cpe-info csv file export from a target Buildroot build.
> > It checks the current version and suggests a CPE needs update
> > or possibly an initial submission is required to NIST.
>
> Is there a way to create this kind of list/output also for all
> packages in buildroot and not only the one that is generated by a
> configuration?
Yeah. The CPE maintaining tooling can look at whatever list of CPE
you feed it, so we'd just need to add an option to dump the complete
CPE listing similar to how pkg-stats does it. There was some debate
on just using "show vars" directly by the tooling and not generating
this in between csv file. I'm still of the argument that having this
hand-off file in some format is still valuable for 3rd party analysis
of the pkg listing (similar to what we have with the legal info
csv's). However if we allow full package list dumps of CPE and the
current defconfig, it may make sense to convert the CPE tools to just
directly use the "show vars" and have a command line option to select
the type of analysis. Then the tool could be improved to also output
an optional report similar to the CSV. This would allow us to remove
the cpe-info make target and simplify the buildsystem changeset.
Regards,
Matt
* [Buildroot] [PATCH 01/17] cpe-info: new make target
From: Matthew Weber @ 2020-10-16 13:07 UTC (permalink / raw)
To: buildroot
All,
On Tue, Oct 6, 2020 at 4:16 PM Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> On Tue, Oct 6, 2020 at 9:43 AM Gregory CLEMENT
> <gregory.clement@bootlin.com> wrote:
> >
> > From: Matt Weber <matthew.weber@rockwellcollins.com>
> <snip>
> > +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> > +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> > +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> > +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>
> Overall this is a big step in the right direction :)
>
> A future enhancement would be to support multiple CPE_ID's for the same package:
> Example 1: CVE can be reported against a library or utility
> https://nvd.nist.gov/vuln/detail/CVE-2019-3823
> cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-5482
> cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
>
> See below of how Yocto handles the same:
> The format they follow is space separated CPE_VENDOR:CPE_NAME for all
> combinations to be checked:
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-support/curl/curl_7.72.0.bb#L15
> Note: Curl is the worst case offender, because older curl CVEs used to
> have a different vendor!
I wonder if this could be as simple as the way we build the CPE ID
variable. Maybe for these cases we can just set the full list of CPE
vendor:name values to be checked. Where as by default the CPE ID is
constructed like it is today but with one item in the list.
>
> Here are few examples of packages needing multiple mappings:
> https://github.com/OSSystems/meta-browser/blob/master/recipes-browser/chromium/chromium.inc#L4
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb#L32
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-lib/libxfont2_2.0.4.bb#L24
> https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-extended/ghostscript/ghostscript_9.52.bb#L123
>
> Other naming inconsistencies examples of the top of my head:
> xorg-server vs x_server
> https://nvd.nist.gov/vuln/detail/CVE-2019-17624
> cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2018-14665
> cpe:2.3:a:x.org:xorg-server:*:*:*:*:*:*:*:*
> libsdl vs simple_directmedia_layer
> https://nvd.nist.gov/vuln/detail/CVE-2019-13626
> cpe:2.3:a:libsdl:libsdl:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/detail/CVE-2019-12222
> cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
>
> While some of these should be reported to NVD and fixed, practically
> the number of such CVEs is significant to follow and fixup. Might be
> easier to add tooling support to query multiple CPE_ID*'s like how
> Yocto does.
> This could be a future enhancement given the proposal here is
> definitely better than what currently exists in Buildroot :)
>
Thanks for bringing this multiple ID case up as I know I didn't
originally address it in the original CPE series Greg amends.
Regards,
Matt Weber