* [Buildroot] [next,v2 0/8] Package CPE Reporting
@ 2018-03-01  5:23 Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 1/8] cpe-info: new make target Matt Weber
                   ` (7 more replies)
  0 siblings, 8 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

This series adds new infrastructure to report
a package's CPE identifier in a similar way
to how the legal info is currently reported.

The addition of CPE IDs to the packages is a
manual process, but in a later patchset
additions are planned to the pkg-stats script
to automate maintenance of the process.


v2
- Used pkg infra to hide the common CPE ID definition
- Misc cleanup of Makefile approach

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>


Matt Weber (8):
  cpe-info: new make target
  cpe-info: id prefix/suffix
  cpe-info: only report target pkgs
  cpe-info: infra defines CPE_ID_* defaults
  cpe-info: update manual for new pkg vars
  bash: add CPE id
  e2fsprogs: add CPE id
  boa: add CPE id

 Makefile                                |  17 ++++-
 docs/manual/adding-packages-generic.txt | 119 ++++++++++++++++++++------------
 package/bash/bash.mk                    |   1 +
 package/boa/boa.mk                      |   1 +
 package/e2fsprogs/e2fsprogs.mk          |   2 +
 package/pkg-generic.mk                  |  28 ++++++++
 package/pkg-utils.mk                    |   8 +++
 7 files changed, 132 insertions(+), 44 deletions(-)

-- 
1.9.1

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [Buildroot] [next,v2 1/8] cpe-info: new make target
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 2/8] cpe-info: id prefix/suffix Matt Weber
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Similar to make legal-info, produce a CSV delimited
file containing all selected packages' CPE
identification.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - Moved comment on conditionals back to this patchset where
   the conditional is created vs later
---
 Makefile               | 17 ++++++++++++++++-
 package/pkg-generic.mk | 13 +++++++++++++
 package/pkg-utils.mk   |  8 ++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 5fe3a34..1630e81 100644
--- a/Makefile
+++ b/Makefile
@@ -146,7 +146,7 @@ nobuild_targets := source %-source \
 	clean distclean help show-targets graph-depends \
 	%-graph-depends %-show-depends %-show-version \
 	graph-build graph-size list-defconfigs \
-	savedefconfig printvars
+	savedefconfig printvars cpe-info %-cpe-info
 ifeq ($(MAKECMDGOALS),)
 BR_BUILDING = y
 else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),)
@@ -230,6 +230,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv
 LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv
 LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings
 LEGAL_REPORT = $(LEGAL_INFO_DIR)/README
+CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv
 
 ################################################################################
 #
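Review bot: CPE_MANIFEST_CSV is dropped into the middle of the LEGAL_* definitions and points straight at $(BASE_DIR)/cpe-manifest.csv, so the CPE report gets no directory of its own the way legal-info gets LEGAL_INFO_DIR. Consider a CPE_INFO_DIR = $(BASE_DIR)/cpe-info with the manifest inside it, defined under its own comment banner, so any later output (a warnings file, per-package detail) has somewhere to live and `cpe-info-clean` can just remove the directory.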
@@ -788,6 +789,19 @@ legal-info: dirs legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p
 		mv .legal-info.sha256 legal-info.sha256)
 	@echo "Legal info produced in $(LEGAL_INFO_DIR)"
 
+.PHONY: cpe-info-clean
+cpe-info-clean:
+	@rm -f $(CPE_MANIFEST_CSV)
+
+.PHONY: cpe-info-prepare
+cpe-info-prepare:
+	@$(call MESSAGE,"Gathering CPE info")
+	@$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
+
+.PHONY: cpe-info
+cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
+	@echo "CPE info produced in $(CPE_MANIFEST_CSV)"
+
 .PHONY: show-targets
 show-targets:
 	@echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS))
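Review bot: `cpe-info` has no `dirs` prerequisite, unlike `legal-info` (`legal-info: dirs legal-info-clean legal-info-prepare ...` in the context above). It only works because CPE_MANIFEST_CSV lives directly in $(BASE_DIR), which already exists by the time any target runs; the moment the manifest moves into a subdirectory, the `>>` in `cpe-info-prepare` fails. Add `dirs` and create the output directory in `cpe-info-prepare` so the two targets stay symmetric. Writing the header row through the same `cpe-manifest` macro as the data rows is the right call, since the column names and the quoting then cannot drift apart.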
@@ -1047,6 +1061,7 @@ help:
 	@echo '  source                 - download all sources needed for offline-build'
 	@echo '  external-deps          - list external packages used'
 	@echo '  legal-info             - generate info about license compliance'
+	@echo '  cpe-info               - generate info about security CPE identification'
 	@echo '  printvars              - dump all the internal variables'
 	@echo
 	@echo '  make V=0|1             - 0 => quiet build (default), 1 => verbose build'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index a2a12e7..4481ae2 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -830,6 +830,18 @@ else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
 
+$(1)-cpe-info: PKG=$(2)
+$(1)-cpe-info:
+ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+	@$$(call MESSAGE,"Collecting cpe info")
+ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
+	$(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+else
+	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
+endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
+endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+
+
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
 $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
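Review bot: the fallback branch passes the sentinel with literal quotes, `$$(call cpe-manifest,"unknown",...)`, but `cpe-manifest` already wraps every field in double quotes, so the row comes out as `""unknown"",...`, which CSV readers parse as an empty quoted field followed by stray characters. Pass it bare (`$$(call cpe-manifest,unknown,...)`) so the macro's quoting is the only quoting. `$$($(2)_CVE_PATCHED)` is also emitted into one field as a space-separated list without the infrastructure ever defining or defaulting it; that is harmless while it expands to empty, but documenting that contract next to the other per-package variables would make it explicit.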
@@ -972,6 +984,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-dependency,$$($(2)_SOURCE))
 	$(1)-clean-for-reconfigure \
 	$(1)-clean-for-reinstall \
 	$(1)-configure \
+	$(1)-cpe-info \
 	$(1)-depends \
 	$(1)-dirclean \
 	$(1)-external-deps \
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index c3acc22..11a2457 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -95,3 +95,11 @@ define legal-license-file # pkgname, pkgname-pkgver, pkgdir, filename, file-full
 	} && \
 	cp $(5) $(LICENSE_FILES_DIR_$(6))/$(2)/$(4)
 endef
+
+#
+# cpe-info helper functions
+#
+
+define cpe-manifest # cpe, cve patched, pkg name, version, url
+	echo '"$(1)","$(2)","$(3)","$(4)","$(5)"' >>$(CPE_MANIFEST_CSV)
+endef
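Review bot: `cpe-manifest` does no escaping of its arguments. A field containing a single quote terminates the shell-quoted string handed to `echo`, and a field containing a double quote is not doubled as CSV requires. With the values passed today (CPE ID, CVE list, package name, version, source site) this is unlikely to trigger, but `$(2)_ACTUAL_SOURCE_SITE` is free text from the package .mk, so either state in the manual that these variables must not contain quotes or route the values through a small shell helper that doubles `"` before writing. At minimum a comment above the define should record the limitation.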
-- 
1.9.1


* [Buildroot] [next,v2 2/8] cpe-info: id prefix/suffix
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 1/8] cpe-info: new make target Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 3/8] cpe-info: only report target pkgs Matt Weber
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

There are two types of software CPE prefixes, one for
applications and one for operating systems. Note: There
is a third type for hardware.

This patchset determines which should be used and stores
that information with the package for later use when
assembling the CPE report.

There is also a suffix which we just default to wildcards
at this point.

Refs:
   https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
   https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - Change to using a filter on pkg name value vs ifelse
---
 package/pkg-generic.mk | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 4481ae2..21a353e 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -550,6 +550,10 @@ ifndef $(2)_LICENSE_FILES
  endif
 endif
 
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
 ifndef $(2)_REDISTRIBUTE
  ifdef $(3)_REDISTRIBUTE
   $(2)_REDISTRIBUTE = $$($(3)_REDISTRIBUTE)
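Review bot: CPE_PREFIX_OS, CPE_PREFIX_APP and CPE_SUFFIX are assigned inside the inner-generic-package body (the surrounding context is per-package, note the `$(2)_...` and `$(3)_...` references), yet the hunks below reference them with a single `$` (`$(CPE_PREFIX_OS)`, `$(CPE_PREFIX_APP)`, `$(CPE_SUFFIX)`). Single-`$` references are expanded when inner-generic-package is `$(call)`ed, which happens before the `$(eval)` of that same expansion performs these assignments, so the first package evaluated sees all three as empty and ends up with `$(2)_CPE_PREFIX` unset and an ID of the form `:vendor:name:version:`; every later package only works because an earlier package's eval defined the variables. These are constants, not per-package values: move the three lines out of the macro to file scope in package/pkg-generic.mk (or next to `cpe-manifest` in package/pkg-utils.mk) and both the ordering problem and the per-package re-assignment go away.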
@@ -830,6 +834,13 @@ else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
 
+ifneq ($(filter linux linux-headers,$(1)),)
+$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
+
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
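Review bot: the OS/application split is hard-coded as `$(filter linux linux-headers,$(1))`, so no package can opt into the `o` part on its own and any other OS-class package (an out-of-tree kernel, for instance) would have to be added to this list in the infrastructure. Make it a per-package variable with this logic as the default, e.g. `$(2)_CPE_ID_PREFIX ?= $(CPE_PREFIX_APP)` plus the linux override, so a package .mk can set it the same way it sets the other `_CPE_ID_*` variables and the manual can document it alongside them.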
@@ -837,11 +848,10 @@ ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
 	$(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 else
-	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$(id),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
+	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
 endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 
-
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
 $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
-- 
1.9.1

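The manifest layout from 1/8 (five double-quoted columns, `CPE ID`, `CVE PATCHED`, `PACKAGE`, `VERSION`, `SOURCE SITE`) and the ID layout from 2/8 (`cpe:2.3:<part>:vendor:product:version` followed by seven wildcard fields) are what any consumer of cpe-manifest.csv has to parse. The following is an added example, not code from this series or from Buildroot: a small Python checker that reads such a manifest, splits CPE 2.3 formatted strings on unescaped colons, verifies the 13-component layout, flags `unknown` rows and version mismatches between the ID and the VERSION column, and checks CVE_PATCHED entries for CVE-YYYY-NNNN form. SAMPLE_MANIFEST is a constructed input: the versions, sites and CVE numbers are placeholders, and the bash/e2fsprogs/boa/linux rows are what the series' defaults would produce for those packages.

```python
"""Audit a cpe-manifest.csv as written by `make cpe-info`.

Added example (not part of the Buildroot patch series or of Buildroot itself).
It re-implements the CPE 2.3 formatted-string layout the series relies on,
cpe:2.3:<part>:vendor:product:version followed by seven wildcard fields,
and checks the five columns the cpe-manifest macro writes.
"""
import csv
import io
import re

# Column order written by cpe-info-prepare and by the cpe-manifest macro.
COLUMNS = ["CPE ID", "CVE PATCHED", "PACKAGE", "VERSION", "SOURCE SITE"]
CPE_PARTS = {"a", "o", "h"}          # application, operating system, hardware
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed manifest for this example, not real build output: versions,
# sites and the CVE numbers are placeholders.  bash/e2fsprogs/boa/linux rows
# show what the series' defaults produce, pv shows an unset vendor, foo shows
# a value pasted without the cpe:2.3 prefix and the wildcard suffix.
SAMPLE_MANIFEST = """\
"CPE ID","CVE PATCHED","PACKAGE","VERSION","SOURCE SITE"
"cpe:2.3:a:gnu:bash:4.4.12:*:*:*:*:*:*:*","","bash","4.4.12","http://example.com/bash"
"cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.9:*:*:*:*:*:*:*","","e2fsprogs","1.43.9","http://example.com/e2fsprogs"
"cpe:2.3:a:ext2_filesystems_utilities:e2fsprogs:1.43.9:*:*:*:*:*:*:*","","e2fsprogs","1.43.9","http://example.com/e2fsprogs"
"cpe:2.3:a:boa:boa:0.94.14rc21:*:*:*:*:*:*:*","","boa","0.94.14rc21","http://example.com/boa"
"cpe:2.3:o:linux:linux_kernel:4.14.18:*:*:*:*:*:*:*","","linux","4.14.18","http://example.com/linux"
"unknown","CVE-0000-0001 CVE-0000-0002","pv","1.6.6","http://example.com/pv"
"foo_project:foo:1.0","","foo","1.0","http://example.com/foo"
"""


def build_cpe(part, vendor, product, version):
    """Assemble an ID the way pkg-generic.mk does: prefix, triple, wildcard suffix."""
    return f"cpe:2.3:{part}:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def split_cpe(cpe_id):
    """Split a formatted string on unescaped colons; a backslash escapes the next char."""
    fields, cur, i = [], [], 0
    while i < len(cpe_id):
        ch = cpe_id[i]
        if ch == "\\" and i + 1 < len(cpe_id):
            cur.append(cpe_id[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def check_cpe(cpe_id):
    """Return the list of problems with a CPE 2.3 formatted string (empty = well-formed)."""
    f = split_cpe(cpe_id)
    if len(f) != 13:
        return [f"expected 13 colon-separated components, got {len(f)}"]
    problems = []
    if f[0] != "cpe" or f[1] != "2.3":
        problems.append("missing 'cpe:2.3:' prefix")
    if f[2] not in CPE_PARTS:
        problems.append(f"part must be one of a/o/h, got {f[2]!r}")
    for name, val in zip(("vendor", "product", "version"), f[3:6]):
        if val in ("", "*", "-"):
            problems.append(f"{name} should be a concrete value, got {val!r}")
    return problems


def parse_manifest(text):
    """Read the CSV and return one dict per data row, keyed by the column names."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != COLUMNS:
        raise ValueError(f"unexpected header row: {rows[:1]}")
    return [dict(zip(COLUMNS, r)) for r in rows[1:] if r]


def audit_manifest(text):
    """Classify rows into (ok, unknown, bad); ok and bad hold (package, cpe, problems)."""
    ok, unknown, bad = [], [], []
    for row in parse_manifest(text):
        pkg, cpe = row["PACKAGE"], row["CPE ID"]
        if cpe == "unknown":            # vendor not set in the package .mk
            unknown.append(pkg)
            continue
        problems = check_cpe(cpe)
        fields = split_cpe(cpe)
        if len(fields) == 13 and fields[5] != row["VERSION"]:
            problems.append(f"CPE version {fields[5]!r} != package version {row['VERSION']!r}")
        problems += [f"malformed CVE id {c!r}"
                     for c in row["CVE PATCHED"].split() if not CVE_RE.match(c)]
        (bad if problems else ok).append((pkg, cpe, problems))
    return ok, unknown, bad


if __name__ == "__main__":
    ok, unknown, bad = audit_manifest(SAMPLE_MANIFEST)
    print(f"{len(ok)} well-formed, {len(unknown)} without vendor: {unknown}")
    for pkg, cpe, problems in bad:
        print(f"{pkg}: {cpe}: {'; '.join(problems)}")
```

Run it as-is to see the constructed sample classified; point `audit_manifest` at the contents of a real `cpe-manifest.csv` to audit a build. The colon-aware splitter matters because CPE 2.3 allows a backslash-escaped `\:` inside a component, so a naive `str.split(":")` would miscount fields on such an ID; the version cross-check catches the case where a hand-written `_CPE_ID` was not bumped along with the package version.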

* [Buildroot] [next,v2 3/8] cpe-info: only report target pkgs
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 1/8] cpe-info: new make target Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 2/8] cpe-info: id prefix/suffix Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults Matt Weber
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

The reporting of host packages causes some duplication
and complicates what is really in the target's configuration.
For the purpose of the first version of this patchset,
it's assumed that host packages aren't relevant for the
configuration and we only report the target's contents.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - select if target vs selecting not host
---
 package/pkg-generic.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 21a353e..f84a270 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -841,6 +841,7 @@ $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
 endif
 
 
+ifeq ($$($(2)_TYPE),target)
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
@@ -851,6 +852,7 @@ else
 	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
 endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+endif # ifeq ($$($(2)_TYPE),target)
 
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
-- 
1.9.1


* [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
                   ` (2 preceding siblings ...)
  2018-03-01  5:23 ` [Buildroot] [next,v2 3/8] cpe-info: only report target pkgs Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  9:17   ` Thomas Petazzoni
  2018-03-01  5:23 ` [Buildroot] [next, v2 5/8] cpe-info: update manual for new pkg vars Matt Weber
                   ` (3 subsequent siblings)
  7 siblings, 1 reply; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Default to using the package name for the vendor
and name as most CPE IDs seem to align with that
assumption. Also use the pkg version as the CPE ID's
initial version field.

---
Changes
v1 - no patch

v2
[Thomas P
 - Created patch per suggestion to use infra
   to cleanup common case in individual pkg
   CPE_ID definition.
---
 package/pkg-generic.mk | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index f84a270..6ccf511 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -840,17 +840,20 @@ else
 $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
 endif
 
+$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
+$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
 
 ifeq ($$($(2)_TYPE),target)
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
-ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
+ifeq ($$(call qstrip,$$($(2)_CPE_ID_VENDOR)),)
 	$(Q)$$(call cpe-manifest,"unknown",$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 else
 	$(Q)$$(foreach id,$$($(2)_CPE_ID),$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$(id):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))$$(sep))
-endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID)),)
+endif # ifeq ($$(call qstrip,$$($(2)_CPE_ID_VENDOR)),)
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 endif # ifeq ($$($(2)_TYPE),target)
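Review bot: the report is now gated on `$(2)_CPE_ID_VENDOR` alone, so a package that sets `$(2)_CPE_ID` explicitly but not the vendor (the e2fsprogs change in 7/8 lands in exactly this state because of a typo there) is reported as `unknown` even though it carries a hand-written CPE list. A rule that covers both cases: compute the default `$(2)_CPE_ID ?= ...` only `ifneq ($$(call qstrip,$$($(2)_CPE_ID_VENDOR)),)` and keep the v1 test on `$(2)_CPE_ID` being empty; then an explicit vendor or an explicit ID both produce a row, and only a package with neither produces `unknown`. That also answers the question raised in the thread about distinguishing verified IDs from defaults: the infrastructure never emits a derived ID unless someone wrote down at least the vendor. The commit message is still missing its Signed-off-by line.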
 
-- 
1.9.1


* [Buildroot] [next, v2 5/8] cpe-info: update manual for new pkg vars
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
                   ` (3 preceding siblings ...)
  2018-03-01  5:23 ` [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 6/8] bash: add CPE id Matt Weber
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Provide guidance on setting up the <pkgname>_CPE_ID*
and <pkgname>_CVE_PATCHED variables.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - Reworded LIBFOO_CVE_PATCHED description

[Matt W
 - Added definition for new preset variables to auto-gen
   the CPE ID
 - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
---
 docs/manual/adding-packages-generic.txt | 119 ++++++++++++++++++++------------
 1 file changed, 76 insertions(+), 43 deletions(-)

diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
index 63ea51b..410e2da 100644
--- a/docs/manual/adding-packages-generic.txt
+++ b/docs/manual/adding-packages-generic.txt
@@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell scripts.
 09: LIBFOO_SITE = http://www.foosoftware.org/download
 10: LIBFOO_LICENSE = GPL-3.0+
 11: LIBFOO_LICENSE_FILES = COPYING
-12: LIBFOO_INSTALL_STAGING = YES
-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
-15:
-16: define LIBFOO_BUILD_CMDS
-17:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
-18: endef
-19:
-20: define LIBFOO_INSTALL_STAGING_CMDS
-21:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
-22:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
-23:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
-24: endef
-25:
-26: define LIBFOO_INSTALL_TARGET_CMDS
-27:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
-28:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
-29: endef
-30:
-31: define LIBFOO_USERS
-32:	foo -1 libfoo -1 * - - - LibFoo daemon
-33: endef
-34:
-35: define LIBFOO_DEVICES
-36:	/dev/foo  c  666  0  0	42  0  -  -  -
-37: endef
-38:
-39: define LIBFOO_PERMISSIONS
-40:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
-41: endef
-42:
-43: $(eval $(generic-package))
+12: LIBFOO_CPE_ID_VENDOR = foosoftware
+13: LIBFOO_INSTALL_STAGING = YES
+14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
+15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
+16:
+17: define LIBFOO_BUILD_CMDS
+18:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
+19: endef
+20:
+21: define LIBFOO_INSTALL_STAGING_CMDS
+22:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
+23:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
+24:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
+25: endef
+26:
+27: define LIBFOO_INSTALL_TARGET_CMDS
+28:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
+29:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
+30: endef
+31:
+32: define LIBFOO_USERS
+33:	foo -1 libfoo -1 * - - - LibFoo daemon
+34: endef
+35:
+36: define LIBFOO_DEVICES
+37:	/dev/foo  c  666  0  0	42  0  -  -  -
+38: endef
+39:
+40: define LIBFOO_PERMISSIONS
+41:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
+42: endef
+43:
+44: $(eval $(generic-package))
 --------------------------------
 
-The Makefile begins on line 7 to 11 with metadata information: the
+The Makefile begins on line 7 to 12 with metadata information: the
 version of the package (+LIBFOO_VERSION+), the name of the
 tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)
 the Internet location at which the tarball can be downloaded from
-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
-license text (+LIBFOO_LICENSE_FILES+). All variables must start with
+(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
+analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
 the same prefix, +LIBFOO_+ in this case. This prefix is always the
 uppercased version of the package name (see below to understand where
 the package name is defined).
 
-On line 12, we specify that this package wants to install something to
+On line 13, we specify that this package wants to install something to
 the staging space. This is often needed for libraries, since they must
 install header files and other development files in the staging space.
 This will ensure that the commands listed in the
 +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
 
-On line 13, we specify that there is some fixing to be done to some
+On line 14, we specify that there is some fixing to be done to some
 of the 'libfoo-config' files that were installed during
 +LIBFOO_INSTALL_STAGING_CMDS+ phase.
 These *-config files are executable shell script files that are
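Review bot: `vunerability` in the new sentence (`the vendor for vunerability analysis`) should be `vulnerability`. Inserting LIBFOO_CPE_ID_VENDOR at line 12 shifts every later line number, which this hunk and the following ones renumber; each quoted range is worth re-checking against the new listing, since the old text already carried a wrong range for LIBFOO_USERS (`31..43` for a three-line block).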
@@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
 --------------------------------
 ================================
 
-On line 14, we specify the list of dependencies this package relies
+On line 15, we specify the list of dependencies this package relies
 on. These dependencies are listed in terms of lower-case package names,
 which can be packages for the target (without the +host-+
 prefix) or packages for the host (with the +host-+) prefix).
 Buildroot will ensure that all these packages are built and installed
 'before' the current package starts its configuration.
 
-The rest of the Makefile, lines 16..29, defines what should be done
+The rest of the Makefile, lines 17..29, defines what should be done
 at the different steps of the package configuration, compilation and
 installation.
 +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
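Review bot: `lines 17..29` is off by one for the new listing. LIBFOO_BUILD_CMDS now starts on line 17, but the `endef` closing LIBFOO_INSTALL_TARGET_CMDS moved from 29 to 30, so the range should read `17..30`.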
@@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
 contains the directory where the source code of the package has been
 extracted.
 
-On lines 31..43, we define a user that is used by this package (e.g.
+On lines 32..44, we define a user that is used by this package (e.g.
 to run a daemon as non-root) (+LIBFOO_USERS+).
 
-On line 35..37, we define a device-node file used by this package
+On line 36..38, we define a device-node file used by this package
 (+LIBFOO_DEVICES+).
 
-On line 39..41, we define the permissions to set to specific files
+On line 40..42, we define the permissions to set to specific files
 installed by this package (+LIBFOO_PERMISSIONS+).
 
-Finally, on line 43, we call the +generic-package+ function, which
+Finally, on line 44, we call the +generic-package+ function, which
 generates, according to the variables defined previously, all the
 Makefile code necessary to make your package working.
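Review bot: `On lines 32..44, we define a user` covers far more than LIBFOO_USERS: in the new listing the users block is lines 32..34, and line 44 is the `$(eval $(generic-package))` call described two paragraphs later. The old `31..43` had the same problem; since the line is being rewritten anyway, make it `32..34` so it matches the `36..38` and `40..42` ranges that follow.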
 
@@ -453,6 +455,37 @@ information is (assuming the package name is +libfoo+) :
   FLAT binary format is only 4k bytes. If the application consumes more stack,
   append the required number here.
 
+* +LIBFOO_CPE_ID_VENDOR+
+  This variable is optional. If it is not defined, +unknown+ will appear in
+  the +CPI ID+ field of the manifest file for this package.  This variable
+  is used by the package infrastructure to determine if it should include
+  a CPE information for the respective package.  Eventually when all
+  packages include CPE info, this can be cleaned up in the packages which
+  use the common vendoring and package naming sceme.
+
+* +LIBFOO_CPE_ID_NAME+
+  This variable is optional. By default it's set to the package's name.
+
+* +LIBFOO_CPE_ID_VERSION+
+  This variable is optional. By default it's set to the package's version.
+
+* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
+  default case of a single package's Common Product Enumeration (CPE)
+  identification string. If a package has more then one CPE, a
+  space-separated list can be defined to the respective package.
+  +make cpe-info+ copies all of these into a +cpe-manifest.csv+ file.
+  To identify a package's possible CPE(s), the National Vunerability
+  Database can be searched at https://nvd.nist.gov/products/cpe/search.
+
+* +LIBFOO_CVE_PATCHED+ is a space-separated list of the package's Common
+  Vunerability Enumeration (CVE) identification strings. This list
+  enumerates CVEs which are fixed by patches added in Buildroot. This
+  allows the CPE reporting to provide additional detail on CVEs which
+  have been fixed, even if Buildroot is not yet using an updated upstream
+  release including the fix. This variable is optional. If it is not
+  defined, the +CVE PATCHED+ field will appear empty in the manifest
+  file for this package.
+
 The recommended way to define these variables is to use the following
 syntax:
 
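Review bot: several wording errors in the new variable descriptions: `CPI ID` should be `CPE ID` (the column header written by cpe-info-prepare in 1/8), `sceme` should be `scheme`, `hangles` should be `handles`, `more then` should be `more than`, and `Vunerability` should be `Vulnerability` (twice). Two expansions are also wrong: CPE is the Common Platform Enumeration, not `Common Product Enumeration`, and CVE is Common Vulnerabilities and Exposures, not `Common Vunerability Enumeration`. The LIBFOO_CPE_ID entry should further state what each list element must look like, namely a bare `vendor:product:version` triple, because `cpe:2.3:<part>:` and the `:*:*:*:*:*:*:*` suffix are prepended and appended by pkg-generic.mk (2/8); otherwise readers will paste complete NVD strings and get doubled prefixes. Finally, the LIBFOO_CPE_ID_VENDOR text says `unknown` appears when the vendor is unset but not that a hand-written LIBFOO_CPE_ID is ignored in that case (4/8), which is the behaviour a package author most needs to know.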
-- 
1.9.1


* [Buildroot] [next,v2 6/8] bash: add CPE id
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
                   ` (4 preceding siblings ...)
  2018-03-01  5:23 ` [Buildroot] [next, v2 5/8] cpe-info: update manual for new pkg vars Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 7/8] e2fsprogs: " Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 8/8] boa: " Matt Weber
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - Updated how the ID is generated.
---
 package/bash/bash.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index e938491..26da481 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -12,6 +12,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison \
 BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
 BASH_LICENSE = GPL-3.0+
 BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VENDOR = gnu
 
 BASH_CONF_ENV += \
 	ac_cv_rl_prefix="$(STAGING_DIR)" \
-- 
1.9.1


* [Buildroot] [next,v2 7/8] e2fsprogs: add CPE id
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
                   ` (5 preceding siblings ...)
  2018-03-01  5:23 ` [Buildroot] [next,v2 6/8] bash: add CPE id Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  2018-03-01  5:23 ` [Buildroot] [next,v2 8/8] boa: " Matt Weber
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Matt W
 - Added second CPE ID
---
 package/e2fsprogs/e2fsprogs.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/e2fsprogs/e2fsprogs.mk b/package/e2fsprogs/e2fsprogs.mk
index 99019c7..285c032 100644
--- a/package/e2fsprogs/e2fsprogs.mk
+++ b/package/e2fsprogs/e2fsprogs.mk
@@ -10,6 +10,8 @@ E2FSPROGS_SITE = $(BR2_KERNEL_MIRROR)/linux/kernel/people/tytso/e2fsprogs/v$(E2F
 E2FSPROGS_LICENSE = GPL-2.0, MIT-like with advertising clause (libss and libet)
 E2FSPROGS_LICENSE_FILES = NOTICE lib/ss/mit-sipb-copyright.h lib/et/internal.h
 E2FSPROGS_INSTALL_STAGING = YES
+E3FSPROGS_CPE_ID_VENDOR = e2fsprogs_project
+E2FSPROGS_CPE_ID = e2fsprogs_project:$(E2FSPROGS_NAME):$(E2FSPROGS_VERSION) ext2_filesystems_utilities:$(E2FSPROGS_NAME):$(E2FSPROGS_VERSION)
 
 # Use libblkid and libuuid from util-linux for host and target packages.
 # This prevents overriding them with e2fsprogs' ones, which may cause
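Review bot: `E3FSPROGS_CPE_ID_VENDOR` is a typo for `E2FSPROGS_CPE_ID_VENDOR`, so the vendor is never set; with the `_CPE_ID_VENDOR` gate from 4/8 this package is reported as `unknown` and the two hand-written IDs on the next line are never emitted. Once the name is fixed, the first element of E2FSPROGS_CPE_ID is exactly what the infrastructure derives from the vendor on its own, so the explicit list is only needed for the second, `ext2_filesystems_utilities`, ID; either keep both elements for readability or rely on the default for the first, but say which in the commit message (the changelog entry `Added second CPE ID` is currently the only explanation).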
-- 
1.9.1


* [Buildroot] [next,v2 8/8] boa: add CPE id
  2018-03-01  5:23 [Buildroot] [next,v2 0/8] Package CPE Reporting Matt Weber
                   ` (6 preceding siblings ...)
  2018-03-01  5:23 ` [Buildroot] [next,v2 7/8] e2fsprogs: " Matt Weber
@ 2018-03-01  5:23 ` Matt Weber
  7 siblings, 0 replies; 11+ messages in thread
From: Matt Weber @ 2018-03-01  5:23 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
[Thomas P
 - Updated how the ID is generated.
 - Added back in newline before the *_INSTALL_TARGET_CMD
---
 package/boa/boa.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/boa/boa.mk b/package/boa/boa.mk
index d8bcaa1..2141fb2 100644
--- a/package/boa/boa.mk
+++ b/package/boa/boa.mk
@@ -8,6 +8,7 @@ BOA_VERSION = 0.94.14rc21
 BOA_SITE = http://www.boa.org
 BOA_LICENSE = GPL-2.0+
 BOA_LICENSE_FILES = COPYING
+BOA_CPE_ID_VENDOR = $(BOE_NAME)
 
 define BOA_INSTALL_TARGET_CMDS
 	$(INSTALL) -D -m 755 $(@D)/src/boa $(TARGET_DIR)/usr/sbin/boa
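Review bot: `$(BOE_NAME)` is a typo for `$(BOA_NAME)`; as written the variable expands to empty, the vendor gate in 4/8 sees no vendor, and boa is reported as `unknown`. Even once corrected, `BOA_CPE_ID_VENDOR = $(BOA_NAME)` encodes the assumption that NVD lists this product under vendor `boa`, which is the very default the infrastructure was asked not to guess; the manual in 5/8 points at https://nvd.nist.gov/products/cpe/search for this check, so the commit message should state that the vendor was verified there rather than derived from the package name.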
-- 
1.9.1


* [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults
  2018-03-01  5:23 ` [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults Matt Weber
@ 2018-03-01  9:17   ` Thomas Petazzoni
  2018-03-01 12:30     ` Matthew Weber
  0 siblings, 1 reply; 11+ messages in thread
From: Thomas Petazzoni @ 2018-03-01  9:17 UTC (permalink / raw)
  To: buildroot

Hello,

On Wed, 28 Feb 2018 23:23:35 -0600, Matt Weber wrote:
> Default to using the package name for the vendor
> and name as most CPE IDs seem to align with that
> assumption. Also use the pkg version as the CPE IDs
> initial version field.

Nits:

 - You're wrapping the lines too short. Funnily, the common mistake is
   to not wrap, or wrap too long. But here, you wrap too short. 72
   characters is the good length :)

 - Missing SoB.

> v2
> [Thomas P
>  - Created patch per suggestion to use infra
>    to cleanup common case in individual pkg
>    CPE_ID definition.

I'm surprised, because I thought the conclusion of our discussion was
that it was not desirable to have such default, because then we
couldn't make the difference between packages that have had their CPE
ID explicitly added/verified by someone, and packages that have their
CPE ID defined by default, and which may be incorrect.

Have you changed your mind about this ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
http://bootlin.com


* [Buildroot] [next, v2 4/8] cpe-info: infra defines CPE_ID_* defaults
  2018-03-01  9:17   ` Thomas Petazzoni
@ 2018-03-01 12:30     ` Matthew Weber
  0 siblings, 0 replies; 11+ messages in thread
From: Matthew Weber @ 2018-03-01 12:30 UTC (permalink / raw)
  To: buildroot

Thomas,

On Thu, Mar 1, 2018 at 3:17 AM, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Wed, 28 Feb 2018 23:23:35 -0600, Matt Weber wrote:
> > Default to using the package name for the vendor
> > and name as most CPE IDs seem to align with that
> > assumption. Also use the pkg version as the CPE IDs
> > initial version field.
>
> Nits:
>
>  - You're wrapping the lines too short. Funnily, the common mistake is
>    to not wrap, or wrap too long. But here, you wrap too short. 72
>    characters is the good length :)
>
>  - Missing SoB.

Noted.

>
> > v2
> > [Thomas P
> >  - Created patch per suggestion to use infra
> >    to cleanup common case in individual pkg
> >    CPE_ID definition.
>
> I'm surprised, because I thought the conclusion of our discussion was
> that it was not desirable to have such default, because then we
> couldn't make the difference between packages that have had their CPE
> ID explicitly added/verified by someone, and packages that have their
> CPE ID defined by default, and which may be incorrect.
>

I took your suggestion and made one change. I use the _CPE_ID_VENDOR
as my criterion to note a CPE should be considered (default or custom)
for reporting. So if it isn't explicitly defined, I default to unknown
in my report. This is clunky now but eventually we could go through
and remove all the _CPE_ID_VENDOR = $(pkg_NAME) entries.

I should have commented on it in the commit description and change
log.  I'll make note for v3.

Example of a basic target config.  Util-linux shows the double CPE, pv
is the nothing defined and the rest are a combination of vendor as
name and/or specified.  Should I add an example in the manual of the
output?  I need to look how detailed the manual is for legal
reporting.
https://pastebin.com/XuJrXRat

Matt

