* [Buildroot] [RFC v9 01/10] cpe-info: new make target
@ 2020-06-16 17:03 Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
                   ` (10 more replies)
  0 siblings, 11 replies; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

Similar to make legal-info, produce a CSV-delimited file containing
all selected packages' CPE identification.

By default, support the pkg infra defining a set of CPE_ID_* defaults
using the package name for the vendor and name as most CPE IDs seem
to align with that assumption. Plus initially, use the pkg version as
the CPE ID's version field.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v9
 - Rebase

v8
 - Removed CVE patched list as this isn't implemented.

v4 -> v7
 - No change

v3
[Thomas P
 - Merged infra define CPE_ID_*  into this patch
 - Report all packages vs restricting to just allowing based on if
   the VENDOR was set (v2). This now represents Thomas P's original
   idea to report everything.  At first I felt I should restrict
   the reporting to those CPE IDs we had made sure were correct.
   Turns out we should have actually let the script handle fixing
   the CPEs and just make a complete design of this up front.

[Matt
 - Moved to using the _project on all vendors instead of just name

v2
[Thomas P
 - Moved comment on conditionals back to this patchset where
   the conditional is created vs later
---
 Makefile               | 17 ++++++++++++++++-
 package/pkg-generic.mk | 13 +++++++++++++
 package/pkg-utils.mk   |  8 ++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ce1c08a6f6..3dcc47efa8 100644
--- a/Makefile
+++ b/Makefile
@@ -135,7 +135,7 @@ nobuild_targets := source %-source \
 	clean distclean help show-targets graph-depends \
 	%-graph-depends %-show-depends %-show-version \
 	graph-build graph-size list-defconfigs \
-	savedefconfig update-defconfig printvars
+	savedefconfig update-defconfig printvars cpe-info %-cpe-info
 ifeq ($(MAKECMDGOALS),)
 BR_BUILDING = y
 else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),)
@@ -222,6 +222,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv
 LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv
 LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings
 LEGAL_REPORT = $(LEGAL_INFO_DIR)/README
+CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv
 
 BR2_CONFIG = $(CONFIG_DIR)/.config
 
@@ -864,6 +865,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
 		mv .legal-info.sha256 legal-info.sha256)
 	@echo "Legal info produced in $(LEGAL_INFO_DIR)"
 
+.PHONY: cpe-info-clean
+cpe-info-clean:
+	@rm -f $(CPE_MANIFEST_CSV)
+
+.PHONY: cpe-info-prepare
+cpe-info-prepare:
+	@$(call MESSAGE,"Gathering CPE info")
+	@$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
+
+.PHONY: cpe-info
+cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
+	@echo "CPE info produced in $(CPE_MANIFEST_CSV)"
+
 .PHONY: show-targets
 show-targets:
 	@echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS))
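Review bot: the header row written by cpe-info-prepare has five columns (CPE ID, CVE PATCHED, PACKAGE, VERSION, SOURCE SITE) while cpe-manifest takes four arguments and every per-package row has four fields, so the CVE PATCHED column (dropped in v8 per the changelog) is silently discarded and the remaining headers line up with the wrong data. Pass `CPE ID,PACKAGE,VERSION,SOURCE SITE` instead. Also, cpe-info lists cpe-info-clean, cpe-info-prepare and the per-package targets as sibling prerequisites with no ordering between them, so under a parallel top-level make a package row can be appended before the clean or the header step runs; make cpe-info-prepare depend on cpe-info-clean and have each $(p)-cpe-info depend on cpe-info-prepare.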
@@ -1145,6 +1159,7 @@ help:
 	@echo '  legal-info             - generate info about license compliance'
 	@echo '  show-info              - generate info about packages, as a JSON blurb'
 	@echo '  printvars              - dump internal variables selected with VARS=...'
+	@echo '  cpe-info               - generate info about security CPE identification'
 	@echo
 	@echo '  make V=0|1             - 0 => quiet build (default), 1 => verbose build'
 	@echo '  make O=dir             - Locate all output files in "dir", including .config'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index f9385177ac..1408845613 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -971,6 +971,18 @@ else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
 
+$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
+$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
+$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+
+$(1)-cpe-info: PKG=$(2)
+$(1)-cpe-info:
+ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+	@$$(call MESSAGE,"Collecting cpe info")
+	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
 $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
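Review bot: the commit message says the vendor defaults to the package name, but `$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project` defaults it to `<name>_project`; update one of the two. Two further points on the defaults: `$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)` takes the version string verbatim, so a package pinned to a git commit hash emits an ID that can never match a dictionary entry and should probably be reported as unknown rather than as a CPE; and within this patch the value handed to cpe-manifest is only `vendor:name:version`, not a `cpe:2.3:` formatted string, so the manifest is not valid CPE 2.3 until the prefix/suffix patch is applied. Either squash the two or say so in the commit message so a bisect does not land on a target that produces malformed output.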
@@ -1116,6 +1128,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-system-dependency,$$($(2)_SOURCE))
 	$(1)-clean-for-reconfigure \
 	$(1)-clean-for-reinstall \
 	$(1)-configure \
+	$(1)-cpe-info \
 	$(1)-depends \
 	$(1)-dirclean \
 	$(1)-external-deps \
diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
index d88a14ab0f..9818eda12d 100644
--- a/package/pkg-utils.mk
+++ b/package/pkg-utils.mk
@@ -223,3 +223,11 @@ legal-deps = \
         $(filter-out $(if $(1:host-%=),host-%),\
             $(call non-virtual-deps,\
                 $($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)])
+
+#
+# cpe-info helper functions
+#
+
+define cpe-manifest # cpe, pkg name, version, url
+	echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV)
+endef
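Review bot: cpe-manifest wraps each field in double quotes but never escapes a `"` or `,` that appears inside a value, so a source site URL or version string containing either produces an unparseable row; since this file is meant to be consumed by a report script, at least double embedded quotes (or emit the row with a small helper that does the escaping). The define also consumes only four parameters while cpe-info-prepare passes five, and make drops the extra silently; documenting the arity in the comment and writing the header from a separate variable rather than a positional call would make that mismatch visible.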
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-21  9:23   ` Yann E. MORIN
  2020-06-25 11:04   ` Thomas Petazzoni
  2020-06-16 17:03 ` [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs Matt Weber
                   ` (9 subsequent siblings)
  10 siblings, 2 replies; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

There are two types of CPE prefixes applicable for software,
one for applications and one for operating systems.
Note: The third type is for hardware.

This patchset determines which should be used and stores that
information with the package for later use when assembling the CPE
report.

Refs:
   https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
   https://cpe.mitre.org/specification/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Rebase

v4 -> v7
 - None

v3
[Arnout
 - Moved CPE prefix and suffix defines to package/Makefile.in

v1 -> v2
[Thomas P
 - Change to using a filter on pkg name value vs ifelse
---
 package/Makefile.in    | 4 ++++
 package/pkg-generic.mk | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/package/Makefile.in b/package/Makefile.in
index 51f5cbce4f..c6a21276a2 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -373,6 +373,10 @@ TARGET_CONFIGURE_ARGS = \
 
 ################################################################################
 
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
 ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
 NLS_OPTS = --enable-nls
 TARGET_NLS_DEPENDENCIES = host-gettext
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 1408845613..7d892ca1d6 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
 $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
 $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
 
+ifneq ($(filter linux linux-headers,$(1)),)
+$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
-	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 
 # legal-info: declare dependencies and set values used later for the manifest
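Review bot: selecting the `o` part for linux and linux-headers only yields a usable ID if vendor and product are overridden as well: NVD names the kernel `cpe:2.3:o:linux:linux_kernel:<version>:...`, whereas the defaults from the previous patch produce `linux_project:linux`. The filter also makes linux-headers emit a second operating-system row carrying the headers version, which double-counts the kernel and reports the wrong version whenever the headers do not match the kernel actually built. Setting LINUX_CPE_ID_VENDOR/NAME in linux.mk and excluding linux-headers (or leaving it as an application) would avoid both.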
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-21  8:56   ` Yann E. MORIN
  2020-06-16 17:03 ` [Buildroot] [RFC v9 04/10] cpe-info: cpe minor version support Matt Weber
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

The reporting of host packages causes some duplication and complicates
what is really in the targets configuration. For the purpose of the
first version of this patchset, it's assumed that host packages aren't
relevant for the configuration and we only report the target's
contents.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v4 -> v8
 - None

v3
 - Fixed host build error because cpe-info wasn't defined

v1 -> v2
[Thomas P
 - select if target vs selecting not host
---
 package/pkg-generic.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 7d892ca1d6..efdde0ad94 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -984,10 +984,12 @@ endif
 
 $(1)-cpe-info: PKG=$(2)
 $(1)-cpe-info:
+ifeq ($$($(2)_TYPE),target)
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
 	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
 endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
+endif # ifeq ($$($(2)_TYPE),target)
 
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
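Review bot: the `$(2)_TYPE` test is evaluated at eval time, so host packages still get a `$(1)-cpe-info` rule, only with an empty recipe, and the top-level `$(foreach p,$(PACKAGES),$(p)-cpe-info)` still invokes each of them as a no-op. Filtering `host-%` out of that foreach in the Makefile would be cheaper and would keep the per-package rule uniform; it also makes the "only target packages" policy visible in one place rather than buried in the infra.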
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 04/10] cpe-info: cpe minor version support
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support Matt Weber
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

Minor versions are used to allow -rc, - and other variants of
representing a sub-release in the CPE dictionary.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
- New support to allow rc, -, and p# minor versions as the CPE dict
  currently uses these on a number of packages.
---
 package/Makefile.in    | 2 +-
 package/pkg-generic.mk | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/package/Makefile.in b/package/Makefile.in
index c6a21276a2..f66f7041ee 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -375,7 +375,7 @@ TARGET_CONFIGURE_ARGS = \
 
 CPE_PREFIX_OS = cpe:2.3:o
 CPE_PREFIX_APP = cpe:2.3:a
-CPE_SUFFIX = *:*:*:*:*:*:*
+CPE_SUFFIX = *:*:*:*:*:*
 
 ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
 NLS_OPTS = --enable-nls
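Review bot: the wildcard count is now coupled to the number of fields in `$(2)_CPE_ID` (one star moved out of the suffix because `update` is supplied by the ID, six remain for edition through other) and nothing checks that the assembled string has the 13 colon-separated components of a CPE 2.3 formatted string; a package that overrides `$(2)_CPE_ID` with the earlier three-field form silently produces a 12-field ID. A comment on CPE_SUFFIX naming the components it covers, plus a field-count check in the report script, would catch that.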
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index efdde0ad94..3bc9567652 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -974,7 +974,8 @@ endif
 $(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
 $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
 $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
-$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+$(2)_CPE_ID_VERSION_MINOR ?= *
+$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR)
 
 ifneq ($(filter linux linux-headers,$(1)),)
 $(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
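Review bot: what this variable carries is the CPE 2.3 `update` component (NISTIR 7695 calls it update; NVD uses it for values such as `p1` in `cpe:2.3:a:openbsd:openssh:8.2:p1:...`), not a minor version, which in CPE terms is part of `version`. Naming it `$(2)_CPE_ID_VERSION_MINOR` will lead packagers to put the `.1` of `1.2.1` here; `$(2)_CPE_ID_UPDATE` matches the spec and the NVD search form.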
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread
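As an added example (not part of this series or of Buildroot), the assembly done by patches 02 and 04 written out in Python: the part prefix, the `vendor:product:version:update` ID and the wildcard suffix are joined the same way, a splitter respects the backslash escapes CPE 2.3 allows inside a value (which a plain split on `:` does not), and a parser checks that the result has the 13 colon-separated components of a formatted string. The vendor/product values used for illustration (gnu/glibc, openbsd/openssh, linux/linux_kernel) are the ones NVD uses; nothing here is taken from the patch code itself.

```python
# Added example, not Buildroot code: build and check CPE 2.3 formatted
# strings the way the cpe-info patches do (part prefix + vendor:product:
# version:update + wildcard suffix), following NISTIR 7695 section 6.2.

# Named components that follow the "cpe:2.3" header, in spec order.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# Same values as the make variables in the patches (state after patch 04).
CPE_PREFIX_OS = "cpe:2.3:o"
CPE_PREFIX_APP = "cpe:2.3:a"
CPE_SUFFIX = ":".join(["*"] * 6)   # edition .. other


def split_cpe23(cpe):
    """Split on ':' but keep '\\:' (an escaped colon inside a value) as data."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escape sequence: copy both chars
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def make_cpe23(vendor, product, version, update="*", is_os=False):
    """Mirror $(2)_CPE_PREFIX:$(2)_CPE_ID:$(CPE_SUFFIX) from the patches."""
    prefix = CPE_PREFIX_OS if is_os else CPE_PREFIX_APP
    cpe_id = ":".join((vendor, product, version, update))
    return f"{prefix}:{cpe_id}:{CPE_SUFFIX}"


def parse_cpe23(cpe):
    """Return the named components, or raise ValueError if malformed."""
    parts = split_cpe23(cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"expected 13 fields, got {len(parts)}: {cpe}")
    fields = dict(zip(CPE23_FIELDS, parts[2:]))
    if fields["part"] not in ("a", "o", "h"):
        raise ValueError(f"unknown part {fields['part']!r} in {cpe}")
    return fields


def cpe_no_version(cpe):
    """Key for a version-agnostic ('partial') lookup: cpe:2.3:part:vendor:product."""
    return ":".join(split_cpe23(cpe)[:5])


if __name__ == "__main__":
    for cpe in (make_cpe23("gnu", "glibc", "2.31"),
                make_cpe23("openbsd", "openssh", "8.2", "p1"),
                make_cpe23("linux", "linux_kernel", "5.4", is_os=True)):
        print(cpe, parse_cpe23(cpe)["part"], cpe_no_version(cpe))
```

Feeding parse_cpe23 a string built with the pre-patch-04 seven-star suffix plus an explicit update raises ValueError with a field count of 14, which is the mismatch a report script would want to reject rather than pass on to NVD.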

* [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (2 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 04/10] cpe-info: cpe minor version support Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-25 11:09   ` Thomas Petazzoni
  2020-06-16 17:03 ` [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars Matt Weber
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

From: Shruthi Singh <shruthi.singh@rockwellcollins.com>

This commit adds the correct CPE string for glibc, describing CPE ID,
VERSION, PACKAGE NAME and URL.

Signed-off-by: Shruthi Singh <shruthi.singh@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - No change

v7
 - New
---
 package/pkg-generic.mk                             | 14 ++++++++++++++
 .../toolchain-external/pkg-toolchain-external.mk   |  7 +++++++
 2 files changed, 21 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 3bc9567652..21e510365e 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -984,8 +984,22 @@ $(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
 endif
 
 $(1)-cpe-info: PKG=$(2)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
+$(1)-cpe-info: toolchain
+endif
 $(1)-cpe-info:
 ifeq ($$($(2)_TYPE),target)
+ifneq ($$($(2)_NAME),toolchain-external)
+ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
+	$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
+	$$(eval $(2)_CPE_ID_VENDOR = gnu)
+	$$(eval $(2)_CPE_ID_NAME = glibc)
+	$$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
+	$$(eval $(2)_RAWNAME = glibc)
+endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)
+endif # ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
+endif # ifneq ($$($(2)_NAME),toolchain-external)
 ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
 	@$$(call MESSAGE,"Collecting cpe info")
 	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
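Review bot: the closing comment `endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)` does not match the opening `ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)`. More importantly, the glibc row is still gated by `ifneq ($$(call qstrip,$$($(2)_SOURCE)),)`, and an external toolchain supplied as a pre-installed path has no `_SOURCE`, so exactly the custom-toolchain case this override is written for produces no glibc entry. The `$$(eval ...)` lines in the recipe also overwrite the toolchain package's global `$(2)_VERSION` and `$(2)_RAWNAME` at run time, which any later target in the same make invocation will see; compute the glibc values into dedicated variables instead. Finally, `https://github.com/bminor/glibc/releases` is an unofficial mirror; a security manifest's source site should point at the upstream release location.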
diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
index 6d91cb5d1e..14065345d7 100644
--- a/toolchain/toolchain-external/pkg-toolchain-external.mk
+++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
@@ -453,6 +453,13 @@ define TOOLCHAIN_EXTERNAL_INSTALL_SYSROOT_LIBS
 	$(call copy_toolchain_sysroot,$${SYSROOT_DIR},$${ARCH_SYSROOT_DIR},$${ARCH_SUBDIR},$${ARCH_LIB_DIR},$${SUPPORT_LIB_DIR})
 endef
 
+define TOOLCHAIN_CPE_INFO
+	ARCH_SYSROOT_DIR="$(call toolchain_find_sysroot,$(TOOLCHAIN_EXTERNAL_CC) $(TOOLCHAIN_EXTERNAL_CFLAGS))" ; \
+	MAJ=`awk '{ if ($$1 = /#define/ && ($$2= /__GLIBC__/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+	MIN=`awk '{ if ($$1 = /#define/ && ($$2 = /_GLIBC_MINOR/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \
+	echo $${MAJ}.$${MIN}
+endef
+
 # Create a symlink from (usr/)$(ARCH_LIB_DIR) to lib.
 # Note: the skeleton package additionally creates lib32->lib or lib64->lib
 # (as appropriate)
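Review bot: the awk conditions use `=` (assignment) where `==` or `~` is intended: `$$1 = /#define/ && ($$2= /__GLIBC__/)` assigns the match result to a field and tests the assigned value, so it only works on features.h by accident and rewrites $0 in the process. Compare the fields directly and match the full macro name so `__GLIBC_MINOR__` cannot be confused with `__GLIBC__`:
MAJ=`awk '$$1 == "#define" && $$2 == "__GLIBC__" { print $$3 }' $${ARCH_SYSROOT_DIR}/usr/include/features.h`
MIN=`awk '$$1 == "#define" && $$2 == "__GLIBC_MINOR__" { print $$3 }' $${ARCH_SYSROOT_DIR}/usr/include/features.h`
Also fail explicitly when features.h is missing or either value is empty, rather than emitting `.` as the glibc version.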
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (3 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-25 11:12   ` Thomas Petazzoni
  2020-06-16 17:03 ` [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper Matt Weber
                   ` (5 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

Provide guidance on setting up the *_CPE_* and *_CVE_* variables.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v9

 - Rebase

v8
 - Added note about minor version
 - Removed CVE patch listing as the backend has not been implemented
    (LIBFOO_CVE_PATCHED)

v4 -> v7
 - None

v3
 - Updated to make *_CPE_VENDOR optional
 - Changed wording around _CPE_ID as there is only one defined now

v2
[Thomas P
 - Reworded LIBFOO_CVE_PATCHED description

[Matt W
 - Added definition for new preset variables to auto-gen the CPE ID
 - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
---
 docs/manual/adding-packages-generic.txt | 111 +++++++++++++++---------
 1 file changed, 68 insertions(+), 43 deletions(-)

diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
index b8bfcb4aff..94b2313600 100644
--- a/docs/manual/adding-packages-generic.txt
+++ b/docs/manual/adding-packages-generic.txt
@@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell scripts.
 09: LIBFOO_SITE = http://www.foosoftware.org/download
 10: LIBFOO_LICENSE = GPL-3.0+
 11: LIBFOO_LICENSE_FILES = COPYING
-12: LIBFOO_INSTALL_STAGING = YES
-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
-15:
-16: define LIBFOO_BUILD_CMDS
-17:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
-18: endef
-19:
-20: define LIBFOO_INSTALL_STAGING_CMDS
-21:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
-22:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
-23:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
-24: endef
-25:
-26: define LIBFOO_INSTALL_TARGET_CMDS
-27:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
-28:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
-29: endef
-30:
-31: define LIBFOO_USERS
-32:	foo -1 libfoo -1 * - - - LibFoo daemon
-33: endef
-34:
-35: define LIBFOO_DEVICES
-36:	/dev/foo  c  666  0  0	42  0  -  -  -
-37: endef
-38:
-39: define LIBFOO_PERMISSIONS
-40:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
-41: endef
-42:
-43: $(eval $(generic-package))
+12: LIBFOO_CPE_ID_VENDOR = foosoftware
+13: LIBFOO_INSTALL_STAGING = YES
+14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
+15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
+16:
+17: define LIBFOO_BUILD_CMDS
+18:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
+19: endef
+20:
+21: define LIBFOO_INSTALL_STAGING_CMDS
+22:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
+23:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
+24:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
+25: endef
+26:
+27: define LIBFOO_INSTALL_TARGET_CMDS
+28:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
+29:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
+30: endef
+31:
+32: define LIBFOO_USERS
+33:	foo -1 libfoo -1 * - - - LibFoo daemon
+34: endef
+35:
+36: define LIBFOO_DEVICES
+37:	/dev/foo  c  666  0  0	42  0  -  -  -
+38: endef
+39:
+40: define LIBFOO_PERMISSIONS
+41:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
+42: endef
+43:
+44: $(eval $(generic-package))
 --------------------------------
 
-The Makefile begins on line 7 to 11 with metadata information: the
+The Makefile begins on line 7 to 12 with metadata information: the
 version of the package (+LIBFOO_VERSION+), the name of the
 tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)
 the Internet location at which the tarball can be downloaded from
-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
-license text (+LIBFOO_LICENSE_FILES+). All variables must start with
+(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
+analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
 the same prefix, +LIBFOO_+ in this case. This prefix is always the
 uppercased version of the package name (see below to understand where
 the package name is defined).
 
-On line 12, we specify that this package wants to install something to
+On line 13, we specify that this package wants to install something to
 the staging space. This is often needed for libraries, since they must
 install header files and other development files in the staging space.
 This will ensure that the commands listed in the
 +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
 
-On line 13, we specify that there is some fixing to be done to some
+On line 14, we specify that there is some fixing to be done to some
 of the 'libfoo-config' files that were installed during
 +LIBFOO_INSTALL_STAGING_CMDS+ phase.
 These *-config files are executable shell script files that are
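Review bot: the added line `license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability` misspells vulnerability. The example now sets `LIBFOO_CPE_ID_VENDOR = foosoftware` but the text never says what that value is matched against; a short pointer that it is the vendor field of the package's NVD CPE entry would help a reader meeting CPE for the first time.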
@@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
 --------------------------------
 ================================
 
-On line 14, we specify the list of dependencies this package relies
+On line 15, we specify the list of dependencies this package relies
 on. These dependencies are listed in terms of lower-case package names,
 which can be packages for the target (without the +host-+
 prefix) or packages for the host (with the +host-+) prefix).
 Buildroot will ensure that all these packages are built and installed
 'before' the current package starts its configuration.
 
-The rest of the Makefile, lines 16..29, defines what should be done
+The rest of the Makefile, lines 17..29, defines what should be done
 at the different steps of the package configuration, compilation and
 installation.
 +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
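Review bot: `lines 17..29` should read `17..30`: after the inserted line, `LIBFOO_BUILD_CMDS` starts on line 17 and `LIBFOO_INSTALL_TARGET_CMDS` ends on line 30 (it ended on 29 before the shift, so the upper bound needs the same +1 as the lower one).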
@@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
 contains the directory where the source code of the package has been
 extracted.
 
-On lines 31..33, we define a user that is used by this package (e.g.
+On lines 31..44, we define a user that is used by this package (e.g.
 to run a daemon as non-root) (+LIBFOO_USERS+).
 
-On line 35..37, we define a device-node file used by this package
+On line 36..38, we define a device-node file used by this package
 (+LIBFOO_DEVICES+).
 
-On line 39..41, we define the permissions to set to specific files
+On line 40..42, we define the permissions to set to specific files
 installed by this package (+LIBFOO_PERMISSIONS+).
 
-Finally, on line 43, we call the +generic-package+ function, which
+Finally, on line 44, we call the +generic-package+ function, which
 generates, according to the variables defined previously, all the
 Makefile code necessary to make your package working.
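Review bot: `On lines 31..44, we define a user` is wrong: `LIBFOO_USERS` now occupies lines 32..34, and line 44 is the `$(eval $(generic-package))` call. The neighbouring renumberings (36..38, 40..42, 44) are correct.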
 
@@ -502,6 +504,29 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
 LIBFOO_IGNORE_CVES += CVE-2020-54321
 ----------------------
 
+* +LIBFOO_CPE_ID_VENDOR+
+  This variable is optional. It only must be defined if the package name
+  does not match what the CPE ID uses for the vendor. By default it's set
+  to <pkg-name>_project.
+
+* +LIBFOO_CPE_ID_NAME+
+  This variable is optional. It only must be defined if the package name
+  does not match what the CPE ID uses for the name. By default it's set
+  to <pkg-name>.
+
+* +LIBFOO_CPE_ID_VERSION+
+  This variable is optional. By default it's set to <pkg-version>.
+
+* +LIBFOO_CPE_ID_VERSION_MINOR+
+  This variable is optional. By default it's set to *.
+
+* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
+  default case of a single package's Common Product Enumeration (CPE)
+  identification string. +make cpe-info+ copies all of these into a
+  +cpe-manifest.csv+ file. To identify a package's possible CPE,
+  the National Vunerability Database can be searched at
+  https://nvd.nist.gov/products/cpe/search.
+
 The recommended way to define these variables is to use the following
 syntax:
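Review bot: CPE stands for Common Platform Enumeration, not Common Product Enumeration; `hangles` and `Vunerability` are also misspelled. Two content gaps in the new variable descriptions: the `LIBFOO_CPE_ID` entry should state that an override must be the four fields `vendor:product:version:update`, because the infrastructure prepends `cpe:2.3:<part>:` and appends the remaining wildcards, and `LIBFOO_CPE_ID_VERSION_MINOR` should be described as the CPE `update` component (for example `p1` in openssh `8.2:p1`) rather than only as optional with a `*` default, otherwise packagers will put a real minor version number there.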
 
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (4 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-25 11:14   ` Thomas Petazzoni
  2020-06-16 17:03 ` [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script Matt Weber
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC (permalink / raw)
  To: buildroot

Python class which consumes a NIST CPE XML and provides helper
functions to access and search the db's data.

 - Defines the CPE as an object with operations / formats
 - Processing of CPE dictionary

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---

v8
 - Added support for generation of update xml to maintain the
   NIST dictionary for any Buildroot package version bumps
 - Dropped searching of the Config.in files for URLs, instead
   assuming the first time a package is added to NIST, the xml is
   manually filled out with reference urls.  Any updates to versions
   after that will use the proposed autogen xml that mines the URLS
   from the NIST dict file.
 - Caching support for a processed dictionary to speed up subsequent
   runs when testing, as a db doesn't update more than once a day

v5 -> v7
 - No change

v5
[Ricardo
 - Fixed typo in join/split of cpe str without version
 - Removed extra prints as they aren't needed when we have the
   output reports/stdout
 - Updated v4 comments about general flake formatting cleanup
 - Incorporated parts of patch 1/2 suggestions for optimizations

[Arnout
 - added pre-processing of cpe values into two sets, one with
   and one without version
 - Collectively with Ricardo, decided to move cpe class to this
   separate script

v1 -> v4
 - No version
---
 support/scripts/cpedb.py | 185 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100644 support/scripts/cpedb.py

diff --git a/support/scripts/cpedb.py b/support/scripts/cpedb.py
new file mode 100644
index 0000000000..0369536f6f
--- /dev/null
+++ b/support/scripts/cpedb.py
@@ -0,0 +1,185 @@
+import sys
+import urllib2
+from collections import OrderedDict
+import xmltodict
+import gzip
+from StringIO import StringIO
+import os
+import pickle
+
+VALID_REFS = ['VENDOR', 'VERSION', 'CHANGE_LOG', 'PRODUCT', 'PROJECT', 'ADVISORY']
+
+
+class CPE:
+    cpe_str = None
+    cpe_str_short = None
+    cpe_desc = None
+    cpe_cur_ver = None
+    titles = {}
+    references = {}
+
+    def __init__(self, cpe_str, titles=None, refs=None):
+        self.cpe_str = cpe_str
+        self.cpe_str_short = ":".join(self.cpe_str.split(":")[:6])
+        self.titles = titles
+        self.references = refs
+        self.cpe_cur_ver = "".join(self.cpe_str.split(":")[5:6])
+
+    def to_dict(self, cpe_str):
+        cpe_short_name = ":".join(cpe_str.split(":")[2:6])
+        cpe_new_ver = "".join(cpe_str.split(":")[5:6])
+        self.titles[0]['#text'] = self.titles[0]['#text'].replace(self.cpe_cur_ver, cpe_new_ver)
+        cpe_dict = OrderedDict([
+            ('cpe-item', OrderedDict([
+                ('@name', 'cpe:/' + cpe_short_name),
+                ('title', self.titles),
+                ('references', OrderedDict([('reference', self.references)])),
+                ('cpe-23:cpe23-item', OrderedDict([
+                        ('@name', cpe_str)
+                ]))
+            ]))
+        ])
+        return cpe_dict
+
+
+class CPEDB:
+    all_cpes = dict()
+    all_cpes_no_version = dict()
+
+    def get_xml_dict(self, url):
+        print("CPE: Setting up NIST dictionary")
+        # Setup location to save dict and xmls, if it exists, assume we're
+        # reusing the previous dict
+        if not os.path.exists("cpe"):
+            os.makedirs("cpe")
+            self.get_new_xml_dict(url)
+        else:
+            print("CPE: Loading CACHED dictionary")
+            cpe_file = open('cpe/.all_cpes.pkl', 'rb')
+            self.all_cpes = pickle.load(cpe_file)
+            cpe_file.close()
+            cpe_file = open('cpe/.all_cpes_no_version.pkl', 'rb')
+            self.all_cpes_no_version = pickle.load(cpe_file)
+            cpe_file.close()
+
+    def get_new_xml_dict(self, url):
+        print("CPE: Fetching xml manifest from [" + url + "]")
+        try:
+            compressed_cpe_file = urllib2.urlopen(url)
+            print("CPE: Unzipping xml manifest...")
+            nist_cpe_file = gzip.GzipFile(fileobj=StringIO(compressed_cpe_file.read())).read()
+            print("CPE: Converting xml manifest to dict...")
+            all_cpedb = xmltodict.parse(nist_cpe_file)
+
+            # Cycle through the dict and build two dict to be used for custom
+            # lookups of partial and complete CPE objects
+            # The objects are then used to create new proposed XML updates if
+            # if is determined one is required
+            for cpe in all_cpedb['cpe-list']['cpe-item']:
+                cpe_titles = cpe['title']
+                # There maybe multiple titles or one.  Make sure this is
+                # always a list
+                if not isinstance(cpe_titles, (list,)):
+                    cpe_titles = [cpe_titles]
+                # Out of the different language titles, select English
+                for title in cpe_titles:
+                    if title['@xml:lang'] is 'en-US':
+                        cpe_titles = [title]
+                # Some older CPE don't include references, if they do, make
+                # sure we handle the case of one ref needing to be packed
+                # in a list
+                if 'references' in cpe:
+                    cpe_ref = cpe['references']['reference']
+                    if not isinstance(cpe_ref, (list,)):
+                        cpe_ref = [cpe_ref]
+                    # The reference text has not been consistantly upper case
+                    # in the NIST dict but they now require it.  So force upper
+                    # and then check for compliance to a specific tagging
+                    for ref_href in cpe_ref:
+                        ref_href['#text'] = ref_href['#text'].upper()
+                        if ref_href['#text'] not in VALID_REFS:
+                            ref_href['#text'] = ref_href['#text'] + "-- UPDATE this entry, here are some exmaples and just one word should be used -- " + ' '.join(VALID_REFS)
+                cpe_str = cpe['cpe-23:cpe23-item']['@name']
+                item = CPE(cpe_str, cpe_titles, cpe_ref)
+                cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+                # This dict must have a unique key for every CPE version
+                # which allows matching to the specific obj data of that
+                # NIST dict entry
+                self.all_cpes.update({cpe_str: item})
+                # This dict has one entry for every CPE (w/o version) to allow
+                # partial match (no valid version) check (the obj is saved and
+                # used as seed for suggested xml updates. By updating the same
+                # non-version'd entry, it assumes the last update here is the
+                # latest version in the NIST dict)
+                self.all_cpes_no_version.update({cpe_str_no_version: item})
+
+        except urllib2.HTTPError:
+            print("CPE: HTTP Error: %s" % url)
+            sys.exit(1)
+        except urllib2.URLError:
+            print("CPE: URL Error: %s" % url)
+            sys.exit(1)
+
+        print("CPE: Caching dictionary")
+        cpes_file = open('cpe/.all_cpes.pkl', 'wb')
+        pickle.dump(self.all_cpes, cpes_file)
+        cpes_file.close()
+        cpes_file = open('cpe/.all_cpes_no_version.pkl', 'wb')
+        pickle.dump(self.all_cpes_no_version, cpes_file)
+        cpes_file.close()
+
+    def find_partial(self, cpe_str):
+        cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+        if cpe_str_no_version in self.all_cpes_no_version:
+            return cpe_str_no_version
+
+    def find_partial_obj(self, cpe_str):
+        cpe_str_no_version = self.get_cpe_no_version(cpe_str)
+        if cpe_str_no_version in self.all_cpes_no_version:
+            return self.all_cpes_no_version[cpe_str_no_version]
+
+    def find_partial_latest_version(self, cpe_str_partial):
+        cpe_obj = self.find_partial_obj(cpe_str_partial)
+        return cpe_obj.cpe_cur_ver
+
+    def find(self, cpe_str):
+        if self.find_partial(cpe_str):
+            if cpe_str in self.all_cpes:
+                return cpe_str
+
+    def update(self, cpe_str):
+        to_update = self.find_partial_obj(cpe_str)
+        xml = self.__gen_xml__(to_update.to_dict(cpe_str))
+        fp = open(os.path.join('cpe', self.get_cpe_name(cpe_str) + '-' + self.get_cpe_version(cpe_str) + '.xml'), 'w+')
+        fp.write(xmltodict.unparse(xml, pretty=True))
+        fp.close()
+
+    def get_nvd_url(self, cpe_str):
+        return "https://nvd.nist.gov/products/cpe/search/results?keyword=" + \
+                urllib2.quote(cpe_str) + \
+                "&status=FINAL&orderBy=CPEURI&namingFormat=2.3"
+
+    def get_cpe_no_version(self, cpe):
+        return ":".join(cpe.split(":")[:5])
+
+    def get_cpe_name(self, cpe_str):
+        return "".join(cpe_str.split(":")[4])
+
+    def get_cpe_version(self, cpe_str):
+        return "".join(cpe_str.split(":")[5])
+
+    def __gen_xml__(self, cpe_list):
+        list_header = {
+            "cpe-list": {
+                "@xmlns:config": "http://scap.nist.gov/schema/configuration/0.1",
+                "@xmlns": "http://cpe.mitre.org/dictionary/2.0",
+                "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
+                "@xmlnsscap-core": "http://scap.nist.gov/schema/scap-core/0.3",
+                "@xmlns:cpe-23": "http://scap.nist.gov/schema/cpe-extension/2.3",
+                "@xmlns:ns6": "http://scap.nist.gov/schema/scap-core/0.1",
+                "@xmlns:meta": "http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2",
+                "@xsi:schemaLocation": "http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd"
+             }
+        }
+        list_header['cpe-list'].update(cpe_list)
+        return list_header
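Review bot: `cpe_ref` is only assigned inside the `if 'references' in cpe:` branch, but `item = CPE(cpe_str, cpe_titles, cpe_ref)` uses it for every entry, so the first dictionary entry without references raises NameError and any later one silently inherits the previous entry's reference list; initialise `cpe_ref = []` before the `if`. In `__gen_xml__` the key `"@xmlnsscap-core"` is missing its colon (`"@xmlns:scap-core"`), so the scap-core prefix is never declared in the generated XML. `find_partial_latest_version()` dereferences `cpe_obj.cpe_cur_ver` without checking that `find_partial_obj()` returned anything. Smaller points: `isinstance(cpe_ref, (list,))` can be `isinstance(cpe_ref, list)`, `"".join(cpe_str.split(":")[4])` is a no-op join around a single string, "exmaples" in the marker text, the pickle and `update()` writes assume a `cpe/` directory that nothing in this hunk creates, and the cpe23 name is split on every `:` although the formatted-string syntax allows an escaped `\:` inside a component.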
-- 
2.17.1


* [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (5 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-25 11:18   ` Thomas Petazzoni
  2020-06-16 17:03 ` [Buildroot] [RFC v9 09/10] docs/manual: new security management section Matt Weber
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC
  To: buildroot

The script supports looking up all the CPEs provided in a
make cpe-info csv file export from a target Buildroot build.
It checks the current version and suggests a CPE needs update
or possibly an initial submission is required to NIST.

Adds option to allow alternate locations for the dictionary
URL and caching of a processed dictionary to speed up execution.

Outputs a cpe/ folder with proposed xml generated from the
dictionary contents to propose updated versions to NIST.

For missing CPE matches, a cpe-report-missing.txt is created
by the script that can be used later to manually create proposed
new NIST dictionary entries.

Ref: NIST has a group email (cpe_dictionary at nist.gov) used to
receive these version update and new entry xml files.  They do
process the XML and provide feedback. In some cases they will
propose back something different where the vendor or version is
slightly different.

Limitations
 - Currently any use of non-number version identifiers isn't
   supported by NIST as they use ranges to determine impact
   of a CVE
 - Any Linux version from a non-upstream is also not supported
   without manually adjusting the information as the custom
   kernel will more than likely not match the upstream version
   used in the dictionary

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Updated to just output missing and needs version update
 - Optional processed dictionary caching support
 - Optional dictionary URL
 - Creation of a missing status file (cpe-report-missing.txt)
 - Adjusted index used in CSV for removal of CVE patched item

v5 -> v7
 - No change

v5
[Ricardo
 - Updated v4 comments about general flake formatting cleanup
 - Incorporated parts of patch 1/2 suggestions for optimizations

[Ricardo/Arnout
 - Collectively, decided to move cpe report analysis to this
   script and use a separate module cpedb class

[Arnout
 - Rename cpe_dict to instead be cpedb

v1 -> v4
 - Patch did not exist and was part of pkg-stats file
---
 support/scripts/cpe-report | 70 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100755 support/scripts/cpe-report

diff --git a/support/scripts/cpe-report b/support/scripts/cpe-report
new file mode 100755
index 0000000000..7242a372b2
--- /dev/null
+++ b/support/scripts/cpe-report
@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+
+import argparse
+import sys
+import csv
+from cpedb import CPEDB
+
+CPE_XML_URL = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz"
+
+
+def get_target_cpe_report(cpe_report_file, cpedb):
+    report_cpe_exact_match = ""
+    report_cpe_needing_update = ""
+    report_cpe_needing_update_list = ""
+    report_cpe_missing = ""
+
+    print("CPE: Checking for matches...")
+    try:
+        with open(cpe_report_file) as cpe_file:
+            cpe_list = csv.reader(cpe_file)
+            next(cpe_list)  # make cpe-info has a one line header
+            for cpe in cpe_list:
+                result = cpedb.find(cpe[0])
+                if not result:
+                    result = cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))
+                    if not result:
+                        report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3] + "\n"
+                    else:
+                        latest_version = cpedb.find_partial_latest_version(cpedb.get_cpe_no_version(cpe[0]))
+                        report_cpe_needing_update += cpe[0] + ", Latest Version Guess from Dict[" + latest_version + "]\n"
+                        report_cpe_needing_update_list += cpe[0] + "\n"
+                else:
+                    report_cpe_exact_match += cpe[0] + "\n"
+    except (OSError, IOError) as e:
+        print("CPE: report csv file (%s): %s" % (e.errno, e.strerror))
+        sys.exit(1)
+
+    print("CPE: Found but may REQUIRE an UPDATE:\n" + report_cpe_needing_update)
+    print("CPE: Not found:\n" + report_cpe_missing)
+
+    fp = open('cpe-report-missing.txt', 'w+')
+    fp.write(report_cpe_missing)
+    fp.close()
+
+    for cpe in report_cpe_needing_update_list.splitlines():
+        cpedb.update(cpe)
+    print("XML Generation Complete of NIST update files, see ./cpe/*")
+
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-c', dest='cpe_report', action='store', required=True,
+                        help='CPE Report generated by make cpe-info (csv format)')
+    parser.add_argument('-u', dest='url', action='store', required=False,
+                        help='(optional)URL to the NIST dict (official-cpe-dictionary_v2.3.xml.gz)')
+    return parser.parse_args()
+
+
+def __main__():
+    args = parse_args()
+    cpedb = CPEDB()
+    url = CPE_XML_URL
+    if args.url:
+        url = args.url
+    cpedb.get_xml_dict(url)
+    print("Performing Target CPE Report Analysis...")
+    get_target_cpe_report(args.cpe_report, cpedb)
+
+
+__main__()
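Review bot: `parse_args()` defines only `-c` and `-u`, while the commit message ("caching of a processed dictionary") and the manual in patch 09 describe caching as an optional argument; the cpedb hunk ("CPE: Caching dictionary") writes the pickle files unconditionally, so either add the option or reword both texts. Also in this hunk: `cpe[1]` and `cpe[3]` are indexed without checking the row length, so a short or trailing blank row in the manifest ends in an IndexError rather than a message naming the bad line; `next(cpe_list)` on an empty manifest raises an uncaught StopIteration; `cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))` strips the version twice because `find_partial()` already does it; and `#!/usr/bin/env python` leaves the interpreter ambiguous although `cpedb` imports `urllib2`. Style: `def __main__()` called at import time is unusual, the conventional `def main()` under `if __name__ == '__main__':` keeps the script importable, `fp = open('cpe-report-missing.txt', 'w+')` would be cleaner as a `with` block, and the `-u` help string is missing a space after "(optional)".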
-- 
2.17.1


* [Buildroot] [RFC v9 09/10] docs/manual: new security management section
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (6 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-16 17:03 ` [Buildroot] [RFC v9 10/10] packages: fixup of cpe info Matt Weber
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC
  To: buildroot

This changeset captures an initial discussion on the use of CPE
reporting within a target build.  It notes the reporting limitations
and provides actions a user could take to improve upon the current
report information.

There is also an example of how one might do CVE analysis using the
CPE report information.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Updated for cpe-report changes
 - Added notes on doing CVE searches and submissions

v7
 - New
---
 docs/manual/cpe-reporting.txt | 107 ++++++++++++++++++++++++++++++++++
 docs/manual/manual.txt        |   2 +
 2 files changed, 109 insertions(+)
 create mode 100644 docs/manual/cpe-reporting.txt

diff --git a/docs/manual/cpe-reporting.txt b/docs/manual/cpe-reporting.txt
new file mode 100644
index 0000000000..11da979345
--- /dev/null
+++ b/docs/manual/cpe-reporting.txt
@@ -0,0 +1,107 @@
+// -*- mode:doc; -*-
+// vim: set syntax=asciidoc:
+
+[[cpe-info]]
+
+== Security Vulnerability Management
+
+There are many different vulnerability databases (open/paid). This
+section documents the use of the National Vulnerability Database(NVD)
+provided by the National Institute of Standards and Technology (NIST).
+
+Within Buildroot, the intent is to provide good reporting of the build
+configuration's inventory of software. The vulnerability analysis is
+assumed to occur outside of the Buildroot environment (at this time).
+
+=== Common Platform Enumeration (CPE) Reporting
+
+Buildroot consists of a series of upstream packages.  Each of those
+packages may have a CPE definition used to map vulnerabilities to Common
+Vulnerabilities and Exposures (CVE). A single package CPE has many versions
+and each version may have a suite of CVEs associated.
+
+To make the gathering of the software inventory of CPE easier, Buildroot can
+collect for you all the CPE related to the configured defconfig. To produce
+this material, after you have configured Buildroot with +make menuconfig+,
++make xconfig+ or +make gconfig+, run:
+
+--------------------
+make cpe-info
+--------------------
+
+Buildroot then collects and writes the +$(TOPDIR)/cpe-manifest.csv+. This file
+can be used for manual inspection against a CVE database or provided to
+external tools which perform CVE inventory/analysis.
+
+*CPE Maintenance*
+
+To maintain these CPE strings for version changes against the NIST dictionary,
+the manifest can be further processed. First, navigate to your Buildroot
+directory and execute the script below. The script has some optional arguments
+for providing a alternate dictionary URL or caching a processed dictionary.
+
+--------------------
+support/scripts/cpe-report -c $(TOPDIR)/cpe-manifest.csv
+--------------------
+
+This script retrieves the NIST dictionary and classifies each CPE as either
+matched, requires version update or missing. Based on this analysis, the script
+automatically uses the NIST dictionary entries to produce a draft of XML which
+can be submitted to NIST to update a version of an entry in the dictionary. It
+is important to review the generated xml files in the cpe folder as they may
+need refined reference tags and adjustments to how the version is represented
+in the title.
+
+In the case of missing items, a +cpe-report-missing.txt+ report is output by
+the script and can be used as a starting point to manually create a xml file
+to submit. Note, some manual analysis using the NIST search engine (https://nvd.nist.gov/products/cpe/search)
+is suggested for these missing item as the Buildroot +CPE_ID_+ variables maybe
+slightly incorrect and cause the cpe-report script to catagorize the package
+as missing. If that is the case, a change can be made by adjusting the default
+CPE variables in the specific package's +.mk+. See xref:_infrastructure_for_packages_with_specific_build_systems[]
+discussion on the use of +LIBFOO_CPE_*+.
+If the package is truely missing, the package's Kconfig help material and .mk
+should provide most of the information to construct a new NIST submission.
+
+To submit a new entry or updated entry to NIST, create an request email to the
+cpe_dictionary at nist.gov recipient and attach a individual xml file per package
+being added/updated.  It is OK to have multiple version updates in a single
+file as long as they are all for the same package. For reference the guidance
+can be found on the NIST CPE site (https://nvd.nist.gov/products/cpe).
+
+*Limitations*
+
+Buildroot does not produce or accurately present some of the CPE material. Items
+such as any versions which are non-number/hash are not compliant with the CPE
+string specification and would require a manual analysis to update the CPE list
+before any external CVE analysis should occur. This is a similar situation for
+packages like the Linux kernel or U-Boot which may not have a version which
+directly maps to a CPE.
+
+There is an assumed default CPE string for each package which is auto-generated
+using existing package information. The output of +make cpe-info+ is based on
+this default information and the packages which have been individually tailored
+to match existing CPE strings. The Buildroot developers try to do their best to
+keep those declarative statements as accurate as possible, to the best of their
+knowledge. However, it is very well possible that those declarative statements
+are not all fully accurate nor exhaustive. Similar to legal-info, it is your
+responsibility to verify this information.
+
+=== Common Vulnerability and Exposures (CVE) Anaylsis
+The Common Vulnerabilities and Exposures (CVE) system provides a
+reference-method for publicly known information-security vulnerabilities and
+exposures. (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)
+
+Like previously stated, there are many tools and methods to perform this
+analysis. The most basic example is to do a manual CVE analysis by navigating
+to the NVD search engine (https://nvd.nist.gov/vuln/search) and using the CPE
+string identified in the first field of the +$(TOPDIR)/cpe-manifest.csv+.
+Here's an example for tcpdump.
+
+CPE ID: "cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*"
+
+Result: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Atcpdump%3Atcpdump%3A4.9.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*&search_type=all
+
+Beyond the manual search approach, the next step would be a more centralized
+shared database with multi-feed support (NVD+).  The cve-search project aims
+to offer that type of solution (https://github.com/cve-search/cve-search).
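Review bot: the text points readers at `+LIBFOO_CPE_*+`, but the variables packages actually set in patch 10 are `LIBFOO_CPE_ID_VENDOR`, `LIBFOO_CPE_ID_NAME` and `LIBFOO_CPE_ID_VERSION`, so it should read `+LIBFOO_CPE_ID_*+`; the `xref:_infrastructure_for_packages_with_specific_build_systems[]` target is also worth re-checking, since per-package `LIBFOO_*` variables are described in the generic package reference rather than in the specific-build-systems section. "The script has some optional arguments for providing a alternate dictionary URL or caching a processed dictionary" overstates `cpe-report`, whose only options in patch 08 are `-c` and `-u`. The CVE example searches for one exact versioned string; as the patch 08 commit message notes, NIST expresses CVE applicability through version ranges, so a sentence warning that a keyword search on a single version can miss range-based entries (and is only meaningful once that CPE exists in the dictionary) would save readers from a false negative. Spelling and grammar: "Database(NVD)" needs a space, "a alternate", "maybe slightly incorrect" (may be), "catagorize", "truely", "an request email", "a individual xml file", and the heading "Common Vulnerability and Exposures (CVE) Anaylsis" should be "Common Vulnerabilities and Exposures (CVE) Analysis".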
diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt
index 48de65ee10..fcc087f6f1 100644
--- a/docs/manual/manual.txt
+++ b/docs/manual/manual.txt
@@ -46,6 +46,8 @@ include::legal-notice.txt[]
 
 include::beyond-buildroot.txt[]
 
+include::cpe-reporting.txt[]
+
 = Developer guide
 
 include::how-buildroot-works.txt[]
-- 
2.17.1
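The classification the cpe-report commit message describes (exact match, needs version update, missing) and the manual's CPE Maintenance and CVE Analysis steps, as an added worked example in Python 3; this is not Buildroot's cpe-report or cpedb code. It assumes a manifest whose first column is the CPE ID (the page does not show cpe-info's CSV layout), and the manifest and dictionary below are constructed samples, not real NVD data. It goes slightly beyond the patches: it honours the escaped `\:` a CPE 2.3 formatted string may carry inside a component, and it separately flags git-hash style versions, the limitation the manual calls out, instead of reporting them as merely missing. The "last entry seen is the latest version" heuristic mirrors the assumption stated in the cpedb patch.

```python
#!/usr/bin/env python3
"""Added example, not Buildroot's cpe-report/cpedb: classify the CPE IDs of a
make cpe-info manifest against a dictionary and build NVD search URLs."""
import csv
import io
import re
from urllib.parse import quote

# Constructed sample manifest. The real cpe-manifest.csv column layout is not
# shown on the page; this example ASSUMES a one-line header followed by rows
# whose first column is the CPE ID (the only column the logic below uses).
SAMPLE_MANIFEST = """\
CPE ID,PACKAGE,VERSION,SITE
cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*,tcpdump,4.9.1,http://www.tcpdump.org/release
cpe:2.3:a:gnu:bash:5.0:*:*:*:*:*:*:*,bash,5.0,http://ftp.gnu.org/gnu/bash
cpe:2.3:a:frob_project:frob:1.2.3:*:*:*:*:*:*:*,frob,1.2.3,https://example.invalid/frob
cpe:2.3:o:linux:linux_kernel:4e95a350a0:*:*:*:*:*:*:*,linux,4e95a350a0,https://example.invalid/linux
"""

# Constructed stand-in for the NIST dictionary (versioned cpe23 names only);
# frob is absent on purpose and bash is present but not at 5.0.
SAMPLE_DICT = [
    "cpe:2.3:a:tcpdump:tcpdump:4.9.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:4.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:4.4.18:*:*:*:*:*:*:*",
    "cpe:2.3:o:linux:linux_kernel:5.7:*:*:*:*:*:*:*",
]

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
# A colon escaped as '\:' is data, not a separator, in a CPE 2.3 formatted string.
_SPLIT = re.compile(r"(?<!\\):")


def parse_cpe(cpe_str):
    """Split a CPE 2.3 formatted string into its 11 named components."""
    parts = _SPLIT.split(cpe_str)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe_str)
    if parts[2] not in ("a", "h", "o"):
        raise ValueError("bad part %r in %r" % (parts[2], cpe_str))
    return dict(zip(CPE_FIELDS, parts[2:]))


def cpe_no_version(cpe_str):
    """Version-less key (cpe:2.3:part:vendor:product) used for partial matches."""
    return ":".join(_SPLIT.split(cpe_str)[:5])


def looks_like_release_version(version):
    """Dotted numeric release, optionally one trailing letter (e.g. 1.0.2u).
    Git hashes and 'custom' versions fail this and cannot be found in NVD."""
    return re.fullmatch(r"\d+(\.\d+)*[a-z]?", version) is not None


class CpeDict:
    """Exact versioned names plus, per version-less key, the last version seen
    in the feed (the 'last entry is the latest' heuristic the cpedb patch uses)."""

    def __init__(self, names):
        self.exact = set(names)
        self.latest = {}
        for name in names:
            self.latest[cpe_no_version(name)] = parse_cpe(name)["version"]


def classify(manifest_csv, cpe_dict):
    """Bucket each manifest CPE: matched, needs_update (product known, version
    not), missing (product unknown) or bad_version (not a release version)."""
    report = {"matched": [], "needs_update": [], "missing": [], "bad_version": []}
    reader = csv.reader(io.StringIO(manifest_csv))
    next(reader, None)  # skip the one-line header; an empty file is not an error
    for row in reader:
        if not row or not row[0].strip():
            continue  # tolerate blank/short rows instead of raising IndexError
        cpe_str = row[0].strip()
        if not looks_like_release_version(parse_cpe(cpe_str)["version"]):
            report["bad_version"].append(cpe_str)
        elif cpe_str in cpe_dict.exact:
            report["matched"].append(cpe_str)
        elif cpe_no_version(cpe_str) in cpe_dict.latest:
            report["needs_update"].append(
                (cpe_str, cpe_dict.latest[cpe_no_version(cpe_str)]))
        else:
            report["missing"].append(cpe_str)
    return report


def nvd_search_url(cpe_str):
    """Basic NVD keyword search link of the form the manual shows: ':' is
    percent-encoded, '*' is left as-is."""
    return ("https://nvd.nist.gov/vuln/search/results?form_type=Basic"
            "&results_type=overview&query=%s&search_type=all"
            % quote(cpe_str, safe="*"))


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_MANIFEST, CpeDict(SAMPLE_DICT)).items():
        print(bucket, entries)
```

Running it prints tcpdump as matched, bash 5.0 as needing an update (latest dictionary version 4.4.18 in the sample), frob as missing and the hash-versioned kernel as a bad version; `nvd_search_url()` on the tcpdump entry reproduces the NVD link given in the manual. The `bad_version` bucket is checked first because a hash can never match a dictionary entry, so reporting it as "missing" would invite a pointless NIST submission.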


* [Buildroot] [RFC v9 10/10] packages: fixup of cpe info
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (7 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 09/10] docs/manual: new security management section Matt Weber
@ 2020-06-16 17:03 ` Matt Weber
  2020-06-21  8:45 ` [Buildroot] [RFC v9 01/10] cpe-info: new make target Yann E. MORIN
  2020-06-25 11:00 ` Thomas Petazzoni
  10 siblings, 0 replies; 25+ messages in thread
From: Matt Weber @ 2020-06-16 17:03 UTC
  To: buildroot

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 boot/grub2/grub2.mk                                   |  1 +
 boot/uboot/uboot.mk                                   |  2 ++
 linux/linux.mk                                        |  2 ++
 package/audit/audit.mk                                |  2 ++
 package/aufs/aufs.mk                                  |  1 +
 package/bash/bash.mk                                  |  1 +
 package/bc/bc.mk                                      |  1 +
 package/bind/bind.mk                                  |  1 +
 package/boost/boost.mk                                |  1 +
 package/bridge-utils/bridge-utils.mk                  |  1 +
 package/busybox/busybox.mk                            |  1 +
 package/bzip2/bzip2.mk                                |  1 +
 package/clang/clang.mk                                |  1 +
 package/collectd/collectd.mk                          |  1 +
 package/conntrack-tools/conntrack-tools.mk            |  1 +
 package/coreutils/coreutils.mk                        |  1 +
 package/crda/crda.mk                                  |  1 +
 package/davici/davici.mk                              |  1 +
 package/dbus-glib/dbus-glib.mk                        |  1 +
 package/dbus/dbus.mk                                  |  2 ++
 package/dhcp/dhcp.mk                                  |  1 +
 package/dnsmasq/dnsmasq.mk                            |  1 +
 package/dropbear/dropbear.mk                          |  2 ++
 package/ebtables/ebtables.mk                          |  1 +
 package/ethtool/ethtool.mk                            |  1 +
 package/expat/expat.mk                                |  1 +
 package/gdb/gdb.mk                                    |  1 +
 package/gesftpserver/gesftpserver.mk                  |  2 ++
 package/glibc/glibc.mk                                |  1 +
 package/gmp/gmp.mk                                    |  1 +
 package/gnupg/gnupg.mk                                |  1 +
 package/gnutls/gnutls.mk                              |  1 +
 package/grep/grep.mk                                  |  1 +
 package/gtest/gtest.mk                                |  2 ++
 package/gzip/gzip.mk                                  |  1 +
 package/hostapd/hostapd.mk                            |  1 +
 package/ifupdown/ifupdown.mk                          |  1 +
 package/iperf/iperf.mk                                |  2 ++
 package/iperf3/iperf3.mk                              |  1 +
 package/ipset/ipset.mk                                |  1 +
 package/iptables/iptables.mk                          |  1 +
 package/iw/iw.mk                                      |  1 +
 package/kmod/kmod.mk                                  |  2 ++
 package/libarchive/libarchive.mk                      |  1 +
 package/libcurl/libcurl.mk                            |  2 ++
 package/libestr/libestr.mk                            |  1 +
 package/libfastjson/libfastjson.mk                    |  1 +
 package/libfcgi/libfcgi.mk                            |  2 ++
 package/libffi/libffi.mk                              |  2 ++
 package/libgcrypt/libgcrypt.mk                        |  1 +
 package/libglib2/libglib2.mk                          |  2 ++
 package/libgpg-error/libgpg-error.mk                  |  1 +
 package/liblogging/liblogging.mk                      |  1 +
 package/libmbim/libmbim.mk                            |  1 +
 package/libmnl/libmnl.mk                              |  1 +
 .../libnetfilter_conntrack/libnetfilter_conntrack.mk  |  1 +
 .../libnetfilter_cthelper/libnetfilter_cthelper.mk    |  1 +
 .../libnetfilter_cttimeout/libnetfilter_cttimeout.mk  |  1 +
 package/libnetfilter_queue/libnetfilter_queue.mk      |  1 +
 package/libnfnetlink/libnfnetlink.mk                  |  1 +
 package/libopenssl/Config.in                          | 11 +++++++++++
 package/libopenssl/libopenssl.mk                      |  2 ++
 package/libpcap/libpcap.mk                            |  1 +
 package/libselinux/libselinux.mk                      |  1 +
 package/libsemanage/libsemanage.mk                    |  1 +
 package/libsepol/libsepol.mk                          |  1 +
 package/libssh2/libssh2.mk                            |  1 +
 package/libsysfs/libsysfs.mk                          |  2 ++
 package/libtasn1/libtasn1.mk                          |  1 +
 package/libunistring/libunistring.mk                  |  1 +
 package/libxml2/libxml2.mk                            |  1 +
 package/libxslt/libxslt.mk                            |  1 +
 package/libzlib/libzlib.mk                            |  2 ++
 package/lighttpd/lighttpd.mk                          |  1 +
 package/linux-firmware/linux-firmware.mk              |  2 ++
 package/linux-headers/linux-headers.mk                |  2 ++
 package/linux-pam/linux-pam.mk                        |  2 ++
 package/llvm/llvm.mk                                  |  1 +
 package/lxc/lxc.mk                                    |  1 +
 package/lz4/lz4.mk                                    |  1 +
 package/memtester/memtester.mk                        |  1 +
 package/mii-diag/mii-diag.mk                          |  1 +
 package/mpfr/mpfr.mk                                  |  1 +
 package/mrouted/mrouted.mk                            |  1 +
 package/mtd/mtd.mk                                    |  2 ++
 package/ncurses/ncurses.mk                            |  1 +
 package/netsnmp/netsnmp.mk                            |  2 ++
 package/nfs-utils/nfs-utils.mk                        |  2 ++
 package/openssh/openssh.mk                            |  3 +++
 package/pax-utils/pax-utils.mk                        |  1 +
 package/paxtest/paxtest.mk                            |  1 +
 package/pcre/pcre.mk                                  |  1 +
 package/pixman/pixman.mk                              |  1 +
 package/policycoreutils/policycoreutils.mk            |  1 +
 package/pppd/pppd.mk                                  |  2 ++
 package/proftpd/proftpd.mk                            |  1 +
 package/protobuf/protobuf.mk                          |  1 +
 package/pure-ftpd/pure-ftpd.mk                        |  1 +
 package/python-lxml/python-lxml.mk                    |  2 ++
 package/python-setuptools/python-setuptools.mk        |  2 ++
 package/python/python.mk                              |  1 +
 package/qemu/qemu.mk                                  |  1 +
 package/rapidjson/rapidjson.mk                        |  1 +
 package/readline/readline.mk                          |  1 +
 package/refpolicy/refpolicy.mk                        |  1 +
 package/rsyslog/rsyslog.mk                            |  1 +
 package/rt-tests/rt-tests.mk                          |  1 +
 package/sed/sed.mk                                    |  1 +
 package/setools/setools.mk                            |  1 +
 package/setserial/setserial.mk                        |  1 +
 package/smcroute/smcroute.mk                          |  1 +
 package/spawn-fcgi/spawn-fcgi.mk                      |  1 +
 package/sqlite/sqlite.mk                              |  2 ++
 package/strongswan/strongswan.mk                      |  1 +
 package/tar/tar.mk                                    |  1 +
 package/tcl/tcl.mk                                    |  1 +
 package/tcpdump/tcpdump.mk                            |  1 +
 package/tftpd/tftpd.mk                                |  2 ++
 package/uboot-tools/uboot-tools.mk                    |  2 ++
 package/util-linux/util-linux.mk                      |  1 +
 package/valgrind/valgrind.mk                          |  1 +
 package/vim/vim.mk                                    |  1 +
 package/wget/wget.mk                                  |  1 +
 package/wireless-regdb/wireless-regdb.mk              |  1 +
 package/wireless_tools/wireless_tools.mk              |  2 ++
 package/wpa_supplicant/wpa_supplicant.mk              |  1 +
 package/xerces/xerces.mk                              |  2 ++
 package/xz/xz.mk                                      |  1 +
 128 files changed, 170 insertions(+)

diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index f77dc0f9d7..ec99945cb8 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -26,6 +26,7 @@ GRUB2_INSTALL_TARGET = YES
 else
 GRUB2_INSTALL_TARGET = NO
 endif
+GRUB2_CPE_ID_VENDOR = gnu
 
 GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
 GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
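Review bot: with an empty commit body, nothing records where `gnu` (or any other vendor/name override in this patch) was taken from; a one-line comment above the assignment naming the dictionary entry it was checked against, or a sentence in the commit message, would let the next version bump re-verify the value instead of trusting it. The other hunks put the CPE lines directly after the `_LICENSE_FILES` lines; here the assignment lands after the `ifeq/else/endif` block that sets `GRUB2_INSTALL_TARGET`, so the same placement would be consistent.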
diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
index 71689207e3..894c20576a 100644
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
 ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
 UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
 endif
+UBOOT_CPE_ID_VENDOR = denx
+UBOOT_CPE_ID_NAME = u-boot
 
 UBOOT_INSTALL_IMAGES = YES
 
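Review bot: `UBOOT_CPE_ID_VENDOR`/`UBOOT_CPE_ID_NAME` are set unconditionally, but the version still comes from `UBOOT_VERSION`, which for a custom git or tarball build is a hash or local string that the manual in patch 09 admits cannot map to a dictionary entry; this hunk already keys `UBOOT_LICENSE_FILES` on `BR2_TARGET_UBOOT_LATEST_VERSION`, so setting `UBOOT_CPE_ID_VERSION` under the same condition (or at least a comment that custom versions will be reported as missing) would stop the manifest from emitting a CPE that looks valid but is not.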
diff --git a/linux/linux.mk b/linux/linux.mk
index b90b032bb9..583e2fef99 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
+LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
 
 define LINUX_HELP_CMDS
 	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'
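Review bot: the kernel's NVD entries are operating-system CPEs (`cpe:2.3:o:linux:linux_kernel:<version>`), so please confirm that the infrastructure's prefix handling emits part `o` here rather than the application default, otherwise every kernel CPE in the manifest will miss. `LINUX_CPE_ID_VENDOR = $(LINUX_NAME)` and `LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel` evaluate to `linux` and `linux_kernel`; writing the literals would make the intended dictionary entry obvious. The same custom-version caveat as for U-Boot applies: the patch 08 commit message says non-upstream kernels will not match, yet nothing here guards the version for custom git/tarball kernels.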
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index 652e0fcd56..a20767d24b 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
 AUDIT_LICENSE_FILES = COPYING COPYING.LIB
 # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 AUDIT_AUTORECONF = YES
+AUDIT_CPE_ID_VENDOR = linux_audit_project
+AUDIT_CPE_ID_NAME = linux_audit
 
 AUDIT_INSTALL_STAGING = YES
 
diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
index 4e95a350a0..495e94e606 100644
--- a/package/aufs/aufs.mk
+++ b/package/aufs/aufs.mk
@@ -7,6 +7,7 @@
 AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
 AUFS_LICENSE = GPL-2.0
 AUFS_LICENSE_FILES = COPYING
+AUFS_CPE_ID_VERSION = 4.1
 
 ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
 AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
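Review bot: `AUFS_CPE_ID_VERSION = 4.1` hard-codes one version while `AUFS_VERSION` comes from `BR2_PACKAGE_AUFS_VERSION` and the series (3 or 4, per the `ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)` right below) is user-selectable, so a series-3 checkout or a newer series-4 one would be reported as aufs 4.1 and any CVE analysis would run against the wrong version; either derive the CPE version from the selected series/version or leave it unset so cpe-report flags the package, and add a comment explaining the choice.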
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index 1843862e49..b4681c1085 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
 BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
 BASH_LICENSE = GPL-3.0+
 BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VENDOR = gnu
 
 BASH_CONF_ENV += \
 	ac_cv_rl_prefix="$(STAGING_DIR)" \
diff --git a/package/bc/bc.mk b/package/bc/bc.mk
index fdfacb6c89..06b6feae4f 100644
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
 BC_DEPENDENCIES = host-flex
 BC_LICENSE = GPL-2.0+, LGPL-2.1+
 BC_LICENSE_FILES = COPYING COPYING.LIB
+BC_CPE_ID_VENDOR = gnu
 BC_CONF_ENV = MAKEINFO=true
 
 # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 362a26dce6..806ece6ccd 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
 BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = MPL-2.0
 BIND_LICENSE_FILES = COPYRIGHT
+BIND_CPE_ID_VENDOR = isc
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
 BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
 BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index ef638fc9df..e5824424cb 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
 BOOST_INSTALL_STAGING = YES
 BOOST_LICENSE = BSL-1.0
 BOOST_LICENSE_FILES = LICENSE_1_0.txt
+BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
 
 # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
 # while in fact it affects Drupal (a module called boost in there).
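Review bot: `BOOST_CPE_ID_VENDOR = $(BOOST_NAME)` (and the same pattern for busybox and collectd later in this patch) only makes sense if the infrastructure default is not the bare package name; patch 01's changelog says the default vendor is `<name>_project`, so a short comment such as `# NVD uses the bare name as vendor` would explain why these three override it while most others do not. The literal `boost` would also be clearer than going through `$(BOOST_NAME)`.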
diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
index 2519227471..288de8c373 100644
--- a/package/bridge-utils/bridge-utils.mk
+++ b/package/bridge-utils/bridge-utils.mk
@@ -10,6 +10,7 @@ BRIDGE_UTILS_SOURCE = bridge-utils-1.6.tar.xz
 BRIDGE_UTILS_AUTORECONF = YES
 BRIDGE_UTILS_LICENSE = GPL-2.0+
 BRIDGE_UTILS_LICENSE_FILES = COPYING
+BRIDGE_UTILS_CPE_ID_VENDOR = kernel
 
 # Avoid using the host's headers. Location is not important as
 # required headers will anyway be found from within the sysroot.
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 24f3ba3b19..eae8aa3276 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
 BUSYBOX_LICENSE = GPL-2.0
 BUSYBOX_LICENSE_FILES = LICENSE
+BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
 
 define BUSYBOX_HELP_CMDS
 	@echo '  busybox-menuconfig     - Run BusyBox menuconfig'
diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index b4d8eea25e..c2e5f7610e 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
 BZIP2_INSTALL_STAGING = YES
 BZIP2_LICENSE = bzip2 license
 BZIP2_LICENSE_FILES = LICENSE
+BZIP2_CPE_ID_VENDOR = bzip
 
 ifeq ($(BR2_STATIC_LIBS),)
 define BZIP2_BUILD_SHARED_CMDS
diff --git a/package/clang/clang.mk b/package/clang/clang.mk
index d740af5322..672c9fb3fa 100644
--- a/package/clang/clang.mk
+++ b/package/clang/clang.mk
@@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
 CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
 CLANG_LICENSE = Apache-2.0 with exceptions
 CLANG_LICENSE_FILES = LICENSE.TXT
+CLANG_CVE_ID_VENDOR = llvm
 CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
 CLANG_INSTALL_STAGING = YES
 
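Review bot: `CLANG_CVE_ID_VENDOR = llvm` is a typo for `CLANG_CPE_ID_VENDOR`; every other hunk in this patch uses the `_CPE_ID_` prefix and the infrastructure from patch 01 reads `CPE_ID_*` variables, so this line is ignored and clang will be reported with the default vendor instead of `llvm`.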
diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
index 24cdad7e1b..18c69369c6 100644
--- a/package/collectd/collectd.mk
+++ b/package/collectd/collectd.mk
@@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
 COLLECTD_INSTALL_STAGING = YES
 COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
 COLLECTD_LICENSE_FILES = COPYING
+COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
 
 # These require unmet dependencies, are fringe, pointless or deprecated
 COLLECTD_PLUGINS_DISABLE = \
diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
index 145b6d785f..55ea407924 100644
--- a/package/conntrack-tools/conntrack-tools.mk
+++ b/package/conntrack-tools/conntrack-tools.mk
@@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
 	libnetfilter_queue host-bison host-flex
 CONNTRACK_TOOLS_LICENSE = GPL-2.0+
 CONNTRACK_TOOLS_LICENSE_FILES = COPYING
+CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
 
 CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
 
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 3866b76243..18e9052dfd 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
 COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
 COREUTILS_LICENSE = GPL-3.0+
 COREUTILS_LICENSE_FILES = COPYING
+COREUTILS_CPE_ID_VENDOR = gnu
 
 COREUTILS_CONF_OPTS = --disable-rpath \
 	$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
diff --git a/package/crda/crda.mk b/package/crda/crda.mk
index c5880797be..31a64d004b 100644
--- a/package/crda/crda.mk
+++ b/package/crda/crda.mk
@@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
 CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
 CRDA_LICENSE = ISC
 CRDA_LICENSE_FILES = LICENSE
+CRDA_CPE_ID_VENDOR = kernel
 
 define CRDA_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) \
diff --git a/package/davici/davici.mk b/package/davici/davici.mk
index 5c08bbe0da..6c8df48b6a 100644
--- a/package/davici/davici.mk
+++ b/package/davici/davici.mk
@@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
 DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
 DAVICI_LICENSE = LGPL-2.1+
 DAVICI_LICENSE_FILES = COPYING
+DAVICI_CPE_ID_VENDOR = strongswan
 DAVICI_DEPENDENCIES = strongswan
 DAVICI_INSTALL_STAGING = YES
 DAVICI_AUTORECONF = YES
diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
index 372942e1c3..5eb158d954 100644
--- a/package/dbus-glib/dbus-glib.mk
+++ b/package/dbus-glib/dbus-glib.mk
@@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
 DBUS_GLIB_INSTALL_STAGING = YES
 DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
 DBUS_GLIB_LICENSE_FILES = COPYING
+DBUS_GLIB_CPE_ID_VENDOR = freedesktop
 
 DBUS_GLIB_CONF_ENV = \
 	ac_cv_have_abstract_sockets=yes \
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index 5c2a5fb2cc..70785a6b63 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -8,6 +8,8 @@ DBUS_VERSION = 1.12.18
 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
 DBUS_LICENSE_FILES = COPYING
+DBUS_CPE_ID_VENDOR = d-bus_project
+DBUS_CPE_ID_NAME = d-bus
 DBUS_INSTALL_STAGING = YES
 
 define DBUS_PERMISSIONS
diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
index ad59804d3b..988c7792dc 100644
--- a/package/dhcp/dhcp.mk
+++ b/package/dhcp/dhcp.mk
@@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
 DHCP_LICENSE = MPL-2.0
 DHCP_LICENSE_FILES = LICENSE
 DHCP_DEPENDENCIES = bind
+DHCP_CPE_ID_VENDOR = isc
 
 # use libtool-enabled configure.ac
 define DHCP_LIBTOOL_AUTORECONF
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index 4a7218a2b7..e0e8bed5aa 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
 DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
 DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
+DNSMASQ_CPE_ID_VENDOR = thekelleys
 
 DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
 
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 1070a410b9..72c6928c7a 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -11,6 +11,8 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, BSD-3-Clause
 DROPBEAR_LICENSE_FILES = LICENSE
 DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
 DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
+DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
+DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
 
 # Disable hardening flags added by dropbear configure.ac, and let
 # Buildroot add them when the relevant options are enabled. This
diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
index 117cd5e99e..2f1e291c03 100644
--- a/package/ebtables/ebtables.mk
+++ b/package/ebtables/ebtables.mk
@@ -9,6 +9,7 @@ EBTABLES_SOURCE = ebtables-v$(EBTABLES_VERSION).tar.gz
 EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
 EBTABLES_LICENSE = GPL-2.0+
 EBTABLES_LICENSE_FILES = COPYING
+EBTABLES_CVE_ID_VENDOR = netfilter
 EBTABLES_STATIC = $(if $(BR2_STATIC_LIBS),static)
 EBTABLES_K64U32 = $(if $(BR2_KERNEL_64_USERLAND_32),-DKERNEL_64_USERSPACE_32)
 
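Review bot: same typo as in clang.mk: EBTABLES_CVE_ID_VENDOR should be EBTABLES_CPE_ID_VENDOR, otherwise the netfilter vendor is silently ignored and the default package name is reported. It might be worth a quick grep for _CVE_ID_ across the series to make sure these are the only two.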
diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
index 40abe57918..d6427b9d09 100644
--- a/package/ethtool/ethtool.mk
+++ b/package/ethtool/ethtool.mk
@@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
 ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
 ETHTOOL_LICENSE = GPL-2.0
 ETHTOOL_LICENSE_FILES = LICENSE COPYING
+ETHTOOL_CPE_ID_VENDOR = kernel
 ETHTOOL_CONF_OPTS = \
 	$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
 
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index 38e5dee75d..af3088b80c 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
 HOST_EXPAT_DEPENDENCIES = host-pkgconf
 EXPAT_LICENSE = MIT
 EXPAT_LICENSE_FILES = COPYING
+EXPAT_CPE_ID_VENDOR = libexpat
 
 EXPAT_CONF_OPTS = --without-docbook
 HOST_EXPAT_CONF_OPTS = --without-docbook
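Review bot: EXPAT_CPE_ID_VENDOR = libexpat combined with the default product name (the package name, expat) yields vendor:product = libexpat:expat, which mixes the library name and the project name in an unusual way. Please check against the dictionary entry you are targeting; if the product there is libexpat as well, an explicit EXPAT_CPE_ID_NAME = libexpat is needed in addition to the vendor, and if the vendor carries a _project suffix the vendor line needs adjusting too.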
diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
index 8c74a0e2f6..ea4ec7bdc6 100644
--- a/package/gdb/gdb.mk
+++ b/package/gdb/gdb.mk
@@ -22,6 +22,7 @@ endif
 
 GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
 GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
+GDB_CPE_ID_VENDOR = gnu
 
 # We only want gdbserver and not the entire debugger.
 ifeq ($(BR2_PACKAGE_GDB_DEBUGGER),)
diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
index ff7ce768ae..07718a4c42 100644
--- a/package/gesftpserver/gesftpserver.mk
+++ b/package/gesftpserver/gesftpserver.mk
@@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING
 
 # "Missing prototype" warning treated as error
 GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
+GESFTPSERVER_CPE_ID_VENDOR = green_end
+GESFTPSERVER_CPE_ID_NAME = sftpserver
 
 # forgets to link against pthread when cross compiling
 GESFTPSERVER_CONF_ENV = LIBS=-lpthread
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index f1c846b727..c2cfeec30d 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -29,6 +29,7 @@ endif
 
 GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
 GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
+GLIBC_CPE_ID_VENDOR = gnu
 
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index d124463a98..a79d5b7d9a 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
 GMP_INSTALL_STAGING = YES
 GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
 GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
+GMP_CPE_ID_VENDOR = gmplib
 GMP_DEPENDENCIES = host-m4
 HOST_GMP_DEPENDENCIES = host-m4
 
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index 617def884e..ba424fed96 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG_LICENSE = GPL-3.0+
 GNUPG_LICENSE_FILES = COPYING
 GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
 GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
 GNUPG_CONF_OPTS = \
 	--disable-rpath \
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index a1dfce62a2..1e98746441 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
 endif
 
 GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_CPE_ID_VENDOR = gnu
 GNUTLS_CONF_OPTS = \
 	--disable-doc \
 	--disable-guile \
diff --git a/package/grep/grep.mk b/package/grep/grep.mk
index ef1bbb4487..204c74f3b8 100644
--- a/package/grep/grep.mk
+++ b/package/grep/grep.mk
@@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
 GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
 GREP_LICENSE = GPL-3.0+
 GREP_LICENSE_FILES = COPYING
+GREP_CPE_ID_VENDOR = gnu
 GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
 # install into /bin like busybox grep
 GREP_CONF_OPTS = --exec-prefix=/
diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
index 7f967b8bfb..fc51d9f7a2 100644
--- a/package/gtest/gtest.mk
+++ b/package/gtest/gtest.mk
@@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES
 GTEST_INSTALL_TARGET = NO
 GTEST_LICENSE = BSD-3-Clause
 GTEST_LICENSE_FILES = googletest/LICENSE
+GTEST_CPE_ID_VENDOR = google
+GTEST_CPE_ID_NAME = google_test
 
 ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
 GTEST_DEPENDENCIES += host-gtest
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 17b27b497c..c8fd3ddb7a 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
 GZIP_CONF_OPTS = --exec-prefix=/
 GZIP_LICENSE = GPL-3.0+
 GZIP_LICENSE_FILES = COPYING
+GZIP_CPE_ID_VENDOR = gnu
 GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 # configure substitutes $(SHELL) for the shell shebang in scripts like
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index b94a0e4578..61576c9323 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -16,6 +16,7 @@ HOSTAPD_LICENSE_FILES = README
 # 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 HOSTAPD_IGNORE_CVES += CVE-2019-16275
 
+HOSTAPD_CPE_ID_VENDOR = w1.fi
 HOSTAPD_CONFIG_SET =
 
 HOSTAPD_CONFIG_ENABLE = \
diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
index 84d24aedab..e62c2a79c5 100644
--- a/package/ifupdown/ifupdown.mk
+++ b/package/ifupdown/ifupdown.mk
@@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
 IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
 IFUPDOWN_LICENSE = GPL-2.0+
 IFUPDOWN_LICENSE_FILES = COPYING
+IFUPDOWN_CPE_ID_VENDOR = debian
 
 define IFUPDOWN_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
index 7088b0f152..f1e65e7545 100644
--- a/package/iperf/iperf.mk
+++ b/package/iperf/iperf.mk
@@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13
 IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
 IPERF_LICENSE = MIT-like
 IPERF_LICENSE_FILES = COPYING
+IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
+IPERF_CPE_ID_NAME = $(IPERF_NAME)2
 
 IPERF_CONF_OPTS = \
 	--disable-web100
diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
index 3537b23824..d29eb8505e 100644
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
 IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
 IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
 IPERF3_LICENSE_FILES = LICENSE
+IPERF3_CPE_ID_VENDOR = es
 
 IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
 
diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index 869763d322..cea3ee0e05 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
 IPSET_CONF_OPTS = --with-kmod=no
 IPSET_LICENSE = GPL-2.0
 IPSET_LICENSE_FILES = COPYING
+IPSET_CPE_ID_VENDOR = netfilter
 IPSET_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 4dc7a174a1..bea9b0b4c8 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
 IPTABLES_LICENSE = GPL-2.0
 IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_CPE_ID_VENDOR = netfilter
 # Building static causes ugly warnings on some plugins
 IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
 	$(if $(BR2_STATIC_LIBS),,--disable-static)
diff --git a/package/iw/iw.mk b/package/iw/iw.mk
index 2250ea413b..a232cc8baa 100644
--- a/package/iw/iw.mk
+++ b/package/iw/iw.mk
@@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
 IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
 IW_LICENSE = ISC
 IW_LICENSE_FILES = COPYING
+IW_CPE_ID_VENDOR = kernel
 IW_DEPENDENCIES = host-pkgconf libnl
 IW_MAKE_ENV = \
 	$(TARGET_MAKE_ENV) \
diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
index 0a79b2cf4d..c44764ea18 100644
--- a/package/kmod/kmod.mk
+++ b/package/kmod/kmod.mk
@@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
 KMOD_LICENSE = LGPL-2.1+ (library)
 KMOD_LICENSE_FILES = libkmod/COPYING
 
+KMOD_CPE_ID_VENDOR = kernel
+
 # --gc-sections triggers binutils ld segfault
 # https://sourceware.org/bugzilla/show_bug.cgi?id=21180
 ifeq ($(BR2_microblaze),y)
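Review bot: style: KMOD_CPE_ID_VENDOR is placed in its own paragraph between blank lines instead of next to KMOD_LICENSE / KMOD_LICENSE_FILES, which is where every other package in this patch puts the CPE metadata (linux-firmware.mk has the same issue). Keeping the identification variables together makes the block easy to find and to check in later updates.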
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 708ce637c2..71c8a2e4cf 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
 LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
 LIBARCHIVE_LICENSE_FILES = COPYING
+LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
 ifeq ($(BR2_STATIC_LIBS),y)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index cc2ca0aa65..d0491510cc 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
 LIBCURL_LICENSE = curl
 LIBCURL_LICENSE_FILES = COPYING
+LIBCURL_CPE_ID_VENDOR = haxx
+LIBCURL_CPE_ID_NAME = libcurl
 LIBCURL_INSTALL_STAGING = YES
 
 # We disable NTLM support because it uses fork(), which doesn't work
diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
index 30960f7257..6ce22efae2 100644
--- a/package/libestr/libestr.mk
+++ b/package/libestr/libestr.mk
@@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
 LIBESTR_SITE = http://libestr.adiscon.com/files/download
 LIBESTR_LICENSE = LGPL-2.1+
 LIBESTR_LICENSE_FILES = COPYING
+LIBESTR_CPE_ID_VENDOR = adiscon
 LIBESTR_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
index ecca72f56c..37dbd7e03e 100644
--- a/package/libfastjson/libfastjson.mk
+++ b/package/libfastjson/libfastjson.mk
@@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 LIBFASTJSON_AUTORECONF = YES
 LIBFASTJSON_LICENSE = MIT
 LIBFASTJSON_LICENSE_FILES = COPYING
+LIBFASTJSON_CPE_ID_VENDOR = rsyslog
 
 $(eval $(autotools-package))
diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
index c158df2395..c40d9c5970 100644
--- a/package/libfcgi/libfcgi.mk
+++ b/package/libfcgi/libfcgi.mk
@@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2
 LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
 LIBFCGI_LICENSE = OML
 LIBFCGI_LICENSE_FILES = LICENSE.TERMS
+LIBFCGI_CPE_ID_VENDOR = fastcgi
+LIBFCGI_CPE_ID_NAME = fcgi
 LIBFCGI_INSTALL_STAGING = YES
 LIBFCGI_AUTORECONF = YES
 
diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
index 722a03dca0..e87a024040 100644
--- a/package/libffi/libffi.mk
+++ b/package/libffi/libffi.mk
@@ -6,6 +6,8 @@
 
 LIBFFI_VERSION = 3.3
 LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
+LIBFFI_CPE_ID_VERSION = 3.3
+LIBFFI_CPE_ID_VERSION_MINOR = rc0
 LIBFFI_LICENSE = MIT
 LIBFFI_LICENSE_FILES = LICENSE
 LIBFFI_INSTALL_STAGING = YES
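Review bot: the two version overrides need a comment. LIBFFI_VERSION is 3.3, yet LIBFFI_CPE_ID_VERSION repeats the literal 3.3 rather than $(LIBFFI_VERSION), so it will go stale on the next version bump, and LIBFFI_CPE_ID_VERSION_MINOR = rc0 reports a release candidate for what the package builds as the 3.3 release. If the dictionary only knows this release under a rc0 suffix, say so above the assignment; otherwise this looks like a mistake that would make CVE matching for libffi wrong. It would also help to state whether _CPE_ID_VERSION_MINOR is a field the infrastructure consumes, since no other package in this patch uses it.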
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index d21513bd39..12fdcab422 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
 LIBGCRYPT_INSTALL_STAGING = YES
 LIBGCRYPT_DEPENDENCIES = libgpg-error
 LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
+LIBGCRYPT_CPE_ID_VENDOR = gnupg
 
 # Patching acinclude.m4 in 0001
 # Patching configure.ac and Makefile.am in 0002
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index d1c75d8a43..a2bdc32816 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
 LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
 LIBGLIB2_LICENSE = LGPL-2.1+
 LIBGLIB2_LICENSE_FILES = COPYING
+LIBGLIB2_CPE_ID_VENDOR = gnome
+LIBGLIB2_CPE_ID_NAME = glib
 LIBGLIB2_INSTALL_STAGING = YES
 
 LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
index 6281faa662..05c7f710f2 100644
--- a/package/libgpg-error/libgpg-error.mk
+++ b/package/libgpg-error/libgpg-error.mk
@@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
 LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
 LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
 LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
+LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
 LIBGPG_ERROR_INSTALL_STAGING = YES
 LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
 LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
index c756891a86..24375b56b4 100644
--- a/package/liblogging/liblogging.mk
+++ b/package/liblogging/liblogging.mk
@@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
 LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
 LIBLOGGING_LICENSE = BSD-2-Clause
 LIBLOGGING_LICENSE_FILES = COPYING
+LIBLOGGING_CPE_ID_VENDOR = adiscon
 LIBLOGGING_INSTALL_STAGING = YES
 LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
 
diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
index 67cfd2bc0b..c61315ea68 100644
--- a/package/libmbim/libmbim.mk
+++ b/package/libmbim/libmbim.mk
@@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
 LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
 LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
 LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
+LIBMBIM_CPE_ID_VENDOR = freedesktop
 LIBMBIM_INSTALL_STAGING = YES
 
 LIBMBIM_DEPENDENCIES = libglib2
diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
index 7fcce4c21f..d3b33db2e0 100644
--- a/package/libmnl/libmnl.mk
+++ b/package/libmnl/libmnl.mk
@@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
 LIBMNL_INSTALL_STAGING = YES
 LIBMNL_LICENSE = LGPL-2.1+
 LIBMNL_LICENSE_FILES = COPYING
+LIBMNL_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
index 8beefefb51..0a5a94be8f 100644
--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
@@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
 LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
 LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
+LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
index 61d6acd07c..d74ea4d0fd 100644
--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTHELPER_AUTORECONF = YES
 LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
 LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
+LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
index 9c4c951687..f5c5067b64 100644
--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
 LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
 LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
+LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
index 302f9a2575..5556969fde 100644
--- a/package/libnetfilter_queue/libnetfilter_queue.mk
+++ b/package/libnetfilter_queue/libnetfilter_queue.mk
@@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_QUEUE_AUTORECONF = YES
 LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
 LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
+LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
index 13f5d72c87..a5ad47b85e 100644
--- a/package/libnfnetlink/libnfnetlink.mk
+++ b/package/libnfnetlink/libnfnetlink.mk
@@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
 LIBNFNETLINK_INSTALL_STAGING = YES
 LIBNFNETLINK_LICENSE = GPL-2.0
 LIBNFNETLINK_LICENSE_FILES = COPYING
+LIBNFNETLINK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 881518d1cb..3aa5b88017 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	  Install additional encryption engine libraries.
 
 endif # BR2_PACKAGE_LIBOPENSSL
+# See package/openssl/Config.in for the actual kconfig
+# of this package. This file provides a URL for CPE use.
+
+#	help
+#	  A collaborative effort to develop a robust, commercial-grade,
+#	  fully featured, and Open Source toolkit implementing the
+#	  Secure Sockets Layer (SSL v2/v3) and Transport Security
+#	  (TLS v1) as well as a full-strength general-purpose
+#	  cryptography library.
+#
+#	  http://www.openssl.org/
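Review bot: adding a commented-out help block to package/libopenssl/Config.in is not a good way to carry a URL for the CPE tooling: nothing can parse a comment reliably, the text sits after endif # BR2_PACKAGE_LIBOPENSSL where it does not belong to any option, and the next person cleaning up the file will remove it. If the CPE script needs a project URL for the virtual-package provider, either read it from the help of the real option in package/openssl/Config.in (which the comment itself points to) or introduce a proper <PKG>_CPE_ID_* variable in libopenssl.mk; dead kconfig help should not be merged.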
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index a300458f85..bb4747f4c0 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
 LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
 LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
 LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
+LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
 
 ifeq ($(BR2_m68k_cf),y)
 # relocation truncated to fit: R_68K_GOT16O
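Review bot: using $(LIBOPENSSL_PROVIDES) as both the CPE vendor and product ties the identification string to a variable that exists for virtual-package resolution, not naming. Writing LIBOPENSSL_CPE_ID_VENDOR = openssl and LIBOPENSSL_CPE_ID_NAME = openssl literally reads the same today and will not change meaning if _PROVIDES is ever extended to list more than one virtual package.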
diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
index 881a109a0a..e323461529 100644
--- a/package/libpcap/libpcap.mk
+++ b/package/libpcap/libpcap.mk
@@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
 LIBPCAP_SITE = http://www.tcpdump.org/release
 LIBPCAP_LICENSE = BSD-3-Clause
 LIBPCAP_LICENSE_FILES = LICENSE
+LIBPCAP_CPE_ID_VENDOR = tcpdump
 LIBPCAP_INSTALL_STAGING = YES
 LIBPCAP_DEPENDENCIES = host-flex host-bison
 
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index d0e7b66241..bd728e6bc6 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.0
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
+LIBSELINUX_CPE_ID_VENDOR = selinuxproject
 
 LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
 
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index deba5fafcd..34c9e604c5 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = COPYING
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
+LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
 LIBSEMANAGE_INSTALL_STAGING = YES
 
 LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 2d64c53bc3..59ba710dfe 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.0
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_CPE_ID_VENDOR = selinuxproject
 
 LIBSEPOL_INSTALL_STAGING = YES
 LIBSEPOL_DEPENDENCIES = host-flex
diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
index c03fe0db55..eb66ab5643 100644
--- a/package/libssh2/libssh2.mk
+++ b/package/libssh2/libssh2.mk
@@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
 LIBSSH2_SITE = https://www.libssh2.org/download
 LIBSSH2_LICENSE = BSD
 LIBSSH2_LICENSE_FILES = COPYING
+LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
 LIBSSH2_INSTALL_STAGING = YES
 LIBSSH2_CONF_OPTS = --disable-examples-build
 
diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
index 13edc9a4ea..fd8bfa6724 100644
--- a/package/libsysfs/libsysfs.mk
+++ b/package/libsysfs/libsysfs.mk
@@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
 LIBSYSFS_INSTALL_STAGING = YES
 LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
 LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
+LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
+LIBSYSFS_CPE_ID_NAME = sysfsutils
 
 $(eval $(autotools-package))
diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
index d5a6c69965..a354716824 100644
--- a/package/libtasn1/libtasn1.mk
+++ b/package/libtasn1/libtasn1.mk
@@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
 LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
 LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
 LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
+LIBTASN1_CPE_ID_VENDOR = gnu
 LIBTASN1_INSTALL_STAGING = YES
 
 # We're patching fuzz/Makefile.am
diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
index fa51447170..1ed7ecf906 100644
--- a/package/libunistring/libunistring.mk
+++ b/package/libunistring/libunistring.mk
@@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
 LIBUNISTRING_INSTALL_STAGING = YES
 LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
 LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
+LIBUNISTRING_CPE_ID_VENDOR = gnu
 
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index acbdfb7728..c531934dc3 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -13,6 +13,7 @@ LIBXML2_LICENSE_FILES = COPYING
 LIBXML2_IGNORE_CVES += CVE-2020-7595
 # 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
 LIBXML2_IGNORE_CVES += CVE-2019-20388
+LIBXML2_CPE_ID_VENDOR = xmlsoft
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 2f37f303ac..3c603ad9f6 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
 LIBXSLT_INSTALL_STAGING = YES
 LIBXSLT_LICENSE = MIT
 LIBXSLT_LICENSE_FILES = COPYING
+LIBXSLT_CPE_ID_VENDOR = xmlsoft
 
 LIBXSLT_CONF_OPTS = \
 	--with-gnu-ld \
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index eea0c12f22..a1e2640bac 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
+LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
 
 # It is not possible to build only a shared version of zlib, so we build both
 # shared and static, unless we only want the static libs, and we eventually
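Review bot: LIBZLIB_CPE_ID_VENDOR = gnu deserves a comment. The other packages assigned vendor gnu in this patch (coreutils, grep, gzip, libtasn1, libunistring, mpfr) are GNU projects fetched from $(BR2_GNU_MIRROR); zlib is not, so a reader will assume this is wrong. If gnu is what the dictionary uses for the zlib entries you matched against, state that next to the assignment; otherwise it should be the project's own vendor name. Same remark as for libopenssl on spelling out the product name instead of reusing $(LIBZLIB_PROVIDES).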
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 7181465c66..39600ef94b 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
 LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
 LIGHTTPD_LICENSE = BSD-3-Clause
 LIGHTTPD_LICENSE_FILES = COPYING
+LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
 LIGHTTPD_DEPENDENCIES = host-pkgconf
 LIGHTTPD_CONF_OPTS = \
 	--without-wolfssl \
diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
index cbad8d592a..632afd70bb 100644
--- a/package/linux-firmware/linux-firmware.mk
+++ b/package/linux-firmware/linux-firmware.mk
@@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
 LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
 LINUX_FIRMWARE_SITE_METHOD = git
 
+LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
+
 # Intel SST DSP
 ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
 LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
index 4c3cb716b3..4496295f2a 100644
--- a/package/linux-headers/linux-headers.mk
+++ b/package/linux-headers/linux-headers.mk
@@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_HEADERS_CPE_ID_VENDOR = linux
+LINUX_HEADERS_CPE_ID_NAME = linux_kernel
 
 LINUX_HEADERS_INSTALL_STAGING = YES
 
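Review bot: reporting linux-headers as linux:linux_kernel will make every kernel CVE show up against a package that only installs headers into staging (LINUX_HEADERS_INSTALL_STAGING = YES), and the headers version is chosen independently of the kernel that actually ends up on the target, so the match would be against the wrong version as often as not. Either leave linux-headers without a kernel CPE and attach linux:linux_kernel to the linux package instead, or add a comment explaining why the headers package should carry it.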
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 57fb2c9cfd..ecd4a723c4 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -23,6 +23,8 @@ LINUX_PAM_LICENSE_FILES = Copyright
 # We're patching configure.ac
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
+LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
+LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
 LINUX_PAM_CONF_OPTS += --enable-selinux
diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
index 24d033d124..177fff71bb 100644
--- a/package/llvm/llvm.mk
+++ b/package/llvm/llvm.mk
@@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
 LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
 LLVM_LICENSE = Apache-2.0 with exceptions
 LLVM_LICENSE_FILES = LICENSE.TXT
+LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
 LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
 LLVM_INSTALL_STAGING = YES
 
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index 53e3c85c6d..9788f04230 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -8,6 +8,7 @@ LXC_VERSION = 3.2.1
 LXC_SITE = https://linuxcontainers.org/downloads/lxc
 LXC_LICENSE = LGPL-2.1+
 LXC_LICENSE_FILES = COPYING
+LXC_CPE_ID_VENDOR = linuxcontainers
 LXC_DEPENDENCIES = host-pkgconf
 LXC_INSTALL_STAGING = YES
 # We're patching configure.ac
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 1d32666ccc..856d791d8a 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
 LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
+LZ4_CPE_ID_VENDOR = yann_collet
 
 # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
 # 1.9.2, while in fact this issue has been fixed since lz4-r130:
diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
index 0e64d8cde2..ec821adbe8 100644
--- a/package/memtester/memtester.mk
+++ b/package/memtester/memtester.mk
@@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.3.0
 MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
 MEMTESTER_LICENSE = GPL-2.0
 MEMTESTER_LICENSE_FILES = COPYING
+MEMTESTER_CPE_ID_VENDOR = pryopus
 
 MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
 
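Review bot: `pryopus` on the MEMTESTER_CPE_ID_VENDOR line is a transposition; MEMTESTER_SITE two lines above points at pyropus.ca, so the vendor should read `pyropus`. A misspelled vendor does not fail the build, it just yields an identifier that matches no CVE, so every literal vendor in this patch is worth checking against the dictionary before merging.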
diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
index 6efd5be80d..a7c6483221 100644
--- a/package/mii-diag/mii-diag.mk
+++ b/package/mii-diag/mii-diag.mk
@@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
 MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
 MII_DIAG_LICENSE = GPL # No version specified
 MII_DIAG_LICENSE_FILES = mii-diag.c
+MII_DIAG_CPE_ID_VENDOR = debian
 
 MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
 
diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
index ef2999eb16..837aff3aa5 100644
--- a/package/mpfr/mpfr.mk
+++ b/package/mpfr/mpfr.mk
@@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
 MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
 MPFR_LICENSE = LGPL-3.0+
 MPFR_LICENSE_FILES = COPYING.LESSER
+MPFR_CPE_ID_VENDOR = gnu
 MPFR_INSTALL_STAGING = YES
 MPFR_DEPENDENCIES = gmp
 HOST_MPFR_DEPENDENCIES = host-gmp
diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
index b9a4eaba45..6ee7fd5dfd 100644
--- a/package/mrouted/mrouted.mk
+++ b/package/mrouted/mrouted.mk
@@ -9,6 +9,7 @@ MROUTED_SITE = $(call github,troglobit,mrouted,$(MROUTED_VERSION))
 MROUTED_DEPENDENCIES = host-bison
 MROUTED_LICENSE = BSD-3-Clause
 MROUTED_LICENSE_FILES = LICENSE
+MROUTED_CPE_ID_VENDOR = troglobit
 
 define MROUTED_CONFIGURE_CMDS
 	(cd $(@D); \
diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index 3477460200..035b624ab2 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
 MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
 MTD_LICENSE = GPL-2.0
 MTD_LICENSE_FILES = COPYING
+MTD_CPE_ID_VENDOR = mtd-utils_project
+MTD_CPE_ID_NAME = mtd-utils
 MTD_INSTALL_STAGING = YES
 
 ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index c11650c766..5c5e497488 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
 NCURSES_DEPENDENCIES = host-ncurses
 NCURSES_LICENSE = MIT with advertising clause
 NCURSES_LICENSE_FILES = COPYING
+NCURSES_CPE_ID_VENDOR = gnu
 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
 NCURSES_PATCH = \
 	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 904279d1fb..09ca33f754 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
 NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
 NETSNMP_LICENSE = Various BSD-like
 NETSNMP_LICENSE_FILES = COPYING
+NETSNMP_CPE_ID_VENDOR = net-snmp
+NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
 NETSNMP_INSTALL_STAGING = YES
 NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
 NETSNMP_CONF_OPTS = \
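Review bot: NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR) makes the product name depend on the vendor, which is a coincidence of this project and not a relationship; write the literal `net-snmp` for both so that a future vendor correction cannot silently rename the product as well.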
diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
index 7af229a57e..57d05b5c6b 100644
--- a/package/nfs-utils/nfs-utils.mk
+++ b/package/nfs-utils/nfs-utils.mk
@@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
 NFS_UTILS_LICENSE = GPL-2.0+
 NFS_UTILS_LICENSE_FILES = COPYING
 NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
+NFS_UTILS_CPE_ID_VENDOR = linux-nfs
+NFS_UTILS_AUTORECONF = YES
 
 NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
 
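Review bot: NFS_UTILS_AUTORECONF = YES changes how the package is built and has nothing to do with CPE identification; it belongs in its own commit with a message explaining why autoreconf is now required, rather than slipping in under a "fixup of cpe info" title where it is easy to overlook.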
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64ac22181b..c8937229ab 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -5,6 +5,8 @@
 ################################################################################
 
 OPENSSH_VERSION = 8.3p1
+OPENSSH_CPE_ID_VERSION = 8.3
+OPENSSH_CPE_ID_VERSION_MINOR = p1
 OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
 OPENSSH_LICENSE_FILES = LICENCE
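Review bot: OPENSSH_CPE_ID_VERSION = 8.3 and OPENSSH_CPE_ID_VERSION_MINOR = p1 restate OPENSSH_VERSION = 8.3p1 by hand, so a version bump that forgets either line makes the manifest claim a version that was not built. For the N.NpM scheme they can be derived, e.g. `OPENSSH_CPE_ID_VERSION = $(firstword $(subst p, ,$(OPENSSH_VERSION)))` and `OPENSSH_CPE_ID_VERSION_MINOR = p$(lastword $(subst p, ,$(OPENSSH_VERSION)))`; failing that, add a comment next to OPENSSH_VERSION that the two CPE lines must be bumped with it.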
@@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
 	LD="$(TARGET_CC)" \
 	LDFLAGS="$(TARGET_CFLAGS)" \
 	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_CPE_ID_VENDOR = openbsd
 OPENSSH_CONF_OPTS = \
 	--sysconfdir=/etc/ssh \
 	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
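Review bot: OPENSSH_CPE_ID_VENDOR = openbsd lands between OPENSSH_CONF_ENV and OPENSSH_CONF_OPTS, separated from the two CPE_ID_VERSION lines this patch adds at the top of the file. Keep the three CPE_ID_* assignments together (after OPENSSH_LICENSE_FILES, where the other packages in this patch put them) so the whole identifier can be read in one place.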
diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
index b31468eca2..a6618851ba 100644
--- a/package/pax-utils/pax-utils.mk
+++ b/package/pax-utils/pax-utils.mk
@@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
 PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
 PAX_UTILS_LICENSE = GPL-2.0
 PAX_UTILS_LICENSE_FILES = COPYING
+PAX_UTILS_CPE_ID_VENDOR = gentoo
 
 PAX_UTILS_DEPENDENCIES = host-pkgconf
 PAX_UTILS_CONF_OPTS = --without-python
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
index e632e222c3..1b8d6699b6 100644
--- a/package/paxtest/paxtest.mk
+++ b/package/paxtest/paxtest.mk
@@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
 PAXTEST_SITE = https://www.grsecurity.net/~spender
 PAXTEST_LICENSE = GPL-2.0+
 PAXTEST_LICENSE_FILES = README
+PAXTEST_CPE_ID_VENDOR = grsecurity
 
 define PAXTEST_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index 3c280e593f..b37a2ca9b7 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
 PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
 PCRE_LICENSE = BSD-3-Clause
 PCRE_LICENSE_FILES = LICENCE
+PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
 PCRE_INSTALL_STAGING = YES
 PCRE_CONFIG_SCRIPTS = pcre-config
 
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index a446ebca46..52d4e36f2e 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
 PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
 PIXMAN_LICENSE = MIT
 PIXMAN_LICENSE_FILES = COPYING
+PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
 
 PIXMAN_INSTALL_STAGING = YES
 PIXMAN_DEPENDENCIES = host-pkgconf
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index a06c7847ab..183c9b4925 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.0
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
 
 POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
 POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
index 685666a200..118f9fc334 100644
--- a/package/pppd/pppd.mk
+++ b/package/pppd/pppd.mk
@@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
 PPPD_LICENSE_FILES = \
 	pppd/tdb.c pppd/plugins/pppoatm/COPYING \
 	pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
+PPPD_CPE_ID_VENDOR = samba
+PPPD_CPE_ID_NAME = ppp
 
 # 0001-pppd-Fix-bounds-check.patch
 PPPD_IGNORE_CVES += CVE-2020-8597
diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
index e126d0e0a4..94276233c8 100644
--- a/package/proftpd/proftpd.mk
+++ b/package/proftpd/proftpd.mk
@@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
 PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
 PROFTPD_LICENSE = GPL-2.0+
 PROFTPD_LICENSE_FILES = COPYING
+PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
 
 PROFTPD_CONF_ENV = \
 	ac_cv_func_setpgrp_void=yes \
diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
index 08787ef623..d82da101f5 100644
--- a/package/protobuf/protobuf.mk
+++ b/package/protobuf/protobuf.mk
@@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
 PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
 PROTOBUF_LICENSE = BSD-3-Clause
 PROTOBUF_LICENSE_FILES = LICENSE
+PROTOBUF_CPE_ID_VENDOR = google
 
 # N.B. Need to use host protoc during cross compilation.
 PROTOBUF_DEPENDENCIES = host-protobuf
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7b7c7d9637..7e3d18b433 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
 PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
 PURE_FTPD_LICENSE = ISC
 PURE_FTPD_LICENSE_FILES = COPYING
+PURE_FTPD_CPE_ID_VENDOR = pureftpd
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
 # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index cfb87bb6fd..2659a0b982 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
 	doc/licenses/BSD.txt \
 	doc/licenses/elementtree.txt \
 	src/lxml/isoschematron/resources/rng/iso-schematron.rng
+PYTHON_LXML_CPE_ID_VENDOR = lxml
+PYTHON_LXML_CPE_ID_NAME = lxml
 
 # python-lxml can use either setuptools, or distutils as a fallback.
 # So, we use setuptools.
diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
index 2cb575ae22..ade5ca5521 100644
--- a/package/python-setuptools/python-setuptools.mk
+++ b/package/python-setuptools/python-setuptools.mk
@@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
 PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
 PYTHON_SETUPTOOLS_LICENSE = MIT
 PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
+PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
+PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
 PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
 HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
 
diff --git a/package/python/python.mk b/package/python/python.mk
index ccaaadd012..2d4c5a3721 100644
--- a/package/python/python.mk
+++ b/package/python/python.mk
@@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
 PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
 PYTHON_LICENSE = Python-2.0, others
 PYTHON_LICENSE_FILES = LICENSE
+PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
 PYTHON_LIBTOOL_PATCH = NO
 
 # Python needs itself to be built, so in order to cross-compile
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index cb138fd488..21c1dde928 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
 # NOTE: there is no top-level license file for non-(L)GPL licenses;
 #       the non-(L)GPL license texts are specified in the affected
 #       individual source files.
+QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
 
 #-------------------------------------------------------------
 # Target-qemu
diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
index 9f1c82ce40..d3bcef7df1 100644
--- a/package/rapidjson/rapidjson.mk
+++ b/package/rapidjson/rapidjson.mk
@@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
 RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
 RAPIDJSON_LICENSE = MIT
 RAPIDJSON_LICENSE_FILES = license.txt
+RAPIDJSON_CPE_ID_VENDOR = tencent
 
 # rapidjson is a header-only C++ library
 RAPIDJSON_INSTALL_TARGET = NO
diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index f5d7d5bf9e..04872ac868 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
 READLINE_CONF_OPTS = --disable-install-examples
 READLINE_LICENSE = GPL-3.0+
 READLINE_LICENSE_FILES = COPYING
+READLINE_CPE_ID_VENDOR = gnu
 
 define READLINE_INSTALL_INPUTRC
 	$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 1a5fefff06..891a0d29e6 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -9,6 +9,7 @@ REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190609
 REFPOLICY_LICENSE = GPL-2.0
 REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_CPE_ID_VENDOR = tresys
 REFPOLICY_INSTALL_STAGING = YES
 REFPOLICY_DEPENDENCIES = \
 	host-m4 \
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 90f21559f8..f9e1a0443a 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
 RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
+RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
index c17b7fe982..a52cfff3c3 100644
--- a/package/rt-tests/rt-tests.mk
+++ b/package/rt-tests/rt-tests.mk
@@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.8
 RT_TESTS_LICENSE = GPL-2.0+
 RT_TESTS_LICENSE_FILES = COPYING
 RT_TESTS_DEPENDENCIES = numactl
+RT_TESTS_CPE_ID_VENDOR = kernel
 
 define RT_TESTS_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
diff --git a/package/sed/sed.mk b/package/sed/sed.mk
index 6bb3220553..64fb2035b0 100644
--- a/package/sed/sed.mk
+++ b/package/sed/sed.mk
@@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
 SED_SITE = $(BR2_GNU_MIRROR)/sed
 SED_LICENSE = GPL-3.0
 SED_LICENSE_FILES = COPYING
+SED_CPE_ID_VENDOR = gnu
 
 SED_CONF_OPTS = \
 	--bindir=/bin \
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index 63ca3651e8..7b1c1a4b64 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
 SETOOLS_INSTALL_STAGING = YES
 SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
 SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_CPE_ID_VENDOR = selinuxproject
 SETOOLS_SETUP_TYPE = setuptools
 HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-python-networkx
 
diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
index 66ca59d79d..2e29e4c803 100644
--- a/package/setserial/setserial.mk
+++ b/package/setserial/setserial.mk
@@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
 SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
 SETSERIAL_LICENSE = GPL-2.0
 SETSERIAL_LICENSE_FILES = debian/copyright
+
 # make all also builds setserial.cat which needs nroff
 SETSERIAL_MAKE_OPTS = setserial
 
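Review bot: no CPE_ID variable is added to setserial here, only a blank line after SETSERIAL_LICENSE_FILES, so the hunk is either a leftover from a line that was removed or a vendor that was meant to be set (SETSERIAL_SITE is the same snapshot.debian.org archive as mii-diag, which this patch gives `debian`). Either drop the whitespace-only hunk or add the intended assignment.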
diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
index 1a36c75d47..0db0e084f6 100644
--- a/package/smcroute/smcroute.mk
+++ b/package/smcroute/smcroute.mk
@@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
 SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
 SMCROUTE_LICENSE = GPL-2.0+
 SMCROUTE_LICENSE_FILES = COPYING
+SMCROUTE_CPE_ID_VENDOR = troglobit
 
 SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
 #BUG:The package Makefile uses CC?= even though the package is autotools based
diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
index ed97d0a7b4..8caa1e2b3c 100644
--- a/package/spawn-fcgi/spawn-fcgi.mk
+++ b/package/spawn-fcgi/spawn-fcgi.mk
@@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
 SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
 SPAWN_FCGI_LICENSE = BSD-3-Clause
 SPAWN_FCGI_LICENSE_FILES = COPYING
+SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
 
 $(eval $(autotools-package))
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index 3283d40cb1..a3061591b1 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -5,11 +5,13 @@
 ################################################################################
 
 SQLITE_VERSION = 3310100
+SQLITE_CPE_ID_VERSION = 3.31.1
 SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
 SQLITE_SITE = https://www.sqlite.org/2020
 SQLITE_LICENSE = Public domain
 SQLITE_LICENSE_FILES = tea/license.terms
 SQLITE_INSTALL_STAGING = YES
+SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
 
 ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
 SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
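Review bot: SQLITE_CPE_ID_VERSION = 3.31.1 is the dotted rendering of SQLITE_VERSION = 3310100 maintained by hand, with nothing tying the two together; add a comment on the SQLITE_VERSION line giving the mapping (3310100 is 3.31.1) so that a version bump updates both, and move SQLITE_CPE_ID_VENDOR up next to it instead of six lines lower.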
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 7f1752ce57..1f7437fa31 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -12,6 +12,7 @@ STRONGSWAN_PATCH = \
 	$(STRONGSWAN_SITE)/patches/28_gmp_pkcs1_overflow_patch/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
 STRONGSWAN_LICENSE = GPL-2.0+
 STRONGSWAN_LICENSE_FILES = COPYING LICENSE
+STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
 STRONGSWAN_DEPENDENCIES = host-pkgconf
 STRONGSWAN_INSTALL_STAGING = YES
 STRONGSWAN_CONF_OPTS += \
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 9e0a40e561..643eff1cbc 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
 TAR_CONF_OPTS = --exec-prefix=/
 TAR_LICENSE = GPL-3.0+
 TAR_LICENSE_FILES = COPYING
+TAR_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 TAR_DEPENDENCIES += acl
diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
index 6d750b3cd2..913891e897 100644
--- a/package/tcl/tcl.mk
+++ b/package/tcl/tcl.mk
@@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
 TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
 TCL_LICENSE = TCL
 TCL_LICENSE_FILES = license.terms
+TCL_CPE_ID_VENDOR = $(TCL_NAME)
 TCL_SUBDIR = unix
 TCL_INSTALL_STAGING = YES
 TCL_AUTORECONF = YES
diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 01a46b9b5f..9687e3c497 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
 TCPDUMP_SITE = http://www.tcpdump.org/release
 TCPDUMP_LICENSE = BSD-3-Clause
 TCPDUMP_LICENSE_FILES = LICENSE
+TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
 TCPDUMP_CONF_ENV = \
 	ac_cv_linux_vers=2 \
 	td_cv_buggygetaddrinfo=no \
diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
index 57905fda05..301a222e39 100644
--- a/package/tftpd/tftpd.mk
+++ b/package/tftpd/tftpd.mk
@@ -10,6 +10,8 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
 TFTPD_CONF_OPTS = --without-tcpwrappers
 TFTPD_LICENSE = BSD-4-Clause
 TFTPD_LICENSE_FILES = tftpd/tftpd.c
+TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
+TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
 
 define TFTPD_INSTALL_TARGET_CMDS
 	$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
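Review bot: $(TFTPD_NAME) expands to `tftpd`, so the two lines produce `tftpd-hpa_project` and `tftpd-hpa`, while TFTPD_SITE above fetches from the `tftp/tftp-hpa` directory, i.e. the upstream project is spelled `tftp-hpa`. Check which spelling the dictionary uses and write it as a literal; deriving an upstream name from the Buildroot package name is exactly what produces this kind of mismatch.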
diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
index a06c25998f..61e22f6ae8 100644
--- a/package/uboot-tools/uboot-tools.mk
+++ b/package/uboot-tools/uboot-tools.mk
@@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
 UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
 UBOOT_TOOLS_LICENSE = GPL-2.0+
 UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
+UBOOT_TOOLS_CPE_ID_VENDOR = denx
+UBOOT_TOOLS_CPE_ID_NAME = u-boot
 UBOOT_TOOLS_INSTALL_STAGING = YES
 
 # u-boot 2020.01+ needs make 4.0+
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 6c8f295eed..fe24dd08ea 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -21,6 +21,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
 	Documentation/licenses/COPYING.ISC \
 	Documentation/licenses/COPYING.LGPL-2.1-or-later
 
+UTIL_LINUX_CPE_ID_VENDOR = kernel
 UTIL_LINUX_INSTALL_STAGING = YES
 UTIL_LINUX_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 UTIL_LINUX_CONF_OPTS += \
diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
index 035d7b23e9..38656dafe5 100644
--- a/package/valgrind/valgrind.mk
+++ b/package/valgrind/valgrind.mk
@@ -9,6 +9,7 @@ VALGRIND_SITE = ftp://sourceware.org/pub/valgrind
 VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
 VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
 VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
+VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
 VALGRIND_CONF_OPTS = \
 	--disable-ubsan \
 	--without-mpicc
diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 1fbb6a6b86..2bd3d437e4 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -23,6 +23,7 @@ VIM_CONF_ENV = \
 VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
 VIM_LICENSE = Charityware
 VIM_LICENSE_FILES = README.txt
+VIM_CPE_ID_VENDOR = $(VIM_NAME)
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 VIM_CONF_OPTS += --enable-acl
diff --git a/package/wget/wget.mk b/package/wget/wget.mk
index ed3f1fdff9..65c132e453 100644
--- a/package/wget/wget.mk
+++ b/package/wget/wget.mk
@@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
 WGET_DEPENDENCIES = host-pkgconf
 WGET_LICENSE = GPL-3.0+
 WGET_LICENSE_FILES = COPYING
+WGET_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 WGET_CONF_OPTS += --with-ssl=gnutls
diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
index 31b62e36e1..f51aba75df 100644
--- a/package/wireless-regdb/wireless-regdb.mk
+++ b/package/wireless-regdb/wireless-regdb.mk
@@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
 WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
 WIRELESS_REGDB_LICENSE = ISC
 WIRELESS_REGDB_LICENSE_FILES = LICENSE
+WIRELESS_REGDB_CPE_ID_VENDOR = kernel
 
 ifeq ($(BR2_PACKAGE_CRDA),y)
 define  WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
index b87ab20fb2..01d03218d6 100644
--- a/package/wireless_tools/wireless_tools.mk
+++ b/package/wireless_tools/wireless_tools.mk
@@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
 WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
 WIRELESS_TOOLS_LICENSE = GPL-2.0
 WIRELESS_TOOLS_LICENSE_FILES = COPYING
+WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
+WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
 WIRELESS_TOOLS_INSTALL_STAGING = YES
 
 WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
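Review bot: WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR) references a variable that is not in the visible context; confirm it is defined earlier in the file and that WIRELESS_TOOLS_VERSION is composed from it, otherwise the `pre9` hard-coded on the next line will drift from the real version the same way the openssh and sqlite overrides can. No vendor is set here either, so the package gets the infrastructure default; confirm that is what the dictionary lists for wireless_tools.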
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 8e7b9c3a65..93763c3973 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
 WPA_SUPPLICANT_SITE = http://w1.fi/releases
 WPA_SUPPLICANT_LICENSE = BSD-3-Clause
 WPA_SUPPLICANT_LICENSE_FILES = README
+WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
 WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
 WPA_SUPPLICANT_SUBDIR = wpa_supplicant
 WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index ae42b1e62f..5caf421132 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
 XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
 XERCES_LICENSE = Apache-2.0
 XERCES_LICENSE_FILES = LICENSE
+XERCES_CPE_ID_VENDOR = apache
+XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
 XERCES_INSTALL_STAGING = YES
 
 define XERCES_DISABLE_SAMPLES
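Review bot: `$(XERCES_NAME)-c\+\+` works because make passes the backslashes through literally, and `xerces-c\+\+` is the correct CPE 2.3 formatted-string quoting of a literal `+`; the convention is stated nowhere, though. Either document next to the CPE_ID_NAME default that values must be pre-quoted for the formatted-string binding, or quote such characters once in the infrastructure when the ID is assembled, so the next package with punctuation in its product name does not get it wrong.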
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index dbf874e9b9..5c464d91dd 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
 XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_CPE_ID_VENDOR = tukaani
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS = --enable-threads
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (8 preceding siblings ...)
  2020-06-16 17:03 ` [Buildroot] [RFC v9 10/10] packages: fixup of cpe info Matt Weber
@ 2020-06-21  8:45 ` Yann E. MORIN
  2020-06-22 11:44   ` Matthew Weber
  2020-06-25 11:00 ` Thomas Petazzoni
  10 siblings, 1 reply; 25+ messages in thread
From: Yann E. MORIN @ 2020-06-21  8:45 UTC (permalink / raw)
  To: buildroot

On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> Similar to make legal-info, produce a csv delimited file containing
> all selected packages CPE identification.
> 
> By default, support the pkg infra defining a set of CPE_ID_* defaults
> using the package name for the vendor and name as most CPE IDs seem
> to align with that assumption. Plus initially, use the pkg version as
> the CPE ID's version field.

So, as I understand it, the CPE info for host packages will also be
stored in the generated file, but it will be a partial list.

For example, if a host package has a Config.in option (e.g. aespipe,
with BR2_PACKAGE_HOST_AESPIPE=y), then it will be listed in PACKAGES,
and so will be present in the CPE manifest.

But on the other hand, a host package that has no Config.in option but
is part of the dependency chain of a package (e.g. host-pkgconf) will
not be listed in PACKAGES, and thus will not appear in the manifest.

This is a bit awkward I think.

As far as I understand it, the CPE info is (mostly|only) useful to
then query the CVE list applicable to that CPE.

As such, this is (mostly|only) relevant to the target packages, I would
think, no? Thus, host packages should be filtered out.

If we are however interested by the CPE info for host packages, probably
that should go to a separate manifest, like for the legal-info, no?

Also, see an issue, below...

> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
[--SNIP--]
> @@ -864,6 +865,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
>  		mv .legal-info.sha256 legal-info.sha256)
>  	@echo "Legal info produced in $(LEGAL_INFO_DIR)"
>  
> +.PHONY: cpe-info-clean
> +cpe-info-clean:
> +	@rm -f $(CPE_MANIFEST_CSV)

This must also be removed on 'make clean'.

> +.PHONY: cpe-info-prepare
> +cpe-info-prepare:
> +	@$(call MESSAGE,"Gathering CPE info")
> +	@$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
> +
> +.PHONY: cpe-info
> +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
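Review bot: the header written by cpe-info-prepare has five columns (CPE ID, CVE PATCHED, PACKAGE, VERSION, SOURCE SITE) but the `cpe-manifest` helper in pkg-utils.mk writes exactly four (`"$(1)","$(2)","$(3)","$(4)"`), and the per-package call in pkg-generic.mk passes four values (ID, name, version, site). The manifest therefore gets a header `"CPE ID","CVE PATCHED","PACKAGE","VERSION"` over rows whose second column is the package name, and SOURCE SITE is silently dropped. Nothing in the series produces a CVE-patched value, so remove that column from the header and keep header and helper at the same arity.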

I think this dependency is incorrect. Indeed, you really want that
cpe-info-clean be run before cpe-info-prepare, so I think you'll need
these dependencies:

    cpe-info-prepare: cpe-info-clean
    cpe-info: cpe-info-prepare
    cpe-info: $(foreach p,$(filter-out host-%,$(PACKAGES)),$(p)-cpe-info)

(Yes, I see you modeled your dependencies on the legal-info ones, but I
think they are broken.)

[--SNIP--]
> diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
> index d88a14ab0f..9818eda12d 100644
> --- a/package/pkg-utils.mk
> +++ b/package/pkg-utils.mk
> @@ -223,3 +223,11 @@ legal-deps = \
>          $(filter-out $(if $(1:host-%=),host-%),\
>              $(call non-virtual-deps,\
>                  $($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)])
> +
> +#
> +# cpe-info helper functions
> +#
> +
> +define cpe-manifest # cpe, pkg name, version, url
> +	echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV)
> +endef

If (and *if*) we need the CPE info for host packages, then we could
change this helper to redirect to the appropriate manifest, a bit like
is done for legal-info.

But I'm not sure we want it (at least not now).

Regards,
Yann E. MORIN.

> -- 
> 2.17.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 25+ messages in thread
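To make the two points in the reply above concrete, namely what a complete CPE 2.3 identifier looks like once part, vendor, product, version, update and suffix are assembled, and why only target packages belong in the manifest that is later matched against CVE data, here is a small Python model of the cpe-info manifest. It is an added example for this page, not Buildroot code: the package records are constructed by hand to mirror the <PKG>_CPE_ID_* overrides in the fixup patch (versions and site URLs are sample values), the `<name>_project` vendor default and the four-column CSV layout are assumptions that follow the series, and `cpe_matches` is a plain component-wise comparison, not the NVD matching algorithm.

```python
"""Model of the Buildroot cpe-info manifest discussed in this thread.

Added example, not Buildroot code.  Package records are constructed to mirror
the <PKG>_CPE_ID_* overrides in the fixup patch; the <name>_project vendor
default, the four-column CSV layout and cpe_matches() are assumptions.
"""
import csv
import io
import re

CPE_PREFIX_APP = "cpe:2.3:a"
CPE_PREFIX_OS = "cpe:2.3:o"
# edition:language:sw_edition:target_sw:target_hw:other, all ANY
CPE_SUFFIX = "*:*:*:*:*:*"

# Printable characters the CPE 2.3 formatted-string binding requires to be
# backslash-quoted when literal inside a component; '-', '.' and '_' are
# unreserved and stay as they are (NVD writes apache:xerces-c\+\+).
_QUOTE_RE = re.compile(r'([!"#$%&\'()*+,/:;<=>?@\[\]^`{|}~\\])')
_SPLIT_RE = re.compile(r"(?<!\\):")  # colon that is not itself quoted


def cpe_component(value):
    """Bind one attribute value: lowercase, spaces to '_', punctuation quoted."""
    value = value.strip().lower().replace(" ", "_")
    return _QUOTE_RE.sub(r"\\\1", value)


def cpe_id(pkg):
    """Assemble the formatted string the way <PKG>_CPE_ID_* is meant to:
    part by package kind, then vendor:product:version:update:<suffix>."""
    os_like = pkg["name"] in ("linux", "linux-headers")
    prefix = CPE_PREFIX_OS if os_like else CPE_PREFIX_APP
    vendor = pkg.get("cpe_vendor", pkg["name"] + "_project")  # assumed default
    product = pkg.get("cpe_name", pkg["name"])
    version = pkg.get("cpe_version", pkg["version"])
    update = pkg.get("cpe_version_minor")  # e.g. p1 for openssh 8.3p1
    fields = [prefix, cpe_component(vendor), cpe_component(product),
              cpe_component(version), cpe_component(update) if update else "*"]
    return ":".join(fields + [CPE_SUFFIX])


MANIFEST_HEADER = ["CPE ID", "PACKAGE", "VERSION", "SOURCE SITE"]


def write_manifest(packages):
    """Emit the CSV for target packages only (host packages are skipped, as
    the review asks).  Every field is quoted so a comma in a site URL or a
    CPE cannot shift columns."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(MANIFEST_HEADER)
    for pkg in packages:
        if pkg["type"] != "target":
            continue
        writer.writerow([cpe_id(pkg), pkg["name"], pkg["version"], pkg["site"]])
    return buf.getvalue()


def read_manifest(text):
    """Parse the manifest back into one dict per package, keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def cpe_matches(pattern, candidate):
    """Component-wise comparison of a pattern CPE ('*' = ANY in the pattern)
    against a concrete manifest CPE; a simplification of NVD matching."""
    pat, cand = _SPLIT_RE.split(pattern), _SPLIT_RE.split(candidate)
    if len(pat) != 13 or len(cand) != 13:
        raise ValueError("a CPE 2.3 formatted string has 13 components")
    return all(p in ("*", c) for p, c in zip(pat, cand))


# Constructed sample records; versions and sites are illustrative only.
PACKAGES = [
    {"name": "openssh", "type": "target", "version": "8.3p1",
     "site": "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable",
     "cpe_vendor": "openbsd", "cpe_version": "8.3", "cpe_version_minor": "p1"},
    {"name": "xerces", "type": "target", "version": "3.2.3",
     "site": "http://archive.apache.org/dist/xerces/c/3/sources",
     "cpe_vendor": "apache", "cpe_name": "xerces-c++"},
    {"name": "lz4", "type": "target", "version": "1.9.2",
     "site": "https://github.com/lz4/lz4", "cpe_vendor": "Yann Collet"},
    {"name": "linux", "type": "target", "version": "5.4",
     "site": "https://cdn.kernel.org/pub/linux/kernel/v5.x",
     "cpe_vendor": "linux", "cpe_name": "linux_kernel"},
    {"name": "host-pkgconf", "type": "host", "version": "1.6.3",
     "site": "https://distfiles.dereferenced.org/pkgconf"},
]

if __name__ == "__main__":
    print(write_manifest(PACKAGES), end="")
```

Running the file prints a manifest with four rows; the host-pkgconf record never appears, and the xerces row carries `xerces-c\+\+` exactly as the dictionary spells it, which is why the per-package override in the patch has to contain the backslashes unless the infrastructure quotes centrally as `cpe_component` does here.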

* [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs
  2020-06-16 17:03 ` [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs Matt Weber
@ 2020-06-21  8:56   ` Yann E. MORIN
  2020-06-22 11:35     ` Matthew Weber
  0 siblings, 1 reply; 25+ messages in thread
From: Yann E. MORIN @ 2020-06-21  8:56 UTC (permalink / raw)
  To: buildroot

Matt, All,

On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> The reporting of host packages causes some duplication and complicates
> what is really in the targets configuration. For the purpose of the
> first version of this patchset, it's assumed that host packages aren't
> relevant for the configuration and we only report the target's
> contents.

Ah, I see this patch now, which addresses my concerns about host
packages in the first patch.

So, I think we should keep the $(1)-cpe-info rule as-is, but filter-out
host packages as I suggested in the review of the first patch.

Regards,
Yann E. MORIN.

> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> Changes
> 
> v4 -> v8
>  - None
> 
> v3
>  - Fixed host build error because cpe-info wasn't defined
> 
> v1 -> v2
> [Thomas P
>  - select if target vs selecting not host
> ---
>  package/pkg-generic.mk | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 7d892ca1d6..efdde0ad94 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -984,10 +984,12 @@ endif
>  
>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
> +ifeq ($$($(2)_TYPE),target)
>  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  	@$$(call MESSAGE,"Collecting cpe info")
>  	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>  endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
> +endif # ifeq ($$($(2)_TYPE),target)
>  
>  # legal-info: declare dependencies and set values used later for the manifest
>  ifneq ($$($(2)_LICENSE_FILES),)
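Review bot: with the `ifeq ($$($(2)_TYPE),target)` inside the recipe, host-<pkg>-cpe-info is still defined for every host package, just with an empty body, so `make host-foo-cpe-info` succeeds and reports nothing; filtering host packages out of the cpe-info prerequisite list (as suggested above for patch 1) and not defining the rule at all for them is cleaner. Separately, `$(CPE_SUFFIX)` is written with a single dollar while its neighbours use `$$`, so it is expanded when the package .mk is parsed; that only works if CPE_SUFFIX is defined before the package files are included, which deserves a comment or a `$$`.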
> -- 
> 2.17.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix
  2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
@ 2020-06-21  9:23   ` Yann E. MORIN
  2020-06-22 11:34     ` Matthew Weber
  2020-06-25 11:04   ` Thomas Petazzoni
  1 sibling, 1 reply; 25+ messages in thread
From: Yann E. MORIN @ 2020-06-21  9:23 UTC (permalink / raw)
  To: buildroot

On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> There are two types of software CPE prefixes applicable for software,
> one for applications and one for operating systems.
> Note: The third type is for hardware.
> 
> This patchset determines which should be used and stores that
> information with the package for later use when assembling the CPE
> report.

So this means that the CPE manifest in patch 1 is incomplete, and indeed
does not represent actual CPE information, right?

In this case, I think we should not create that manifest until we have
the full information available to generate it.

I am fine with the series introducing the CPE info bit by bit, because
it is easier to review (thanks! :-) ), but the manifest is useless if
only parts of the series are applied.

So, the series should probably be something like:

  - introduce basic CPE info from package metadata
        (patch 1 without the manifest creation)

  - introduce the OS / Application prefix

  - introduce the generic suffix

  - introduce support for the minor-version

etc...

See also a comment below...

> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 1408845613..7d892ca1d6 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif
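Review bot: `$(2)_CPE_PREFIX` is assigned with `=` rather than the `?=` used for the `$(2)_CPE_ID_*` defaults just above it, so a package cannot override its part: anything not named `linux` or `linux-headers` is forced to `$(CPE_PREFIX_APP)` even when it is an operating-system component. Make the `$(filter linux linux-headers,$(1))` test only a default (use `?=`, or a per-package type variable that defaults to the application part) so the special case stays overridable from the package .mk file.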

I think the CPE ID could be constructed as:

    ifneq ($(filter linux linux-headers,$(1)),)
    $(2)_CPE_ID = $(CPE_PREFIX_OS)
    else
    $(2)_CPE_ID = $(CPE_PREFIX_APP)
    endif

    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VENDOR))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_NAME))
    $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VERSION))

    $(2)_CPE_ID += $(CPE_SUFFIX)

... and then...

>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
>  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  	@$$(call MESSAGE,"Collecting cpe info")
> -	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> +	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))

... use $(subst $(space),:,$($(2)_CPE_ID))

The CPE spec, chapter 5.3.2, bullet point 2, states:
    The underscore (x5f) MAY be used, and it SHOULD be used in place of
    whitespace characters (which SHALL NOT be used).

So we know there will be no space in any of the fields, and thus any
existing space is due to our append-assignment, so we can replace the
spaces with a colon.

Regards,
Yann E. MORIN.

>  endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  
>  # legal-info: declare dependencies and set values used later for the manifest
> -- 
> 2.17.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix
  2020-06-21  9:23   ` Yann E. MORIN
@ 2020-06-22 11:34     ` Matthew Weber
  0 siblings, 0 replies; 25+ messages in thread
From: Matthew Weber @ 2020-06-22 11:34 UTC (permalink / raw)
  To: buildroot

Yann,


On Sun, Jun 21, 2020 at 4:24 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> > There are two types of software CPE prefixes applicable for software,
> > one for applications and one for operating systems.
> > Note: The third type is for hardware.
> >
> > This patchset determines which should be used and stores that
> > information with the package for later use when assembling the CPE
> > report.
>
> So this means that the CPE manifest in patch 1 is incomplete, and indeed
> does not represent actual CPE information, right?
>
> In this case, I think we should not create that manifest until we have
> the full information available to generate it.
>
> I am fine with the series introducing the CPE info bit by bit, because
> it is easier to review (thanks! :-) ), but the manifest is useless if
> only parts of the series are applied.
>
> So, the series should probably be something like:
>
>   - introduce basic CPE info from package metadata
>         (patch 1 without the manifest creation)
>
>   - introduce the OS / Application prefix
>
>   - introduce the generic suffix
>
>   - introduce support for the minor-version
>

Good point on ordering

> etc...
>
> See also a comment below...
>
> > diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> > index 1408845613..7d892ca1d6 100644
> > --- a/package/pkg-generic.mk
> > +++ b/package/pkg-generic.mk
> > @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> >  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> >  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
> >
> > +ifneq ($(filter linux linux-headers,$(1)),)
> > +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> > +else
> > +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> > +endif
>
> I think the CPE ID could be constructed as:
>
>     ifneq ($(filter linux linux-headers,$(1)),)
>     $(2)_CPE_ID = $(CPE_PREFIX_OS)
>     else
>     $(2)_CPE_ID = $(CPE_PREFIX_APP)
>     endif
>
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VENDOR))
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_NAME))
>     $(2)_CPE_ID += $(subst $(space),_,$($(2)_CPE_ID_VERSION))
>
>     $(2)_CPE_ID += $(CPE_SUFFIX)
>
> ... and then...
>
> >  $(1)-cpe-info: PKG=$(2)
> >  $(1)-cpe-info:
> >  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
> >       @$$(call MESSAGE,"Collecting cpe info")
> > -     $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> > +     $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>
> ... use $(subst $(space),:,$($(2)_CPE_ID))
>
> The CPE spec, chapter 5.3.2, bullet point 2, states:
>     The underscore (x5f) MAY be used, and it SHOULD be used in place of
>     whitespace characters (which SHALL NOT be used).
>
> So we know there will be no space in any of the fields, and thus any
> existing space is due to our append-assignment, so we can replace the
> spaces with a colon.
>

Thanks, that makes sense and then we don't end up with any spaces to
have to clean up later.

Regards,
Matt


* [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs
  2020-06-21  8:56   ` Yann E. MORIN
@ 2020-06-22 11:35     ` Matthew Weber
  0 siblings, 0 replies; 25+ messages in thread
From: Matthew Weber @ 2020-06-22 11:35 UTC (permalink / raw)
  To: buildroot

Yann,

On Sun, Jun 21, 2020 at 3:59 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Matt, All,
>
> On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> > The reporting of host packages causes some duplication and complicates
> > what is really in the targets configuration. For the purpose of the
> > first version of this patchset, its assumed that host packages aren't
> > relevant for the configuration and we only report the target's
> > contents.
>
> Ah, I see this patch now, which addresses my concerns about host
> packages in the first patch.
>
> So, I think we should keep the $(1)-cpe-info rule as-is, but filter-out
> host packages as I suggested in the review of the first patch.
>

Sure.

Regards,
Matt


* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-06-21  8:45 ` [Buildroot] [RFC v9 01/10] cpe-info: new make target Yann E. MORIN
@ 2020-06-22 11:44   ` Matthew Weber
  2020-06-22 20:55     ` Frank Hunleth
  0 siblings, 1 reply; 25+ messages in thread
From: Matthew Weber @ 2020-06-22 11:44 UTC (permalink / raw)
  To: buildroot

Yann,

On Sun, Jun 21, 2020 at 3:46 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> > Similar to make legal-info, produce a csv delimited file containing
> > all selected packages CPE identification.
> >
> > By default, support the pkg infra defining a set of CPE_ID_* defaults
> > using the package name for the vendor and name as most CPE IDs seem
> > to align with that assumption. Plus initially, use the pkg version as
> > the CPE ID's version field.
>
> So, as I understand it, the CPE info for host packages will also be
> stored in the generated file, but it will be a partial list.
>
> For example, if a host package has a Config.in option (e.g. aespipe,
> with BR2_PACKAGE_HOST_AESPIPE=y), then it will be listed in PACKAGES,
> and so will be present in the CPE manifest.
>
> But on the other hand, a host package that has no Config.in option but
> is part of the dependency chain of a package (e.g. host-pkgconf) will
> not be listed in PACKAGES, and thus will not appear in the manifest.
>
> This is a bit awkward I think.
>
> As far as I understand it, the CPE info is (mostly|only) useful to
> then query the CVE list applicable to that CPE.
>
> As such, this is (mostly|only) relevant to the target packages, I would
> think, no? Thus, host packages should be filtered out.

Correct, only target packages are really useful, but I could see a host
package list also being something that long term would be a good
datapoint.  There are cases where those host packages could inflict
behavior on the target that could need a CVE tagged against them.
(Note, I saw the conclusion you had in "cpe-info: only report target
pkgs".)

>
> If we are however interested by the CPE info for host packages, probably
> that should go to a separate manifest, like for the legal-info, no?
>

Agree.

> Also, see an issue, below...
>
> > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> > ---
> [--SNIP--]
> > @@ -864,6 +865,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
> >               mv .legal-info.sha256 legal-info.sha256)
> >       @echo "Legal info produced in $(LEGAL_INFO_DIR)"
> >
> > +.PHONY: cpe-info-clean
> > +cpe-info-clean:
> > +     @rm -f $(CPE_MANIFEST_CSV)
>
> This must also be removed on 'make clean'.

Sure

>
> > +.PHONY: cpe-info-prepare
> > +cpe-info-prepare:
> > +     @$(call MESSAGE,"Gathering CPE info")
> > +     @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
> > +
> > +.PHONY: cpe-info
> > +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
>
> I think this dependency is incorrect. Indeed, you really want that
> cpe-info-clean be run before cpe-info-prepare, so I think you'll need
> these dependencies:
>
>     cpe-info-prepare: cpe-info-clean
>     cpe-info: cpe-info-prepare
>     cpe-info: $(foreach p,$(filter-out host-%,$(PACKAGES)),$(p)-cpe-info)
>
> (Yes, I see you modeled your dependencies on the legal-info ones, but I
> think they are broken.)
>

:-)  ah ok.

Thanks for the review!

Best regards,
Matt


* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-06-22 11:44   ` Matthew Weber
@ 2020-06-22 20:55     ` Frank Hunleth
  0 siblings, 0 replies; 25+ messages in thread
From: Frank Hunleth @ 2020-06-22 20:55 UTC (permalink / raw)
  To: buildroot

Matt,

> > On 2020-06-16 12:03 -0500, Matt Weber spake thusly:
> > > Similar to make legal-info, produce a csv delimited file containing
> > > all selected packages CPE identification.
> > >
> > > By default, support the pkg infra defining a set of CPE_ID_* defaults
> > > using the package name for the vendor and name as most CPE IDs seem
> > > to align with that assumption. Plus initially, use the pkg version as
> > > the CPE ID's version field.

Sorry for the late comments. I only now saw your CPE patches. This is
really valuable work. One of my projects is being updated to provide
CycloneDX files (XML or JSON). At a high level, CycloneDX combines
information from legal-info, show-info, and cpe-info into one JSON or
XML-formatted file. https://cyclonedx.org/ has more information.

I am not an expert on this, so let me share comments that I received
when forwarding your patches to the people working on CycloneDX
integration:

> Having buildroot output to CycloneDX directly would be ideal. CycloneDX is being adopted by tool makers already so this is in alignment to what others are doing.
>
> CPE, SWID, and PURL are different formats in which software can be identified. CPE is deprecated by the NVD but will likely still be around for another few years. SWID contains a tagId which is used for identity, and the format provides elementary SBOM capabilities as well. PURL also performs identity but also includes location information so that packages can be resolved, which plays into provenance a bit.
>
> All three are valuable. Only CPE and SWID are supported by the NVD. However, every member in the OSS Coalition has, or will be adopting PURL - so basically the entire development ecosystem is about to support it in a major way. Some SCA vendors already support it.
>
> Because all three can be used for identity, all three are valuable in the "known vulnerability" use case as described here: https://cyclonedx.org/use-cases/#known-vulnerabilities

I am very thankful that you've started this work. Certainly having
accurate CPEs is a step in the right direction, IMHO.

Thanks,
Frank


* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
                   ` (9 preceding siblings ...)
  2020-06-21  8:45 ` [Buildroot] [RFC v9 01/10] cpe-info: new make target Yann E. MORIN
@ 2020-06-25 11:00 ` Thomas Petazzoni
  2020-07-01  7:43   ` Gregory CLEMENT
  10 siblings, 1 reply; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:00 UTC (permalink / raw)
  To: buildroot

Hello Matt,

On Tue, 16 Jun 2020 12:03:32 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> Similar to make legal-info, produce a csv delimited file containing
> all selected packages CPE identification.
> 
> By default, support the pkg infra defining a set of CPE_ID_* defaults
> using the package name for the vendor and name as most CPE IDs seem
> to align with that assumption. Plus initially, use the pkg version as
> the CPE ID's version field.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

This patch really does two things:

 - Add some CPE_* variables into the package infrastructure

 - Add a cpe-info make target

These are two separate things, should be two separate patches. However,
see below.

> +.PHONY: cpe-info-clean
> +cpe-info-clean:
> +	@rm -f $(CPE_MANIFEST_CSV)
> +
> +.PHONY: cpe-info-prepare
> +cpe-info-prepare:
> +	@$(call MESSAGE,"Gathering CPE info")
> +	@$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
> +
> +.PHONY: cpe-info
> +cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
> +	@echo "CPE info produced in $(CPE_MANIFEST_CSV)"
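Review bot: The header row written by `cpe-info-prepare` has five columns (`CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE`) while the per-package `cpe-manifest` call in pkg-generic.mk passes four values (CPE ID, raw name, version, source site), so the `CVE PATCHED` column is never filled and every data row is shifted against the header; since nothing in the series populates that column, drop it from the header call. Separately, `cpe-info: cpe-info-clean cpe-info-prepare ...` lists clean and prepare as sibling prerequisites, and make gives no ordering guarantee between siblings under `-j`, so the fresh header can be written before the old manifest is removed; chain them instead (`cpe-info-prepare: cpe-info-clean`, `cpe-info: cpe-info-prepare`).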

I don't think we need/want an additional make target. We have "make
show-info" already, it outputs a JSON blurb, which we can extend with
additional information from the packages.

> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
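Review bot: Because each of these `?=` defaults always yields a value, the generated manifest cannot distinguish a CPE ID a maintainer verified against the NVD from one that is merely `<name>_project:<name>:<version>` guessed from the package name, and a consumer correlating CVEs would treat both as authoritative. Either leave `$(2)_CPE_ID` unset unless the package provides at least `$(2)_CPE_ID_VENDOR`, or record in the manifest whether the ID came from a default, so unverified entries can be flagged for manual review rather than silently reported as clean or affected.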

These variables should be documented in the Buildroot manual.

I see you set some default values for those CPE_ID values, but I am
wondering if that's how we want to do this. Indeed a big question,
which was discussed in a thread earlier this year between Michael
Walle, Akshay Bhat and me is how do we then distinguish packages
for which the CPE information in Buildroot has been verified and is
known to be correct, from packages that have the CPE information not
verified, and even further from packages that don't have any CPE
information because this specific package is not known in the NVD
database.

So I'd like to see a proposal that clarifies how we are going to handle
this. One way is to *not* have any default value for those CPE
variables, and add them to packages progressively, so that we know that
when the CPE information is there, it _has_ been verified.

It's not great because it means adding gazillions of CPE_ID information
in packages. But is there any other option ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix
  2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
  2020-06-21  9:23   ` Yann E. MORIN
@ 2020-06-25 11:04   ` Thomas Petazzoni
  1 sibling, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:04 UTC (permalink / raw)
  To: buildroot

On Tue, 16 Jun 2020 12:03:33 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> +CPE_PREFIX_OS = cpe:2.3:o
> +CPE_PREFIX_APP = cpe:2.3:a
> +CPE_SUFFIX = *:*:*:*:*:*:*
> +
>  ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
>  NLS_OPTS = --enable-nls
>  TARGET_NLS_DEPENDENCIES = host-gettext
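Review bot: `CPE_SUFFIX = *:*:*:*:*:*:*` and the two prefixes are interpolated into a recipe command (the `$(Q)$$(call cpe-manifest,...:$(CPE_SUFFIX),...)` line in this patch's pkg-generic.mk hunk), so the shell sees unquoted `*` characters unless `cpe-manifest` quotes its arguments, and glob expansion against the working directory would corrupt the CSV; please confirm the quoting in `cpe-manifest`. Seven trailing wildcards is the right count for a CPE 2.3 formatted string (update, edition, language, sw_edition, target_sw, target_hw, other), and a comment naming them here would help later readers.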
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 1408845613..7d892ca1d6 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -976,11 +976,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif

Shouldn't the CPE_ID be directly defined with those, i.e in PATCH
01/10, and the type be overridden by the packages which are not
"application" packages, i.e:

$(2)_CPE_TYPE ?= a
$(2)_CPE_ID ?= cpe:2.3:$$($(2)_CPE_TYPE):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):*:*:*:*:*:*:*

Of course, the linux package would have to set LINUX_CPE_TYPE = o.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

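The CPE string layout argued over in Yann's and Thomas's replies on this patch (an `o`/`a` part chosen per package, then `vendor:product:version`, then seven wildcard fields, with whitespace replaced by `_` as CPE spec section 5.3.2 requires) as an added Python example. This is not code from the patch series or from Buildroot. The `OS_PACKAGES` set mirrors the patch's `linux`/`linux-headers` special case, the optional `part` argument models Thomas's per-package type override, and the character check in `cpe_component` is a conservative assumption of this example, not a rule quoted from the spec.

```python
"""CPE 2.3 formatted-string construction and checking (added example)."""
import re

CPE_PART_OS = "o"
CPE_PART_APP = "a"
# The seven trailing fields of a CPE 2.3 formatted string, left as "any":
# update, edition, language, sw_edition, target_sw, target_hw, other.
CPE_WILDCARD_TAIL = ["*"] * 7

# Packages the patch hardcodes as operating systems (everything else is "a").
OS_PACKAGES = {"linux", "linux-headers"}

# Assumption of this example: accept only the unescaped characters commonly
# seen in NVD identifiers. The spec also allows backslash-escaped punctuation,
# which this simplified check rejects rather than mishandles.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_.\-*]+$")


def cpe_component(value):
    """Normalise one vendor/product/version field.

    Spec 5.3.2: whitespace SHALL NOT appear in a field and SHOULD be
    replaced by an underscore, so every run of whitespace becomes one "_".
    """
    value = re.sub(r"\s+", "_", value.strip())
    if not value or not _FIELD_RE.match(value):
        raise ValueError("unsupported characters in CPE field: %r" % value)
    return value


def cpe_part_for(pkg_name, part=None):
    """Pick the part: an explicit override wins (Thomas's CPE_TYPE idea),
    otherwise the patch's fixed OS list decides."""
    if part is not None:
        if part not in (CPE_PART_OS, CPE_PART_APP, "h"):
            raise ValueError("unknown CPE part: %r" % part)
        return part
    return CPE_PART_OS if pkg_name in OS_PACKAGES else CPE_PART_APP


def build_cpe_id(pkg_name, vendor, product, version, part=None):
    """Join prefix, the three identifying fields and the wildcard tail with ':'.

    Because cpe_component() guarantees no field contains whitespace, no
    later clean-up of spaces (the concern in Yann's review) is needed."""
    fields = ["cpe", "2.3", cpe_part_for(pkg_name, part),
              cpe_component(vendor), cpe_component(product),
              cpe_component(version)]
    return ":".join(fields + CPE_WILDCARD_TAIL)


def split_cpe_id(cpe):
    """Split a formatted string into named fields; rejects anything that is
    not exactly 13 colon-separated components (escaped colons not handled)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, parts[2:]))


if __name__ == "__main__":
    # Constructed inputs: a product name with a space shows the "_" rule.
    print(build_cpe_id("linux", "linux", "linux kernel", "5.4.0"))
    print(build_cpe_id("glibc", "gnu", "glibc", "2.31"))
    print(split_cpe_id(build_cpe_id("uboot", "denx", "u-boot", "2020.04", part="o")))
```

Splitting on a bare colon is enough for the identifiers Buildroot would generate, but a general parser has to honour backslash escapes; the function rejects anything that does not come out at exactly 13 fields rather than guessing.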

* [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support
  2020-06-16 17:03 ` [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support Matt Weber
@ 2020-06-25 11:09   ` Thomas Petazzoni
  0 siblings, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:09 UTC (permalink / raw)
  To: buildroot

On Tue, 16 Jun 2020 12:03:36 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

>  $(1)-cpe-info: PKG=$(2)
> +ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
> +$(1)-cpe-info: toolchain
> +endif
>  $(1)-cpe-info:
>  ifeq ($$($(2)_TYPE),target)
> +ifneq ($$($(2)_NAME),toolchain-external)
> +ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
> +ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
> +	$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
> +	$$(eval $(2)_CPE_ID_VENDOR = gnu)
> +	$$(eval $(2)_CPE_ID_NAME = glibc)
> +	$$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
> +	$$(eval $(2)_RAWNAME = glibc)
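Review bot: The recipe-time `$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))` overwrites the package's `_VERSION` variable globally for the rest of the make invocation, so any later target in the same run that reads it (legal-info, show-info, the manifest's VERSION column) sees the glibc version instead of the toolchain package's own; set a dedicated `$(2)_CPE_ID_VERSION` instead of clobbering `_VERSION`. The `$(findstring TOOLCHAIN_EXTERNAL, $(2))` test also matches every package whose upper-cased name contains that substring and relies on the separate `toolchain-external` exclusion just above it to skip the virtual package, which is fragile; this belongs in the external toolchain infrastructure, where the C library and its version are already known.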

It is absolutely atrocious to have this stuff directly in the middle of
pkg-generic.mk, and even further only within the $(1)-cpe-info target.

Why hasn't this been done inside the external toolchain package itself,
or the external toolchain package infrastructure ?

I think this specific issue of having proper tracking of the target
elements (C library, gcc runtime) of the toolchain is global, and not
just for CPE/CVE tracking: we already do not properly track this in
terms of legal-info for example.

So rather than this one-off hack that solves just the specific case of
CPE tracking for glibc in external toolchains, we need a more global
solution.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars
  2020-06-16 17:03 ` [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars Matt Weber
@ 2020-06-25 11:12   ` Thomas Petazzoni
  0 siblings, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:12 UTC (permalink / raw)
  To: buildroot

On Tue, 16 Jun 2020 12:03:37 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> Provide guidance on setting up the *_CPE_* and *_CVE_* variables.

There are only _CPE_ variables, no _CVE_ variable is documented here.

> +* +LIBFOO_CPE_ID_VENDOR+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the vendor. By default it's set
> +  to <pkg-name>_project.
> +
> +* +LIBFOO_CPE_ID_NAME+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the name. By default it's set
> +  to <pkg-name>.
> +
> +* +LIBFOO_CPE_ID_VERSION+
> +  This variable is optional. By default it's set to <pkg-version>.
> +
> +* +LIBFOO_CPE_ID_VERSION_MINOR+
> +  This variable is optional. By default it's set to *.

None of this documentation describes *what* those variables must
contain. It says it's optional, what is the default value, but does not
explain what value it should be set to. This is especially true for
VERSION vs. VERSION_MINOR.

> +* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
> +  default case of a single package's Common Product Enumeration (CPE)
> +  identification string. +make cpe-info+ copies all of these into a
> +  +cpe-manifest.csv+ file. To identify a package's possible CPE,
> +  the National Vunerability Database can be searched at
> +  https://nvd.nist.gov/products/cpe/search.
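Review bot: Spelling in the added manual text: `hangles` should be `handles` and `Vunerability` should be `Vulnerability`; CPE also expands to Common Platform Enumeration, not "Common Product Enumeration". The `LIBFOO_CPE_ID_VERSION` and `LIBFOO_CPE_ID_VERSION_MINOR` entries should say which position in the CPE string each fills and give one example value, otherwise a maintainer cannot tell when to set one rather than the other.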

This explanation could be extended a bit to explain clearly that a
default _CPE_ID value will be defined based on the other CPE_ID_*
variables, and that this should be used to override the overall value
only in special situations.

However, in practice, do we have such cases ? Do you have situation
where customizing VENDOR, NAME, VERSION, VERSION_MINOR is not enough,
and you have to set a package-specific CPE_ID value directly ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper
  2020-06-16 17:03 ` [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper Matt Weber
@ 2020-06-25 11:14   ` Thomas Petazzoni
  0 siblings, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:14 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 16 Jun 2020 12:03:38 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> Python class which consumes a NIST CPE XML and provides helper
> functions to access and search the db's data.
> 
>  - Defines the CPE as a object with operations / formats
>  - Processing of CPE dictionary
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

The pkg-stats script now has some logic to use the NVD database in JSON
format. I guess it doesn't make much sense to duplicate this logic and
use the XML variant of the same database. I believe Grégory has already
worked on moving this pkg-stats NVD/CVE logic into a separate library
so that it can be used elsewhere.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script
  2020-06-16 17:03 ` [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script Matt Weber
@ 2020-06-25 11:18   ` Thomas Petazzoni
  0 siblings, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-06-25 11:18 UTC (permalink / raw)
  To: buildroot

On Tue, 16 Jun 2020 12:03:39 -0500
Matt Weber <matthew.weber@rockwellcollins.com> wrote:

> The script supports looking up all the CPEs provided in a
> make cpe-info csv file export from a target Buildroot build.
> It checks the current version and suggests a CPE needs update
> or possibly an initial submission is required to NIST.
> 
> Adds option to allow alternate locations for the dictionary
> URL and caching of a processed dictionary to speed up execution.
> 
> Outputs a cpe/ folder with proposed xml generated from the
> dictionary contents to propose updated versions to NIST.
> 
> For missing CPE matches, a cpe-report-missing.txt is created
> by the script that can be used later to manually create proposed
> new NIST dictionary entries.
> 
> Ref: NIST has a group email (cpe_dictionary at nist.gov) used to
> receive these version update and new entry xml files.  They do
> process the XML and provide feedback. In some cases they will
> propose back something different where the vendor or version is
> slightly different.
> 
> Limitations
>  - Currently any use of non-number version identifiers isn't
>    supported by NIST as they use ranges to determine impact
>    of a CVE
>  - Any Linux version from a non-upstream is also not supported
>    without manually adjusting the information as the custom
>    kernel will more than likely not match the upstream version
>    used in the dictionary
> 
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

At this point, I am not really clear what this script does. Indeed,
what I would have initially expected is a script that based on the
"show-info" output, tells the user what are the known unfixed CVEs
affecting his configuration. But this is not what this cpe-report
script is doing.

I am not sure to understand what are the CPE updates that this script
generates ? Does the NVD database need to know about all versions of
all software components ? I thought the database was indexed by CVE, and
then provided for each CVE the range of versions of the software
component affected by that CVE.

Could you clarify a bit the whole process, and what are those "CPE
updates" sent to NIST useful for ?

> +CPE_XML_URL = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz"

Or perhaps this "dictionary" is not about CVEs, but about listing all
versions of all software components ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-06-25 11:00 ` Thomas Petazzoni
@ 2020-07-01  7:43   ` Gregory CLEMENT
  2020-07-01 11:57     ` Thomas Petazzoni
  0 siblings, 1 reply; 25+ messages in thread
From: Gregory CLEMENT @ 2020-07-01  7:43 UTC (permalink / raw)
  To: buildroot

Hello,

>> +$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
>> +$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>> +$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>> +$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>
> These variables should be documented in the Buildroot manual.
>
> I see you set some default values for those CPE_ID values, but I am
> wondering if that's how we want to do this. Indeed a big question,
> which was discussed in a thread earlier this year between Michael
> Walle, Akshay Bhat and me is how do we then distinguish packages
> for which the CPE information in Buildroot has been verified and is
> known to be correct, from packages that have the CPE information not
> verified, and even further from packages that don't have any CPE
> information because this specific package is not known in the NVD
> database.
>
> So I'd like to see a proposal that clarifies how we are going to handle
> this. One way is to *not* have any default value for those CPE
> variables, and add them to packages progressively, so that we know that
> when the CPE information is there, it _has_ been verified.
>
> It's not great because it means adding gazillions of CPE_ID information
> in packages. But is there any other option ?

I am working on adding a tool allowing to check the cve status of a
given configuration. I am about to submit it. For now I base my check on
the buildroot package name as it is done in pkg-stat, but as you know
there are some mismatches. At a point there will be the need to use the
CPE information, so I have already had to think on how to manage it.

I already have to deal with failure when checking if a version was
affected by a CVE. And for this situation I chose to report that
failure instead of considering the package being affected or not by
default. The idea is to, later, be able to fix the failure but in the
meantime being aware of it.

For package name I would use a similar approach: if there is no CPE_ID
provided then try to use the package name but in this case report that
it has to be checked manually, while if there is a CPE_ID then use it as
a reliable name. So I am clearly in favor of the second option proposed
by Thomas. The ultimate goal is to have a CPE_ID information in each
package but in the meantime there is a path to achieve this.

Gregory

>
> Best regards,
>
> Thomas
> -- 
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

-- 
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com

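Gregory's approach above (treat an explicit CPE ID as reliable, fall back to the package name but report that it must be checked by hand, and report a failed version check rather than assuming affected or unaffected), combined with the earlier decision in this thread to keep host packages out of the manifest, as an added Python example. It is not Buildroot's code: the package records are constructed, and the `STATUS` column, the `resolve_cpe`/`manifest_rows` names and the `cpe` dict holding what a package set explicitly are assumptions of this example that stand in for what the package infrastructure would provide.

```python
"""Manifest rows that record where each CPE ID came from (added example)."""
import csv
import io

MANIFEST_HEADER = ["CPE ID", "PACKAGE", "VERSION", "SOURCE SITE", "STATUS"]

# Constructed sample records standing in for what the package infrastructure
# knows about each package. "cpe" holds only what the package's .mk file set
# explicitly; an empty dict means it relies entirely on the infra defaults.
SAMPLE_PACKAGES = [
    {"name": "openssl", "type": "target", "version": "1.1.1g",
     "site": "https://www.openssl.org/source",
     "cpe": {"vendor": "openssl", "name": "openssl"}},
    {"name": "busybox", "type": "target", "version": "1.31.1",
     "site": "https://www.busybox.net/downloads", "cpe": {}},
    {"name": "host-pkgconf", "type": "host", "version": "1.6.3",
     "site": "https://distfiles.dereferenced.org/pkgconf", "cpe": {}},
    # A local package with no version: no affected/unaffected claim is possible.
    {"name": "mylocalpkg", "type": "target", "version": "", "site": "", "cpe": {}},
]


def resolve_cpe(pkg):
    """Return (cpe_id, status) for one package.

    "verified"           the package set its own vendor and name, so the ID
                         is treated as reliable;
    "unverified-default" the ID is <name>_project:<name>:<version>, i.e. the
                         ?= defaults of the patch, and must be checked by hand;
    "check-failed"       no usable version, so the failure is reported instead
                         of silently deciding affected or not affected.
    """
    explicit = pkg["cpe"]
    vendor = explicit.get("vendor", pkg["name"] + "_project")
    name = explicit.get("name", pkg["name"])
    version = explicit.get("version", pkg["version"])
    part = explicit.get("part", "a")
    if not version:
        return "", "check-failed"
    cpe_id = "cpe:2.3:%s:%s:%s:%s:*:*:*:*:*:*:*" % (part, vendor, name, version)
    if "vendor" in explicit and "name" in explicit:
        return cpe_id, "verified"
    return cpe_id, "unverified-default"


def manifest_rows(packages, include_host=False):
    """One row per package; host packages are dropped unless requested,
    matching the decision to report only target packages."""
    rows = []
    for pkg in packages:
        if pkg["type"] == "host" and not include_host:
            continue
        cpe_id, status = resolve_cpe(pkg)
        rows.append([cpe_id, pkg["name"], pkg["version"], pkg["site"], status])
    return rows


def render_manifest(packages, include_host=False):
    """Serialise the rows as CSV with a header, like cpe-manifest.csv."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(MANIFEST_HEADER)
    writer.writerows(manifest_rows(packages, include_host))
    return buf.getvalue()


def needs_manual_review(packages):
    """Target packages whose CPE ID cannot be trusted without a human look."""
    return sorted(p["name"] for p in packages
                  if p["type"] == "target" and resolve_cpe(p)[1] != "verified")


if __name__ == "__main__":
    print(render_manifest(SAMPLE_PACKAGES), end="")
    print("needs manual review:", ", ".join(needs_manual_review(SAMPLE_PACKAGES)))
```

The point of the extra column is that a CVE matcher consuming the CSV can refuse to draw a conclusion for `unverified-default` and `check-failed` rows, which is the failure-reporting behaviour Gregory describes, instead of letting a guessed vendor name quietly produce a clean result.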

* [Buildroot] [RFC v9 01/10] cpe-info: new make target
  2020-07-01  7:43   ` Gregory CLEMENT
@ 2020-07-01 11:57     ` Thomas Petazzoni
  0 siblings, 0 replies; 25+ messages in thread
From: Thomas Petazzoni @ 2020-07-01 11:57 UTC (permalink / raw)
  To: buildroot

Hello,

On Wed, 01 Jul 2020 09:43:10 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> > It's not great because it means adding gazillions of CPE_ID information
> > in packages. But is there any other option ?  
> 
> I am working on adding a tool allowing to check the cve status of a
> given configuration. I am about to submit it. For now I base my check on
> the buildroot package name as it is done in pkg-stat, but as you know
> there are some mismatches. At a point there will be the need to use the
> CPE information, so I have already had to think on how to manage it.
> 
> I already have to deal with failure when checking if a version was
> affected by a CVE. And for this situation I chose to report that
> failure instead of considering the package being affected or not by
> default. The idea is to, later, be able to fix the failure but in the
> meantime being aware of it.
> 
> For package name I would use a similar approach: if there is no CPE_ID
> provided then try to use the package name but in this case report that
> it has to be checked manually, while if there is a CPE_ID then use it as
> a reliable name. So I am clearly in favor of the second option proposed
> by Thomas. The ultimate goal is to have a CPE_ID information in each
> package but in the meantime there is a path to achieve this.

This all looks sensible to me, so please go ahead and submit the
initial work you have, even without CPE ID support for now.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
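As an added illustration, not code from this thread or from Buildroot, here is how the policy Gregory describes above could be written in Python: an explicit CPE_ID is taken as-is and marked reliable; without one, the package name is used for both the vendor and product fields and the result is flagged for manual checking; and a version comparison that cannot be carried out is reported as a failure instead of silently deciding either way. The CPE 2.3 escaping helper, the dotted-numeric version parser, the status vocabulary and the sample packages are my own assumptions, not anything the thread specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed status vocabulary (not Buildroot's): how far a result can be trusted.
RELIABLE = "reliable"              # explicit CPE_ID supplied by the package
CHECK_MANUALLY = "check-manually"  # derived from the package name; must be reviewed
FAILURE = "failure"                # the check could not be carried out
AFFECTED = "affected"
NOT_AFFECTED = "not-affected"


@dataclass(frozen=True)
class CpeResolution:
    """A CPE 2.3 formatted string plus how much it can be trusted."""
    package: str
    cpe: str
    status: str


def cpe23_escape(value: str) -> str:
    """Backslash-escape characters that are not unreserved in a CPE 2.3
    formatted-string component (letters, digits, '.', '_' and '-' are kept)."""
    return re.sub(r"([^A-Za-z0-9._-])", r"\\\1", value)


def resolve_cpe(pkg_name: str, pkg_version: str,
                cpe_id: Optional[str] = None) -> CpeResolution:
    """Prefer an explicit CPE_ID; otherwise derive vendor and product from the
    package name and flag the result for manual verification."""
    if cpe_id:
        return CpeResolution(pkg_name, cpe_id, RELIABLE)
    vendor = product = cpe23_escape(pkg_name)
    version = cpe23_escape(pkg_version)
    # Remaining components (update, edition, language, ...) are left as ANY.
    cpe = f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"
    return CpeResolution(pkg_name, cpe, CHECK_MANUALLY)


def version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """Parse a purely dotted-numeric version; None when it cannot be parsed
    (e.g. '1.1.1g'), so callers can report a failure rather than guess."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return tuple(int(part) for part in version.split("."))


def check_affected(pkg_version: str,
                   affected_ranges: List[Tuple[str, Optional[str]]]) -> str:
    """Return AFFECTED, NOT_AFFECTED or FAILURE.

    affected_ranges holds (start_inclusive, end_exclusive) pairs; end may be
    None for an open-ended range. Any version that cannot be compared yields
    FAILURE instead of a silent default in either direction."""
    version = version_tuple(pkg_version)
    if version is None:
        return FAILURE
    for start, end in affected_ranges:
        start_v = version_tuple(start)
        end_v = version_tuple(end) if end is not None else None
        if start_v is None or (end is not None and end_v is None):
            return FAILURE
        if version >= start_v and (end_v is None or version < end_v):
            return AFFECTED
    return NOT_AFFECTED


def cpe_report(packages) -> List[Tuple[str, str, str]]:
    """Build (package, cpe, status) rows, the shape a csv writer would consume.
    Each entry of packages is (name, version, optional CPE_ID)."""
    return [(r.package, r.cpe, r.status)
            for r in (resolve_cpe(*p) for p in packages)]


if __name__ == "__main__":
    # Constructed sample packages: (name, version, optional CPE_ID).
    sample = [
        ("libxml2", "2.9.10", None),
        ("openssl", "1.1.1g", "cpe:2.3:a:openssl:openssl:1.1.1g:*:*:*:*:*:*:*"),
        ("gcc++", "10.1", None),
    ]
    for row in cpe_report(sample):
        print(",".join(row))
    print(check_affected("1.1.1g", [("1.1.1", "1.1.1h")]))
```

The status column is the point: a consumer of the report can treat "reliable" rows as ready for lookup, queue "check-manually" rows for a human, and surface "failure" results rather than letting an unparseable version quietly become "not affected".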


Thread overview: 25+ messages
2020-06-16 17:03 [Buildroot] [RFC v9 01/10] cpe-info: new make target Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 02/10] cpe-info: id prefix/suffix Matt Weber
2020-06-21  9:23   ` Yann E. MORIN
2020-06-22 11:34     ` Matthew Weber
2020-06-25 11:04   ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 03/10] cpe-info: only report target pkgs Matt Weber
2020-06-21  8:56   ` Yann E. MORIN
2020-06-22 11:35     ` Matthew Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 04/10] cpe-info: cpe minor version support Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support Matt Weber
2020-06-25 11:09   ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 06/10] cpe-info: update manual for new pkg vars Matt Weber
2020-06-25 11:12   ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 07/10] support/scripts/cpedb.py: new CPE XML helper Matt Weber
2020-06-25 11:14   ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 08/10] support/scripts/cpe-report: new script Matt Weber
2020-06-25 11:18   ` Thomas Petazzoni
2020-06-16 17:03 ` [Buildroot] [RFC v9 09/10] docs/manual: new security management section Matt Weber
2020-06-16 17:03 ` [Buildroot] [RFC v9 10/10] packages: fixup of cpe info Matt Weber
2020-06-21  8:45 ` [Buildroot] [RFC v9 01/10] cpe-info: new make target Yann E. MORIN
2020-06-22 11:44   ` Matthew Weber
2020-06-22 20:55     ` Frank Hunleth
2020-06-25 11:00 ` Thomas Petazzoni
2020-07-01  7:43   ` Gregory CLEMENT
2020-07-01 11:57     ` Thomas Petazzoni
