[Buildroot] [NEXT 06/26] boa: add CPE id

Thomas Petazzoni thomas.petazzoni at bootlin.com
Fri Mar 2 09:49:33 UTC 2018 

Hello,

On Fri, 2 Mar 2018 09:19:25 +0100, Arnout Vandecappelle wrote:

>  Just to be clear about what you're saying here: in v3, you'll making it so that
> nothing has to be done explicitly in the package to get a CPE ID, but it may be
> (and probably will be) invalid? So that the initial report will contain a huge
> amount of invalid entries, and we can fix them one by one?
> 
>  I realize I'm contradicting myself, but that still leaves us with a problem (or
> rather, limitation). We have no way of keeping track of which packages have been
> checked and which haven't, so we have no way of keeping track of which ones are
> broken.
> 
>  Or perhaps the pkg-stats script could eventually check the entry in the CPE
> database, and add a column to indicate that it's valid or not?

Yes, that would be the idea.

> > The CPE list will be as accurate as people using it update the NIST
> > entries, either manually or as Buildroot nudges them to send an email.
> > The CVEs those CPEs will find is another complete story and most open
> > ways of searching for those don't concluded clean results without a
> > good amount of manual intervention.  
> 
>  Yes, I do realize that this is a kind of catch-22 situation, if nobody uses the
> database then obviously it will not be up-to-date. But to be honest, right now I
> don't even really understand what kind of information you can get from it even
> in the ideal case. That's why I asked to post an RFC script, so we can get some
> idea of what the end goal is (and ultimately, whether this is worth the effort).

Yes, I agree. The current proposal that just adds CPE_ID to packages,
and has a mechanism to generate a CSV based on that isn't very useful
per-se. I would also like to see the tooling that processes those
CPE_ID to query the NIST database, and get some useful data out of it.

Even if the data isn't great for the moment because the NIST database
is limited, it would show how the whole thing would be useful.

Right now the patch series just adds some IDs and generates a CSV with
those IDs, which isn't terribly useful.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
http://bootlin.com

More information about the buildroot mailing list