[Buildroot] [PATCH v8 2/9] cpe-info: id prefix/suffix

Arnout Vandecappelle arnout at mind.be
Sun Apr 14 14:53:49 UTC 2019



On 08/03/2019 23:04, Matt Weber wrote:
> There are two types of software CPE prefixes applicable for software,
> one for applications and one for operating systems.
> Note: The third type is for hardware.
> 
> This patchset determines which should be used and stores that
> information with the package for later use when assembling the CPE
> report.
> 
> Refs:
>    https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
>    https://cpe.mitre.org/specification/
> 
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
> ---
> Changes
> 
> v8
>  - Rebase
> 
> v4 -> v7
>  - None
> 
> v3
> [Arnout
>  - Moved CPE prefix and suffix defines to package/Makefile.in
> 
> v1 -> v2
> [Thomas P
>  - Change to using a filter on pkg name value vs ifelse
> ---
>  package/Makefile.in    | 4 ++++
>  package/pkg-generic.mk | 8 +++++++-
>  2 files changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/package/Makefile.in b/package/Makefile.in
> index dc818a2..644282f 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -389,6 +389,10 @@ TARGET_CONFIGURE_ARGS = \
>  
>  ################################################################################
>  
> +CPE_PREFIX_OS = cpe:2.3:o
> +CPE_PREFIX_APP = cpe:2.3:a
> +CPE_SUFFIX = *:*:*:*:*:*:*

 This is not correct. For Python packages, for instance, the language field is
set to python.

> +
>  ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
>  NLS_OPTS = --enable-nls
>  TARGET_NLS_DEPENDENCIES = host-gettext
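Review bot: `CPE_SUFFIX` fixes all seven trailing CPE 2.3 fields (update, edition, language, sw_edition, target_sw, target_hw, other) to `*` for every package, with no per-package override, so a package that needs a non-wildcard value in any of them cannot express it. Consider assembling the suffix from per-package variables defaulted with `?=`, in the same way as `$(2)_CPE_ID_NAME ?= $$($(2)_NAME)` in pkg-generic.mk, and add a comment above these three defines naming the fields the suffix stands for.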
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index 644128d..a547c65 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -916,11 +916,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
>  $(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
>  $(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
>  
> +ifneq ($(filter linux linux-headers,$(1)),)
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)

 The linux and linux-headers packages are so special that I don't think it makes
sense to have a separate rule here. For example, the value of LINUX_VERSION is
probably NOT what you want to use in CPE_ID.

 Regards,
 Arnout


> +else
> +$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
> +endif
> +
>  $(1)-cpe-info: PKG=$(2)
>  $(1)-cpe-info:
>  ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  	@$$(call MESSAGE,"Collecting cpe info")
> -	$(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
> +	$(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
>  endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
>  
>  # legal-info: declare dependencies and set values used later for the manifest
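Review bot: `$(2)_CPE_PREFIX` is assigned with `=` from a package-name filter inside the generic infrastructure, so a value set in a package's own makefile before the infrastructure is evaluated gets overwritten, unlike the neighbouring `$(2)_CPE_ID_*` variables, which use `?=`. Suggest defaulting with `$(2)_CPE_PREFIX ?= $$(CPE_PREFIX_APP)` and letting the two kernel packages set the OS prefix themselves, which also removes the hard-coded `linux linux-headers` list from pkg-generic.mk. The new references `$(CPE_PREFIX_OS)`, `$(CPE_PREFIX_APP)` and `$(CPE_SUFFIX)` use a single `$` where the surrounding lines in this block use `$$`; make that consistent or add a comment saying that expansion at call time is intended.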
> 

