[Buildroot] [External] Re: Gsoc Interest : Follow upstream updates and CVEs of packages

Arnout Vandecappelle arnout at mind.be
Tue Mar 26 21:55:13 UTC 2019


 Hi Manas,

On 13/03/2019 14:19, Manas Mangaonkar wrote:
>> With respect to what breakages?  Test builds or versions not listed in
>> NVD?  
> 
> For example, if a packager or user tries to package something or build something for
> Buildroot, but then due to some upstream dependency issues
> or other problems it does not build, then this can be automatically reported as an
> issue in the upstream repo. This is a Git-specific approach though,
> but this could work for everything.

 The project we had in mind was more about identifying open CVEs (or other
vulnerabilities) on Buildroot packages, not on problems with building them. For
the latter, we already have the autobuild infrastructure that serves very well.


>> I don't think a NVD only approach makes sense.  It could be a
>> start but there are tools that centralize feeds.  I'd suggest
>> reviewing Debian, Gentoo, and other distros approaches and tooling for
>> this situation.
> 
> As a packager at Fedora, currently we have automated update posting on Bugzilla
> whenever we have updates available

 We have that too (since recently) [1]. Well, not creating bugs automatically,
and the bulk of the packages don't have a match at release-monitoring yet, but
it's a start :-)

> but not an automated build breakage notifier due
> to upstream.

 We don't have anything like automatic updates, and I'm not sure if we would
want it....

> As far as I know, the same goes for Debian. There does exist one tool that releases to
> GitHub, then to PyPI and then to Fedora (which is Fedora's own GSoC project).
> So modifying it with Buildroot functionality and other custom functions for
> Buildroot and tracking CVEs would be something to consider.
> 
> The OWASP tracking project looks interesting.

 The eye candy scares the hell out of me :-)

 But it's true, if we can convert [1] into a BoM for Dependency-Track then that
tool can take care of identifying vulnerabilities.


 Regards,
 Arnout


[1] http://autobuild.buildroot.net/stats/
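The BoM conversion mentioned in the message above, as an added example that is not part of the original mail and not Buildroot's or Dependency-Track's own code. It assumes a plain "name version" package list (the sample below is constructed; how such a list is exported from Buildroot is an assumption, not something the mail specifies) and emits a CycloneDX 1.4 JSON BoM, which is the format Dependency-Track ingests. Host packages are kept but tagged with the CycloneDX `excluded` scope so build-time-only tools can be filtered out of target-image risk reports.

```python
import json
import re
from urllib.parse import quote

# Constructed sample input: one "name version" pair per line.
# The format is an assumption for this example, not a Buildroot export format.
SAMPLE_PACKAGE_LIST = """\
busybox 1.30.1
openssl 1.1.1b
zlib 1.2.11
# comment lines and blank lines are ignored
host-python 3.7.2
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.+-]+)\s+(\S+)\s*$")


def parse_package_list(text):
    """Parse 'name version' lines into (name, version) tuples.

    Blank lines and '#' comments are skipped; any other malformed line
    raises so that a truncated or corrupted export is not silently
    turned into an incomplete BoM.
    """
    packages = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable package line: {line!r}")
        packages.append((match.group(1), match.group(2)))
    return packages


def to_purl(name, version):
    """Build a generic package URL (purl) for a component.

    Dependency-Track keys vulnerability lookups on purl and CPE; the
    'generic' type is the fallback for packages outside a known ecosystem.
    """
    return f"pkg:generic/{quote(name, safe='')}@{quote(version, safe='')}"


def build_cyclonedx_bom(packages, bom_version=1):
    """Produce a CycloneDX 1.4 BoM dict from (name, version) pairs."""
    components = []
    for name, version in packages:
        # host-* packages are build-machine tools, not target firmware content;
        # 'excluded' is a valid CycloneDX scope and lets reports filter them out.
        scope = "excluded" if name.startswith("host-") else "required"
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": to_purl(name, version),
            "scope": scope,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": bom_version,
        "components": components,
    }


def bom_to_json(bom):
    """Serialize the BoM for upload to Dependency-Track's BoM endpoint."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    print(bom_to_json(build_cyclonedx_bom(parse_package_list(SAMPLE_PACKAGE_LIST))))
```

Match quality in Dependency-Track depends on the identifiers in each component: a generic purl gives weaker coverage than a CPE, so filling the optional CycloneDX `cpe` field for packages whose NVD product name is known (e.g. openssl) noticeably improves CVE matching.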

