[Buildroot] [PATCH 0/2] Add CVE reporting to pkg-stats

Thomas Petazzoni thomas.petazzoni at bootlin.com
Tue Feb 4 21:52:29 UTC 2020


This set of commit extends the pkg-stats tool to use the NVD database
(https://nvd.nist.gov/vuln/data-feeds) to see if the current version
of each Buildroot package is affected by a CVE.

An example result can be seen here:

 - Human readable HTML:       https://bootlin.com/~thomas/stats-cve.html
 - Machine parseable JSON:    https://bootlin.com/~thomas/stats-cve.json

Thanks to this, we can see that 60 of our packages are apparently
affected by a total of 185 CVEs.

A new per-package variable, <pkg>_IGNORE_CVES, is introduced, and
allows to tell the tool to ignore some CVEs, for example because it is
fixed by a local patch in Buildroot, or because the CVE does not apply
to the Buildroot package (the CVE only affects a non-Linux operating
system, or affect a functionality of the package that isn't built in

Of course, the results are not perfect:

 - The NVD database product names certainly don't 100% match the
   Buildroot package names. We might have to add some extra metadata
   information in each package (CPE ID ?) to map to the correct NVD
   database product name.

 - Buildroot packages that have a version selection are not correctly

But overall, it already provide useful results. The plan is of course
to implement e-mail notification to Buildroot developers in charge of
packages with unfixed CVEs, in a second step.

Thanks to Thomas DS and Titouan for all the help in the implementation
of this. We started at 2 PM today, and we have this first version to

Thomas DS: I told you we could have something done by the end of the day!


Thomas Petazzoni (2):
  support/scripts/pkg-stats: add support for CVE reporting
  docs/manual: describe the new <pkg>_IGNORE_CVES variable

 docs/manual/adding-packages-generic.txt |  14 +++
 support/scripts/pkg-stats               | 157 +++++++++++++++++++++++-
 2 files changed, 170 insertions(+), 1 deletion(-)


More information about the buildroot mailing list