[Buildroot] CVE tracking for selected packages

Titouan Christophe titouan.christophe at railnova.eu
Wed Feb 19 10:25:41 UTC 2020


Hello Thomas and all,

On 2/19/20 10:21 AM, Thomas De Schampheleire wrote:
> Hi all,
> 
> With the recent addition of CVE checks in the pkg-stats script, we
> have made a great step forward, and anyone can check the list at:
> http://autobuild.buildroot.org/stats/ to see which packages have which CVEs.
> 
> What would be another great improvement, is the possibility to check
> for a given defconfig in a particular Buildroot tree (i.e. not
> necessarily the master) which CVEs are not yet solved.

I'm glad that you came up with this proposal. I also wanted something 
similar for our builds.

> 
> Basically something like:
> 
>      make cve-info
> 
> which would list only those CVEs applicable for the packages selected,
> so that a user knows directly if action is required or not for their
> particular case.
> 
> Alternatively, we could add the info to 'make show-info', but since
> obtaining the info will also require a download of the CVE databases,
> I assume this is not desired.
> 
> For the implementation, I assume we should either create a make target
> to call pkg-stats with the list of packages required, and perhaps
> restricting to CVE checking only (instead of also version checking),
> or extract the CVE logic to another file that can be reused by both
> pkg-stats as the new thing.

Extracting this logic into a dedicated script would make sense, as 
finding the CVEs only requires a list of pairs [(package, version)], and 
could be run entirely outside of a Buildroot tree.

In my CI/CD pipelines, I already run `make legal-info` as the last step, 
and I imagine reusing the CSV output of legal-info (or any other script 
that generates a "manifest" of the included packages) could be done on a 
daily basis, like in a nightly build.

> 
> Feedback welcome!
> 
> Thomas
> 

Best regards,

Titouan

PS: By the way, I have some code nearly ready to switch to the v1.1 of 
the NVD feeds. Patch coming soon.
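One way to structure the standalone CVE-matching step discussed above, as an added example that is not Buildroot's pkg-stats code: it reads a legal-info style manifest for (package, version) pairs and matches them against a CVE list whose version-range fields are named after the NVD JSON 1.1 cpe_match keys. The manifest contents, the CVE entries and the CVE identifiers are constructed placeholders, and the version comparison is a simplification.

```python
import csv
import io
import re

# Constructed sample in the shape of a legal-info manifest.csv (assumed header).
# Only PACKAGE and VERSION are needed for the CVE check; other columns are ignored.
MANIFEST_CSV = '''"PACKAGE","VERSION","LICENSE","SOURCE ARCHIVE"
"busybox","1.31.1","GPL-2.0","busybox-1.31.1.tar.bz2"
"openssl","1.1.1d","OpenSSL","openssl-1.1.1d.tar.gz"
"zlib","1.2.11","Zlib","zlib-1.2.11.tar.gz"
'''

# Constructed CVE entries with placeholder identifiers (not real CVEs). The
# range keys mirror the NVD JSON 1.1 cpe_match fields so a feed loader could
# fill the same structure.
CVE_ENTRIES = [
    {"id": "CVE-0000-0001", "product": "busybox",
     "ranges": [{"versionEndExcluding": "1.32.0"}]},
    {"id": "CVE-0000-0002", "product": "openssl",
     "ranges": [{"versionStartIncluding": "1.1.1", "versionEndIncluding": "1.1.1c"}]},
    {"id": "CVE-0000-0003", "product": "zlib",
     "ranges": [{"versionEndIncluding": "1.2.8"}]},
]

def parse_version(v):
    """Turn '1.1.1d' into ((1,''),(1,''),(1,'d')) so tuples compare numerically
    first and by suffix letter second. Simplified, not a full version grammar."""
    parts = []
    for tok in re.split(r"[.\-]", v):
        m = re.match(r"(\d+)(.*)", tok)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, tok))
    return tuple(parts)

def in_range(version, rng):
    """True when `version` satisfies every bound present in the range dict."""
    v = parse_version(version)
    checks = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(parse_version(rng[k])) for k, ok in checks if k in rng)

def read_manifest(text):
    return [(r["PACKAGE"], r["VERSION"]) for r in csv.DictReader(io.StringIO(text))]

def unsolved_cves(manifest, entries):
    """Map each affected package in the manifest to the CVE ids that hit it."""
    by_product = {}
    for e in entries:
        by_product.setdefault(e["product"], []).append(e)
    result = {}
    for pkg, ver in manifest:
        hits = [e["id"] for e in by_product.get(pkg, [])
                if any(in_range(ver, r) for r in e["ranges"])]
        if hits:
            result[pkg] = hits
    return result

if __name__ == "__main__":
    for pkg, ids in unsolved_cves(read_manifest(MANIFEST_CSV), CVE_ENTRIES).items():
        print(pkg, ",".join(ids))
```

Run against the sample, only busybox is reported: openssl 1.1.1d is past the inclusive 1.1.1c bound and zlib 1.2.11 is newer than 1.2.8, which the suffix-aware tuple comparison handles without treating "11" as less than "8".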

