[Buildroot] CVEs not matching buildroot packages
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Wed Mar 18 14:12:56 UTC 2020
Hello,
On Wed, 18 Mar 2020 14:57:27 +0100
Heiko Thiery <heiko.thiery at gmail.com> wrote:
> Just to go on with this I did a proof of concept for the CVE mapping.
>
> A first version can be found here:
> https://github.com/hthiery/buildroot/tree/feature-cve-map
>
> What this change does:
> Add a new file format for the CVE mapping: <pkg>.cve. This is done in
> YAML format. In this file at least the fields vendor and product has
> to be defined. With this we can create a map from the CVE to the
> buildroot package name.
> Now we can decide the following:
> 1) the package has a mapping and is affected by a CVE (RED ZONE)
> 2) the package has a mapping and a CVE is found but fixed (GREEN ZONE)
> 3) the package has a mapping and no CVE is found (GREEN ZONE)
> 4) the package has no mapping and it is affected by CVE found by guess
> (try to compare buildroot name vs. CVE product name value) (YELLOW
> ZONE)
> 5) the package has no mapping and no CVE is found (we don't konw if
> there isn't a CVE or we have no match because the buildroot name does
> not match the CVE product name) (GREY ZONE)
>
> Here is an example of a yaml file: package/pppd/ppd.cve
> --- snip ---
> vendor: point-to-point_protocol_project
> product: point-to-point_protocol
>
> cves:
> CVE-2020-8597:
> patch: 0001-pppd-Fix-bounds-check.patch
>
> --- snip ---
>
> To take the decision if a CVE is fixed there could be more possible
> reasons instead of the patch in the example above. I can image
> something like 'does-not-apply'.
>
> I think the effort to have an extra file is not so much and it will
> not pollute the Makefile with variables that are not build related.
> For checking the YAML syntax an extra pkg-check can be implemented.
>
> As mentioned at the beginning this is first idea how a mapping could
> look. What do you think?
I'll give my very quick and probably very blunt and brutal feedback: I
don't like having another file with package metadata. This metadata
should be in the .mk file.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list