[Buildroot] CVEs not matching buildroot packages
Heiko Thiery
heiko.thiery at gmail.com
Wed Mar 18 14:34:12 UTC 2020
Hi,
Am Mi., 18. März 2020 um 15:12 Uhr schrieb Thomas Petazzoni
<thomas.petazzoni at bootlin.com>:
>
> Hello,
>
> On Wed, 18 Mar 2020 14:57:27 +0100
> Heiko Thiery <heiko.thiery at gmail.com> wrote:
>
> > Just to go on with this I did a proof of concept for the CVE mapping.
> >
> > A first version can be found here:
> > https://github.com/hthiery/buildroot/tree/feature-cve-map
> >
> > What this change does:
> > Add a new file format for the CVE mapping: <pkg>.cve. This is done in
> > YAML format. In this file at least the fields vendor and product has
> > to be defined. With this we can create a map from the CVE to the
> > buildroot package name.
> > Now we can decide the following:
> > 1) the package has a mapping and is affected by a CVE (RED ZONE)
> > 2) the package has a mapping and a CVE is found but fixed (GREEN ZONE)
> > 3) the package has a mapping and no CVE is found (GREEN ZONE)
> > 4) the package has no mapping and it is affected by CVE found by guess
> > (try to compare buildroot name vs. CVE product name value) (YELLOW
> > ZONE)
> > 5) the package has no mapping and no CVE is found (we don't konw if
> > there isn't a CVE or we have no match because the buildroot name does
> > not match the CVE product name) (GREY ZONE)
> >
> > Here is an example of a yaml file: package/pppd/ppd.cve
> > --- snip ---
> > vendor: point-to-point_protocol_project
> > product: point-to-point_protocol
> >
> > cves:
> > CVE-2020-8597:
> > patch: 0001-pppd-Fix-bounds-check.patch
> >
> > --- snip ---
> >
> > To take the decision if a CVE is fixed there could be more possible
> > reasons instead of the patch in the example above. I can image
> > something like 'does-not-apply'.
> >
> > I think the effort to have an extra file is not so much and it will
> > not pollute the Makefile with variables that are not build related.
> > For checking the YAML syntax an extra pkg-check can be implemented.
> >
> > As mentioned at the beginning this is first idea how a mapping could
> > look. What do you think?
>
> I'll give my very quick and probably very blunt and brutal feedback: I
> don't like having another file with package metadata. This metadata
> should be in the .mk file.
This is really brutal .. Just kidding ;-)
Don't you think more variables (CPE_VENDOR, CPE_PRODUCT, CVE_IGNORED
..) in the Makefile will slow down the parsing? The other thing is
that IMHO valuable information about why a CVE is ignored (fixed, does
not apply to the build configuration ... ) will be lost or has to
added as comment in the Makefile.
On the other hand I understand your concern about having another file
with meta information.
--
Heiko
More information about the buildroot
mailing list