[Buildroot] [PATCH 08/17] support/scripts/cpe-report: new script

Matthew Weber matthew.weber at rockwellcollins.com
Wed Oct 7 12:20:06 UTC 2020


Heiko,

On Wed, Oct 7, 2020 at 3:13 AM Heiko Thiery <heiko.thiery at gmail.com> wrote:
>
> Hi Gregory, Hi Matt,
>
> On Tue, Oct 6, 2020 at 15:44, Gregory CLEMENT
> <gregory.clement at bootlin.com> wrote:
> >
> > From: Matt Weber <matthew.weber at rockwellcollins.com>
> >
> > The script supports looking up all the CPEs provided in a
> > make cpe-info csv file export from a target Buildroot build.
> > It checks the current version and suggests a CPE needs update
> > or possibly an initial submission is required to NIST.
>
> Is there a way to create this kind of list/output also for all
> packages in buildroot and not only the one that is generated by a
> configuration?

Yeah. The CPE maintaining tooling can look at whatever list of CPEs
you feed it, so we'd just need to add an option to dump the complete
CPE listing similar to how pkg-stats does it. There was some debate
on just using "show vars" directly by the tooling and not generating
this in-between CSV file. I'm still of the argument that having this
hand-off file in some format is still valuable for 3rd party analysis
of the pkg listing (similar to what we have with the legal info
CSVs). However, if we allow full package list dumps of CPE and the
current defconfig, it may make sense to convert the CPE tools to just
directly use the "show vars" and have a command line option to select
the type of analysis. Then the tool could be improved to also output
an optional report similar to the CSV. This would allow us to remove
the cpe-info make target and simplify the buildsystem changeset.

Regards,
Matt

