[Buildroot] [PATCH] package/plg-utils: escape \ in generated legal-info
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Feb 7 11:28:31 UTC 2021
Peter, All,
On 2021-02-07 10:35 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> I still wonder if it wouldn't be better to not have the backslashes in
> the variable and do whatever escaping is needed inside the CVE logic,
I think quite the opposite, in fact: we want the CPE_ID value to be
exactly what is in the NVD database without any mangling on our side.
The rules to encode the CPE stuff are non-trivial (at least to me),
requiring some escaping/de-escaping in the various formats, and with
different rules for the attributes and their representation.
All is defined in NISTIR 7695 [0], in the following chapters:
5.3.2 - Restrictions on attribute-value strings
6.2.1 - Syntax for Formatted String Binding
[0] https://doi.org/10.6028/NIST.IR.7695
> but OK - We need a quick fix and this solves it.
>
> Perhaps we should add a gitlab test to verify that we generate valid
> json, E.G. by piping it to jq (or similar).
Yeah, I'm working on it... But we can't do that in gitlab, because the
output of show-info depends on the selected packages, so it would have
to be done in the autobuilders.
> Committed, thanks.
Thanks.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
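
An added illustration of the trade-off discussed in this message (not part of the original e-mail and not Buildroot code): a CPE ID kept byte-for-byte with its backslashes breaks JSON if pasted in raw, and round-trips unchanged once escaped at output time. The CPE ID, the package name `foo`, the `cpe-id` key and all function names are assumptions constructed for the example.

```python
import json

# Constructed sample: a CPE 2.3 formatted string whose product field holds
# backslash-quoted '+' characters. Not taken from the thread or from NVD.
CPE_ID = r"cpe:2.3:a:example_vendor:foo\+\+:1.0:*:*:*:*:*:*:*"


def emit_naive(name, cpe_id):
    """Paste the value between quotes with no escaping (the failure mode)."""
    return '{"%s": {"cpe-id": "%s"}}' % (name, cpe_id)


def json_escape(value):
    """Escape a printable-ASCII value for use inside a JSON string.

    Backslash must be handled first, otherwise the backslashes added for
    the double quotes would themselves be doubled.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def emit_escaped(name, cpe_id):
    """Same output shape, with the value escaped only at the JSON boundary."""
    return '{"%s": {"cpe-id": "%s"}}' % (name, json_escape(cpe_id))


def check(text):
    """Return (is_valid_json, parsed_or_None), as a jq-style gate would."""
    try:
        return True, json.loads(text)
    except json.JSONDecodeError:
        return False, None


if __name__ == "__main__":
    for label, text in (("naive", emit_naive("foo", CPE_ID)),
                        ("escaped", emit_escaped("foo", CPE_ID))):
        ok, doc = check(text)
        same = ok and doc["foo"]["cpe-id"] == CPE_ID
        print(f"{label:8} valid={ok} value_unchanged={same}")
```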