[Buildroot] [PATCH] package/plg-utils: escape \ in generated legal-info
Peter Korsgaard
peter at korsgaard.com
Sun Feb 7 12:18:02 UTC 2021
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> Peter, All,
> On 2021-02-07 10:35 +0100, Peter Korsgaard spake thusly:
>> >>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
>> I still wonder if it wouldn't be better to not have the backslashes in
>> the variable and do whatever escaping is needed inside the CVE logic,
> I think quite the opposite, in fact: we want the CPE_ID value to be
> exactly what is in the NVD database without any mangling on our side.
> The rules to encode the CPE stuff are non-trivial (at least to me),
> requiring some escaping/de-escaping in the various formats, and with
> different rules for the attributes and their representation
> All is defined in NISTIR 7695 [0], in the following chapters:
> 5.3.2 - Restrictions on attribute-value strings
> 6.2.1 - Syntax for Formatted String Binding
> [0] https://doi.org/10.6028/NIST.IR.7695
Ok.
>> but OK - We need a quick fix and this solves it.
>>
>> Perhaps we should add a gitlab test to verify that we generate valid
>> json, e.g. by piping it to jq (or similar).
> Yeah, I'm working on it... But we can't do that in gitlab, because the
> output of show-info depends on the selected packages, so it would have
> to be done in the autobuilders.
But that then requires jq on the autobuilder. Can't we just do a 'make
allyespackageconfig' in gitlab?
--
Bye, Peter Korsgaard
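
Added example, not part of the original message or of Buildroot's code: it shows why a CPE ID kept exactly as in the NVD breaks JSON output when pasted in verbatim, and the kind of validity check discussed above. The CPE ID, the package name, the `cpe-id` key and all function names are constructed for illustration, and `json.loads` stands in for piping to jq.

```python
import json

# Constructed sample CPE 2.3 formatted string. In this binding, characters
# such as '+' stay backslash-quoted (NISTIR 7695, section 6.2.1).
SAMPLE_CPE_ID = r"cpe:2.3:a:example:lib\+\+:1.0:*:*:*:*:*:*:*"


def render_naive(name, cpe_id):
    """Paste the value into a JSON template verbatim, as a text template would."""
    return '{"%s": {"cpe-id": "%s"}}' % (name, cpe_id)


def json_escape(value):
    """Escape backslash first, then double quote, for use inside a JSON string.

    Control characters are not handled; CPE formatted strings do not contain them.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_escaped(name, cpe_id):
    """Same template, but the value is escaped only at the JSON output stage."""
    return '{"%s": {"cpe-id": "%s"}}' % (name, json_escape(cpe_id))


def check(document):
    """Validity check: return (parsed, None) or (None, error text)."""
    try:
        return json.loads(document), None
    except json.JSONDecodeError as exc:
        return None, "%s at column %d" % (exc.msg, exc.colno)


if __name__ == "__main__":
    for render in (render_naive, render_escaped):
        parsed, error = check(render("libexample", SAMPLE_CPE_ID))
        print(render.__name__, "->", error or parsed["libexample"]["cpe-id"])
```

The escaped rendering parses back to the exact string stored in the variable, so the value itself stays unmangled and only its JSON representation carries the extra backslashes.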