From: Matt Weber Date: Wed, 4 Nov 2020 14:51:37 +0000 (+0100) Subject: package/pkg-generic.mk: add CPE ID related package variables X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=97a54c33c917d530933fc8f30e17baf4a72b3d50;p=buildroot.git package/pkg-generic.mk: add CPE ID related package variables Currently, the match between Buildroot packages and CVEs is solely based on the package names. Unfortunately, as one can imagine, there isn't necessarily a strict mapping between Buildroot package names and how software projects are referenced in the National Vulnerability Database (NVD) which we use. The NVD has defined the concept of CPE (Common Platform Enumeration) identifiers, which uniquely identify software components based on a string looking like this: cpe:2.3:a:netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:* In particular, this CPE identifier contains a vendor name (here "netsurf-browser"), a product name (here "libnsbmp") and a version (here "0.1.2"). This patch series introduces the concept of CPE ID in Buildroot, where each package can be associated with a CPE ID. A package can define one or several of: - _CPE_ID_VENDOR - _CPE_ID_PRODUCT - _CPE_ID_VERSION - _CPE_ID_VERSION_MINOR - _CPE_ID_PREFIX If one or several of those variables are defined, then the _CPE_ID will be defined by the generic package infrastructure as follows: $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:* _CPE_ID_* variables that are not explicitly specified by the package will carry a default value defined by the generic package infrastructure. If a package is happy with the default _CPE_ID, and therefore does not need to define any of _CPE_ID_{VENDOR,PRODUCT,...}, it can set _CPE_ID_VALID = YES. If any of the _CPE_ID_{VENDOR,PRODUCT,...} variables are defined by the package, then _CPE_ID_VALID = YES will be set by the generic package infrastructure.
Then, it's only if _CPE_ID_VALID = YES that a _CPE_ID will be defined. Indeed, we want to be able to distinguish packages for which the CPE ID information has been checked and is considered valid, from packages for which the CPE ID information has never been verified. For this reason, we cannot simply define a default value for _CPE_ID. The _CPE_ID_* values for the host package are inherited from the same variables of the corresponding target package, as we normally do for most package variables. Signed-off-by: Matt Weber Signed-off-by: Thomas Petazzoni Reviewed-by: Matt Weber Reviewed-by: Heiko Thiery Signed-off-by: Thomas Petazzoni
---
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 54de03da03..621fb91424 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -608,6 +608,76 @@ $(2)_REDISTRIBUTE ?= YES
 $(2)_REDIST_SOURCES_DIR = $$(REDIST_SOURCES_DIR_$$(call UPPERCASE,$(4)))/$$($(2)_BASENAME_RAW)
+# If any of the _CPE_ID_* variables are set, we assume the CPE ID
+# information is valid for this package.
+ifneq ($$($(2)_CPE_ID_VENDOR)$$($(2)_CPE_ID_NAME)$$($(2)_CPE_ID_VERSION)$$($(2)_CPE_ID_VERSION_MINOR)$$($(2)_CPE_ID_PREFIX),)
+$(2)_CPE_ID_VALID = YES
+endif
+
+# When we're a host package, make sure to use the variables of the
+# corresponding target package, if any.
+ifneq ($$($(3)_CPE_ID_VENDOR)$$($(3)_CPE_ID_NAME)$$($(3)_CPE_ID_VERSION)$$($(3)_CPE_ID_VERSION_MINOR)$$($(3)_CPE_ID_PREFIX),)
+$(2)_CPE_ID_VALID = YES
+endif
+
+# If the CPE ID is valid for the target package so it is for the host
+# package
+ifndef $(2)_CPE_ID_VALID
+ ifdef $(3)_CPE_ID_VALID
+ $(2)_CPE_ID_VALID = $$($(3)_CPE_ID_VALID)
+ endif
+endif
+
+ifeq ($$($(2)_CPE_ID_VALID),YES)
+ # CPE_ID_VENDOR
+ ifndef $(2)_CPE_ID_VENDOR
+ ifdef $(3)_CPE_ID_VENDOR
+ $(2)_CPE_ID_VENDOR = $$($(3)_CPE_ID_VENDOR)
+ else
+ $(2)_CPE_ID_VENDOR = $$($(2)_RAWNAME)_project
+ endif
+ endif
+
+ # CPE_ID_NAME
+ ifndef $(2)_CPE_ID_NAME
+ ifdef $(3)_CPE_ID_NAME
+ $(2)_CPE_ID_NAME = $$($(3)_CPE_ID_NAME)
+ else
+ $(2)_CPE_ID_NAME = $$($(2)_RAWNAME)
+ endif
+ endif
+
+ # CPE_ID_VERSION
+ ifndef $(2)_CPE_ID_VERSION
+ ifdef $(3)_CPE_ID_VERSION
+ $(2)_CPE_ID_VERSION = $$($(3)_CPE_ID_VERSION)
+ else
+ $(2)_CPE_ID_VERSION = $$($(2)_VERSION)
+ endif
+ endif
+
+ # CPE_ID_VERSION_MINOR
+ ifndef $(2)_CPE_ID_VERSION_MINOR
+ ifdef $(3)_CPE_ID_VERSION_MINOR
+ $(2)_CPE_ID_VERSION_MINOR = $$($(3)_CPE_ID_VERSION_MINOR)
+ else
+ $(2)_CPE_ID_VERSION_MINOR = *
+ endif
+ endif
+
+ # CPE_ID_PREFIX
+ ifndef $(2)_CPE_ID_PREFIX
+ ifdef $(3)_CPE_ID_PREFIX
+ $(2)_CPE_ID_PREFIX = $$($(3)_CPE_ID_PREFIX)
+ else
+ $(2)_CPE_ID_PREFIX = cpe:2.3:a
+ endif
+ endif
+
+ # Calculate complete CPE ID
+ $(2)_CPE_ID =
$$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*
+endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
+
 # When a target package is a toolchain dependency set this variable to
 # 'NO' so the 'toolchain' dependency is not added to prevent a circular
 # dependency.
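Review bot: The `# CPE_ID_VERSION` default inside the `ifeq ($$($(2)_CPE_ID_VALID),YES)` block copies `$$($(2)_VERSION)` verbatim into the CPE ID, so a package that opts in with `_CPE_ID_VALID = YES` but whose Buildroot version is a git hash or a `v`-prefixed tag ends up with a CPE ID that presumably never matches an NVD entry, and its CVEs would be missed silently instead of being reported as unverified. I would state that contract in the comment: `# Defaults to $(2)_VERSION, which must then be the plain version string the NVD uses (no "v" prefix, no git hash); set _CPE_ID_VERSION otherwise.` The first `ifneq` also assigns `_CPE_ID_VALID = YES` unconditionally whenever any `_CPE_ID_*` variable is set, which overrides an explicit `_CPE_ID_VALID = NO` from the package; if that precedence is intended, the comment above it should say so. The commit message documents `_CPE_ID_PRODUCT`, but the code only reads `_CPE_ID_NAME`, so the description should name the variable the code actually consumes. The enclosing `define` template that supplies the `$(2)`/`$(3)` parameters begins and ends outside this hunk.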