[Buildroot] [PATCH 0/2] Add CVE reporting to pkg-stats
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Tue Feb 4 21:52:29 UTC 2020
Hello,
This set of commits extends the pkg-stats tool to use the NVD database
(https://nvd.nist.gov/vuln/data-feeds) to see if the current version
of each Buildroot package is affected by a CVE.
An example result can be seen here:
- Human readable HTML: https://bootlin.com/~thomas/stats-cve.html
- Machine parseable JSON: https://bootlin.com/~thomas/stats-cve.json
Thanks to this, we can see that 60 of our packages are apparently
affected by a total of 185 CVEs.
A new per-package variable, <pkg>_IGNORE_CVES, is introduced, and
allows telling the tool to ignore some CVEs, for example because they
are fixed by a local patch in Buildroot, or because the CVE does not
apply to the Buildroot package (the CVE only affects a non-Linux
operating system, or affects functionality of the package that isn't
built in Buildroot).
Of course, the results are not perfect:
- The NVD database product names certainly don't 100% match the
Buildroot package names. We might have to add some extra metadata
information in each package (CPE ID?) to map to the correct NVD
database product name.
- Buildroot packages that have a version selection are not correctly
handled.
But overall, it already provides useful results. The plan is of course
to implement e-mail notification to Buildroot developers in charge of
packages with unfixed CVEs, in a second step.
Thanks to Thomas DS and Titouan for all the help in the implementation
of this. We started at 2 PM today, and we have this first version to
show.
Thomas DS: I told you we could have something done by the end of the day!
Thomas
Thomas Petazzoni (2):
support/scripts/pkg-stats: add support for CVE reporting
docs/manual: describe the new <pkg>_IGNORE_CVES variable
docs/manual/adding-packages-generic.txt | 14 +++
support/scripts/pkg-stats | 157 +++++++++++++++++++++++-
2 files changed, 170 insertions(+), 1 deletion(-)
--
2.24.1
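The matching described in the cover letter (look each package's current version up in the NVD feed, then drop the CVEs listed in its <pkg>_IGNORE_CVES), as an added Python example. This is not the pkg-stats code from the series: the feed below is a constructed sample reduced to the NVD JSON 1.1 fields the example reads (CVE id, cpe23Uri, versionStart*/versionEnd* bounds), nested configuration nodes are ignored, the package table and CVE ids are made up, and packages are matched to CPE product names by plain name equality, which is exactly the imperfection the letter points out.

```python
"""Check package versions against an NVD-style CVE feed and honour an ignore list."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of an NVD JSON 1.1 feed, reduced to the
# fields this example uses (CVE id, CPE product/version, version bounds).
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {   # every libfoo version below 1.2.0
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
            "configurations": {"nodes": [{"cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "1.2.0"}]}]},
        },
        {   # libfoo 1.1.0 exactly (pinned in the CPE itself)
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
            "configurations": {"nodes": [{"cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:libfoo:1.1.0:*:*:*:*:*:*:*"}]}]},
        },
        {   # bar from 2.0 up to and including 2.5
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
            "configurations": {"nodes": [{"cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example:bar:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0",
                 "versionEndIncluding": "2.5"}]}]},
        },
    ]
})

# Constructed package table; "ignore_cves" plays the role of <pkg>_IGNORE_CVES.
PACKAGES = {
    "libfoo": {"version": "1.1.0", "ignore_cves": ["CVE-0000-0002"]},  # fixed by a local patch
    "bar": {"version": "2.5", "ignore_cves": []},
    "baz": {"version": "3.0", "ignore_cves": []},
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically.
    Non-numeric fragments are dropped; adequate for this illustration."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def cpe_product_and_version(cpe23uri: str) -> Tuple[str, str]:
    """Extract (product, version) from a CPE 2.3 URI.
    Assumes no escaped ':' inside fields (assumption made for this example)."""
    fields = cpe23uri.split(":")
    return fields[4], fields[5]


def match_affects(match: dict, version: str) -> bool:
    """Decide whether one cpe_match entry covers the given package version."""
    if not match.get("vulnerable", False):
        return False
    _, cpe_version = cpe_product_and_version(match["cpe23Uri"])
    if cpe_version not in ("*", "-"):
        # Exact version pinned in the CPE: affected only on equality.
        return version_key(cpe_version) == version_key(version)
    v = version_key(version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cves_for_packages(feed_json: str, packages: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each package to the sorted CVE ids that apply to its version,
    minus the ones in its ignore list. Only top-level nodes are walked."""
    feed = json.loads(feed_json)
    result = {name: set() for name in packages}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for node in item.get("configurations", {}).get("nodes", []):
            for match in node.get("cpe_match", []):
                product, _ = cpe_product_and_version(match["cpe23Uri"])
                pkg = packages.get(product)  # name equality: the known weak spot
                if pkg is None or cve_id in pkg.get("ignore_cves", []):
                    continue
                if match_affects(match, pkg["version"]):
                    result[product].add(cve_id)
    return {name: sorted(cves) for name, cves in result.items()}


if __name__ == "__main__":
    report = cves_for_packages(SAMPLE_FEED, PACKAGES)
    affected = {p: c for p, c in report.items() if c}
    print(f"{len(affected)} packages affected by {sum(len(c) for c in affected.values())} CVEs")
    for name, cves in affected.items():
        print(f"  {name} {PACKAGES[name]['version']}: {', '.join(cves)}")
```

Run as-is it reports libfoo with CVE-0000-0001 (CVE-0000-0002 is dropped by the ignore list) and bar with CVE-0000-0003; baz has no matching product. The version comparison is deliberately naive: a package whose version string carries a suffix the feed's bound does not (e.g. "2.5.1" against versionEndIncluding "2.5") is treated as outside the range, which is one reason such a report needs human review before a CVE is declared fixed or ignored.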