[Buildroot] [PATCH 0/2] Add CVE reporting to pkg-stats

Titouan Christophe titouan.christophe at railnova.eu
Tue Feb 4 22:32:42 UTC 2020


Hello Thomas^2 and all,

On 2/4/20 10:52 PM, Thomas Petazzoni wrote:
> Hello,
> 
> This set of commits extends the pkg-stats tool to use the NVD database
> (https://nvd.nist.gov/vuln/data-feeds) to see if the current version
> of each Buildroot package is affected by a CVE.
> 
> An example result can be seen here:
> 
>   - Human readable HTML:       https://bootlin.com/~thomas/stats-cve.html
>   - Machine parseable JSON:    https://bootlin.com/~thomas/stats-cve.json

Really great to see this landing!

> 
> Thanks to this, we can see that 60 of our packages are apparently
> affected by a total of 185 CVEs.
> 
> A new per-package variable, <pkg>_IGNORE_CVES, is introduced, and
> allows to tell the tool to ignore some CVEs, for example because it is
> fixed by a local patch in Buildroot, or because the CVE does not apply
> to the Buildroot package (the CVE only affects a non-Linux operating
> system, or affects a functionality of the package that isn't built in
> Buildroot).
> 
> Of course, the results are not perfect:
> 
>   - The NVD database product names certainly don't 100% match the
>     Buildroot package names. We might have to add some extra metadata
>     information in each package (CPE ID ?) to map to the correct NVD
>     database product name.
> 
>   - Buildroot packages that have a version selection are not correctly
>     handled.

In this latter case, we should maybe display a comment in the CVE column 
of the HTML report that says "CVE checking failed", because the 
"correct" CSS class could let us think that everything is fine while a 
package is on fire.

Probably bikeshed for this first iteration though.

> 
> But overall, it already provides useful results. The plan is of course
> to implement e-mail notification to Buildroot developers in charge of
> packages with unfixed CVEs, in a second step.
> 
> Thanks to Thomas DS and Titouan for all the help in the implementation
> of this. We started at 2 PM today, and we have this first version to
> show.
> 
> Thomas DS: I told you we could have something done by the end of the day!
> 
> Thomas
> 
> Thomas Petazzoni (2):
>    support/scripts/pkg-stats: add support for CVE reporting
>    docs/manual: describe the new <pkg>_IGNORE_CVES variable
> 
>   docs/manual/adding-packages-generic.txt |  14 +++
>   support/scripts/pkg-stats               | 157 +++++++++++++++++++++++-
>   2 files changed, 170 insertions(+), 1 deletion(-)
> 

I'll run once more through the code tomorrow morning with a fresh brain, 
but overall looks okay.


Best regards,

Titouan
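As an added illustration, not code from Thomas's patches or from the pkg-stats script, here is the matching step discussed in this thread: look each package's version up in an NVD JSON feed, honour `<pkg>_IGNORE_CVES`, and report a package whose version could not be determined as "unknown" rather than as clean, as suggested above for the version-selection case. The feed fragment, CVE IDs and package names are constructed, and the feed shape is a simplified subset of the NVD JSON 1.1 layout (no nested `children` nodes).

```python
"""Match Buildroot packages against a constructed NVD JSON 1.1 feed fragment."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the NVD JSON 1.1 feed; not real CVE data.
SAMPLE_FEED = {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:foo:foo:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "1.2.3"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:foo:foo:1.2.3:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "configurations": {"nodes": [{"cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:bar:bar:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "2.0", "versionEndIncluding": "2.5"}]}]}},
]}

@dataclass
class Package:
    name: str
    version: str                                   # "" when it is a Kconfig selection
    ignore_cves: set = field(default_factory=set)  # the <pkg>_IGNORE_CVES list

def _vt(v):
    """Split '1.2.3' into a comparable tuple (numeric parts compared as ints)."""
    return tuple(int(x) if x.isdigit() else x for x in re.split(r"[.\-]", v))

def _cpe_matches(m, pkg):
    """True if one cpe_match entry covers pkg's name and version."""
    product, cpe_version = m["cpe23Uri"].split(":")[4:6]  # cpe:2.3:part:vendor:product:version
    if product != pkg.name or not m.get("vulnerable", False):
        return False
    if cpe_version not in ("*", "-"):          # exact version pinned in the CPE
        return cpe_version == pkg.version
    v = _vt(pkg.version)                       # otherwise use the version range keys
    return not ((m.get("versionStartIncluding") and v < _vt(m["versionStartIncluding"]))
                or (m.get("versionStartExcluding") and v <= _vt(m["versionStartExcluding"]))
                or (m.get("versionEndIncluding") and v > _vt(m["versionEndIncluding"]))
                or (m.get("versionEndExcluding") and v >= _vt(m["versionEndExcluding"])))

def check_package(pkg, feed):
    """Return (status, affected_cves); status is 'ok', 'affected' or 'unknown'."""
    if not pkg.version:                        # version selection: don't report as clean
        return "unknown", []
    affected = []
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if cve_id in pkg.ignore_cves:
            continue
        if any(_cpe_matches(m, pkg) for node in item["configurations"]["nodes"]
               for m in node.get("cpe_match", [])):
            affected.append(cve_id)
    return ("affected" if affected else "ok"), affected
```

The "unknown" status is what would let the HTML report show "CVE checking failed" instead of the "correct" class for such packages.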