[Buildroot] [PATCH 0/2] Add CVE reporting to pkg-stats
Titouan Christophe
titouan.christophe at railnova.eu
Tue Feb 4 22:32:42 UTC 2020
Hello Thomas^2 and all,
On 2/4/20 10:52 PM, Thomas Petazzoni wrote:
> Hello,
>
> This set of commits extends the pkg-stats tool to use the NVD database
> (https://nvd.nist.gov/vuln/data-feeds) to see if the current version
> of each Buildroot package is affected by a CVE.
>
> An example result can be seen here:
>
> - Human readable HTML: https://bootlin.com/~thomas/stats-cve.html
> - Machine parseable JSON: https://bootlin.com/~thomas/stats-cve.json
Really great to see this landing!
>
> Thanks to this, we can see that 60 of our packages are apparently
> affected by a total of 185 CVEs.
>
> A new per-package variable, <pkg>_IGNORE_CVES, is introduced, and
> allows telling the tool to ignore some CVEs, for example because it is
> fixed by a local patch in Buildroot, or because the CVE does not apply
> to the Buildroot package (the CVE only affects a non-Linux operating
> system, or affects a functionality of the package that isn't built in
> Buildroot).
>
> Of course, the results are not perfect:
>
> - The NVD database product names certainly don't 100% match the
> Buildroot package names. We might have to add some extra metadata
> information in each package (CPE ID ?) to map to the correct NVD
> database product name.
>
> - Buildroot packages that have a version selection are not correctly
> handled.
In this latter case, we should maybe display a comment in the CVE column
of the HTML report that says "CVE checking failed", because the
"correct" CSS class could let us think that everything is fine while a
package is on fire.
Probably bikeshed for this first iteration though.
>
> But overall, it already provides useful results. The plan is of course
> to implement e-mail notification to Buildroot developers in charge of
> packages with unfixed CVEs, in a second step.
>
> Thanks to Thomas DS and Titouan for all the help in the implementation
> of this. We started at 2 PM today, and we have this first version to
> show.
>
> Thomas DS: I told you we could have something done by the end of the day!
>
> Thomas
>
> Thomas Petazzoni (2):
> support/scripts/pkg-stats: add support for CVE reporting
> docs/manual: describe the new <pkg>_IGNORE_CVES variable
>
> docs/manual/adding-packages-generic.txt | 14 +++
> support/scripts/pkg-stats | 157 +++++++++++++++++++++++-
> 2 files changed, 170 insertions(+), 1 deletion(-)
>
I'll run once more through the code tomorrow morning with a fresh brain,
but overall looks okay.
Best regards,
Titouan
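As an added illustration (not code from this series or from pkg-stats itself), here is the matching step the quoted description outlines: each package's version is checked against the cpe_match entries of an NVD JSON feed, and any CVE listed in that package's ignore list (the role of <pkg>_IGNORE_CVES) is dropped from the report. The feed content, the product "foolib" and the CVE ids are constructed placeholders, and the code assumes the NVD JSON 1.1 feed layout.

```python
import json

# Constructed sample feed (not real NVD data) in NVD JSON 1.1 feed shape: one
# CVE pins an exact "foolib" version, the other gives a versionStart*/End* range.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:foo:foolib:1.2.3:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:foo:foolib:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "1.0", "versionEndExcluding": "1.3"}]}]}},
]})

def _vkey(v):
    """Crude dotted-version key; numeric parts compare as ints (no rc/beta)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def _cpe_match_hits(m, name, version):
    """True if one cpe_match entry covers the package (name, version)."""
    f = m.get("cpe23Uri", "").split(":")
    if not m.get("vulnerable") or len(f) < 6 or f[4] != name:
        return False
    if f[5] not in ("*", "-"):          # exact version inside the CPE string
        return f[5] == version
    v = _vkey(version)                  # wildcard version: check range bounds
    lo_in, lo_ex = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_in, hi_ex = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    if (lo_in and v < _vkey(lo_in)) or (lo_ex and v <= _vkey(lo_ex)):
        return False
    if (hi_in and v > _vkey(hi_in)) or (hi_ex and v >= _vkey(hi_ex)):
        return False
    return bool(lo_in or lo_ex or hi_in or hi_ex)  # bare '*' with no bounds: skip

def cves_for_packages(feed_json, packages):
    """Map package name -> sorted CVE ids, honouring each package's ignore list
    (the role of the per-package <pkg>_IGNORE_CVES variable in the series)."""
    result = {name: set() for name in packages}
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        matches = [m for node in item["configurations"]["nodes"]
                   for m in node.get("cpe_match", [])]
        for name, pkg in packages.items():
            if cve_id in pkg.get("ignore_cves", []):
                continue  # fixed by a local patch or not applicable
            if any(_cpe_match_hits(m, name, pkg["version"]) for m in matches):
                result[name].add(cve_id)
    return {name: sorted(ids) for name, ids in result.items()}
```

The version comparison is deliberately naive; real NVD data also needs the CPE product-to-Buildroot-name mapping the quoted mail mentions.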