| Message ID | 20241121082901.2747720-3-benjamin.bouvier@ekinops.com |
|---|---|
| State | Accepted |
| Series | Add exact CPE name including vendor to several components. |
I did not find any CVE for bridge-utils in our nvdcve_2-2.db.
Based on what did you choose the vendor?
I think that until there is a CVE where we can the base data from and also a conflicting CVE which would show this need, we should not limit the vendor string.

And regarding the other patches, it would be great if the commit message would contain description why it is needed (e.g. which vendor in existing CVEs you want to filter out).

Peter

> -----Original Message-----
> From: openembedded-devel@lists.openembedded.org <openembedded-
> devel@lists.openembedded.org> On Behalf Of Benjamin Bouvier via
> lists.openembedded.org
> Sent: Thursday, November 21, 2024 9:29
> To: openembedded-devel@lists.openembedded.org
> Cc: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
> Subject: [oe] [meta-networking][PATCH 2/3] bridge-utils: add CVE_PRODUCT
>
> Add exact CPE name in CVE_PRODUCT.
>
> Signed-off-by: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
> ---
> .../recipes-support/bridge-utils/bridge-utils_1.7.1.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta-networking/recipes-support/bridge-utils/bridge-
> utils_1.7.1.bb b/meta-networking/recipes-support/bridge-utils/bridge-
> utils_1.7.1.bb
> index cf0fc1c33..66c8f2d05 100644
> --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb
> +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb
> @@ -19,6 +19,8 @@ S = "${WORKDIR}/git"
>
> DEPENDS = "sysfsutils"
>
> +CVE_PRODUCT = "kernel:bridge-utils"
> +
> inherit autotools-brokensep update-alternatives
>
> ALTERNATIVE:${PN} = "brctl"
> --
> 2.34.1
On 21/11/2024 09:42, Marko, Peter wrote:
> I did not find any CVE for bridge-utils in our nvdcve_2-2.db.
> Based on what did you choose the vendor?

I've looked at nvd database to get vendor name associated for each component: https://nvd.nist.gov/products/cpe/search
For bridge-utils, it returns kernel as the vendor name.

>
> I think that until there is a CVE where we can the base data from
> and also a conflicting CVE which would show this need,
> we should not limit the vendor string.

A component only relies on a specific source, which is always associated to a vendor:component pair. Setting the complete name should help to anticipate false-positive CVE reporting before facing that issue.
It is also interesting in order to supply more precise information for meta-layers like meta-dependencytrack or meta-cyclonedx which rely on CVE_PRODUCT variable to produce SBOM.

>
> And regarding the other patches, it would be great if the commit message
> would contain description why it is needed (e.g. which vendor in existing
> CVEs you want to filter out).

OK, I will update with additional explanation.

>
> Peter
>
>> -----Original Message-----
>> From: openembedded-devel@lists.openembedded.org <openembedded-
>> devel@lists.openembedded.org> On Behalf Of Benjamin Bouvier via
>> lists.openembedded.org
>> Sent: Thursday, November 21, 2024 9:29
>> To: openembedded-devel@lists.openembedded.org
>> Cc: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
>> Subject: [oe] [meta-networking][PATCH 2/3] bridge-utils: add CVE_PRODUCT
>>
>> Add exact CPE name in CVE_PRODUCT.
>>
>> Signed-off-by: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
>> ---
>> .../recipes-support/bridge-utils/bridge-utils_1.7.1.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta-networking/recipes-support/bridge-utils/bridge-
>> utils_1.7.1.bb b/meta-networking/recipes-support/bridge-utils/bridge-
>> utils_1.7.1.bb
>> index cf0fc1c33..66c8f2d05 100644
>> --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb
>> +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb
>> @@ -19,6 +19,8 @@ S = "${WORKDIR}/git"
>>
>> DEPENDS = "sysfsutils"
>>
>> +CVE_PRODUCT = "kernel:bridge-utils"
>> +
>> inherit autotools-brokensep update-alternatives
>>
>> ALTERNATIVE:${PN} = "brctl"
>> --
>> 2.34.1
> I've looked at nvd database to get vendor name associated for each component: https://nvd.nist.gov/products/cpe/search
> For bridge-utils, it returns kernel as the vendor name.

Thanks!

> A component only relies on a specific source, which is always associated to a vendor:component pair. Setting the complete name should help to anticipate false-positive CVE reporting before facing that issue.
> It is also interesting in order to supply more precise information for meta-layers like meta-dependencytrack or meta-cyclonedx which rely on CVE_PRODUCT variable to produce SBOM.

I have a bad experience with relying on cpe being exact, especially for first CVEs where random names are assigned as there is no former example.
I hope this improves with the new CVE annotations, let's see.
I'd rather change the CVE_PRODUCT on first false positive in fear that someone invents new cpe and we have a false negative.

Peter
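A toy model of the trade-off the thread is debating, a bare `CVE_PRODUCT` (any vendor) versus a vendor-qualified `kernel:bridge-utils`, written as an added example for this page and not taken from cve-check or the patch. The CVE table is constructed: the ids and the vendor string `bridge-utils_project` are invented to show the false-negative case Peter describes.

```python
# Constructed CVE table modelled on NVD CPE (vendor, product) pairs.
# None of these ids or vendor strings are real; they only illustrate
# how a vendor prefix in CVE_PRODUCT changes what gets matched.
CONSTRUCTED_CVES = [
    ("CVE-0000-0001", "kernel", "bridge-utils"),
    # Same product filed under a different, invented vendor string.
    ("CVE-0000-0002", "bridge-utils_project", "bridge-utils"),
    # Different product: must never match bridge-utils.
    ("CVE-0000-0003", "otherco", "bridge"),
]


def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are space separated, as in the recipe variable. An entry of
    the form 'vendor:product' carries a vendor; a bare 'product' is
    returned with vendor None, meaning 'match any vendor'.
    """
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, entry))
    return pairs


def matching_cves(cve_product, cves=CONSTRUCTED_CVES):
    """Return the sorted CVE ids that CVE_PRODUCT would pull in.

    A bare product name matches every vendor (more false positives,
    no false negatives); a vendor-qualified name matches only that
    vendor, so a CVE filed under another vendor string is silently
    dropped.
    """
    hits = set()
    for vendor, product in parse_cve_product(cve_product):
        for cve_id, cve_vendor, cve_product_name in cves:
            if cve_product_name != product:
                continue
            if vendor is None or vendor == cve_vendor:
                hits.add(cve_id)
    return sorted(hits)
```

With the constructed table, `matching_cves("bridge-utils")` reports both bridge-utils entries, while `matching_cves("kernel:bridge-utils")` drops the one filed under the other vendor string, which is the false negative the reply above warns about.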
diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb index cf0fc1c33..66c8f2d05 100644 --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.7.1.bb @@ -19,6 +19,8 @@ S = "${WORKDIR}/git" DEPENDS = "sysfsutils" +CVE_PRODUCT = "kernel:bridge-utils" + inherit autotools-brokensep update-alternatives ALTERNATIVE:${PN} = "brctl"
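Review bot: The added `CVE_PRODUCT = "kernel:bridge-utils"` restricts CVE matching to the `kernel` vendor, but nothing in the patch records where that vendor string comes from or which existing CVE it is meant to filter out; as raised in the thread, the commit message should cite the NVD CPE search result that gives `kernel` as the vendor and note that, with no bridge-utils CVE in nvdcve_2-2.db today, the change trades a possible false positive for a possible false negative if a future CVE is filed under a different vendor string.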
Add exact CPE name in CVE_PRODUCT.

Signed-off-by: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
---
.../recipes-support/bridge-utils/bridge-utils_1.7.1.bb | 2 ++
1 file changed, 2 insertions(+)