On Tue, May 07, 2013 at 11:59:18PM -0400, Mike Frysinger wrote:
> the guys who maintain the security CVE project [1] [2] (designed to be the
> authority when it comes to indexing security related vulnerabilities in
> projects) have a CPE specification [3] to make tracking CVEs back to a
> canonical source in a machine parseable format.
>
> the ChromiumOS project wants to be able to tie CPEs to a specific package.
> this would probably also be a good thing for our own security team to tie into
> the GLSA process. the Debian project too is extending their database to
> include CPE information [4].
>
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml. so let's extend the DTD to cover this. the
> existing remote-id field looks like a pretty good fit, so the proposal is
> simple: add a new "cpe" type. the entries for net-misc/curl would be:
> <upstream>
> <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
> <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
> </upstream>
>
> or the gzip package:
> <upstream>
> <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
> </upstream>
>
> for most packages, there will probably be only one cpe entry, but as you can
> see here, sometimes more than one can track back to a single package.
>
> we have some scripts running on the CrOS side to try and do an initial seed
> (at least, for all the packages we're using), so i'll probably take care of
> merging that into the main tree. i'm not proposing this be required or
> anything (since not all packages will have one).

I'm all for it. We can then easily map CVEs against packages, especially if
the version structure we use in the ebuilds is the same one as used upstream
(so the remainder of the CPE with version can be easily obtained).

http://blog.siphos.be/2013/04/matching-packages-with-cves/

Wkr,
Sven Vermeulen
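As an added illustration of the mapping discussed in this thread (not code from the thread, from Gentoo's tooling, or from the linked blog post): the script below parses the proposed `<remote-id type="cpe">` entries out of a constructed metadata.xml fragment, appends the ebuild version to form a versioned CPE 2.2 URI, and checks it against a constructed CVE list. The CVE identifiers, the sample data and the function names are placeholders chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed metadata.xml fragment in the form proposed in the thread
# (remote-id type="cpe" under <upstream>); not a file from the real tree.
CURL_METADATA = """<pkgmetadata>
  <upstream>
    <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
    <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
  </upstream>
</pkgmetadata>"""

# Constructed CVE records keyed by the versioned CPE URIs they affect.
# The identifiers are placeholders, not real CVE numbers.
SAMPLE_CVES = {
    "CVE-0000-0001": ["cpe:/a:curl:libcurl:7.30.0", "cpe:/a:curl:curl:7.30.0"],
    "CVE-0000-0002": ["cpe:/a:gnu:gzip:1.5"],
}


def cpe_ids(metadata_xml: str) -> list:
    """Return every <remote-id type="cpe"> value found under <upstream>."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.iterfind("./upstream/remote-id")
            if el.get("type") == "cpe" and el.text]


def versioned_cpe(base_cpe: str, ebuild_version: str) -> str:
    """Append the ebuild version as the CPE version component.

    Assumes, as the reply above does, that ebuild versions match upstream
    ones; the Gentoo revision suffix (-rN) is stripped since upstream has none.
    """
    upstream_version = re.sub(r"-r\d+$", "", ebuild_version)
    return f"{base_cpe}:{upstream_version}"


def matching_cves(metadata_xml: str, ebuild_version: str, cve_db: dict) -> set:
    """Map a package (metadata.xml plus installed version) to the CVEs listing it."""
    wanted = {versioned_cpe(c, ebuild_version) for c in cpe_ids(metadata_xml)}
    return {cve for cve, cpes in cve_db.items() if wanted.intersection(cpes)}


if __name__ == "__main__":
    print(cpe_ids(CURL_METADATA))
    print(sorted(matching_cves(CURL_METADATA, "7.30.0-r1", SAMPLE_CVES)))
```

A package whose ebuild version does not follow upstream's scheme would need a per-package version translation before this lookup works, which is exactly the caveat the reply raises.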