-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/07/2013 11:59 PM, Mike Frysinger wrote:
> the guys who maintain the security CVE project [1] [2] (designed to be the
> authority when it comes to indexing security related vulnerabilities in
> projects) have a CPE specification [3] to make tracking CVEs back to a
> canonical source in a machine-parseable format.
>
> the ChromiumOS project wants to be able to tie CPEs to a specific package.
> this would probably also be a good thing for our own security team to tie into
> the GLSA process. the Debian project too is extending their database to
> include CPE information [4].
>
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml. so let's extend the DTD to cover this. the
> existing remote-id field looks like a pretty good fit, so the proposal is
> simple: add a new "cpe" type. the entries for net-misc/curl would be:
> <upstream>
> <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
> <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
> </upstream>
>
> or the gzip package:
> <upstream>
> <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
> </upstream>
>
> for most packages, there will probably be only one cpe entry, but as you can
> see here, sometimes more than one can track back to a single package.
>
> we have some scripts running on the CrOS side to try and do an initial seed
> (at least, for all the packages we're using), so i'll probably take care of
> merging that into the main tree. i'm not proposing this be required or
> anything (since not all packages will have one).
>
> thoughts ?

Love it.

- -Zero

> -mike
>
> [1] http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
> [2] http://cve.mitre.org/
> [3] http://cpe.mitre.org/specification/
> [4] http://wiki.debian.org/CPEtagPackagesDep
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRic8EAAoJEKXdFCfdEflKtUwP/jHZGlYFc25hdpjjNJuotsCS
FkxsyucqjGOAmlw8OY23dvTcc24miDvaZ9f/gabu7KfPEvZrCM5DwXAe/LTvyut8
LUeX2dXsd41ZXitGaFU88pgptJWcI7V+QMEI9I8/zz0azgNFY6bHyCRaSObEciFt
xhouUm3T/FaBWFIz503O7qriEVD5IxvKJN61bQU1UqUyLZpLYc3HHOLU0bDT5MlS
L3yw6uZ0sS9+P23pfb+zEauExaFsNPPoEU9yAyqI8ZAj0NzpQ1tNc/jnZ4XXGXdQ
gr+F/TkelSlUvfOv+oejYuDHr4n6djXc/vnU/fvL59NGpsvm1POMBfXSxDT5DkdP
WP/JSdSPF1PVK/xLNN335X55TuA+YqKzOxK690Sxj6zS2CPzSftMaFZCodC9Ho7K
BMhTS8RdfchGArShVKbdLM/j4ss0Fs6lmHm8KtMG5kmQNQklL3PsEFFFstsLyWd2
QXUr4bJDOrMcl+nlfOoId5/rPeEE1PvnF3gGR5LENpeGQ40SP85fIRVcdhtdGRbb
sPvErye+p6vsn/GltP0aqiXSxoz1AUdM8fg9jOIOCkRfU77qwbLM6pd8kFZ+qHBn
oxCIwJYjeQqeALDNBpFWlztx15pdZqG4raXWb9/i8PeUIvczlzO64LywKvJnJXQK
eDlKyFGC8CgrbRFnB8IK
=li7p
-----END PGP SIGNATURE-----
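The following is an added example, not code from the thread above, from Mike's CrOS seeding scripts, or from the Gentoo tree. It shows what the proposed `<remote-id type="cpe">` entries buy you in practice: a small script that parses metadata.xml files, indexes the CPE 2.2 names they declare, and maps a version-qualified CPE taken from a CVE entry back to the package(s) that own it. The metadata.xml documents are constructed inline (the curl and gzip entries mirror the proposal; `sys-apps/foo` is a hypothetical package with no CPE, which the proposal allows), and the CPE 2.2 component layout (`cpe:/part:vendor:product:version:update:edition:language`) is taken from the CPE specification, not from the mail.

```python
"""Map CPE names from a CVE feed back to Gentoo packages via metadata.xml.

Added example, not from the original thread, ChromiumOS or the Gentoo tree.
Assumes the proposed <remote-id type="cpe"> entries under <upstream>.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample metadata.xml documents keyed by category/package.
# The curl and gzip entries mirror the proposal in the mail; sys-apps/foo
# is a hypothetical package with no CPE, which the proposal says is allowed.
SAMPLE_METADATA = {
    "net-misc/curl": """<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <herd>net-misc</herd>
  <upstream>
    <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
    <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
  </upstream>
</pkgmetadata>
""",
    "app-arch/gzip": """<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <upstream>
    <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
    <remote-id type="freecode">gzip</remote-id>
  </upstream>
</pkgmetadata>
""",
    "sys-apps/foo": """<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <herd>base-system</herd>
</pkgmetadata>
""",
}

# Component order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into a dict of its components.

    Trailing components that are absent, and empty components, are stored
    as None so they behave as wildcards when matching.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) < 3 or len(parts) > len(CPE22_FIELDS):
        raise ValueError("bad component count in %r" % uri)
    # CPE name comparison is case-insensitive.
    fields = [p.lower() if p else None for p in parts]
    fields += [None] * (len(CPE22_FIELDS) - len(fields))
    return dict(zip(CPE22_FIELDS, fields))


def cpe_entries(metadata_xml):
    """Return the CPE remote-ids declared in one metadata.xml document."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip()
            for el in root.iterfind("./upstream/remote-id[@type='cpe']")
            if el.text]


def build_index(metadata_by_package):
    """Map (part, vendor, product) -> sorted list of packages declaring it."""
    index = defaultdict(set)
    for package, xml_text in metadata_by_package.items():
        for uri in cpe_entries(xml_text):
            cpe = parse_cpe22(uri)
            index[(cpe["part"], cpe["vendor"], cpe["product"])].add(package)
    return {key: sorted(pkgs) for key, pkgs in index.items()}


def packages_for_cpe(index, cpe_uri):
    """Find packages that own a CPE name taken from a CVE entry.

    CVE feeds usually carry version-qualified names such as
    cpe:/a:curl:libcurl:7.29.0; we match on part/vendor/product only and
    leave the version comparison to whoever knows the installed ebuild version.
    """
    cpe = parse_cpe22(cpe_uri)
    return index.get((cpe["part"], cpe["vendor"], cpe["product"]), [])


if __name__ == "__main__":
    idx = build_index(SAMPLE_METADATA)
    for cve_cpe in ("cpe:/a:curl:libcurl:7.29.0", "cpe:/a:gnu:gzip", "cpe:/a:gnu:tar"):
        print(cve_cpe, "->", packages_for_cpe(idx, cve_cpe) or "no package")
```

Indexing only on part/vendor/product is deliberate: the metadata.xml entries in the proposal carry no version, so a version-qualified CPE from a CVE must be reduced to its product identity before lookup, and a CPE that no package declares (here `cpe:/a:gnu:tar`) simply yields an empty list rather than a guess.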