[Openembedded-architecture] proposal: instant security information and a bom.json
Meier, Roger
r.meier at siemens.com
Thu Aug 18 07:50:13 UTC 2016
Dear OpenEmbedded Architecture Team
We would like to have up-to-date information on known security
vulnerabilities for each build based on OpenEmbedded.
Goal:
* provide information about known security vulnerabilities, see [1]
* cover all components included within an image
* all builds provide a bom.json containing metadata on security
vulnerabilities and additional information about the image, such
as license information, vendor URLs, etc.
Implementation proposal:
* bitbake recipes will contain additional fields, e.g.
* CPE_NAME="cpe:2.3:a:openssl:openssl:1.0.1f"
The Common Platform Enumeration standard identifies components
uniquely and vulnerabilities have assigned identifiers, see [2]
* CVE_FIXES="CVE-2016-2842 CVE-2016-0705"
This information shall reflect known vulnerabilities that are fixed within
a recipe by patches, see [3]
* add the new fields CPE_NAME and CVE_FIXES to classes/package.bbclass
* use a Web API to get information about the security vulnerabilities, e.g.
* curl -s http://cve.circl.lu/api/cvefor/cpe:2.3:a:openssl:openssl:1.0.1s | jq -r '.[] | .id + null'
Provides a list of known vulnerabilities, e.g.
CVE-2016-2176
CVE-2016-2109
CVE-2016-2107
CVE-2016-2106
CVE-2016-2105
The API used is based on cve-search [4], a very nice tool that can be
installed locally with a few steps. It is configurable via a local.conf variable
such as CVE_RESOLVER, so we can support local deployments and any CVE
info provider very easily.
To enable portability to other CVE resolvers, a convention such as
"CVE_RESOLVER provides a list of known CVEs" will be implemented.
People can then use a local CVE database or a web service as described.
* Generate a bom.json via classes/bom.bbclass containing all relevant
information for further processing, such a file could look like this:
{
  "machine": "qemuarm",
  "distro": "poky",
  "version": "2.0.1",
  "components": [
    {
      "pv": "1.22.1",
      "name": "busybox",
      "license": "GPLv2 & bzip2",
      "cpe": "cpe:/a:busybox:busybox:1.22.1",
      "summary": "Tiny versions of many common UNIX utilities in a single small executable",
      "pn": "busybox-syslog",
      "cve_fixes": [
        "CVE-2099-0000",
        "CVE-2099-1111"
      ]
    },
    {
      "pv": "2.20",
      "name": "glibc",
      "license": "GPLv2 & LGPLv2.1",
      "cpe": "cpe:/a:gnu:glibc:2.20",
      "summary": "GLIBC (GNU C Library)",
      "pn": "libc6",
      "cve_fixes": [
        "CVE-2015-7547"
      ]
    }
  ]
}
One idea here is to enrich bom.json with other metadata such as license or
package URL to have one single file for post-processing of several aspects.
* an add-on script or specific bitbake target will check a specific bom.json of an
older build for known vulnerabilities
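The following is an added illustration of that last step, not code from the proposal or from OpenEmbedded: it reads a bom.json in the layout shown above, asks a CVE resolver for the CVEs known for each component's CPE, and subtracts the recipe's cve_fixes to leave only the outstanding ones. The resolver here is a constructed in-memory stand-in for a cve-search query (the CVE-2099-* ids are placeholders), and the component without a CPE is included to show how a missing CPE_NAME is reported rather than silently passed.

```python
import json

# Constructed sample bom.json, modelled on the layout in the proposal above.
SAMPLE_BOM = json.dumps({
    "machine": "qemuarm", "distro": "poky", "version": "2.0.1",
    "components": [
        {"pn": "busybox-syslog", "name": "busybox", "pv": "1.22.1",
         "cpe": "cpe:/a:busybox:busybox:1.22.1",
         "cve_fixes": ["CVE-2099-0000", "CVE-2099-1111"]},
        {"pn": "libc6", "name": "glibc", "pv": "2.20",
         "cpe": "cpe:/a:gnu:glibc:2.20",
         "cve_fixes": ["CVE-2015-7547"]},
        # Constructed recipe that never set CPE_NAME, so no "cpe" key.
        {"pn": "no-cpe-pkg", "name": "no-cpe-pkg", "pv": "0.1",
         "cve_fixes": []},
    ],
})

# Constructed stand-in for the CVE_RESOLVER convention: a real resolver
# would query cve-search (GET /api/cvefor/<cpe>) and return the CVE ids.
# CVE-2099-* entries are placeholders, not real vulnerabilities.
LOCAL_CVE_DB = {
    "cpe:/a:busybox:busybox:1.22.1": ["CVE-2099-0000", "CVE-2099-2222"],
    "cpe:/a:gnu:glibc:2.20": ["CVE-2015-7547", "CVE-2099-3333", "CVE-2099-4444"],
}


def local_resolver(cpe):
    """Return the CVE ids known for a CPE, or [] if the CPE is unknown."""
    return list(LOCAL_CVE_DB.get(cpe, []))


def outstanding_cves(bom_text, resolver=local_resolver):
    """Map each component's PN to the CVEs the resolver reports for its CPE
    minus those the recipe declares fixed in cve_fixes. A component with
    no CPE maps to None, since nothing can be looked up for it."""
    bom = json.loads(bom_text)
    report = {}
    for comp in bom["components"]:
        cpe = comp.get("cpe")
        if not cpe:
            report[comp["pn"]] = None
            continue
        known = set(resolver(cpe))
        fixed = set(comp.get("cve_fixes", []))
        report[comp["pn"]] = sorted(known - fixed)
    return report


if __name__ == "__main__":
    for pn, cves in outstanding_cves(SAMPLE_BOM).items():
        print(pn, "-> no CPE, cannot check" if cves is None else cves)
```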
All the best!
Roger
[1] https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
[2] https://cpe.mitre.org/specification/
[3] https://cve.mitre.org/
[4] https://github.com/cve-search/cve-search