[Openembedded-architecture] proposal: instant security information and a bom.json
Richard Purdie
richard.purdie at linuxfoundation.org
Thu Aug 18 08:19:54 UTC 2016
On Thu, 2016-08-18 at 07:50 +0000, Meier, Roger wrote:
> Dear OpenEmbedded Architecture Team
>
> We would like to have up-to-date information on known security
> vulnerabilities for each build based on OpenEmbedded.
>
> Goal:
> * provide information about known security vulnerabilities, see [1]
> * cover all components included within an image
> * all builds provide a bom.json containing meta data on security
> vulnerabilities and additional information about the image such
> as license information, vendor URL's, etc.
>
> Implementation proposal:
> * bitbake recipies will contain additional fields, e.g.
> * CPE_NAME="cpe:2.3:a:openssl:openssl:1.0.1f"
> The Common Platform Enumeration standard identifies
> components
> uniquely and vulnerabilities have assigned identifiers, see
> [2]
Whilst I understand the idea, I am worried about trying to maintain
duplicate information in our recipes. Why couldn't this just be:
CPE_NAME = "cpe:2.3:a:${BPN}:${BPN}:${PV}"
?
> * CVE_FIXES="CVE-2016-2842 CVE-2016-0705"
> This information shall reflect known vulnerabilities that are
> fixed within
> a recipe by a patches, see [3]
We already discussed and agreed to add CVE tags into the patches
themselves. Again, I don't want to duplicate information, I'd much
rather the system just constructed such a field by parsing the tags out
of the patches.
> * add the new fields CPE_NAME and CVE_FIXES to
> classes/package.bbclass
Which piece of package.bbclass and why? Could you 'cpe' class not
extend the package.bbclass functions if its enabled making it opt in?
> * use a Web API to get information about the security
> vulnerabilities, e.g.
Have you looked at the cve-tool patch that has been on the OE-Core
mailing list? That also has some similarities and intentions to this
and I'd love to see people collaborating on such tools.
Just to be clear, I do think something like this would be good, however
we need to ensure we don't duplicate information or make things harder
for recipe maintenance.
Cheers,
Richard
More information about the Openembedded-architecture
mailing list