Packages.manifest does not have the tag CPE_ID: in openwrt trunk #1

Open
strhuan opened this issue Sep 23, 2019 · 2 comments

strhuan commented Sep 23, 2019

and I can't seem to find any commits towards metadata.pm on openwrt that would add support for CPE-ID:
So I don't understand how this would ever work.
I like the idea though. Is this on a todo for the openwrt project to add CPE-ID to metadata.pm?
But maybe I am fundamentally misunderstanding how I should be using cve-indicator.


strhuan commented Oct 7, 2019

Seems like I have misunderstood where package data is created. Still trying to figure out where the package metadata is created but in the meantime. Used the openwrt branch in your and did a test build but Package.metadata of a finished build does not have CPE_ID
ex
```
Package: busybox
Version: 1.29.3-3
Depends: libc
Alternatives: 100:/usr/bin/flock:/bin/busybox, 100:/usr/bin/free:/bin/busybox, 100:/sbin/ip:/bin/busybox, 100:/bin/kill:/bin/busybox, 100:/usr/bin/pgrep:/bin/busybox, 100:/bin/ps:/bin/busybox, 100:/usr/bin/top:/bin/busybox, 100:/usr/bin/uptime:/bin/busybox
Source: package/utils/busybox
License: GPL-2.0
LicenseFiles: LICENSE archival/libarchive/bz/LICENSE
Section: base
Essential: yes
Maintainer: Felix Fietkau nbd@nbd.name
Architecture: mips_24kc
Installed-Size: 207242
Filename: busybox_1.29.3-3_mips_24kc.ipk
Size: 207176
SHA256sum: 095e608116644aa2ce1e2d802a3d250c04594b2347d89a8198e923c0feab770f
Description: The Swiss Army Knife of embedded Linux.
 It slices, it dices, it makes Julian Fries.
```
As you can see, the packages.manifest does not have anything called CPE-ID, even though the Makefile for busybox has it added.

```makefile
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.

include $(TOPDIR)/rules.mk

PKG_NAME:=busybox
PKG_VERSION:=1.29.3
PKG_RELEASE:=3
PKG_FLAGS:=essential

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.busybox.net/downloads \
		http://sources.buildroot.net
PKG_HASH:=97648636e579462296478e0218e65e4bc1e9cd69089a3b1aeb810bff7621efb7

PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
PKG_BUILD_PARALLEL:=1
PKG_CHECK_FORMAT_SECURITY:=0

#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
PKG_ASLR_PIE:=0

PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
PKG_CPE_ID:=cpe:/a:busybox:busybox
```

What am I missing?

@kkreitmair
Owner

Sorry for the late response.

Yes, it is a todo for the openwrt project. There is a pull request for this, but unfortunately this is pending.
As a "workaround" you can add the needed changes in your own build.
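
A way to run the check discussed in this thread over a finished build's manifest, added here as an example (not code from cve-indicator or OpenWrt): it parses the control-style stanzas and reports which packages carry a CPE field and which do not. The field name `CPE-ID`, the function names and the second sample stanza are assumptions, and the sample text is constructed.

```python
# Added example. SAMPLE_MANIFEST is constructed; "CPE-ID" as the field name is an assumption.
SAMPLE_MANIFEST = """\
Package: busybox
Version: 1.29.3-3
Depends: libc
Source: package/utils/busybox
Description: The Swiss Army Knife of embedded Linux.
 It slices, it dices, it makes Julian Fries.

Package: example-pkg
Version: 0.0.1-1
CPE-ID: cpe:/a:example:example_pkg
Description: Constructed stanza that carries the field.
"""

def parse_stanzas(text):
    """Split control-file style text into a list of {field: value} dicts."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():             # a blank line ends the stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:  # indented line continues the previous field
            current[last] += "\n" + line.strip()
        elif ":" in line:                # split on the first colon only (values contain colons)
            key, _, value = line.partition(":")
            last = key.strip()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def cpe_coverage(text, field="CPE-ID"):
    """Return ({package: cpe}, sorted list of packages lacking the field)."""
    with_cpe, without = {}, []
    for stanza in parse_stanzas(text):
        name = stanza.get("Package", "<unnamed>")
        if stanza.get(field):
            with_cpe[name] = stanza[field]
        else:
            without.append(name)
    return with_cpe, sorted(without)

if __name__ == "__main__":
    have, missing = cpe_coverage(SAMPLE_MANIFEST)
    print("with CPE:", have)
    print("missing CPE:", missing)
```

Pass `field="CPE_ID"` to look for the underscore spelling used in the issue title instead.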
