On 20 Oct 2023, at 08:49, Mikko Rapeli via lists.openembedded.org <[email protected]> wrote:

> For example in meta-arm, trusted-firmware-a embeds mbed_tls SW component.
> Thus trusted-firmware-a can add CVE_PRODUCT for it since CVE database
> uses product name "mbed_tls":
>
> CVE_PRODUCT += "mbed_tls"
Right now, CVE_PRODUCT is the set of names that the project is known by. Pathological case being curl:

CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"

So this is a change of semantics.

> and set the version of mbed_tls:
>
> CVE_VERSION_mbed_tls = "2.28.4"

...

> CVE checker for this use case. I hope the "CVE_VERSION_vendor:product"
> does not cause odd breakages.

It will, because bitbake won't know that the colon is meant to be part of the vendor/product pair and it looks exactly like an override.

Instead of trying to shoehorn this change into the existing variables, maybe we need new ones. If we solve this problem we don't want to solve it for just eg TF-A embedding mbedtls, but also arbitrary Rust applications which statically link to many crates. It would be great if the same tooling that generates the SRC_URI with the 100 cargo:// entries would also set the right variables so that CVE tooling knows what crates and versions are in the recipe.

Totally making stuff up with little thinking, but how about we leave CVE_PRODUCT and CVE_VERSION as the set of known names and version for the top-level product, but add a new variable using varflags for each of the integrated components?

CVE_PRODUCT = "trusted-firmware-a"
CVE_COMPONENTS[mbedtls] = "3.30"

We could even do something clever and allow CVE_COMPONENTS = "" to mean "all of the components", but if CVE_COMPONENTS itself is set then that's the set of components that are actually being used, to handle cases where eg mbedtls may or may not be enabled via a PACKAGECONFIG.

Cheers,
Ross
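The following is an added illustration, not code from the thread, from cve-check or from OpenEmbedded, of how a checker could consume the CVE_COMPONENTS[...] varflag layout proposed in the message above. FakeDataStore, parse_products, parse_components, products_to_check and tfa_example are constructed for this example (the real bitbake datastore does expose getVar and getVarFlags under those names); the zlib component and the versions other than 3.30 are made up. Embedded components are queried under the wildcard vendor "*", the same convention cve-check applies today to a CVE_PRODUCT entry written without a vendor prefix.

```python
"""Added illustration (not OpenEmbedded or cve-check code) of how a checker
could consume the proposed CVE_COMPONENTS[...] varflag layout.  Only the
variable names CVE_PRODUCT, CVE_VERSION, CVE_COMPONENTS and PV come from
the thread or from bitbake; everything else here is constructed."""

from typing import Dict, List, Optional, Tuple


class FakeDataStore:
    """Constructed stand-in for bitbake's datastore `d`, exposing only the
    two accessors this example needs (bitbake's DataSmart has the same names)."""

    def __init__(self, variables: Dict[str, str], flags: Dict[str, Dict[str, str]]):
        self._vars = variables
        self._flags = flags

    def getVar(self, name: str) -> Optional[str]:
        return self._vars.get(name)

    def getVarFlags(self, name: str) -> Optional[Dict[str, str]]:
        return self._flags.get(name)


def parse_products(cve_product: str) -> List[Tuple[str, str]]:
    """Split a CVE_PRODUCT string into (vendor, product) pairs.

    This keeps the existing meaning of CVE_PRODUCT: every entry is an
    alternative name for the top-level project, and an entry without a
    colon gets the wildcard vendor "*" so any vendor in the database matches."""
    pairs = []
    for entry in cve_product.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = "*", entry
        pairs.append((vendor, product))
    return pairs


def parse_components(d) -> Dict[str, str]:
    """Interpret the proposed CVE_COMPONENTS layout (hypothetical semantics):

    * each varflag CVE_COMPONENTS[name] = "version" declares an embedded
      component and the version of it that is built in;
    * CVE_COMPONENTS itself unset or empty means every declared component
      is in use;
    * CVE_COMPONENTS = "a b" restricts the set to those components, e.g. when
      a PACKAGECONFIG decides whether mbedtls is actually compiled in.

    A selected component with no version flag is a recipe bug, so it raises
    instead of being silently left out of the scan."""
    flags = d.getVarFlags("CVE_COMPONENTS") or {}
    declared = {name: version.strip() for name, version in flags.items()
                if not name.startswith("_")}   # skip bitbake-internal flags
    selected = (d.getVar("CVE_COMPONENTS") or "").split()
    if not selected:
        return declared
    missing = [name for name in selected if name not in declared]
    if missing:
        raise ValueError("CVE_COMPONENTS lists components without a version "
                         "flag: %s" % " ".join(missing))
    return {name: declared[name] for name in selected}


def products_to_check(d) -> List[Tuple[str, str, str]]:
    """Return every (vendor, product, version) triple a checker should query:
    the top-level product under each of its known names, then each embedded
    component under its own version rather than the recipe's PV."""
    top_version = d.getVar("CVE_VERSION") or d.getVar("PV") or ""
    triples = [(vendor, product, top_version)
               for vendor, product in parse_products(d.getVar("CVE_PRODUCT") or "")]
    for name, version in sorted(parse_components(d).items()):
        triples.append(("*", name, version))
    return triples


def tfa_example(enabled_components: Optional[str] = None) -> FakeDataStore:
    """Constructed datastore modelled on the trusted-firmware-a case from the
    thread; zlib and every version except mbedtls 3.30 are made up."""
    variables = {"PV": "2.9", "CVE_PRODUCT": "trusted-firmware-a"}
    if enabled_components is not None:
        # In a real recipe this string would come from something like
        # bb.utils.contains('PACKAGECONFIG', 'mbedtls', 'mbedtls', '', d)
        variables["CVE_COMPONENTS"] = enabled_components
    return FakeDataStore(variables,
                         {"CVE_COMPONENTS": {"mbedtls": "3.30", "zlib": "1.3"}})


if __name__ == "__main__":
    for vendor, product, version in products_to_check(tfa_example()):
        print("%s:%s %s" % (vendor, product, version))
```

Running it lists trusted-firmware-a at its own PV followed by each embedded component at the version recorded in its varflag, which is exactly the information a checker loses when mbedtls is merely appended to CVE_PRODUCT and scanned at the recipe's version.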
