public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] extending metadata.xml to support CPE information
@ 2013-05-08  3:59 Mike Frysinger
  2013-05-08  4:05 ` Rick "Zero_Chaos" Farina
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Mike Frysinger @ 2013-05-08  3:59 UTC
  To: gentoo-dev


the guys who maintain the security CVE project [1] [2] (designed to be the 
authority when it comes to indexing security related vulnerabilities in 
projects) have a CPE specification [3] to make tracking CVEs back to a 
canonical source in a machine parseable format.

the ChromiumOS project wants to be able to tie CPEs to a specific package.  
this would probably also be a good thing for our own security team to tie into 
the GLSA process.  the Debian project too is extending their database to 
include CPE information [4].

we've already got a database for maintaining this sort of thing on a per-
package basis: metadata.xml.  so let's extend the DTD to cover this.  the 
existing remote-id field looks like a pretty good fit, so the proposal is 
simple: add a new "cpe" type.  the entries for net-misc/curl would be:
<upstream>
 <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
 <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
</upstream>

or the gzip package:
<upstream>
 <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
</upstream>

for most packages, there will probably be only one cpe entry, but as you can 
see here, sometimes more than one can track back to a single package.

we have some scripts running on the CrOS side to try and do an initial seed 
(at least, for all the packages we're using), so i'll probably take care of 
merging that into the main tree.  i'm not proposing this be required or 
anything (since not all packages will have one).

thoughts ?
-mike

[1] http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
[2] http://cve.mitre.org/
[3] http://cpe.mitre.org/specification/
[4] http://wiki.debian.org/CPEtagPackagesDep


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-08  3:59 [gentoo-dev] extending metadata.xml to support CPE information Mike Frysinger
@ 2013-05-08  4:05 ` Rick "Zero_Chaos" Farina
  2013-05-08  6:13 ` Sergey Popov
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Rick "Zero_Chaos" Farina @ 2013-05-08  4:05 UTC
  To: gentoo-dev


On 05/07/2013 11:59 PM, Mike Frysinger wrote:
> the guys who maintain the security CVE project [1] [2] (designed to be the 
> authority when it comes to indexing security related vulnerabilities in 
> projects) have a CPE specification [3] to make tracking CVEs back to a 
> canonical source in a machine parseable format.
> 
> the ChromiumOS project wants to be able to tie CPEs to a specific package.  
> this would probably also be a good thing for our own security team to tie into 
> the GLSA process.  the Debian project too is extending their database to 
> include CPE information [4].
> 
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml.  so let's extend the DTD to cover this.  the 
> existing remote-id field looks like a pretty good fit, so the proposal is 
> simple: add a new "cpe" type.  the entries for net-misc/curl would be:
> <upstream>
>  <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
>  <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
> </upstream>
> 
> or the gzip package:
> <upstream>
>  <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
> </upstream>
> 
> for most packages, there will probably be only one cpe entry, but as you can 
> see here, sometimes more than one can track back to a single package.
> 
> we have some scripts running on the CrOS side to try and do an initial seed 
> (at least, for all the packages we're using), so i'll probably take care of 
> merging that into the main tree.  i'm not proposing this be required or 
> anything (since not all packages will have one).
> 
> thoughts ?

Love it.

-Zero

> -mike
> 
> [1] http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
> [2] http://cve.mitre.org/
> [3] http://cpe.mitre.org/specification/
> [4] http://wiki.debian.org/CPEtagPackagesDep
> 




* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-08  3:59 [gentoo-dev] extending metadata.xml to support CPE information Mike Frysinger
  2013-05-08  4:05 ` Rick "Zero_Chaos" Farina
@ 2013-05-08  6:13 ` Sergey Popov
  2013-05-08  6:32 ` Sven Vermeulen
  2013-05-09  1:01 ` Mike Frysinger
  3 siblings, 0 replies; 7+ messages in thread
From: Sergey Popov @ 2013-05-08  6:13 UTC
  To: gentoo-dev


08.05.2013 07:59, Mike Frysinger wrote:
> the guys who maintain the security CVE project [1] [2] (designed to be the 
> authority when it comes to indexing security related vulnerabilities in 
> projects) have a CPE specification [3] to make tracking CVEs back to a 
> canonical source in a machine parseable format.
> 
> the ChromiumOS project wants to be able to tie CPEs to a specific package.  
> this would probably also be a good thing for our own security team to tie into 
> the GLSA process.  the Debian project too is extending their database to 
> include CPE information [4].
> 
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml.  so let's extend the DTD to cover this.  the 
> existing remote-id field looks like a pretty good fit, so the proposal is 
> simple: add a new "cpe" type.  the entries for net-misc/curl would be:
> <upstream>
>  <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
>  <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
> </upstream>
> 
> or the gzip package:
> <upstream>
>  <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
> </upstream>
> 
> for most packages, there will probably be only one cpe entry, but as you can 
> see here, sometimes more than one can track back to a single package.
> 
> we have some scripts running on the CrOS side to try and do an initial seed 
> (at least, for all the packages we're using), so i'll probably take care of 
> merging that into the main tree.  i'm not proposing this be required or 
> anything (since not all packages will have one).
> 
> thoughts ?

A reasonable improvement that can make tracking security issues easier
and more automatic. +1 for that.

-- 
Best regards, Sergey Popov
Gentoo Linux Developer
Desktop-effects project lead




* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-08  3:59 [gentoo-dev] extending metadata.xml to support CPE information Mike Frysinger
  2013-05-08  4:05 ` Rick "Zero_Chaos" Farina
  2013-05-08  6:13 ` Sergey Popov
@ 2013-05-08  6:32 ` Sven Vermeulen
  2013-05-09  1:01 ` Mike Frysinger
  3 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2013-05-08  6:32 UTC
  To: gentoo-dev

On Tue, May 07, 2013 at 11:59:18PM -0400, Mike Frysinger wrote:
> the guys who maintain the security CVE project [1] [2] (designed to be the 
> authority when it comes to indexing security related vulnerabilities in 
> projects) have a CPE specification [3] to make tracking CVEs back to a 
> canonical source in a machine parseable format.
> 
> the ChromiumOS project wants to be able to tie CPEs to a specific package.  
> this would probably also be a good thing for our own security team to tie into 
> the GLSA process.  the Debian project too is extending their database to 
> include CPE information [4].
> 
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml.  so let's extend the DTD to cover this.  the 
> existing remote-id field looks like a pretty good fit, so the proposal is 
> simple: add a new "cpe" type.  the entries for net-misc/curl would be:
> <upstream>
>  <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
>  <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
> </upstream>
> 
> or the gzip package:
> <upstream>
>  <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
> </upstream>
> 
> for most packages, there will probably be only one cpe entry, but as you can 
> see here, sometimes more than one can track back to a single package.
> 
> we have some scripts running on the CrOS side to try and do an initial seed 
> (at least, for all the packages we're using), so i'll probably take care of 
> merging that into the main tree.  i'm not proposing this be required or 
> anything (since not all packages will have one).

I'm all for it. We can then easily map CVEs against packages, especially if
the version structure we use in the ebuilds is the same one as used upstream
(so the remainder of the CPE with version can be easily obtained).

http://blog.siphos.be/2013/04/matching-packages-with-cves/

Wkr,
	Sven Vermeulen


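The two ideas in this thread, Mike's `<remote-id type="cpe">` entries in metadata.xml and Sven's point that CVEs can be mapped to packages once the ebuild version string matches upstream's, fit together in a small matcher. The following is an added example, not code from the thread, from the CrOS seeding scripts, or from the Gentoo tree. It assumes metadata.xml files in the proposed form, CPE 2.2 URIs (`cpe:/a:vendor:product[:version]`), and a CVE feed that lists affected CPEs; the metadata documents, package versions and CVE identifiers below are constructed sample data, not real advisories.

```python
"""Extract cpe remote-ids from metadata.xml and match them against a CVE feed.

Added example (not code from the gentoo-dev thread or from Gentoo's tree).
Assumes the <upstream><remote-id type="cpe"> form proposed in the thread and
CPE 2.2 URIs of the form cpe:/a:vendor:product[:version].
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample metadata.xml documents, keyed by category/package.
SAMPLE_METADATA = {
    "net-misc/curl": """<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <upstream>
    <remote-id type="cpe">cpe:/a:curl:curl</remote-id>
    <remote-id type="cpe">cpe:/a:curl:libcurl</remote-id>
  </upstream>
</pkgmetadata>""",
    "app-arch/gzip": """<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <upstream>
    <remote-id type="cpe">cpe:/a:gnu:gzip</remote-id>
    <remote-id type="github">example/gzip-mirror</remote-id>
  </upstream>
</pkgmetadata>""",
}

# Constructed sample: versions present in the tree for each package.
SAMPLE_VERSIONS = {"net-misc/curl": ["7.29.0", "7.30.0"], "app-arch/gzip": ["1.5"]}

# Constructed CVE feed (placeholder ids): CVE -> CPE URIs listed as affected.
SAMPLE_CVE_FEED = {
    "CVE-0000-0001": ["cpe:/a:curl:curl:7.29.0", "cpe:/a:curl:libcurl:7.29.0"],
    "CVE-0000-0002": ["cpe:/a:gnu:gzip:1.3.12"],
    "CVE-0000-0003": ["cpe:/a:curl:curl"],  # no version: every version affected
}


def cpe_ids(metadata_xml: str) -> List[str]:
    """Return the cpe remote-ids declared in one metadata.xml document."""
    root = ET.fromstring(metadata_xml)
    return [
        (el.text or "").strip()
        for el in root.iterfind("./upstream/remote-id")
        if el.get("type") == "cpe"
    ]


def parse_cpe22(uri: str) -> Tuple[str, str, str, str]:
    """Split a CPE 2.2 URI into (part, vendor, product, version); version may be ''.

    Raises ValueError for anything not of the cpe:/ form, so a typo in
    metadata.xml fails loudly instead of silently matching nothing.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] not in ("a", "h", "o"):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    part, vendor, product = fields[:3]
    version = fields[3] if len(fields) > 3 else ""
    return part, vendor, product, version


def cpe_index(metadata: Dict[str, str]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Map (part, vendor, product) -> packages declaring that CPE.

    Several CPEs may point at one package (curl/libcurl), so the index is
    built per CPE and the value is a set of packages.
    """
    index: Dict[Tuple[str, str, str], Set[str]] = {}
    for pkg, xml in metadata.items():
        for uri in cpe_ids(xml):
            part, vendor, product, _ = parse_cpe22(uri)
            index.setdefault((part, vendor, product), set()).add(pkg)
    return index


def match_cves(metadata: Dict[str, str], versions: Dict[str, List[str]],
               cve_feed: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return CVE -> sorted "category/package-version" atoms it affects.

    A CPE without a version matches every known version of the package; a
    versioned CPE matches only when the ebuild version string is identical,
    which is why upstream-compatible version strings matter for this mapping.
    """
    index = cpe_index(metadata)
    hits: Dict[str, Set[str]] = {}
    for cve, uris in cve_feed.items():
        for uri in uris:
            part, vendor, product, version = parse_cpe22(uri)
            for pkg in index.get((part, vendor, product), ()):
                for pv in versions.get(pkg, []):
                    if version in ("", pv):
                        hits.setdefault(cve, set()).add(f"{pkg}-{pv}")
    return {cve: sorted(atoms) for cve, atoms in hits.items()}


if __name__ == "__main__":
    for cve, atoms in sorted(match_cves(SAMPLE_METADATA, SAMPLE_VERSIONS,
                                        SAMPLE_CVE_FEED).items()):
        print(cve, ", ".join(atoms))
```

With the sample data, the versioned curl entry matches only `net-misc/curl-7.29.0`, the unversioned curl entry matches both curl versions, and the gzip entry matches nothing because 1.3.12 is not in the tree; a CPE 2.3 formatted string or a mistyped URI raises `ValueError` rather than being ignored.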

* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-08  3:59 [gentoo-dev] extending metadata.xml to support CPE information Mike Frysinger
                   ` (2 preceding siblings ...)
  2013-05-08  6:32 ` Sven Vermeulen
@ 2013-05-09  1:01 ` Mike Frysinger
  2013-05-09  1:06   ` Mike Frysinger
  3 siblings, 1 reply; 7+ messages in thread
From: Mike Frysinger @ 2013-05-09  1:01 UTC
  To: gentoo-dev


On Tuesday 07 May 2013 23:59:18 Mike Frysinger wrote:
> we've already got a database for maintaining this sort of thing on a per-
> package basis: metadata.xml.  so let's extend the DTD to cover this.  the
> existing remote-id field looks like a pretty good fit, so the proposal is
> simple: add a new "cpe" type.

committed:
http://sources.gentoo.org/gentoo/xml/htdocs/dtd/metadata.dtd?r1=1.12&r2=1.13

--- metadata.dtd	31 Dec 2012 21:10:30 -0000	1.12
+++ metadata.dtd	9 May 2013 01:00:39 -0000
@@ -64,7 +64,7 @@
     <!ELEMENT bugs-to (#PCDATA)>
     <!-- specify a type of package identification tracker -->
     <!ELEMENT remote-id (#PCDATA)>
-      <!ATTLIST remote-id type (bitbucket|cpan|cpan-module|cran|ctan|freecode|freshmeat|github|gitorious|google-code|launchpad|
pear|pecl|pypi|rubyforge|rubygems|sourceforge|sourceforge-jp|vim) #REQUIRED>
+      <!ATTLIST remote-id type (bitbucket|cpan|cpan-module|cpe|cran|ctan|freecode|freshmeat|github|gitorious|google-code|
launchpad|pear|pecl|pypi|rubyforge|rubygems|sourceforge|sourceforge-jp|vim) #REQUIRED>
 
   <!-- category/package information for cross-linking in descriptions
     and useflag descriptions -->
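Review bot: the only functional change is adding `cpe` to the `remote-id` type enumeration, kept in alphabetical position between `cpan-module` and `cran`. Two points on this hunk: as pasted, both long `<!ATTLIST remote-id type (...)>` lines have been wrapped by the mail client, so the continuation lines starting `pear|pecl|` and `launchpad|pear|` carry no `-`/`+` prefix and this text will not apply with `patch`; the linked sources.gentoo.org revision is the authoritative form. Second, `remote-id` remains `#PCDATA`, so the DTD accepts any string as a cpe value and does not check the `cpe:/a:vendor:product` URI form used in the proposal; consider extending the comment above `<!ELEMENT remote-id (#PCDATA)>` to state the expected form, or adding a QA check for it, so a mistyped CPE does not silently match no CVEs.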
-mike



* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-09  1:01 ` Mike Frysinger
@ 2013-05-09  1:06   ` Mike Frysinger
  2013-05-09  7:00     ` Sven Vermeulen
  0 siblings, 1 reply; 7+ messages in thread
From: Mike Frysinger @ 2013-05-09  1:06 UTC
  To: gentoo-dev; +Cc: antarus, swift, robbat2


On Wednesday 08 May 2013 21:01:19 Mike Frysinger wrote:
> On Tuesday 07 May 2013 23:59:18 Mike Frysinger wrote:
> > we've already got a database for maintaining this sort of thing on a per-
> > package basis: metadata.xml.  so let's extend the DTD to cover this.  the
> > existing remote-id field looks like a pretty good fit, so the proposal is
> > simple: add a new "cpe" type.
> 
> committed:

or not.  someone on cc want to commit that change for me ? :)

just add "cpe" between "cpan-module" and "cran" in the remote-id field.
-mike



* Re: [gentoo-dev] extending metadata.xml to support CPE information
  2013-05-09  1:06   ` Mike Frysinger
@ 2013-05-09  7:00     ` Sven Vermeulen
  0 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2013-05-09  7:00 UTC
  To: gentoo-dev; +Cc: antarus, robbat2

On Wed, May 08, 2013 at 09:06:00PM -0400, Mike Frysinger wrote:
> On Wednesday 08 May 2013 21:01:19 Mike Frysinger wrote:
> > On Tuesday 07 May 2013 23:59:18 Mike Frysinger wrote:
> > > we've already got a database for maintaining this sort of thing on a per-
> > > package basis: metadata.xml.  so let's extend the DTD to cover this.  the
> > > existing remote-id field looks like a pretty good fit, so the proposal is
> > > simple: add a new "cpe" type.
> > 
> > committed:
> 
> or not.  someone on cc want to commit that change for me ? :)
> 
> just add "cpe" between "cpan-module" and "cran" in the remote-id field.

Done

Wkr,
	Sven Vermeulen

