Page MenuHome
Differential D16160

deps_builder: Add support for cve-bin-tool
ClosedPublic
Actions

Authored by Ray Molenkamp (LazyDodo) on Oct 5 2022, 10:19 PM.

Details

Reviewers
Brecht Van Lommel (brecht)
Sybren A. Stüvel (sybren)
Commits
rB2db9bfb6d884: deps_builder: Add support for cve-bin-tool
rB9b8be81eef93: deps_builder: Add support for cve-bin-tool
Summary

The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).

This change adds all known CPE's (unique identifier for a software component) for our deps and adds a little bit of tooling to make running cve-bin-tool a easier. No attempt is made to manage the issues reported (one can mitigate/ignore/etc issues, but no tooling is provided in this diff for this).

cve-bin-tool uses the NVD database, which unless you have an API key limits you to 1 request per 6 seconds, it is highly recommended for platform maintainers to get a key over at

https://nvd.nist.gov/developers/request-an-api-key

as it would significantly decrease the time needed to download/update the databases required. once obtained, pass it to cmake using -DNVD_KEY=your_api_key

then you can just run the newly made targets by either running

make cve_check

or running

make cve_check_html

No attempt is currently made to locate cve-bin-tool and it is assumed to be available in the path, for installation instructions see the cve-bin-tool project page on github (TL;DR: pip instal cve-bin-tool)

Diff Detail

Repository
rB Blender
Branch
tmp_cve_bin_tool (branched from master)
Build Status
Buildable 24162
Build 24162: arc lint + arc unit

Event Timeline

Ray Molenkamp (LazyDodo) requested review of this revision.Oct 5 2022, 10:19 PM
Ray Molenkamp (LazyDodo) created this revision.
Harbormaster completed remote builds in B24138: Diff 56504.Oct 5 2022, 10:19 PM
Ray Molenkamp (LazyDodo) edited the summary of this revision. (Show Details)Oct 5 2022, 10:29 PM
Brecht Van Lommel (brecht) requested changes to this revision.Oct 6 2022, 1:02 PM

Seems simple enough.

build_files/build_environment/bom.json.in
1 ↗(On Diff #56504)

Can this be named cve_check_bom.json.in and move into the cmake folder next to cve_check.cmake? Otherwise not obvious what this file is doing here.

build_files/build_environment/cmake/cve_check.cmake
6

These lines are all terminated very short, why not use at least 79 chars wide?

63

Rename this variable to CVE_CHECK_NVD_KEY?

build_files/build_environment/cmake/versions.cmake
16

I don't understand what all this cpe:2.3:a and :*:*:*:*:*:*:* means. Unless I'm missing something, it's not even using that and only getting the vendor/library/version from this?

This revision now requires changes to proceed.Oct 6 2022, 1:02 PM
Ray Molenkamp (LazyDodo) added inline comments.Oct 6 2022, 2:52 PM
build_files/build_environment/cmake/versions.cmake
16

it's a standarized URI essentially full specifications, in cpe:2.3: part : vendor : product : version : update : edition : language : sw_edition : target_sw : target_hw : other format

i picked this format for some reasons

  1. You have to know the exact vendor and product fields for a successful match, which you can only lookup in the NVE database, which gives you the CPE.
  2. There is no mistake where this information comes from or what the source of the information is or what standard it adheres to.
  3. They are kinda scary looking, if we had vendor/product/version fields one would be more likely to "wing it" this one you know have to look up.
  4. I liked it was a single line, contains all information, keeping versions.cmake neat

Downsides:

while cve-bin-tool allows you to specify the CPE in a cyclonedx bom, it's not using it for matching so we have to do a little work there.

Brecht Van Lommel (brecht) added inline comments.Oct 6 2022, 4:57 PM
build_files/build_environment/cmake/versions.cmake
16

Ok, seems fine to have this then.

Ray Molenkamp (LazyDodo) updated this revision to Diff 56548.Oct 6 2022, 6:08 PM
  • fix comment length
  • move template file to the cmake folder, with a more appropriate name
  • move to using a CSV file since the json bom somehow missed some CVE's and i'm not entirely sure why.
Harbormaster completed remote builds in B24161: Diff 56548.Oct 6 2022, 6:09 PM
Ray Molenkamp (LazyDodo) updated this revision to Diff 56549.Oct 6 2022, 6:11 PM
Ray Molenkamp (LazyDodo) marked 4 inline comments as done.
  • rename NVD_KEY to CVE_CHECK_NVD_KEY
Harbormaster completed remote builds in B24162: Diff 56549.Oct 6 2022, 6:11 PM
Ray Molenkamp (LazyDodo) added a comment.Oct 6 2022, 6:11 PM

Updates with feedback

Brecht Van Lommel (brecht) accepted this revision.Oct 6 2022, 6:38 PM
This revision is now accepted and ready to land.Oct 6 2022, 6:38 PM
Closed by commit rB9b8be81eef93: deps_builder: Add support for cve-bin-tool (authored by Ray Molenkamp (LazyDodo)). · Explain WhyOct 10 2022, 7:48 PM
This revision was automatically updated to reflect the committed changes.
Ray Molenkamp (LazyDodo) added a commit: rB9b8be81eef93: deps_builder: Add support for cve-bin-tool.
Brecht Van Lommel (brecht) added a commit: rB2db9bfb6d884: deps_builder: Add support for cve-bin-tool.Nov 3 2022, 3:05 PM

Revision Contents
Changeset List

PathSize
build_files/
build_environment/
1 line
cmake/
75 lines
2 lines
57 lines

Diff 56549

View Options

build_files/build_environment/CMakeLists.txt

Loading...
View Options

build_files/build_environment/cmake/cve_check.cmake

Loading...
View Options

build_files/build_environment/cmake/cve_check.csv.in

Loading...
View Options

build_files/build_environment/cmake/versions.cmake

Loading...