fffc553485
This script queries the list of CPE IDs for the packages of the current configuration (based on the "make show-info" output), and:

- for CPE IDs that do not have any matching entry in the CPE database, it emits a warning
- for CPE IDs that do have a matching entry, but not with the same version, it generates a snippet of XML that can be used to propose an updated version to NIST.

Ref: NIST has a group email (cpe_dictionary@nist.gov) used to receive these version update and new entry xml files. They do process the XML and provide feedback. In some cases they will propose back something different where the vendor or version is slightly different.

Limitations

- Currently any use of non-number version identifiers isn't supported by NIST as they use ranges to determine impact of a CVE
- Any Linux version from a non-upstream is also not supported without manually adjusting the information as the custom kernel will more than likely not match the upstream version used in the dictionary

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
  - codestyles as spotted by Arnout
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
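The two checks the commit message describes (warn when a vendor/product has no dictionary entry at all, propose a new version when the entry exists but not for that version), as an added example that is not the Buildroot script itself. The dictionary and the "make show-info" CPE IDs are constructed stand-ins, and the cpe-item layout is an assumption modelled on the official CPE dictionary, since the page does not show the script's exact output.

```python
from xml.sax.saxutils import escape, quoteattr

# Constructed stand-in for the NIST CPE dictionary: {(vendor, product): {versions}}.
CPE_DICT = {
    ("gnu", "bash"): {"5.0", "5.1"},
    ("busybox", "busybox"): {"1.31.1", "1.32.0"},
}

# Constructed stand-in for the CPE IDs that "make show-info" would report.
CPE_IDS = [
    "cpe:2.3:a:gnu:bash:5.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:busybox:busybox:1.33.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:nosuchpkg:1.0:*:*:*:*:*:*:*",
]

def parse_cpe(cpe_id):
    """Split a CPE 2.3 formatted string (13 colon-separated fields) into
    (part, vendor, product, version). Escaped colons in values are not handled."""
    fields = cpe_id.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 ID: %s" % cpe_id)
    return fields[2], fields[3], fields[4], fields[5]

def cpe_item_xml(cpe_id):
    """Build a cpe-item element proposing this version. Assumed layout,
    modelled on the official dictionary; not the script's verbatim output."""
    part, vendor, product, version = parse_cpe(cpe_id)
    uri = "cpe:/%s:%s:%s:%s" % (part, vendor, product, version)
    return (
        "<cpe-item name=%s>\n"
        "  <title xml:lang=\"en-US\">%s</title>\n"
        "  <cpe-23:cpe23-item name=%s/>\n"
        "</cpe-item>"
    ) % (quoteattr(uri), escape("%s %s %s" % (vendor, product, version)), quoteattr(cpe_id))

def cpe_report(cpe_ids, cpe_dict):
    """Return (missing, proposals): IDs whose vendor/product is absent from the
    dictionary, and a dict mapping known IDs with an unlisted version to XML."""
    missing, proposals = [], {}
    for cpe_id in cpe_ids:
        _, vendor, product, version = parse_cpe(cpe_id)
        known = cpe_dict.get((vendor, product))
        if known is None:
            missing.append(cpe_id)
        elif version not in known:
            proposals[cpe_id] = cpe_item_xml(cpe_id)
    return missing, proposals

if __name__ == "__main__":
    for cpe_id in cpe_report(CPE_IDS, CPE_DICT)[0]:
        print("WARNING: no CPE dictionary entry for %s" % cpe_id)
```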