[Buildroot] [PATCH 1/1] package/libteam: drop LIBTEAM_CPE_ID_VENDOR

Fabrice Fontaine fontaine.fabrice at gmail.com
Sat Nov 6 09:57:32 UTC 2021


Hi,

On Fri, Nov 5, 2021 at 22:41, Yann E. MORIN <yann.morin.1998 at free.fr> wrote:
>
> Fabrice, All,
>
> On 2021-11-05 22:31 +0100, Fabrice Fontaine spake thusly:
> > LIBTEAM_CPE_ID_VENDOR was wrongly set since the addition of the package
> > in commit 7485f5be0c460649e7406699cde82bb492aa23f1 as
> > cpe:2.3:a:libteam:libteam is not a valid CPE identifier for this
> > package:
> >   https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibteam%3Alibteam
>
> I hadn't pushed that for more than 30 minutes that you already
> noticed. Woo... Scary! ;-)
>
> How did you catch this?
I'm manually checking the CPE of each new package.
>
> How can we easily validate that a CPE is indeed valid (short of running
> the full pkg-stats)?
We could update check-package; the simplest option would be to add a call to
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=3ACPE_ID_PREFIX:CPE_ID_VENDOR:CPE_ID_PRODUCT

If this call returns no entries, we can be confident that the CPE
variables are invalid (because the user made an error or because the
NVD NIST database was updated).
However, an HTTP request will be sent for every package with a
user-given CPE variable ...
The other option would be to mutualize the functions used by pkg-stats
to download the full CPE dictionary.
>
> Joachim, what made you think libteam was appropriate?
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
>
> Applied to master, thanks.
>
> Regards,
> Yann E. MORIN.
>
> > ---
> >  package/libteam/libteam.mk | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/package/libteam/libteam.mk b/package/libteam/libteam.mk
> > index 99454a03e5..8bd83aa20d 100644
> > --- a/package/libteam/libteam.mk
> > +++ b/package/libteam/libteam.mk
> > @@ -6,7 +6,6 @@
> >
> >  LIBTEAM_VERSION = 1.31
> >  LIBTEAM_SITE = $(call github,jpirko,libteam,v$(LIBTEAM_VERSION))
> > -LIBTEAM_CPE_ID_VENDOR = libteam
> >  LIBTEAM_LICENSE = LGPL-2.1+
> >  LIBTEAM_LICENSE_FILES = COPYING
> >  LIBTEAM_DEPENDENCIES = host-pkgconf jansson libdaemon libnl
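Review bot: The removed `LIBTEAM_CPE_ID_VENDOR = libteam` line, between `LIBTEAM_SITE` and `LIBTEAM_LICENSE`, was the only CPE variable in the visible context, so after this change libteam.mk carries no CPE information and nothing in the file records why. The commit message explains that cpe:2.3:a:libteam:libteam is not a valid identifier in the NVD search, but a one-line comment in the .mk saying so would keep a later contributor from re-adding the same vendor value and would mark the package for a recheck if the NVD dictionary changes.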
> > --
> > 2.33.0
> >
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'
Best Regards,

Fabrice
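
The dictionary-based check discussed in this message, sketched as an added example (it is not code from Buildroot's check-package or pkg-stats): it reads the CPE_ID_* variables from a .mk file, applies Buildroot's defaults for the unset ones, and looks the resulting prefix up in a list of names assumed to have been extracted from the NVD CPE dictionary already. The function names and the sample dictionary entries are constructed for illustration.

```python
import re

# Buildroot default used when a package sets at least one <PKG>_CPE_ID_* variable
DEFAULT_PREFIX = "cpe:2.3:a"

# Constructed stand-in for names taken from a downloaded NVD CPE dictionary
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:example_vendor:examplelib:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:examplelib:1.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:otherlib_project:otherlib:2.4:*:*:*:*:*:*:*",
]


def known_prefixes(cpe_names):
    """Reduce full CPE 2.3 names to their cpe:2.3:part:vendor:product prefixes."""
    prefixes = set()
    for name in cpe_names:
        # Split on ':' but not on the escaped '\:' that may occur inside a field.
        fields = re.split(r"(?<!\\):", name)
        if len(fields) == 13 and fields[:2] == ["cpe", "2.3"]:
            prefixes.add(":".join(fields[:5]))
    return prefixes


def package_cpe_prefix(pkgname, mk_text):
    """Return the CPE prefix a .mk declares, or None if it sets no CPE_ID_* variable."""
    upper = pkgname.upper().replace("-", "_")
    pattern = r"^%s_CPE_ID_(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$" % re.escape(upper)
    found = dict(re.findall(pattern, mk_text, re.M))
    if not found:
        return None  # no CPE information declared, nothing to validate
    prefix = found.get("PREFIX", DEFAULT_PREFIX)
    vendor = found.get("VENDOR", pkgname + "_project")  # Buildroot default vendor
    product = found.get("PRODUCT", pkgname)             # Buildroot default product
    return ":".join([prefix, vendor, product])


def check_cpe(pkgname, mk_text, prefixes):
    """Return a warning string if the declared CPE is absent from the dictionary."""
    declared = package_cpe_prefix(pkgname, mk_text)
    if declared is None or declared in prefixes:
        return None
    return "%s: %s not found in CPE dictionary" % (pkgname, declared)
```

Building the prefix set once and reusing it for every package avoids the per-package HTTP request mentioned above.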


