FLOP:CPE tagger

From Funtoo
Revision as of 11:23, December 8, 2020 by Mrl5 (talk | contribs)
Created on: 2020/04/15
Original Author(s): mrl5
Git sources (for cloning): Link
Status:
Funtoo Linux Optimization Proposal: CPE tagger

Let's tag the ebuilds with NIST NVD CPE names so that https://www.funtoo.org/FLOP:CVE_Monitoring becomes more reliable.

Using Plugin-Oriented Programming (POP), we can write a plugin that tags Funtoo meta-repo ebuilds with a CPE. With a proper design, this can be integrated with funtoo-metatools: https://code.funtoo.org/bitbucket/users/drobbins/repos/funtoo-metatools/browse


CVEs, CPEs, WTFs

It is useful to know which packages in meta-repo are affected by published vulnerabilities (CVEs). NVD links CVEs to affected products through CPE names (vendor, product, version, update, ...), so tagging each ebuild with its CPE gives a reliable package-to-CVE link, instead of fuzzy matching on the package name. The following search shows why this matters: a keyword search for "openssh" returns many distinct CPE names, differing in vendor, version and update fields, and only the full CPE tells which of them an ebuild actually corresponds to: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh


Steps:

1. Create a JSON representation of meta-repo: https://code.funtoo.org/bitbucket/users/mrl5/repos/metarepo-to-json/browse

   1.1. Store it as JSON files: https://github.com/mrl5/metarepo-cpe-tag/issues/1
   1.2. Store it in mongodb: https://github.com/mrl5/metarepo-cpe-tag/issues/2

2. Create a reliable CPE tagger:

   2.1. https://github.com/mrl5/metarepo-cpe-tag/issues/5
   2.2. https://github.com/mrl5/metarepo-cpe-tag/issues/6

3. Handle updates:

   3.1. https://github.com/mrl5/metarepo-cpe-tag/issues/3
   3.2. https://github.com/mrl5/metarepo-cpe-tag/issues/4
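The module below is an added example, not code from metarepo-cpe-tag or funtoo-metatools. It ties the CPE reasoning above to steps 1 and 2 of the plan: it splits a Gentoo-style atom into name and version, maps the package to an NVD vendor/product through a curated table, builds a CPE 2.3 formatted string, matches it against CPE names, and emits a JSON record of the kind step 1.1 would store. The vendor/product table, the stand-in NVD CPE names and the vendor `example_vendor` are constructed for illustration, and the rule that a Gentoo `_p1`/`_rc1` suffix becomes the CPE `update` field is an assumption about how a tagger would map versions; the name-only lookup is included only to show the over-reporting that the openssh search illustrates.

```python
"""Minimal CPE 2.3 tagger for Gentoo/Funtoo-style package atoms.

Added illustration, not code from metarepo-cpe-tag or funtoo-metatools.  The
vendor/product mapping and the stand-in NVD CPE dictionary are constructed.
"""
import json
import re

# Field order of a CPE 2.3 formatted string: cpe:2.3:<11 fields>.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# category/pn-pv[-rN]; pn is matched lazily so the version is the first
# "-<digit>..." run, which keeps names such as gtk+ or p7zip intact.
ATOM_RE = re.compile(
    r"^(?P<category>[a-z0-9][\w.+-]*)/(?P<pn>.+?)-(?P<pv>\d[^-]*)(?:-r(?P<pr>\d+))?$"
)

# Constructed mapping.  A package name alone does not identify an NVD product;
# the tagger needs a curated ebuild -> (vendor, product) table.
PRODUCT_MAP = {
    "net-misc/openssh": ("openbsd", "openssh"),
    "dev-libs/openssl": ("openssl", "openssl"),
}

# Constructed stand-in for the NVD CPE dictionary.  "example_vendor" is made
# up: it plays the role of a second vendor whose product is also called
# "openssh", which is why name-only matching over-reports.
NVD_CPE_NAMES = [
    "cpe:2.3:a:openbsd:openssh:8.3:p1:*:*:*:*:*:*",
    "cpe:2.3:a:openbsd:openssh:8.4:p1:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:openssh:8.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1i:*:*:*:*:*:*:*",
]


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 named fields.

    Colons inside a field are escaped as '\\:', so split only on unescaped
    colons and reject anything that is not 'cpe:2.3:' plus 11 fields.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def _escape(value):
    """Backslash-escape punctuation other than '.', '-' and '_' (the binding
    keeps those bare); the logical values '*' (ANY) and '-' (NA) pass through."""
    if value in ("*", "-"):
        return value
    return re.sub(r"([^A-Za-z0-9_.\-])", r"\\\1", value)


def format_cpe(fields):
    """Bind a partial field dict to a formatted string; unset fields become '*'."""
    return "cpe:2.3:" + ":".join(_escape(fields.get(f, "*")) for f in CPE_FIELDS)


def atom_to_cpe(atom, product_map=PRODUCT_MAP):
    """Derive a CPE name from an atom such as net-misc/openssh-8.4_p1-r1.

    Assumed mapping: the Gentoo _p/_rc/_beta suffix becomes the CPE 'update'
    field (8.4_p1 -> version 8.4, update p1); the Gentoo-only -rN is dropped.
    """
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"cannot split atom into name and version: {atom!r}")
    key = f"{m['category']}/{m['pn']}"
    if key not in product_map:
        raise KeyError(f"no vendor/product mapping for {key}")
    vendor, product = product_map[key]
    version, _, update = m["pv"].partition("_")
    return format_cpe({"part": "a", "vendor": vendor, "product": product,
                       "version": version, "update": update or "*"})


def cpe_match(a, b):
    """Field-wise comparison of two CPE names; '*' on either side matches anything."""
    fa, fb = parse_cpe(a), parse_cpe(b)
    return all(fa[f] == fb[f] or "*" in (fa[f], fb[f]) for f in CPE_FIELDS)


def match_by_name(pn, names=NVD_CPE_NAMES):
    """The unreliable approach: every CPE whose product field equals the package name."""
    return [n for n in names if parse_cpe(n)["product"] == pn]


def tag_ebuild(atom, product_map=PRODUCT_MAP, names=NVD_CPE_NAMES):
    """JSON-ready record for one ebuild: its CPE tag and the NVD names it matches."""
    try:
        cpe = atom_to_cpe(atom, product_map)
    except KeyError:
        cpe = None  # unmapped package: report it instead of guessing a vendor
    matches = [n for n in names if cpe and cpe_match(cpe, n)]
    return {"atom": atom, "cpe": cpe, "nvd_matches": matches}


if __name__ == "__main__":
    for atom in ("net-misc/openssh-8.4_p1-r1", "dev-libs/openssl-1.1.1i",
                 "sys-apps/unmapped-1.0"):
        print(json.dumps(tag_ebuild(atom), indent=2))
    print("name-only hits for openssh:", len(match_by_name("openssh")))
```

With the constructed dictionary, `match_by_name("openssh")` returns three names while `tag_ebuild("net-misc/openssh-8.4_p1-r1")` matches exactly one, and an ebuild with no entry in the vendor/product table is emitted with `"cpe": null` so the gap is visible rather than silently guessed. A real tagger would replace `NVD_CPE_NAMES` with the downloaded NVD CPE dictionary and maintain the product table as data alongside the ebuilds.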

Issue tracker:

- https://github.com/mrl5/metarepo-cpe-tag/issues

Related FLOPs:

- https://www.funtoo.org/FLOP:CVE_Monitoring