Buildroot Archive on lore.kernel.org
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check
Date: Thu, 9 Jul 2020 11:00:22 +0200
Message-ID: <20200709110022.0e79ff9b@windsurf>
In-Reply-To: <20200708164006.859021-8-gregory.clement@bootlin.com>

On Wed,  8 Jul 2020 18:40:04 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 883a5bd2be..e033e15e07 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -106,9 +106,11 @@ class Package:
>          self.patch_files = []
>          self.warnings = 0
>          self.current_version = None
> +        self.unknown_cve = False

Is this used in your patch? I don't see it used anywhere.

>          self.url = None
>          self.url_worker = None
>          self.cves = list()
> +        self.cves_to_check = list()
>          self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
>          self.status = {}
>  
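Review bot: `self.unknown_cve = False` is added here but no other hunk of this patch reads or sets it; either drop it or fold it into the `cves_to_check` list that the rest of the patch actually uses (a package with a non-empty `cves_to_check` is exactly the "unknown" case, so a separate boolean would only duplicate that state).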
> @@ -504,7 +506,12 @@ def check_package_cves(nvd_path, packages):
>          for pkg_name in cve.pkg_names:
>              if pkg_name in packages:
>                  pkg = packages[pkg_name]
> -                if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()):
> +                affected = cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list())
> +                print(affected)

This is a debug message, probably not meant to be in your final patch.

> +                if (affected == 'Unknown'):
> +                    pkg.cves_to_check.append(cve.identifier)

So this handling of the "Unknown" return value from cve.affects()
should be done together with the change in cve.affects() I guess.

> +                elif affected == True:
> +                    print(cve.identifier)

Again another print, should it really be here?

>                      pkg.cves.append(cve.identifier)
>  
>  def calculate_stats(packages):
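Review bot: returning a bare string sentinel (`'Unknown'`) alongside `True`/`False` from `cve.affects()` is easy to misuse; any caller that keeps writing `if cve.affects(...):` treats `'Unknown'` as truthy and files the CVE as a confirmed hit, and `elif affected == True:` only works here because the string case was tested first. Define the three outcomes as named constants (or an enum) next to `affects()` in cve.py and compare against those in this loop, without the parentheses around the `if` condition. The two `print()` calls (`print(affected)`, `print(cve.identifier)`) are debug leftovers and should go. The direction of the change itself is right: a version that cannot be compared ends up in `cves_to_check` for a human to look at instead of being silently counted as not affected, which would be a false negative hiding a vulnerable package.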
> @@ -544,8 +551,11 @@ def calculate_stats(packages):
>              stats["version-not-uptodate"] += 1
>          stats["patches"] += pkg.patch_count
>          stats["total-cves"] += len(pkg.cves)
> +        stats["total-cves-to-check"] += len(pkg.cves_to_check)
>          if len(pkg.cves) != 0:
>              stats["pkg-cves"] += 1
> +        if len(pkg.cves_to_check) != 0:
> +            stats["pkg-cves_to_check"] += 1
>      return stats
>  
>  
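Review bot: the two new stats keys are spelled inconsistently, `total-cves-to-check` with hyphens but `pkg-cves_to_check` with an underscore; the existing keys (`total-cves`, `pkg-cves`) use hyphens, so use that form for both, because the same strings are looked up again in dump_html_stats. The hunk also does not show these two keys being initialised to 0 in the `stats` dict, and `+=` on a missing key raises KeyError, so please confirm the initialisation is in the part of calculate_stats not shown here.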
> @@ -763,11 +773,22 @@ def dump_html_pkg(f, pkg):
>          td_class.append("correct")
>      else:
>          td_class.append("wrong")
> -    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
> +        f.write("  <td class=\"%s\">\n" % " ".join(td_class))

Spurious change here.

>      for cve in pkg.cves:
>          f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
>      f.write("  </td>\n")
>  
> +    # CVEs to check
> +    td_class = ["centered"]
> +    if len(pkg.cves_to_check) == 0:
> +        td_class.append("correct")
> +    else:
> +        td_class.append("wrong")
> +        f.write("  <td class=\"%s\">\n" % " ".join(td_class))

so you're opening the <td> only in the else case

> +    for cve in pkg.cves_to_check:
> +        f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
> +    f.write("  </td>\n")

but closing it in both cases. Doesn't look good.

Also, if you're adding a column, you need to update the column header
as well, to give a title to this column.

> +

So you've added that to the HTML output. Has the JSON output also been
updated? Or perhaps it just works due to how the JSON output is
generated?

>      f.write(" </tr>\n")
>  
>  
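Review bot: the new `<a href=\"...%s\">%s<br/>` line copies the existing one above it, including the anchor that is never closed; add `</a>` before `<br/>` in both the CVEs and the CVEs-to-check cell. The `f.write("  <td ...")` indented into the `else:` branch (in the existing column by the spurious re-indent, and in the new column as written) opens the `<td>` only when the list is non-empty while `</td>` is always written, so every package without CVEs produces a malformed row; the open must be unconditional and only the class may depend on the list being empty. Since `cve` is interpolated into both the href and the element body, passing it through `html.escape()` is worth the one extra call: the identifiers come from the NVD feed, not from a user, but they are still external input.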
> @@ -786,6 +807,7 @@ def dump_html_all_pkgs(f, packages):
>  <td class=\"centered\">Warnings</td>
>  <td class=\"centered\">Upstream URL</td>
>  <td class=\"centered\">CVEs</td>
> +<td class=\"centered\">CVEs to check</td>
>  </tr>
>  """)
>      for pkg in sorted(packages):
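Review bot: this is the column title asked for in the previous hunk; its position directly after `CVEs` matches the order in which dump_html_pkg emits the two cells, which is what keeps the table aligned, so keep the two in sync if either is moved.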
> @@ -824,10 +846,14 @@ def dump_html_stats(f, stats):
>              stats["version-not-uptodate"])
>      f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
>              stats["version-unknown"])
> -    f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
> +    f.write("<tr><td>Packages might affected by CVEs, where version needed to be checked</td><td>%s</td></tr>\n" %

"Packages might affected by CVEs" is not correct English I believe.
"Packages that might be affected by CVEs" sounds better.

"needed" -> "needs"

>              stats["pkg-cves"])
> -    f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
> +    f.write("<tr><td>Total number of CVEs that might affect all packages, where version needed to be checked</td><td>%s</td></tr>\n" %

version needed -> version needs

>              stats["total-cves"])
> +    f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
> +            stats["pkg-cves_to_check"])
> +    f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
> +            stats["total-cves_to_check"])
>      f.write("</table>\n")
>  
>  
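Review bot: the labels and the values are swapped. The two rows that print `stats["pkg-cves"]` and `stats["total-cves"]` now carry the "might be affected, version needs to be checked" wording, while the two new rows that print the `*_to_check` counters keep the old "affected by CVEs" text. Leave the two original `f.write()` lines unchanged and attach the new wording to the two new rows. Also `stats["total-cves_to_check"]` here does not match `stats["total-cves-to-check"]` incremented in calculate_stats, so dump_html_stats will raise KeyError at runtime; use one spelling everywhere.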

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
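The three-way match discussed above (affected, not affected, version not comparable) together with the stats and the HTML cell, as an added stand-alone example: this is not Buildroot's pkg-stats or cve.py. The names `Affected`, `Cve`, `Package`, `check_package_cves`, `calculate_stats`, `cve_cell`, the "fixed_in" range model and the sample data are assumptions made for the illustration; an enum replaces the bare `'Unknown'` string so that an uncomparable version cannot be mistaken for a confirmed hit.

```python
"""Added example, not Buildroot code. Names, range model and data assumed."""
import html
from enum import Enum


class Affected(Enum):
    """Result of matching one CVE against one package version."""
    NO = "no"
    YES = "yes"
    UNKNOWN = "unknown"   # version could not be compared: needs a human


def parse_version(version):
    """Dotted numeric version -> tuple. Raises for git hashes, None, "1.2-rc1"."""
    return tuple(int(part) for part in version.split("."))


class Cve:
    def __init__(self, identifier, pkg_names, fixed_in):
        self.identifier = identifier
        self.pkg_names = pkg_names
        self.fixed_in = fixed_in   # assumed model: versions below this are affected

    def affects(self, pkg_name, version, ignored):
        if self.identifier in ignored:
            return Affected.NO
        try:
            vulnerable = parse_version(version) < parse_version(self.fixed_in)
        except (ValueError, AttributeError):
            # Fail closed: an uncomparable version is reported for review,
            # never silently counted as "not affected".
            return Affected.UNKNOWN
        return Affected.YES if vulnerable else Affected.NO


class Package:
    def __init__(self, name, current_version, ignored=()):
        self.name = name
        self.current_version = current_version
        self.ignored = set(ignored)
        self.cves = []            # confirmed matches
        self.cves_to_check = []   # matches needing manual verification


def check_package_cves(cves, packages):
    for cve in cves:
        for pkg_name in cve.pkg_names:
            pkg = packages.get(pkg_name)
            if pkg is None:
                continue
            result = cve.affects(pkg.name, pkg.current_version, pkg.ignored)
            if result is Affected.UNKNOWN:
                pkg.cves_to_check.append(cve.identifier)
            elif result is Affected.YES:
                pkg.cves.append(cve.identifier)


def calculate_stats(packages):
    # Every key is initialised here so "+=" cannot KeyError, and the same
    # hyphenated spelling is what the renderer must look up.
    stats = {"total-cves": 0, "total-cves-to-check": 0,
             "pkg-cves": 0, "pkg-cves-to-check": 0}
    for pkg in packages.values():
        stats["total-cves"] += len(pkg.cves)
        stats["total-cves-to-check"] += len(pkg.cves_to_check)
        if pkg.cves:
            stats["pkg-cves"] += 1
        if pkg.cves_to_check:
            stats["pkg-cves-to-check"] += 1
    return stats


TRACKER = "https://security-tracker.debian.org/tracker/%s"


def cve_cell(identifiers):
    """One <td> per list: opened and closed unconditionally; only the class
    depends on whether the list is empty. Anchors are closed and escaped."""
    td_class = "centered " + ("correct" if not identifiers else "wrong")
    lines = ['  <td class="%s">' % td_class]
    for cve in identifiers:
        cve = html.escape(cve, quote=True)   # feed data: escape before emitting
        lines.append('   <a href="%s">%s</a><br/>' % (TRACKER % cve, cve))
    lines.append("  </td>")
    return "\n".join(lines)


# Constructed sample data; the CVE ids are placeholders, not real entries.
SAMPLE_CVES = [
    Cve("CVE-1900-0001", ["foo"], "1.2.3"),
    Cve("CVE-1900-0002", ["foo", "bar"], "2.0"),
    Cve("CVE-1900-0003", ["bar"], "0.5"),
]


def sample_packages():
    return {
        "foo": Package("foo", "1.2.0"),                                 # below both fixes
        "bar": Package("bar", "git-abcdef0", ignored=["CVE-1900-0003"]),  # not comparable
        "baz": Package("baz", "3.0"),                                   # no CVE lists it
    }


def run():
    packages = sample_packages()
    check_package_cves(SAMPLE_CVES, packages)
    return packages, calculate_stats(packages)
```

`run()` returns the classified packages and the stats dict; with the sample data `foo` gets two confirmed CVEs, `bar` gets `CVE-1900-0002` in `cves_to_check` because its git-hash version cannot be compared, and the ignored `CVE-1900-0003` is dropped before any comparison is attempted.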


Thread overview:
2020-07-08 16:39 [Buildroot] [PATCH 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-08 16:39 ` [Buildroot] [PATCH 1/9] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-07-08 16:54   ` Thomas Petazzoni
2020-07-09  7:34     ` Gregory CLEMENT
2020-07-08 16:39 ` [Buildroot] [PATCH 2/9] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 3/9] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-07-08 16:53   ` Thomas Petazzoni
2020-07-08 16:40 ` [Buildroot] [PATCH 4/9] package/pkg-utils: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 5/9] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-08 18:30   ` Matthew Weber
2020-07-09  8:41     ` Gregory CLEMENT
2020-07-09  9:03       ` Gregory CLEMENT
2020-07-09 11:46   ` Matthew Weber
2020-07-08 16:40 ` [Buildroot] [PATCH 6/9] package/pkg-utils: cve.py: Handle exception when version comparison fails Gregory CLEMENT
2020-07-09  8:52   ` Thomas Petazzoni
2020-07-08 16:40 ` [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-09  9:00   ` Thomas Petazzoni [this message]
2020-07-08 16:40 ` [Buildroot] [PATCH 8/9] support/script/cve-checker: " Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 9/9] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
  -- strict thread matches above, loose matches on Subject: below --
2020-07-10 11:22 [Buildroot] [PATCH 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
