From: Gregory CLEMENT <gregory.clement@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v3 4/8] support/script: Make CVE class independent of the Package class
Date: Fri, 24 Jul 2020 17:43:52 +0200
Message-ID: <20200724154356.2607639-5-gregory.clement@bootlin.com>
In-Reply-To: <20200724154356.2607639-1-gregory.clement@bootlin.com>
The affects method of the CVE class uses the Package class defined in
pkg-stats. The purpose of migrating the CVE class outside of pkg-stats
was to be able to reuse it from other scripts. So let's remove the
Package dependency and only use the needed information.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/cve.py | 10 +++++-----
support/scripts/pkg-stats | 14 ++++++++------
2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index a8861d966c..4e83ac8961 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -185,26 +185,26 @@ class CVE:
"""The set of package names referred by this CVE definition"""
return set(p['product'] for p in self.each_cpe())
- def affects(self, br_pkg):
+ def affects(self, name, version, cve_ignore_list):
"""
True if the Buildroot Package object passed as argument is affected
by this CVE.
"""
- if br_pkg.is_cve_ignored(self.identifier):
+ if (self.identifier in cve_ignore_list):
return self.CVE_DOESNT_AFFECT
for cpe in self.each_cpe():
affected = True
- if cpe['product'] != br_pkg.name:
+ if cpe['product'] != name:
continue
if cpe['v_start'] == '-':
return self.CVE_AFFECTS
if not (cpe['v_start'] or cpe['v_end']):
print("No CVE affected version")
continue
- pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
+ pkg_version = distutils.version.LooseVersion(version)
if not hasattr(pkg_version, "version"):
- print("Cannot parse package '%s' version '%s'" % (br_pkg.name, br_pkg.current_version))
+ print("Cannot parse package '%s' version '%s'" % (name, version))
continue
if cpe['v_start']:
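Review bot: the docstring under `def affects(self, name, version, cve_ignore_list):` still reads "True if the Buildroot Package object passed as argument is affected by this CVE", but the method no longer receives a Package object; it should describe the three arguments instead (package name as matched against the CPE product field, the package version string, and the list of CVE identifiers ignored for that package), otherwise the next caller outside pkg-stats has to read the body to learn what to pass. The outer parentheses in `if (self.identifier in cve_ignore_list):` are not needed in Python and the surrounding code does not use them; `if self.identifier in cve_ignore_list:` is enough. Since the ignore check runs once per call and the membership test is linear on a list, accepting any container (a set from the caller) would keep the same code and make the test constant time, though with the typical handful of ignored CVEs per package this is a nit.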
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 58847f9ca6..f073e866cb 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -242,11 +242,12 @@ class Package:
self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
return
- def is_cve_ignored(self, cve):
+ def cve_ignored_list(self):
"""
- Tells if the CVE is ignored by the package
+ Give the list of CVEs ignored by the package
"""
- return cve in self.all_ignored_cves.get(self.pkgvar(), [])
+ print(self.all_ignored_cves.get(self.pkgvar(), []))
+ return list(self.all_ignored_cves.get(self.pkgvar(), []))
def set_developers(self, developers):
"""
@@ -498,9 +499,10 @@ def check_package_cves(nvd_path, packages):
for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
for pkg_name in cve.pkg_names:
- if pkg_name in packages and cve.affects(packages[pkg_name]) == cve.CVE_AFFECTS:
- packages[pkg_name].cves.append(cve.identifier)
-
+ if pkg_name in packages:
+ pkg = packages[pkg_name]
+ if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS :
+ pkg.cves.append(cve.identifier)
def calculate_stats(packages):
stats = defaultdict(int)
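Review bot: `== cve.CVE_AFFECTS :` has a stray space before the colon; write `== cve.CVE_AFFECTS:` so the line stays flake8-clean like the rest of pkg-stats. Also, `pkg.cve_ignored_list()` is evaluated inside the per-CVE loop even though the ignored list of a package does not change between CVEs; it could be computed once per package (for example when the Package objects are built, or cached in the loop keyed by pkg_name) rather than re-reading `all_ignored_cves` for every CVE that mentions the package. With the NVD feed this loop runs tens of thousands of times, so the saving is noticeable even if the per-call cost is small.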
--
2.27.0
Thread overview: 17+ messages
2020-07-24 15:43 [Buildroot] [PATCH v3 0/8] Improving CVE reporting Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 1/8] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-08-28 7:18 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 2/8] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-08-28 7:34 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 3/8] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-08-28 8:51 ` Thomas Petazzoni
2020-07-24 15:43 ` Gregory CLEMENT [this message]
2020-08-28 9:03 ` [Buildroot] [PATCH v3 4/8] support/script: Make CVE class independent of the Package class Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 5/8] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-29 18:03 ` Matthew Weber
2020-08-28 9:45 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 6/8] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 7/8] support/script/cve-checker: " Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 8/8] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
2020-07-28 7:52 ` [Buildroot] [PATCH v3 0/8] Improving CVE reporting Thomas Petazzoni
2020-07-28 22:07 ` Titouan Christophe