From: Gregory CLEMENT <gregory.clement@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v3 6/8] support/script/pkg-stats: Manage the CVEs that need to be check
Date: Fri, 24 Jul 2020 17:43:54 +0200 [thread overview]
Message-ID: <20200724154356.2607639-7-gregory.clement@bootlin.com> (raw)
In-Reply-To: <20200724154356.2607639-1-gregory.clement@bootlin.com>
When looking for if a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not and we need to check manually the version.
This patch exposes this new information in json and html format.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/pkg-stats | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index f073e866cb..62f019cf7c 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -106,6 +106,7 @@ class Package:
self.url = None
self.url_worker = None
self.cves = list()
+ self.cves_to_check = list()
self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
self.status = {}
@@ -501,7 +502,10 @@ def check_package_cves(nvd_path, packages):
for pkg_name in cve.pkg_names:
if pkg_name in packages:
pkg = packages[pkg_name]
- if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS :
+ affected = cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list())
+ if (affected == cve.CVE_UNKNOWN):
+ pkg.cves_to_check.append(cve.identifier)
+ elif affected == cve.CVE_AFFECTS:
pkg.cves.append(cve.identifier)
def calculate_stats(packages):
@@ -541,8 +545,11 @@ def calculate_stats(packages):
stats["version-not-uptodate"] += 1
stats["patches"] += pkg.patch_count
stats["total-cves"] += len(pkg.cves)
+ stats["total-cves-to-check"] += len(pkg.cves_to_check)
if len(pkg.cves) != 0:
stats["pkg-cves"] += 1
+ if len(pkg.cves_to_check) != 0:
+ stats["pkg-cves_to_check"] += 1
return stats
@@ -765,6 +772,17 @@ def dump_html_pkg(f, pkg):
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
f.write(" </td>\n")
+ # CVEs to check
+ td_class = ["centered"]
+ if len(pkg.cves_to_check) == 0:
+ td_class.append("correct")
+ else:
+ td_class.append("wrong")
+ f.write(" <td class=\"%s\">\n" % " ".join(td_class))
+ for cve in pkg.cves_to_check:
+ f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+ f.write(" </td>\n")
+
f.write(" </tr>\n")
@@ -783,6 +801,7 @@ def dump_html_all_pkgs(f, packages):
<td class=\"centered\">Warnings</td>
<td class=\"centered\">Upstream URL</td>
<td class=\"centered\">CVEs</td>
+<td class=\"centered\">CVEs to check</td>
</tr>
""")
for pkg in sorted(packages):
@@ -821,10 +840,14 @@ def dump_html_stats(f, stats):
stats["version-not-uptodate"])
f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
stats["version-unknown"])
- f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
+ f.write("<tr><td>"Packages that might be affected by CVEs, where version needs to be checked</td><td>%s</td></tr>\n" %
stats["pkg-cves"])
- f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
+ f.write("<tr><td>Total number of CVEs that might affect all packages, where version needs to be checked</td><td>%s</td></tr>\n" %
stats["total-cves"])
+ f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
+ stats["pkg-cves_to_check"])
+ f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
+ stats["total-cves_to_check"])
f.write("</table>\n")
--
2.27.0
next prev parent reply other threads:[~2020-07-24 15:43 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 15:43 [Buildroot] [PATCH v3 0/8] Improving CVE reporting Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 1/8] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-08-28 7:18 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 2/8] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-08-28 7:34 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 3/8] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-08-28 8:51 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 4/8] support/script: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-08-28 9:03 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 5/8] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-29 18:03 ` Matthew Weber
2020-08-28 9:45 ` Thomas Petazzoni
2020-07-24 15:43 ` Gregory CLEMENT [this message]
2020-07-24 15:43 ` [Buildroot] [PATCH v3 7/8] support/script/cve-checker: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 8/8] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
2020-07-28 7:52 ` [Buildroot] [PATCH v3 0/8] Improving CVE reporting Thomas Petazzoni
2020-07-28 22:07 ` Titouan Christophe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200724154356.2607639-7-gregory.clement@bootlin.com \
--to=gregory.clement@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox