[Buildroot] [PATCH v4 0/2] Improving CVE reporting

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH v4 0/2] Improving CVE reporting
@ 2020-09-18 10:22 Gregory CLEMENT
  2020-09-18 10:22 ` [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Gregory CLEMENT @ 2020-09-18 10:22 UTC (permalink / raw)
  To: buildroot

Hello,

Most of the series was applied and there were sill this 2 patches
pending.

But since their submission the code base has evolved so I adapted to
apply them on the master branch.

Gregory


Gregory CLEMENT (2):
  support/script/pkg-stats: Manage the CVEs that need to be check
  support/script/cve-checker: Manage the CVEs that need to be check

 support/scripts/cve-checker | 21 +++++++++++++++++++--
 support/scripts/pkg-stats   | 25 ++++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 3 deletions(-)

-- 
2.28.0

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check
  2020-09-18 10:22 [Buildroot] [PATCH v4 0/2] Improving CVE reporting Gregory CLEMENT
@ 2020-09-18 10:22 ` Gregory CLEMENT
  2020-09-18 10:22 ` [Buildroot] [PATCH v4 2/2] support/script/cve-checker: " Gregory CLEMENT
  2020-09-19 12:16 ` [Buildroot] [PATCH v4 0/2] Improving CVE reporting Thomas Petazzoni
  2 siblings, 0 replies; 5+ messages in thread
From: Gregory CLEMENT @ 2020-09-18 10:22 UTC (permalink / raw)
  To: buildroot

When looking for if a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not and we need to check manually the version.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/pkg-stats | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 503cc45c16..69edeedec0 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -97,6 +97,7 @@ class Package:
         self.url = None
         self.url_worker = None
         self.cves = list()
+        self.cves_to_check = list()
         self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
         self.status = {}
 
@@ -535,7 +536,10 @@ def check_package_cves(nvd_path, packages):
         for pkg_name in cve.pkg_names:
             if pkg_name in packages:
                 pkg = packages[pkg_name]
-                if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS:
+                affected = cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves)
+                if  affected == cve.CVE_UNKNOWN:
+                    pkg.cves_to_check.append(cve.identifier)
+                if  affected == cve.CVE_AFFECTS:
                     pkg.cves.append(cve.identifier)
 
 
@@ -576,8 +580,11 @@ def calculate_stats(packages):
             stats["version-not-uptodate"] += 1
         stats["patches"] += pkg.patch_count
         stats["total-cves"] += len(pkg.cves)
+        stats["total-cves-to-check"] += len(pkg.cves_to_check)
         if len(pkg.cves) != 0:
             stats["pkg-cves"] += 1
+        if len(pkg.cves_to_check) != 0:
+            stats["pkg-cves_to_check"] += 1
     return stats
 
 
@@ -800,6 +807,17 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CVEs to check
+    td_class = ["centered"]
+    if len(pkg.cves_to_check) == 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    for cve in pkg.cves_to_check:
+        f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -818,6 +836,7 @@ def dump_html_all_pkgs(f, packages):
 <td class=\"centered\">Warnings</td>
 <td class=\"centered\">Upstream URL</td>
 <td class=\"centered\">CVEs</td>
+<td class=\"centered\">CVEs to check</td>
 </tr>
 """)
     for pkg in sorted(packages):
@@ -856,6 +875,10 @@ def dump_html_stats(f, stats):
             stats["version-not-uptodate"])
     f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
             stats["version-unknown"])
+    f.write("<tr><td>Packages that might be affected by CVEs, where version needs to be checked</td><td>%s</td></tr>\n" %
+            stats["pkg-cves_to_check"])
+    f.write("<tr><td>Total number of CVEs that might affect all packages, where version needs to be checked</td><td>%s</td></tr>\n" %
+            stats["total-cves_to_check"])
     f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
             stats["pkg-cves"])
     f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
-- 
2.28.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [Buildroot] [PATCH v4 2/2] support/script/cve-checker: Manage the CVEs that need to be check
  2020-09-18 10:22 [Buildroot] [PATCH v4 0/2] Improving CVE reporting Gregory CLEMENT
  2020-09-18 10:22 ` [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
@ 2020-09-18 10:22 ` Gregory CLEMENT
  2020-09-19 12:16 ` [Buildroot] [PATCH v4 0/2] Improving CVE reporting Thomas Petazzoni
  2 siblings, 0 replies; 5+ messages in thread
From: Gregory CLEMENT @ 2020-09-18 10:22 UTC (permalink / raw)
  To: buildroot

When looking for if a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not and we need to check manually the version.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/cve-checker | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index 998ea5b8af..b32e036d76 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -30,6 +30,7 @@ class Package:
         self.name = name
         self.version = version
         self.cves = list()
+        self.cves_to_check = list()
         self.ignored_cves = ignored_cves
 
 
@@ -40,8 +41,12 @@ def check_package_cves(nvd_path, packages):
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
             pkg = packages.get(pkg_name, '')
-            if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves) == cve.CVE_AFFECTS:
-                pkg.cves.append(cve.identifier)
+            if pkg:
+                affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
+                if (affected == cve.CVE_UNKNOWN):
+                    pkg.cves_to_check.append(cve.identifier)
+                elif affected == cve.CVE_AFFECTS:
+                    pkg.cves.append(cve.identifier)
 
 
 html_header = """
@@ -106,6 +111,17 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CVEs to check
+    td_class = ["centered"]
+    if len(pkg.cves_to_check) == 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    for cve in pkg.cves_to_check:
+        f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -116,6 +132,7 @@ def dump_html_all_pkgs(f, packages):
 <td>Package</td>
 <td class=\"centered\">Version</td>
 <td class=\"centered\">CVEs</td>
+<td class=\"centered\">CVEs to check</td>
 </tr>
 """)
     for pkg in packages:
-- 
2.28.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [Buildroot] [PATCH v4 0/2] Improving CVE reporting
  2020-09-18 10:22 [Buildroot] [PATCH v4 0/2] Improving CVE reporting Gregory CLEMENT
  2020-09-18 10:22 ` [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
  2020-09-18 10:22 ` [Buildroot] [PATCH v4 2/2] support/script/cve-checker: " Gregory CLEMENT
@ 2020-09-19 12:16 ` Thomas Petazzoni
  2020-09-21 10:14   ` Gregory CLEMENT
  2 siblings, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2020-09-19 12:16 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 18 Sep 2020 12:22:23 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> Gregory CLEMENT (2):
>   support/script/pkg-stats: Manage the CVEs that need to be check
>   support/script/cve-checker: Manage the CVEs that need to be check

From your previous iteration, 3 patches were still pending, but you're
only resending 2 here.

What happened with
https://patchwork.ozlabs.org/project/buildroot/patch/20200724154356.2607639-9-gregory.clement at bootlin.com/ ?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Buildroot] [PATCH v4 0/2] Improving CVE reporting
  2020-09-19 12:16 ` [Buildroot] [PATCH v4 0/2] Improving CVE reporting Thomas Petazzoni
@ 2020-09-21 10:14   ` Gregory CLEMENT
  0 siblings, 0 replies; 5+ messages in thread
From: Gregory CLEMENT @ 2020-09-21 10:14 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

> Hello,
>
> On Fri, 18 Sep 2020 12:22:23 +0200
> Gregory CLEMENT <gregory.clement@bootlin.com> wrote:
>
>> Gregory CLEMENT (2):
>>   support/script/pkg-stats: Manage the CVEs that need to be check
>>   support/script/cve-checker: Manage the CVEs that need to be check
>
> From your previous iteration, 3 patches were still pending, but you're
> only resending 2 here.
>
> What happened with
> https://patchwork.ozlabs.org/project/buildroot/patch/20200724154356.2607639-9-gregory.clement at bootlin.com/
> ?

I thought it was already applied I get it mixed up with another patch.

I am sending a v5 with the missing patch.

Gregory

>
> Thanks,
>
> Thomas
> -- 
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

-- 
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-09-21 10:14 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-18 10:22 [Buildroot] [PATCH v4 0/2] Improving CVE reporting Gregory CLEMENT
2020-09-18 10:22 ` [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-09-18 10:22 ` [Buildroot] [PATCH v4 2/2] support/script/cve-checker: " Gregory CLEMENT
2020-09-19 12:16 ` [Buildroot] [PATCH v4 0/2] Improving CVE reporting Thomas Petazzoni
2020-09-21 10:14   ` Gregory CLEMENT

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox