
[v3,4/8] support/script: Make CVE class independent of the Pacakage class

Message ID 20200724154356.2607639-5-gregory.clement@bootlin.com
State Accepted
Series Improving CVE reporting | expand

Commit Message

Gregory CLEMENT July 24, 2020, 3:43 p.m. UTC
The affects method of the CVE class uses the Package class defined in
pkg-stats. The purpose of migrating the CVE class outside of pkg-stats
was to be able to reuse it from other scripts. So let's remove the
Package dependency and only use the needed information.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/cve.py    | 10 +++++-----
 support/scripts/pkg-stats | 14 ++++++++------
 2 files changed, 13 insertions(+), 11 deletions(-)

Comments

Thomas Petazzoni Aug. 28, 2020, 9:03 a.m. UTC | #1
Hello,

Typo in the commit title: Pacakage -> Package

On Fri, 24 Jul 2020 17:43:52 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> The affects method of the CVE use the Package class defined in
> pkg-stats. The purpose of migrating the CVE class outside of pkg-stats
> was to be able to reuse it from other scripts. So let's remove the
> Package dependency and only use the needed information.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>

I've applied to next, with a few changes. See below.

> +        if (self.identifier in cve_ignore_list):

No parenthesis needed.

> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 58847f9ca6..f073e866cb 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -242,11 +242,12 @@ class Package:
>                      self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
>                  return
>  
> -    def is_cve_ignored(self, cve):
> +    def cve_ignored_list(self):

Renamed to just ignored_cves(self), and more importantly, added the
@property statement, since really that's what it is: a property of the
class. This allows to reference it like this: pkg.ignored_cves as if it
was a normal property of the class, not a function.

> +        print(self.all_ignored_cves.get(self.pkgvar(), []))

Spurious debug message.

Thanks!

Thomas

Patch

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index a8861d966c..4e83ac8961 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -185,26 +185,26 @@  class CVE:
         """The set of package names referred by this CVE definition"""
         return set(p['product'] for p in self.each_cpe())
 
-    def affects(self, br_pkg):
+    def affects(self, name, version, cve_ignore_list):
         """
         True if the Buildroot Package object passed as argument is affected
         by this CVE.
         """
-        if br_pkg.is_cve_ignored(self.identifier):
+        if (self.identifier in cve_ignore_list):
             return self.CVE_DOESNT_AFFECT
 
         for cpe in self.each_cpe():
             affected = True
-            if cpe['product'] != br_pkg.name:
+            if cpe['product'] != name:
                 continue
             if cpe['v_start'] == '-':
                 return self.CVE_AFFECTS
             if not (cpe['v_start'] or cpe['v_end']):
                 print("No CVE affected version")
                 continue
-            pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
+            pkg_version = distutils.version.LooseVersion(version)
             if not hasattr(pkg_version, "version"):
-                print("Cannot parse package '%s' version '%s'" % (br_pkg.name, br_pkg.current_version))
+                print("Cannot parse package '%s' version '%s'" % (name, version))
                 continue
 
             if cpe['v_start']:
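Review bot: The docstring of `affects` still describes the old contract — it talks about "the Buildroot Package object passed as argument" and says it returns True, while the new signature takes `name`, `version` and `cve_ignore_list` and the visible branches return `CVE_DOESNT_AFFECT`/`CVE_AFFECTS` rather than a boolean. Replace it with something like `"""Return CVE_AFFECTS if package *name* at *version* is affected by this CVE, CVE_DOESNT_AFFECT otherwise; identifiers found in *cve_ignore_list* are never reported."""`. Because any identifier in `cve_ignore_list` short-circuits before version matching, it is worth stating explicitly that this must be the package's own ignore list so callers do not pass anything broader and silently drop findings. The body of `affects` continues past the end of the hunk, so the full set of return paths is not visible here.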
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 58847f9ca6..f073e866cb 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -242,11 +242,12 @@  class Package:
                     self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
                 return
 
-    def is_cve_ignored(self, cve):
+    def cve_ignored_list(self):
         """
-        Tells if the CVE is ignored by the package
+        Give the list of CVEs ignored by the package
         """
-        return cve in self.all_ignored_cves.get(self.pkgvar(), [])
+        print(self.all_ignored_cves.get(self.pkgvar(), []))
+        return list(self.all_ignored_cves.get(self.pkgvar(), []))
 
     def set_developers(self, developers):
         """
@@ -498,9 +499,10 @@  def check_package_cves(nvd_path, packages):
 
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
-            if pkg_name in packages and cve.affects(packages[pkg_name]) == cve.CVE_AFFECTS:
-                packages[pkg_name].cves.append(cve.identifier)
-
+            if pkg_name in packages:
+                pkg = packages[pkg_name]
+                if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS :
+                    pkg.cves.append(cve.identifier)
 
 def calculate_stats(packages):
     stats = defaultdict(int)
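Review bot: The ignore list is rebuilt on every match: `pkg.cve_ignored_list()` on the new `if` line runs inside the `for cve ... for pkg_name` loops, so each hit re-evaluates `pkgvar()` and copies the list although nothing about the package changes between iterations. Compute it once per package before the CVE loop, e.g. `ignored = {n: set(p.cve_ignored_list()) for n, p in packages.items()}` and pass `ignored[pkg_name]`, which also turns the `in` test inside `CVE.affects` into a set lookup. Two style nits on the same lines: the stray space before the colon in `== cve.CVE_AFFECTS :`, and the removed blank line leaves only one blank line between `check_package_cves` and `calculate_stats` where PEP 8 expects two (the tree's flake8 check would presumably flag both).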