
[07/10] support/scripts/cve-checker: show CPE ID in results

Message ID 20201104145145.1316167-8-thomas.petazzoni@bootlin.com
State Not Applicable
Series Introduce CPE ID matching for CVEs | expand

Commit Message

Thomas Petazzoni Nov. 4, 2020, 2:51 p.m. UTC
From: Gregory CLEMENT <gregory.clement@bootlin.com>

This commit improves the cve-checker script to show the CPE ID of
packages, if available. For now, it doesn't use CPE IDs to match CVEs.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 support/scripts/cve-checker | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

Comments

Matt Weber Nov. 4, 2020, 5:20 p.m. UTC | #1
Thomas / Greg,

On Wed, Nov 4, 2020 at 8:52 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> From: Gregory CLEMENT <gregory.clement@bootlin.com>
>
> This commit improves the cve-checker script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve-checker | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
> index ff110fc17c..421202d049 100755
> --- a/support/scripts/cve-checker
> +++ b/support/scripts/cve-checker
> @@ -26,9 +26,10 @@ import cve as cvecheck
>
>
>  class Package:
> -    def __init__(self, name, version, ignored_cves):
> +    def __init__(self, name, version, cpeid, ignored_cves):
>          self.name = name
>          self.version = version
> +        self.cpeid = cpeid
>          self.cves = list()
>          self.ignored_cves = ignored_cves
>
> @@ -106,6 +107,19 @@ def dump_html_pkg(f, pkg):
>          f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
>      f.write("  </td>\n")
>
> +    # CPE ID
> +    td_class = ["left"]
> +    if pkg.cpeid:
> +        td_class.append("correct")
> +    else:
> +        td_class.append("wrong")
> +    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
> +    if pkg.cpeid:
> +        f.write("  <code>%s</code>\n" % pkg.cpeid)
> +    else:
> +        f.write("  N/A\n")
> +    f.write("  </td>\n")
> +


Similar question as in the pkgstats about including host package CPE
IDs in the listing.
Thomas Petazzoni Nov. 26, 2020, 3:38 p.m. UTC | #2
On Wed,  4 Nov 2020 15:51:41 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> From: Gregory CLEMENT <gregory.clement@bootlin.com>
> 
> This commit improves the cve-checker script to show the CPE ID of
> packages, if available. For now, it doesn't use CPE IDs to match CVEs.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  support/scripts/cve-checker | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)

Since cve-checker is no longer part of Buildroot, this patch no longer
makes sense, and I marked it as Non Applicable in patchwork.

Best regards,

Thomas

Patch

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index ff110fc17c..421202d049 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -26,9 +26,10 @@  import cve as cvecheck
 
 
 class Package:
-    def __init__(self, name, version, ignored_cves):
+    def __init__(self, name, version, cpeid, ignored_cves):
         self.name = name
         self.version = version
+        self.cpeid = cpeid
         self.cves = list()
         self.ignored_cves = ignored_cves
 
@@ -106,6 +107,19 @@  def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CPE ID
+    td_class = ["left"]
+    if pkg.cpeid:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    if pkg.cpeid:
+        f.write("  <code>%s</code>\n" % pkg.cpeid)
+    else:
+        f.write("  N/A\n")
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
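Review bot: `pkg.cpeid` is interpolated into the report without HTML escaping in the added `f.write("  <code>%s</code>\n" % pkg.cpeid)`. The value comes straight from the JSON read on stdin (the `pkg.get('cpe-id', None)` call in the `__main__` hunk), so a CPE string containing `<`, `>` or `&` would be emitted as markup rather than text. Escaping at the point of output closes this: `f.write("  <code>%s</code>\n" % html.escape(pkg.cpeid))`, which needs `import html` (Python 3 standard library) if the script does not already import it; the import block is outside this hunk. The CVE link on the context line above uses the same unescaped `%s` pattern and would benefit from the same treatment. dump_html_pkg begins before this hunk.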
@@ -116,6 +130,7 @@  def dump_html_all_pkgs(f, packages):
 <td>Package</td>
 <td class=\"centered\">Version</td>
 <td class=\"centered\">CVEs</td>
++<td class=\"centered\">CPE ID</td>
 </tr>
 """)
     for pkg in packages:
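Review bot: The added table-header line carries a second `+` (`++<td class=\"centered\">CPE ID</td>`), so once the patch is applied the string literal contains a literal `+` in front of the `<td>`, and that character is written into the generated HTML. The line should be added as `<td class=\"centered\">CPE ID</td>` with a single diff marker. The string literal and dump_html_all_pkgs both begin outside this hunk, so the rest of the header row is not visible here.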
@@ -141,6 +156,7 @@  def dump_json(packages, date, output):
         pkg.name: {
             "version": pkg.version,
             "cves": pkg.cves,
+            "cpe-id": pkg.cpeid,
         } for pkg in packages
     }
     # The actual structure to dump, add date to it
@@ -170,7 +186,6 @@  def parse_args():
         parser.error('at least one of --html or --json (or both) is required')
     return args
 
-
 def __main__():
     args = parse_args()
 
@@ -178,7 +193,7 @@  def __main__():
     content = json.load(sys.stdin)
     for item in content:
         pkg = content[item]
-        p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
+        p = Package(item, pkg.get('version', ''), pkg.get('cpe-id', None), pkg.get('ignore_cves', ''))
         packages.append(p)
 
     date = datetime.datetime.utcnow()