From patchwork Fri Jul 10 11:22:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gregory CLEMENT X-Patchwork-Id: 1326686 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.136; helo=silver.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B39dm3Mmmz9sRK for ; Fri, 10 Jul 2020 21:23:24 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id EAAA029478; Fri, 10 Jul 2020 11:23:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JZzrOtY38eZ; Fri, 10 Jul 2020 11:23:17 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by silver.osuosl.org (Postfix) with ESMTP id 2D2A6203DF; Fri, 10 Jul 2020 11:23:13 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by ash.osuosl.org (Postfix) with ESMTP id 85E411BF319 for ; Fri, 10 Jul 2020 11:23:05 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 57EE289A08 for ; Fri, 10 Jul 2020 11:23:05 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yRtBRedSTzn for ; Fri, 10 Jul 2020 11:23:02 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by hemlock.osuosl.org (Postfix) with ESMTPS id 6A6368972A for ; Fri, 10 Jul 2020 11:23:02 +0000 (UTC) X-Originating-IP: 91.175.115.186 Received: from localhost (91-175-115-186.subs.proxad.net [91.175.115.186]) (Authenticated sender: gregory.clement@bootlin.com) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 6EE1EE0005; Fri, 10 Jul 2020 11:23:00 +0000 (UTC) From: Gregory CLEMENT To: buildroot@buildroot.org Date: Fri, 10 Jul 2020 13:22:33 +0200 Message-Id: <20200710112245.1044073-8-gregory.clement@bootlin.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200710112245.1044073-1-gregory.clement@bootlin.com> References: <20200710112245.1044073-1-gregory.clement@bootlin.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Matt Weber , Thomas Petazzoni Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" When looking for if a package is affected, the version comparison can fail. This means that we don't know if the version of the package used is affected or not and we need to check manually the version. This patch exposes this new information in json and html format. Signed-off-by: Gregory CLEMENT --- support/scripts/pkg-stats | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index 883a5bd2be..e033e15e07 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats @@ -106,9 +106,11 @@ class Package: self.patch_files = [] self.warnings = 0 self.current_version = None + self.unknown_cve = False self.url = None self.url_worker = None self.cves = list() + self.cves_to_check = list() self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None} self.status = {} @@ -504,7 +506,12 @@ def check_package_cves(nvd_path, packages): for pkg_name in cve.pkg_names: if pkg_name in packages: pkg = packages[pkg_name] - if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()): + affected = cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) + print(affected) + if (affected == 'Unknown'): + pkg.cves_to_check.append(cve.identifier) + elif affected == True: + print(cve.identifier) pkg.cves.append(cve.identifier) def calculate_stats(packages): @@ -544,8 +551,11 @@ def calculate_stats(packages): stats["version-not-uptodate"] += 1 stats["patches"] += pkg.patch_count stats["total-cves"] += len(pkg.cves) + stats["total-cves-to-check"] += len(pkg.cves_to_check) if len(pkg.cves) != 0: stats["pkg-cves"] += 1 + if len(pkg.cves_to_check) != 0: + stats["pkg-cves_to_check"] += 1 return stats @@ -763,11 +773,22 @@ def dump_html_pkg(f, pkg): td_class.append("correct") else: td_class.append("wrong") - f.write(" \n" % " ".join(td_class)) + f.write(" \n" % " ".join(td_class)) for cve in pkg.cves: f.write(" %s
\n" % (cve, cve)) f.write(" \n") + # CVEs to check + td_class = ["centered"] + if len(pkg.cves_to_check) == 0: + td_class.append("correct") + else: + td_class.append("wrong") + f.write(" \n" % " ".join(td_class)) + for cve in pkg.cves_to_check: + f.write(" %s
\n" % (cve, cve)) + f.write(" \n") + f.write(" \n") @@ -786,6 +807,7 @@ def dump_html_all_pkgs(f, packages): Warnings Upstream URL CVEs +CVEs to check """) for pkg in sorted(packages): @@ -824,10 +846,14 @@ def dump_html_stats(f, stats): stats["version-not-uptodate"]) f.write("Packages with no known upstream version%s\n" % stats["version-unknown"]) - f.write("Packages affected by CVEs%s\n" % + f.write("Packages might affected by CVEs, where version needed to be checked%s\n" % stats["pkg-cves"]) - f.write("Total number of CVEs affecting all packages%s\n" % + f.write("Total number of CVEs that might affect all packages, where version needed to be checked%s\n" % stats["total-cves"]) + f.write("Packages affected by CVEs%s\n" % + stats["pkg-cves_to_check"]) + f.write("Total number of CVEs affecting all packages%s\n" % + stats["total-cves_to_check"]) f.write("\n")