From patchwork Fri Jul 24 15:43:52 2020
X-Patchwork-Submitter: Gregory CLEMENT
X-Patchwork-Id: 1335811
From: Gregory CLEMENT
To: buildroot@buildroot.org
Date: Fri, 24 Jul 2020 17:43:52 +0200
Message-Id: <20200724154356.2607639-5-gregory.clement@bootlin.com>
In-Reply-To: <20200724154356.2607639-1-gregory.clement@bootlin.com>
References: <20200724154356.2607639-1-gregory.clement@bootlin.com>
Subject: [Buildroot] [PATCH v3 4/8] support/script: Make CVE class independent of the Package class
Cc: Matt Weber , Thomas Petazzoni , Titouan Christophe

The affects method of the CVE uses the Package class defined in pkg-stats. The purpose of migrating the CVE class outside of pkg-stats was to be able to reuse it from other scripts. So let's remove the Package dependency and only use the needed information.

Signed-off-by: Gregory CLEMENT --- support/scripts/cve.py | 10 +++++----- support/scripts/pkg-stats | 14 ++++++++------ 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/support/scripts/cve.py b/support/scripts/cve.py index a8861d966c..4e83ac8961 100755 --- a/support/scripts/cve.py +++ b/support/scripts/cve.py 
@@ -185,26 +185,26 @@ class CVE: """The set of package names referred by this CVE definition""" return set(p['product'] for p in self.each_cpe()) - def affects(self, br_pkg): + def affects(self, name, version, cve_ignore_list): """ True if the Buildroot Package object passed as argument is affected by this CVE. """ - if br_pkg.is_cve_ignored(self.identifier): + if (self.identifier in cve_ignore_list): return self.CVE_DOESNT_AFFECT for cpe in self.each_cpe(): affected = True - if cpe['product'] != br_pkg.name: + if cpe['product'] != name: continue if cpe['v_start'] == '-': return self.CVE_AFFECTS if not (cpe['v_start'] or cpe['v_end']): print("No CVE affected version") continue - pkg_version = distutils.version.LooseVersion(br_pkg.current_version) + pkg_version = distutils.version.LooseVersion(version) if not hasattr(pkg_version, "version"): - print("Cannot parse package '%s' version '%s'" % (br_pkg.name, br_pkg.current_version)) + print("Cannot parse package '%s' version '%s'" % (name, version)) continue if cpe['v_start']: diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index 58847f9ca6..f073e866cb 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats @@ -242,11 +242,12 @@ class Package: self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings)) return - def is_cve_ignored(self, cve): + def cve_ignored_list(self): """ - Tells if the CVE is ignored by the package + Give the list of CVEs ignored by the package """ - return cve in self.all_ignored_cves.get(self.pkgvar(), []) + print(self.all_ignored_cves.get(self.pkgvar(), [])) + return list(self.all_ignored_cves.get(self.pkgvar(), [])) def set_developers(self, developers): """ 
@@ -498,9 +499,10 @@ def check_package_cves(nvd_path, packages): for cve in cvecheck.CVE.read_nvd_dir(nvd_path): for pkg_name in cve.pkg_names: - if pkg_name in packages and cve.affects(packages[pkg_name]) == cve.CVE_AFFECTS: - packages[pkg_name].cves.append(cve.identifier) - + if pkg_name in packages: + pkg = packages[pkg_name] + if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS : + pkg.cves.append(cve.identifier) def calculate_stats(packages): stats = defaultdict(int)
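Review bot: in the cve.py hunk (`@@ -185,26 +185,26 @@`), the docstring of `affects()` is now stale: it still says "True if the Buildroot Package object passed as argument is affected by this CVE", but the method no longer takes a Package object and, as the body shows, returns `CVE_DOESNT_AFFECT` / `CVE_AFFECTS` rather than a boolean. Please update it to describe the new `name`, `version` and `cve_ignore_list` parameters, since making this method usable from other scripts is the whole point of the change. Minor: the parentheses in `if (self.identifier in cve_ignore_list):` are not needed in Python; `if self.identifier in cve_ignore_list:` matches the style of the surrounding code.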
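Review bot: in the first pkg-stats hunk (`@@ -242,11 +242,12 @@`), the new `cve_ignored_list()` leaves a debug `print(self.all_ignored_cves.get(self.pkgvar(), []))` in place. Because this method is called from `check_package_cves()` once per CVE that names the package, that line will print the ignore list (usually an empty `[]`) on every match and clutter the pkg-stats output; it should be dropped, keeping only the `return list(...)`. The docstring would also read better as "Return the list of CVEs ignored by the package" rather than "Give the list ...".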
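Review bot: in the second pkg-stats hunk (`@@ -498,9 +499,10 @@`), the line `if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS :` has a space before the colon, which flake8 reports as E203 and will fail the tree's style check; please write `== cve.CVE_AFFECTS:`. Also, `pkg.cve_ignored_list()` is evaluated inside the inner loop, so the ignore list is rebuilt for every CVE that mentions the package; the result does not change between iterations, so it could be computed once per package (or the list passed in as a set) to keep the loop cheap when scanning the full NVD directory.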