From patchwork Fri Jul 24 15:43:54 2020
X-Patchwork-Submitter: Gregory CLEMENT
X-Patchwork-Id: 1335815
From: Gregory CLEMENT
To: buildroot@buildroot.org
Cc: Matt Weber, Thomas Petazzoni, Titouan Christophe
Date: Fri, 24 Jul 2020 17:43:54 +0200
Message-Id: <20200724154356.2607639-7-gregory.clement@bootlin.com>
In-Reply-To: <20200724154356.2607639-1-gregory.clement@bootlin.com>
Subject: [Buildroot] [PATCH v3 6/8] support/script/pkg-stats: Manage the CVEs that need to be checked

When checking whether a package is affected, the version comparison can fail. This means that we don't know whether the version of the package used is affected or not, and we need to check the version manually.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT
---
 support/scripts/pkg-stats | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index f073e866cb..62f019cf7c 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -106,6 +106,7 @@ class Package: self.url = None self.url_worker = None self.cves = list() + self.cves_to_check = list() self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None} self.status = {} @@ -501,7 +502,10 @@ def check_package_cves(nvd_path, packages): for pkg_name in cve.pkg_names: if pkg_name in packages: pkg = packages[pkg_name] - if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) == cve.CVE_AFFECTS : + affected = cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()) + if (affected == cve.CVE_UNKNOWN): + pkg.cves_to_check.append(cve.identifier) + elif affected == cve.CVE_AFFECTS: pkg.cves.append(cve.identifier) def calculate_stats(packages): @@ -541,8 +545,11 @@ def calculate_stats(packages): stats["version-not-uptodate"] += 1 stats["patches"] += pkg.patch_count stats["total-cves"] += len(pkg.cves) + stats["total-cves-to-check"] += len(pkg.cves_to_check) if len(pkg.cves) != 0: stats["pkg-cves"] += 1 + if len(pkg.cves_to_check) != 0: + stats["pkg-cves_to_check"] += 1 return stats @@ -765,6 +772,17 @@ def dump_html_pkg(f, pkg): f.write(" %s
\n" % (cve, cve)) f.write(" \n") + # CVEs to check + td_class = ["centered"] + if len(pkg.cves_to_check) == 0: + td_class.append("correct") + else: + td_class.append("wrong") + f.write(" \n" % " ".join(td_class)) + for cve in pkg.cves_to_check: + f.write("
%s
\n" % (cve, cve)) + f.write(" \n") + f.write(" \n") @@ -783,6 +801,7 @@ def dump_html_all_pkgs(f, packages): Warnings Upstream URL CVEs +CVEs to check """) for pkg in sorted(packages): @@ -821,10 +840,14 @@ def dump_html_stats(f, stats): stats["version-not-uptodate"]) f.write("Packages with no known upstream version%s\n" % stats["version-unknown"]) - f.write("Packages affected by CVEs%s\n" % + f.write(""Packages that might be affected by CVEs, where version needs to be checked%s\n" % stats["pkg-cves"]) - f.write("Total number of CVEs affecting all packages%s\n" % + f.write("Total number of CVEs that might affect all packages, where version needs to be checked%s\n" % stats["total-cves"]) + f.write("Packages affected by CVEs%s\n" % + stats["pkg-cves_to_check"]) + f.write("Total number of CVEs affecting all packages%s\n" % + stats["total-cves_to_check"]) f.write("\n")
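Review bot: the commit message says the new information is exposed in json and html, but the only changes in the patch are the new `cves_to_check` attribute on `Package`, the two stats counters and the HTML dumpers; nothing on the JSON output path is touched. If the JSON dump serialises `Package` attributes generically so the new list shows up without further changes, the commit message should say so; otherwise the JSON side is missing from this patch.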
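Review bot: in the check_package_cves hunk, `if (affected == cve.CVE_UNKNOWN):` carries parentheses that the sibling `elif affected == cve.CVE_AFFECTS:` does not; write it as `if affected == cve.CVE_UNKNOWN:` for consistency with the rest of the script. `cve.CVE_UNKNOWN` is also looked up on the CVE instance in the same way as the existing `cve.CVE_AFFECTS`, and nothing in this hunk shows that constant being defined, so it needs to exist by the time this patch is applied or the first unknown comparison will raise AttributeError.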
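Review bot: the calculate_stats hunk does `stats["total-cves-to-check"] += len(pkg.cves_to_check)` and `stats["pkg-cves_to_check"] += 1`, but nothing in the hunk initialises those two keys to 0 alongside `total-cves` and `pkg-cves`; on a plain dict the `+=` raises KeyError on the first package. The two new keys also use different separators (`-to-check` versus `_to_check`); pick one, and the hyphenated form is the one that matches the existing `version-not-uptodate`, `total-cves` and `pkg-cves` keys.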
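Review bot: the dump_html_stats hunk reads `stats["total-cves_to_check"]` while calculate_stats writes `stats["total-cves-to-check"]`, so rendering the stats table will raise KeyError. The labels are also attached to the wrong counters: the existing `stats["pkg-cves"]` and `stats["total-cves"]` rows, which count CVEs known to affect a package, are relabelled "Packages that might be affected by CVEs, where version needs to be checked" and "Total number of CVEs that might affect all packages, where version needs to be checked", while the two new `_to_check` rows get the old "Packages affected by CVEs" and "Total number of CVEs affecting all packages" labels. Keep the existing two rows' labels as they were and put the "might be affected ... needs to be checked" wording on the new rows. The doubled quote in `f.write(""Packages that might be affected` is a syntax error as shown, unless it is an artifact of how the patch was rendered on this page.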
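The three-state check the commit message describes (a CVE affects the package, does not affect it, or the version comparison fails and the CVE must be checked by hand), as an added example that is not Buildroot's pkg-stats code and does not use its NVD parsing. The `parse_version`, `CVE`, `classify` and `calculate_stats` names, the constructed package and CVE records (with placeholder "CVE-EXAMPLE-n" identifiers, not real CVEs), and the rule that only plain dotted-numeric versions are comparable are all assumptions of this example. The point it makes that the patch text alone does not: an uncomparable version, whether on the package side (a letter suffix, a git hash) or on the CVE range side, lands in a separate "to check" list instead of silently counting as unaffected, and the two sets of counters are kept apart.

```python
# Added example, not Buildroot's pkg-stats: a three-state CVE applicability
# check whose "unknown" outcome is tracked separately from "affects".
import re

CVE_AFFECTS = "affects"
CVE_DOESNT_AFFECT = "doesnt-affect"
CVE_UNKNOWN = "unknown"

# Assumption of this example: only plain dotted-numeric versions are comparable.
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version):
    """Return a comparable tuple, or None when the string cannot be compared
    (letter suffixes such as 1.1.1g, git hashes, revisions such as 1.2.11-r1)."""
    if not isinstance(version, str) or not _VERSION_RE.match(version):
        return None
    return tuple(int(part) for part in version.split("."))


class CVE:
    """Hypothetical CVE record: identifier, affected product name and a list of
    (start_including, end_excluding) version ranges; None means an open bound."""

    def __init__(self, identifier, product, ranges):
        self.identifier = identifier
        self.product = product
        self.ranges = ranges

    def affects(self, pkg_name, pkg_version, ignored):
        if self.identifier in ignored or pkg_name != self.product:
            return CVE_DOESNT_AFFECT
        pv = parse_version(pkg_version)
        if pv is None:
            return CVE_UNKNOWN  # package version not comparable: check manually
        for start, end in self.ranges:
            ps = parse_version(start) if start is not None else None
            pe = parse_version(end) if end is not None else None
            if (start is not None and ps is None) or (end is not None and pe is None):
                return CVE_UNKNOWN  # a range bound is not comparable either
            if (ps is None or ps <= pv) and (pe is None or pv < pe):
                return CVE_AFFECTS
        return CVE_DOESNT_AFFECT


def classify(packages, cves):
    """packages: {name: (version, ignored_cve_ids)}.
    Returns {name: {"cves": [...], "cves_to_check": [...]}}, mirroring the
    two lists the patch keeps per package."""
    result = {name: {"cves": [], "cves_to_check": []} for name in packages}
    for cve in cves:
        if cve.product not in packages:
            continue
        version, ignored = packages[cve.product]
        affected = cve.affects(cve.product, version, ignored)
        if affected == CVE_UNKNOWN:
            result[cve.product]["cves_to_check"].append(cve.identifier)
        elif affected == CVE_AFFECTS:
            result[cve.product]["cves"].append(cve.identifier)
    return result


def calculate_stats(result):
    """All four counters are initialised before the += loop, and the keys use
    one consistent separator."""
    stats = {"pkg-cves": 0, "total-cves": 0,
             "pkg-cves-to-check": 0, "total-cves-to-check": 0}
    for info in result.values():
        stats["total-cves"] += len(info["cves"])
        stats["total-cves-to-check"] += len(info["cves_to_check"])
        if info["cves"]:
            stats["pkg-cves"] += 1
        if info["cves_to_check"]:
            stats["pkg-cves-to-check"] += 1
    return stats


# Constructed sample data; the identifiers are placeholders, not real CVEs.
PACKAGES = {
    "zlib": ("1.2.11", set()),
    "busybox": ("1.31.1", {"CVE-EXAMPLE-3"}),   # CVE-EXAMPLE-3 is on the ignore list
    "openssl": ("1.1.1g", set()),                # letter suffix: not comparable
    "libfoo": ("a1b2c3d", set()),                # git hash: not comparable
}
CVES = [
    CVE("CVE-EXAMPLE-1", "zlib", [(None, "1.2.12")]),         # affects 1.2.11
    CVE("CVE-EXAMPLE-2", "zlib", [("1.2.12", None)]),         # does not affect
    CVE("CVE-EXAMPLE-3", "busybox", [(None, "1.32.0")]),      # ignored
    CVE("CVE-EXAMPLE-4", "busybox", [("1.30.0", "1.31.2")]),  # affects
    CVE("CVE-EXAMPLE-5", "openssl", [(None, "1.1.2")]),       # unknown: package version
    CVE("CVE-EXAMPLE-6", "libfoo", [(None, "2.0")]),          # unknown: package version
    CVE("CVE-EXAMPLE-7", "zlib", [(None, "1.2.11-r1")]),      # unknown: range bound
]

if __name__ == "__main__":
    per_pkg = classify(PACKAGES, CVES)
    for name, info in sorted(per_pkg.items()):
        print(name, "affected:", info["cves"], "to check:", info["cves_to_check"])
    print(calculate_stats(per_pkg))
```

The ignore list is consulted before any version comparison, so an ignored CVE never ends up in the "to check" column; whether that is the right precedence for a given project is a policy choice, but it matches the patch, where the ignored list is passed into `cve.affects` ahead of the version test.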