From patchwork Fri Sep 18 10:22:24 2020
X-Patchwork-Submitter: Gregory CLEMENT
X-Patchwork-Id: 1366787
From: Gregory CLEMENT
To: buildroot@buildroot.org
Cc: Matt Weber, Thomas Petazzoni
Date: Fri, 18 Sep 2020 12:22:24 +0200
Message-Id: <20200918102225.76756-2-gregory.clement@bootlin.com>
In-Reply-To: <20200918102225.76756-1-gregory.clement@bootlin.com>
References: <20200918102225.76756-1-gregory.clement@bootlin.com>
Subject: [Buildroot] [PATCH v4 1/2] support/script/pkg-stats: Manage the CVEs that need to be check
List-Id: Discussion and development of buildroot

When checking whether a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not, and we need to check the version manually.

This patch exposes this new information in JSON and HTML format.

Signed-off-by: Gregory CLEMENT
---
 support/scripts/pkg-stats | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 503cc45c16..69edeedec0 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -97,6 +97,7 @@ class Package: self.url = None self.url_worker = None self.cves = list() + self.cves_to_check = list() self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None} self.status = {} @@ -535,7 +536,10 @@ def check_package_cves(nvd_path, packages): for pkg_name in cve.pkg_names: if pkg_name in packages: pkg = packages[pkg_name] - if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS: + affected = cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) + if affected == cve.CVE_UNKNOWN: + pkg.cves_to_check.append(cve.identifier) + if affected == cve.CVE_AFFECTS: pkg.cves.append(cve.identifier) @@ -576,8 +580,11 @@ def calculate_stats(packages): stats["version-not-uptodate"] += 1 stats["patches"] += pkg.patch_count stats["total-cves"] += len(pkg.cves) + stats["total-cves-to-check"] += len(pkg.cves_to_check) if len(pkg.cves) != 0: stats["pkg-cves"] += 1 + if len(pkg.cves_to_check) != 0: + stats["pkg-cves_to_check"] += 1 return stats @@ -800,6 +807,17 @@ def dump_html_pkg(f, pkg): f.write(" %s
\n" % (cve, cve)) f.write(" \n") + # CVEs to check + td_class = ["centered"] + if len(pkg.cves_to_check) == 0: + td_class.append("correct") + else: + td_class.append("wrong") + f.write(" \n" % " ".join(td_class)) + for cve in pkg.cves_to_check: + f.write("
%s
\n" % (cve, cve)) + f.write(" \n") + f.write(" \n") @@ -818,6 +836,7 @@ def dump_html_all_pkgs(f, packages): Warnings Upstream URL CVEs +CVEs to check """) for pkg in sorted(packages): @@ -856,6 +875,10 @@ def dump_html_stats(f, stats): stats["version-not-uptodate"]) f.write("Packages with no known upstream version%s\n" % stats["version-unknown"]) + f.write("Packages that might be affected by CVEs, where version needs to be checked%s\n" % + stats["pkg-cves_to_check"]) + f.write("Total number of CVEs that might affect all packages, where version needs to be checked%s\n" % + stats["total-cves_to_check"]) f.write("Packages affected by CVEs%s\n" % stats["pkg-cves"]) f.write("Total number of CVEs affecting all packages%s\n" %