From patchwork Mon Sep 21 10:15:14 2020
X-Patchwork-Submitter: Gregory CLEMENT
X-Patchwork-Id: 1368203
From: Gregory CLEMENT
To: buildroot@buildroot.org
Cc: Matt Weber, Thomas Petazzoni
Date: Mon, 21 Sep 2020 12:15:14 +0200
Message-Id: <20200921101515.132359-3-gregory.clement@bootlin.com>
In-Reply-To: <20200921101515.132359-1-gregory.clement@bootlin.com>
References: <20200921101515.132359-1-gregory.clement@bootlin.com>
X-Mailer: git-send-email 2.28.0
List-Id: Discussion and development of buildroot
Subject: [Buildroot] [PATCH v5 2/3] support/script/cve-checker: Manage the CVEs that need to be checked

When checking whether a package is affected, the version comparison can
fail. This means that we don't know whether the version of the package
used is affected or not, and we need to check the version manually.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT
---
 support/scripts/cve-checker | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index 998ea5b8af..b32e036d76 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -30,6 +30,7 @@ class Package: self.name = name self.version = version self.cves = list() + self.cves_to_check = list() self.ignored_cves = ignored_cves @@ -40,8 +41,12 @@ def check_package_cves(nvd_path, packages): for cve in cvecheck.CVE.read_nvd_dir(nvd_path): for pkg_name in cve.pkg_names: pkg = packages.get(pkg_name, '') - if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves) == cve.CVE_AFFECTS: - pkg.cves.append(cve.identifier) + if pkg: + affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves) + if (affected == cve.CVE_UNKNOWN): + pkg.cves_to_check.append(cve.identifier) + elif affected == cve.CVE_AFFECTS: + pkg.cves.append(cve.identifier) html_header = """ @@ -106,6 +111,17 @@ def dump_html_pkg(f, pkg): f.write(" %s
\n" % (cve, cve)) f.write(" \n") + # CVEs to check + td_class = ["centered"] + if len(pkg.cves_to_check) == 0: + td_class.append("correct") + else: + td_class.append("wrong") + f.write(" \n" % " ".join(td_class)) + for cve in pkg.cves_to_check: + f.write("
%s
\n" % (cve, cve)) + f.write(" \n") + f.write(" \n") @@ -116,6 +132,7 @@ def dump_html_all_pkgs(f, packages): Package Version CVEs +CVEs to check """) for pkg in packages:
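Review bot: in the check_package_cves hunk, the new branch relies on cve.CVE_UNKNOWN, which this patch does not define, so it only works once the earlier patch of the series that adds that return value to cvecheck.CVE has landed; please state that dependency in the commit message. Also, `if (affected == cve.CVE_UNKNOWN):` carries redundant parentheses; the sibling `elif affected == cve.CVE_AFFECTS:` already shows the plain form, so drop them for consistency. Any return value other than CVE_UNKNOWN and CVE_AFFECTS is silently dropped, which is the intended "not affected" outcome, but a short comment saying so would save the next reader a trip to cvecheck.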
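Review bot: in the dump_html_pkg hunk, the new "CVEs to check" cell reuses the same "correct"/"wrong" classes as the existing CVEs cell, so a package whose version could not be compared looks exactly like a package with confirmed CVEs in the report; a distinct class for "needs manual check" would keep triage work and confirmed findings visually separate. The block is also a near copy of the cell-writing code just above it; a small helper taking the CVE list and the cell class would avoid the two drifting apart. Both cells write the identifiers straight into the HTML with `" % (cve, cve)` and no html.escape(); the identifiers come from the NVD feed and follow a fixed pattern, so this is consistent with the existing code, but escaping them is cheap if the helper is introduced anyway.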