From patchwork Thu Jan 7 13:39:44 2021
X-Patchwork-Submitter: Thomas Petazzoni
X-Patchwork-Id: 1423290
From: Thomas Petazzoni
To: Buildroot List
Date: Thu, 7 Jan 2021 14:39:44 +0100
Message-Id: <20210107133948.2997849-8-thomas.petazzoni@bootlin.com>
In-Reply-To: <20210107133948.2997849-1-thomas.petazzoni@bootlin.com>
References: <20210107133948.2997849-1-thomas.petazzoni@bootlin.com>
Subject: [Buildroot] [PATCH 07/10] support/scripts/pkg-stats: check CPE existence in CPE dictionary
Cc: Matt Weber , Thomas Petazzoni

This commit extends pkg-stats to leverage the recently introduced CPEDB class to verify that the CPEs provided by Buildroot packages are indeed known in the official CPE dictionary provided by NVD.

Co-Developed-by: Grégory Clement
Signed-off-by: Thomas Petazzoni
---
support/scripts/pkg-stats | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index 854ece389d..2c82dc96ad 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats
@@ -33,7 +33,7 @@ brpath = os.path.normpath(os.path.join(os.path.dirname(__file__), "..", "..")) sys.path.append(os.path.join(brpath, "utils")) from getdeveloperlib import parse_developers # noqa: E402 import cve as cvecheck # noqa: E402 - +from cpedb import CPEDB # noqa: E402 INFRA_RE = re.compile(r"\$\(eval \$\(([a-z-]*)-package\)\)") URL_RE = re.compile(r"\s*https?://\S*\s*$") @@ -226,7 +226,8 @@ class Package: if var in self.all_cpeids: self.cpeid = self.all_cpeids[var] - self.status['cpe'] = ("ok", "verified CPE identifier") + # Set a preliminary status, it might be overridden by check_package_cpes() + self.status['cpe'] = ("warning", "not checked against CPE dictionnary") else: self.status['cpe'] = ("error", "no verified CPE identifier") @@ -601,6 +602,18 @@ def check_package_cves(nvd_path, packages): pkg.status['cve'] = ("ok", "not affected by CVEs") +def check_package_cpes(nvd_path, packages): + cpedb = CPEDB(nvd_path) + cpedb.get_xml_dict() + for p in packages: + if not p.cpeid: + continue + if cpedb.find(p.cpeid): + p.status['cpe'] = ("ok", "verified CPE identifier") + else: + p.status['cpe'] = ("error", "CPE identifier unknown in CPE database") + + def calculate_stats(packages): stats = defaultdict(int) stats['packages'] = len(packages) @@ -899,19 +912,17 @@ def dump_html_pkg(f, pkg): # CPE ID td_class = ["left"] - if pkg.status['cpe'][0] == "ok": + if pkg.is_status_ok("cpe"): td_class.append("cpe-ok") - elif pkg.status['cpe'][0] == "error": + elif pkg.is_status_error("cpe"): td_class.append("cpe-nok") else: td_class.append("cpe-unknown") f.write(" \n" % " ".join(td_class)) - if pkg.status['cpe'][0] == "ok": + if pkg.cpeid: f.write(" %s\n" % pkg.cpeid) - elif pkg.status['cpe'][0] == "error": - f.write(" N/A\n") - else: - f.write(" %s\n" % pkg.status['cpe'][1]) + if not pkg.is_status_ok("cpe"): + f.write(" %s%s\n" % ("
" if pkg.cpeid else "", pkg.status['cpe'][1])) f.write(" \n") f.write(" \n") @@ -1101,6 +1112,7 @@ def __main__(): if args.nvd_path: print("Checking packages CVEs") check_package_cves(args.nvd_path, packages) + check_package_cpes(args.nvd_path, packages) print("Calculate stats") stats = calculate_stats(packages) if args.html: