| Message ID | 20210518182155.47055-3-matthew.weber@collins.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [1/3] support/scripts/pkg-stats: fix flake8 E741 ambiguous variable name | expand |
Matthew, All, On 2021-05-18 13:21 -0500, Matthew Weber via buildroot spake thusly: > - If a package doesn't have any versioning, ignore and state that > - If a package is virtual, CVE=ignore and CPE state virtual > - For any of these NA cases, don't provide search link > > Signed-off-by: Matthew Weber <matthew.weber@collins.com> Honestly, I get quickly lost in the coe of pkg-stats... However, with this series applied, the cells for CVE and CPE for virtual packages are not green, suggesting this is abnormal. However, this is perfectly fine :the re are no CVE and no CPE for virtual packages, so they should be green. I managed to do that by adding the following on-top of this third patch: diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index 3aaf1169cb..d06778ab05 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats @@ -910,6 +910,8 @@ def dump_html_pkg(f, pkg): td_class = ["centered"] if pkg.is_status_ok("cve"): td_class.append("cve-ok") + elif pkg.is_status_na("cve") and not pkg.is_actual_package: + td_class.append("cve-ok") elif pkg.is_status_error("cve"): td_class.append("cve-nok") else: @@ -937,6 +939,8 @@ def dump_html_pkg(f, pkg): td_class = ["left"] if pkg.is_status_ok("cpe"): td_class.append("cpe-ok") + elif pkg.is_status_na("cpe") and not pkg.is_actual_package: + td_class.append("cpe-ok") elif pkg.is_status_error("cpe"): td_class.append("cpe-nok") else: But I am not usre this is the best solution... So, I've not applied patches 2 and 3 in the series. Could you please respin with the above (if it's OK for you, or with a better solution), please? Additionally, as a further refinement, packages that have no version, like urandom-scripts, makedevs, etc... are usually bundled with Buildroot. Do you think for those we should: 1. declare 'buildroot' to NVD, as the 'buildroot_project' vendor and the 'buildroot' product, as well as 'makedevs', 'urandom-scripts' et al. as products, 2. add "MAKEDEVS_CPE_VENDOR = buildroot_project" to each of those bundled packages. Thoughts? Regards, Yann E. MORIN. > --- > support/scripts/pkg-stats | 20 +++++++++++++------- > 1 file changed, 13 insertions(+), 7 deletions(-) > > diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats > index ca55a301de..3aaf1169cb 100755 > --- a/support/scripts/pkg-stats > +++ b/support/scripts/pkg-stats > @@ -229,7 +229,10 @@ class Package: > """ > var = self.pkgvar() > if not self.is_actual_package: > - self.status['cpe'] = ("na", "no valid package infra") > + self.status['cpe'] = ("na", "N/A - virtual pkg") > + return > + if not self.current_version: > + self.status['cpe'] = ("na", "no version information available") > return > > if var in self.all_cpeids: > @@ -587,7 +590,7 @@ def check_package_cves(nvd_path, packages): > cpe_product_pkgs = defaultdict(list) > for pkg in packages: > if not pkg.is_actual_package: > - pkg.status['cve'] = ("na", "no valid package infra") > + pkg.status['cve'] = ("na", "N/A") > continue > if not pkg.current_version: > pkg.status['cve'] = ("na", "no version information available") > @@ -942,12 +945,15 @@ def dump_html_pkg(f, pkg): > if pkg.cpeid: > f.write(" <code>%s</code>\n" % pkg.cpeid) > if not pkg.is_status_ok("cpe"): > - if pkg.cpeid: > - f.write(" <br/>%s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 > - (pkg.status['cpe'][1], ":".join(pkg.cpeid.split(":")[0:5]))) > + if pkg.is_actual_package and pkg.current_version: > + if pkg.cpeid: > + f.write(" <br/>%s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 > + (pkg.status['cpe'][1], ":".join(pkg.cpeid.split(":")[0:5]))) > + else: > + f.write(" %s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 > + (pkg.status['cpe'][1], pkg.name)) > else: > - f.write(" %s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % > - (pkg.status['cpe'][1], pkg.name)) > + f.write(" %s\n" % pkg.status['cpe'][1]) > > f.write(" </td>\n") > > -- > 2.17.1 > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot
Yann, > -----Original Message----- > From: Yann E. MORIN <yann.morin.1998@free.fr> > Sent: Tuesday, May 18, 2021 3:17 PM > To: Weber, Matthew L Collins <Matthew.Weber@collins.com> > Cc: buildroot@buildroot.org > Subject: [External] Re: [Buildroot] [PATCH 3/3] support/scripts/pkg-stats: > clarify when a CVE/CPE should report as N/A > > Matthew, All, > > On 2021-05-18 13:21 -0500, Matthew Weber via buildroot spake thusly: > > - If a package doesn't have any versioning, ignore and state that > > - If a package is virtual, CVE=ignore and CPE state virtual > > - For any of these NA cases, don't provide search link > > > > Signed-off-by: Matthew Weber <matthew.weber@collins.com> > > Honestly, I get quickly lost in the coe of pkg-stats... > > However, with this series applied, the cells for CVE and CPE for virtual > packages are not green, suggesting this is abnormal. However, this is > perfectly fine there are no CVE and no CPE for virtual packages, so they > should be green. > > I managed to do that by adding the following on-top of this third patch: > > diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats > index 3aaf1169cb..d06778ab05 100755 > --- a/support/scripts/pkg-stats > +++ b/support/scripts/pkg-stats > @@ -910,6 +910,8 @@ def dump_html_pkg(f, pkg): > td_class = ["centered"] > if pkg.is_status_ok("cve"): > td_class.append("cve-ok") > + elif pkg.is_status_na("cve") and not pkg.is_actual_package: > + td_class.append("cve-ok") > elif pkg.is_status_error("cve"): > td_class.append("cve-nok") > else: > @@ -937,6 +939,8 @@ def dump_html_pkg(f, pkg): > td_class = ["left"] > if pkg.is_status_ok("cpe"): > td_class.append("cpe-ok") > + elif pkg.is_status_na("cpe") and not pkg.is_actual_package: > + td_class.append("cpe-ok") > elif pkg.is_status_error("cpe"): > td_class.append("cpe-nok") > else: > > But I am not usre this is the best solution... So, I've not applied patches 2 and > 3 in the series. Could you please respin with the above (if it's OK for you, or > with a better solution), please? I'll take a look (I noticed this and didn't have a good feeling if they should be green). > > Additionally, as a further refinement, packages that have no version, like > urandom-scripts, makedevs, etc... are usually bundled with Buildroot. Do you > think for those we should: > > 1. declare 'buildroot' to NVD, as the 'buildroot_project' vendor and > the 'buildroot' product, as well as 'makedevs', 'urandom-scripts' et > al. as products, > > 2. add "MAKEDEVS_CPE_VENDOR = buildroot_project" to each of those > bundled packages. > I'd go with (2) where we use 'buildroot_project' as the vendor, and then each of those packages that have no version would use the Buildroot version and their name as the product. I don't see any reason NIST won't support us adding those dictionary entries, and I know other distros do similar for things like ifupdown scripts, etc. I can work on a series like this but would like to get the pending one merged before we open this topic up 😊 Regards, Matt
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index ca55a301de..3aaf1169cb 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats @@ -229,7 +229,10 @@ class Package: """ var = self.pkgvar() if not self.is_actual_package: - self.status['cpe'] = ("na", "no valid package infra") + self.status['cpe'] = ("na", "N/A - virtual pkg") + return + if not self.current_version: + self.status['cpe'] = ("na", "no version information available") return if var in self.all_cpeids: @@ -587,7 +590,7 @@ def check_package_cves(nvd_path, packages): cpe_product_pkgs = defaultdict(list) for pkg in packages: if not pkg.is_actual_package: - pkg.status['cve'] = ("na", "no valid package infra") + pkg.status['cve'] = ("na", "N/A") continue if not pkg.current_version: pkg.status['cve'] = ("na", "no version information available") @@ -942,12 +945,15 @@ def dump_html_pkg(f, pkg): if pkg.cpeid: f.write(" <code>%s</code>\n" % pkg.cpeid) if not pkg.is_status_ok("cpe"): - if pkg.cpeid: - f.write(" <br/>%s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 - (pkg.status['cpe'][1], ":".join(pkg.cpeid.split(":")[0:5]))) + if pkg.is_actual_package and pkg.current_version: + if pkg.cpeid: + f.write(" <br/>%s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 + (pkg.status['cpe'][1], ":".join(pkg.cpeid.split(":")[0:5]))) + else: + f.write(" %s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501 + (pkg.status['cpe'][1], pkg.name)) else: - f.write(" %s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % - (pkg.status['cpe'][1], pkg.name)) + f.write(" %s\n" % pkg.status['cpe'][1]) f.write(" </td>\n")
- If a package doesn't have any versioning, ignore and state that - If a package is virtual, CVE=ignore and CPE state virtual - For any of these NA cases, don't provide search link Signed-off-by: Matthew Weber <matthew.weber@collins.com> --- support/scripts/pkg-stats | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-)