From patchwork Fri Jul 24 15:43:48 2020
X-Patchwork-Submitter: Gregory CLEMENT
X-Patchwork-Id: 1335810
From: Gregory CLEMENT
To: buildroot@buildroot.org
Date: Fri, 24 Jul 2020 17:43:48 +0200
Message-Id: <20200724154356.2607639-1-gregory.clement@bootlin.com>
Subject: [Buildroot] [PATCH v3 0/8] Improving CVE reporting
Cc: Matt Weber, Thomas Petazzoni, Titouan Christophe

Hello,

The purpose of this series is to improve the CVE reporting in order to be usable for a project. Until now, the CVEs affecting the packages were reported for the buildroot project using pkg-stat. With this series it is now possible to report the packages affected by CVEs for a given configuration.

While I was on CVE, I switched to the support of the JSON 1.1 for the NVD database.

In this series I also added a new state for the CVE status of the packages. This new state will be used to emphasize that the automatic check has failed and it needs to be verified manually. The idea behind this was to be as accurate as possible to avoid any false positive. It will also help to improve the meta-data of the package.
The next step will be to reuse the work done by Matthew Weber [1] to use the cpeid and only use the package name and the package version as fallback.

In this series there is at least one open point about the packages excluded from the CVE check. For now I excluded the kernel and gcc as they are also excluded by the pkg-stats script, but this list could (should?) be extended or modified.

In this third version the following changes have been done:

v2 -> v3:
- removed the first patch that had been applied
- rebased the series on a recent master branch
- Fixed recursive call in parse_node as suggested by Titouan. I didn't use the more recent syntax (Python >= 3.4) because I think buildroot doesn't impose having a recent python.

Titouan also mentioned that CPE nodes can be ORed or ANDed, and I confirm it. So I had a closer look at it. First, I found there are children nodes only with the AND operator. Then most of the time the AND associates a version of a product that could be affected with a version of another product which usually provides a service to the first one, such as an operating system. Or we could have the association of a software and a hardware. Having an application in the second part of the AND can happen but is very rare. Supporting these features will make the code more complex. By just parsing the node recursively without applying the AND condition, we could have some false positive CVEs. But at least we won't miss CVEs, and the case where it would be useful for buildroot should be very scarce. If later we realize that we have a lot of false positives because we ignore this feature, then we can decide to modify the code to support it.
v1 -> v2:
- Port the version fix to pkg-stat from cve.py and move this patch as the first one
- Remove debug message
- Remove unused argument -p and -n in cve-checker
- Remove the information about the commit used in the output for the cve-checker
- Remove all the unnecessary import
- Add a default path to the download directory for nvd for the cve-checker
- Do not use boolean anymore for the affected status
- Use ignore_cves instead of ignored_cves in pkg-utils
- Fix the html output for cve-checker and pkg-stat
- Check if ijson is present on the host

Gregory

Gregory CLEMENT (8):
  support/scripts: Turn CVE check into a module
  support/scripts/cve.py: Switch to JSON 1.1
  package/pkg-utils: show-info: report the list of the CVEs ignored
  support/script: Make CVE class independent of the Pacakage class
  support/scripts: Add a per configuration CVE checker
  support/script/pkg-stats: Manage the CVEs that need to be check
  support/script/cve-checker: Manage the CVEs that need to be check
  package/pkg-utils/cve.py: Manage case when package version doesn't exist

 package/pkg-utils.mk        |   5 +-
 support/scripts/cve-checker | 275 ++++++++++++++++++++++++++++++++++++
 support/scripts/cve.py      | 233 ++++++++++++++++++++++++++++++
 support/scripts/pkg-stats   | 171 +++++----------------
 4 files changed, 548 insertions(+), 136 deletions(-)
 create mode 100755 support/scripts/cve-checker
 create mode 100755 support/scripts/cve.py
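The node-walking approach the cover letter describes (descend into NVD JSON 1.1 configuration nodes recursively, keep the entries flagged vulnerable, and deliberately not enforce the AND operator) can be illustrated with a small stand-alone script. This is an added example, not code from the series or from Buildroot's cve.py; the function names (iter_cpe_matches, version_matches, affected_cves), the version comparison, and the sample feed are this example's own assumptions. The feed is constructed in the JSON 1.1 layout with placeholder CVE ids and products; the first entry is an AND of an application version range with an operating-system CPE, which is the common shape the cover letter mentions.

```python
"""Walk NVD JSON 1.1 'configurations' nodes recursively, collect the CPE
matches flagged vulnerable, and compare them against a package name/version
list. Example code; the names here are not the series' cve.py API."""
import json

# Constructed sample feed in the NVD JSON 1.1 layout (not real NVD data;
# CVE ids and products are placeholders).
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [{
                    # AND of an application version range with an OS CPE: the
                    # walker descends into both children and keeps only the
                    # 'vulnerable' entries, ignoring the operator.
                    "operator": "AND",
                    "children": [
                        {"operator": "OR", "cpe_match": [{
                            "vulnerable": True,
                            "cpe23Uri": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "1.2.0",
                            "versionEndExcluding": "1.4.0"}]},
                        {"operator": "OR", "cpe_match": [{
                            "vulnerable": False,
                            "cpe23Uri": "cpe:2.3:o:example:someos:-:*:*:*:*:*:*:*"}]},
                    ],
                }],
            },
        },
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [{"operator": "OR", "cpe_match": [{
                    "vulnerable": True,
                    "cpe23Uri": "cpe:2.3:a:example:libbar:2.0.1:*:*:*:*:*:*:*"}]}],
            },
        },
    ]
})


def version_key(version):
    """Turn '1.10.2' into a tuple that compares numerically per component;
    non-numeric components sort after numeric ones and compare as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.replace('-', '.').split('.'))


def iter_cpe_matches(node):
    """Yield every cpe_match entry below `node`, descending into children
    without enforcing the AND/OR operator: no CVE is missed, at the price
    of possible false positives, as the cover letter describes."""
    for match in node.get("cpe_match", []):
        yield match
    for child in node.get("children", []):
        for match in iter_cpe_matches(child):
            yield match


def cpe_fields(cpe23uri):
    """Return (vendor, product, version) from a cpe:2.3 URI."""
    parts = cpe23uri.split(':')
    return parts[3], parts[4], parts[5]


def version_matches(version, match):
    """True if `version` is covered by the cpe_match entry: the exact version
    carried in the URI, or the versionStart*/versionEnd* range when the URI
    version is the '*' wildcard."""
    cpe_version = cpe_fields(match["cpe23Uri"])[2]
    key = version_key(version)
    if cpe_version != '*':
        return key == version_key(cpe_version)
    bounds = (
        ("versionStartIncluding", lambda b: key >= b),
        ("versionStartExcluding", lambda b: key > b),
        ("versionEndIncluding", lambda b: key <= b),
        ("versionEndExcluding", lambda b: key < b),
    )
    return all(check(version_key(match[field]))
               for field, check in bounds if field in match)


def affected_cves(feed_json, packages):
    """Map each package in `packages` ({name: version}) to the sorted list of
    CVE ids whose vulnerable CPE entries cover that name and version."""
    hits = {name: set() for name in packages}
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for node in item.get("configurations", {}).get("nodes", []):
            for match in iter_cpe_matches(node):
                if not match.get("vulnerable", False):
                    continue
                product = cpe_fields(match["cpe23Uri"])[1]
                if product in packages and version_matches(packages[product], match):
                    hits[product].add(cve_id)
    return {name: sorted(ids) for name, ids in hits.items()}


if __name__ == "__main__":
    # Constructed package list standing in for one configuration's packages.
    config = {"libfoo": "1.3.2", "libbar": "2.0.1", "libbaz": "0.1"}
    for name, cves in affected_cves(SAMPLE_FEED, config).items():
        print(name, config[name], cves or "no known CVE")
```

Matching on the CPE product field alone, as here, is the name-and-version fallback the cover letter mentions; a real checker would first try the package's cpeid and would also honour a per-package ignore list before reporting.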