[Buildroot] [PATCH v3 5/8] support/scripts: Add a per configuration CVE checker
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Aug 28 09:45:55 UTC 2020
Hello,
On Fri, 24 Jul 2020 17:43:53 +0200
Gregory CLEMENT <gregory.clement at bootlin.com> wrote:
> This scripts takes as entry on stdin a JSON description of the package
> used for a given configuration. This description is the one generated
> by "make show-info".
>
> The script generates the list of all the package used and if they are
> affected by a CVE. The output is either a JSON or an HTML file similar
> to the one generated by pkg-stats.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement at bootlin.com>
Thanks, I have applied to next, but after doing a number of changes,
see below.
> +import argparse
> +import datetime
> +import os
> +import json
> +import sys
> +
> +sys.path.append('utils/')
This was not needed.
> +
> +import cve as cvecheck
> +
> +class Package:
> + def __init__(self, name, version, ignored_cves):
> + self.name = name
> + self.version = version
> + self.cves = list()
> + self.ignored_cves = ignored_cves
> +
> +def check_package_cves(nvd_path, packages):
> + if not os.path.isdir(nvd_path):
> + os.makedirs(nvd_path)
> +
> + for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
> + for pkg_name in cve.pkg_names:
> + pkg = packages.get(pkg_name, '')
> + if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves):
This was not correct as cve.affects() no longer returns a boolean. Due
to this, all existing CVEs were reported in the generated HTML/JSON as
affecting the package.
> + pkg.cves.append(cve.identifier)
> +
> +html_header = """
> +<head>
> +<script src=\"https://www.kryogenix.org/code/browser/sorttable/sorttable.js\"></script>
> +<style type=\"text/css\">
> +table {
> + width: 100%;
> +}
> +td {
> + border: 1px solid black;
> +}
> +td.centered {
> + text-align: center;
> +}
> +td.wrong {
> + background: #ff9a69;
> +}
> +td.correct {
> + background: #d2ffc4;
> +}
> +td.nopatches {
> + background: #d2ffc4;
> +}
> +td.somepatches {
> + background: #ffd870;
> +}
> +td.lotsofpatches {
> + background: #ff9a69;
> +}
> +
> +td.good_url {
> + background: #d2ffc4;
> +}
> +td.missing_url {
> + background: #ffd870;
> +}
> +td.invalid_url {
> + background: #ff9a69;
> +}
> +
> +td.version-good {
> + background: #d2ffc4;
> +}
> +td.version-needs-update {
> + background: #ff9a69;
> +}
> +td.version-unknown {
> + background: #ffd870;
> +}
> +td.version-error {
> + background: #ccc;
> +}
Lots of these CSS classes were not useful, so I dropped them.
> +
> +</style>
> +<title>CVE status for Buildroot packages</title>
Changed "Buildroot packages" for "Buildroot configuration". Indeed,
compared to pkg-stats which operates on all packages (it's a tool for
Buildroot maintenance), cve-checker is really about a given Buildroot
configuration.
> +def infra_str(infra_list):
This function was not used anywhere, so I dropped it.
> +def boolean_str(b):
This function was not used anywhere, so I dropped it.
> +def dump_json(packages, date, output):
> + # Format packages as a dictionnary instead of a list
> + # Exclude local field that does not contains real date
> + excluded_fields = ['url_worker', 'name']
> + pkgs = {
> + pkg.name: {
> + k: v
> + for k, v in pkg.__dict__.items()
> + if k not in excluded_fields
> + } for pkg in packages
I simplified that a bit, as we don't want all fields in the JSON I
believe, just the version and list of CVEs. For example, the list of
ignored CVEs is not really relevant.
> +
> +def parse_args():
> + parser = argparse.ArgumentParser()
> + output = parser.add_argument_group('output', 'Output file(s)')
> + output.add_argument('--html', dest='html', type=resolvepath,
> + help='HTML output file')
> + output.add_argument('--json', dest='json', type=resolvepath,
> + help='JSON output file')
> + packages = parser.add_mutually_exclusive_group()
This line was not used.
> + parser.add_argument('--nvd-path', dest='nvd_path',
> + help='Path to the local NVD database',type=resolvepath,
> + default='./nvd_dl')
The default value doesn't exist for pkg-stats, I'm not sure it makes
sense to have a default value. I've however added a required=True
because this script doesn't do anything useful if we don't have access
to the NVD data.
> +def __main__():
> + packages = list()
> + exclude_pacakges = ["linux", "gcc"]
I'm not sure why those two packages were excluded, so I've dropped
that, at least for now. We can of course improve things later on.
> + content = json.load(sys.stdin)
> + for item in content:
> + if item in exclude_pacakges:
> + continue
> + pkg = content[item]
> + p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
> + packages.append(p)
> +
> + args = parse_args()
> + date = datetime.datetime.utcnow()
> +
> + if args.nvd_path:
I've dropped this "if", since args.nvd_path is a required option.
As said above: applied to next with all those changes. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list