[Buildroot] [PATCH 08/17] support/scripts/cpe-report: new script

Heiko Thiery heiko.thiery at gmail.com
Wed Oct 7 08:11:21 UTC 2020 

Hi Gregory, Hi Matt,

Am Di., 6. Okt. 2020 um 15:44 Uhr schrieb Gregory CLEMENT
<gregory.clement at bootlin.com>:
>
> From: Matt Weber <matthew.weber at rockwellcollins.com>
>
> The script supports looking up all the CPEs provided in a
> make cpe-info csv file export from a target Buildroot build.
> It checks the current version and suggests a CPE needs update
> or possibly an initial submission is required to NIST.

Is there a way to create this kind of list/output also for all
packages in buildroot and not only the one that is generated by a
configuration?

> Adds option to allow alternate locations for the dictionary
> URL and caching of a processed dictionary to speed up execution.
>
> Outputs a cpe/ folder with propsed xml generated from the
> dictionary contents to propose updated versions to NIST.
>
> For missing CPE matches, a cpe-report-missing.txt is created
> by the script that can be used later to manually create proposed
> new NIST dictionary entries.
>
> Ref: NIST has a group email (cpe_dictionary at nist.gov) used to
> recieve these version update and new entry xml files.  They do
> process the XML and provide feedback. In some cases they will
> propose back something different where the vendor or version is
> slightly different.
>
> Limitations
>  - Currently any use of non-number version identifiers isn't
>    supported by NIST as they use ranges to determine impact
>    of a CVE
>  - Any Linux version from a non-upstream is also not supported
>    without manually adjusting the information as the custom
>    kernel will more then likely not match the upstream version
>    used in the dictionary
>
> Signed-off-by: Matt Weber <matthew.weber at rockwellcollins.com>
> ---
>  support/scripts/cpe-report | 70 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 70 insertions(+)
>  create mode 100755 support/scripts/cpe-report
>
> diff --git a/support/scripts/cpe-report b/support/scripts/cpe-report
> new file mode 100755
> index 0000000000..7242a372b2
> --- /dev/null
> +++ b/support/scripts/cpe-report
> @@ -0,0 +1,70 @@
> +#!/usr/bin/env python

Shouldn't we use python3 here?

> +
> +import argparse
> +import sys
> +import csv
> +from cpedb import CPEDB
> +
> +CPE_XML_URL = "https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz"
> +
> +
> +def get_target_cpe_report(cpe_report_file, cpedb):
> +    report_cpe_exact_match = ""
> +    report_cpe_needing_update = ""
> +    report_cpe_needing_update_list = ""
> +    report_cpe_missing = ""
> +
> +    print("CPE: Checking for matches...")
> +    try:
> +        with open(cpe_report_file) as cpe_file:
> +            cpe_list = csv.reader(cpe_file)
> +            next(cpe_list)  # make cpe-info has a one line header
> +            for cpe in cpe_list:
> +                result = cpedb.find(cpe[0])
> +                if not result:
> +                    result = cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))
> +                    if not result:
> +                        report_cpe_missing += cpe[0] + "," + cpe[1] + "," + cpe[3] + "\n"
> +                    else:
> +                        latest_version = cpedb.find_partial_latest_version(cpedb.get_cpe_no_version(cpe[0]))
> +                        report_cpe_needing_update += cpe[0] + ", Latest Version Guess from Dict[" + latest_version + "]\n"
> +                        report_cpe_needing_update_list += cpe[0] + "\n"
> +                else:
> +                    report_cpe_exact_match += cpe[0] + "\n"
> +    except (OSError, IOError) as e:
> +        print("CPE: report csv file (%s): %s" % (e.errno, e.strerror))
> +        sys.exit(1)
> +
> +    print("CPE: Found but may REQUIRE an UPDATE:\n" + report_cpe_needing_update)
> +    print("CPE: Not found:\n" + report_cpe_missing)
> +
> +    fp = open('cpe-report-missing.txt', 'w+')
> +    fp.write(report_cpe_missing)
> +    fp.close()
> +
> +    for cpe in report_cpe_needing_update_list.splitlines():
> +        cpedb.update(cpe)
> +    print("XML Generation Complete of NIST update files, see ./cpe/*")
> +
> +
> +def parse_args():
> +    parser = argparse.ArgumentParser()
> +    parser.add_argument('-c', dest='cpe_report', action='store', required=True,
> +                        help='CPE Report generated by make cpe-info (csv format)')
> +    parser.add_argument('-u', dest='url', action='store', required=False,
> +                        help='(optional)URL to the NIST dict (official-cpe-dictionary_v2.3.xml.gz)')
> +    return parser.parse_args()
> +
> +
> +def __main__():
> +    args = parse_args()
> +    cpedb = CPEDB()
> +    url = CPE_XML_URL
> +    if args.url:
> +        url = args.url
> +    cpedb.get_xml_dict(url)
> +    print("Performing Target CPE Report Analysis...")
> +    get_target_cpe_report(args.cpe_report, cpedb)
> +
> +
> +__main__()

-- 
Heiko

More information about the buildroot mailing list