[Buildroot] [PATCH 16/17] support/script/cve-checker: Allow to use cpeid

Gregory CLEMENT gregory.clement at bootlin.com
Tue Oct 6 13:42:49 UTC 2020


Add a argument to cve-checker allowing to use the cpeid instead of the
internal name and version from buildroot. It should allow to have
more accurate CVE status.

Signed-off-by: Gregory CLEMENT <gregory.clement at bootlin.com>
---
 support/scripts/cve-checker | 48 +++++++++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 7 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index b32e036d76..d1bce65b0c 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -26,23 +26,26 @@ import cve as cvecheck
 
 
 class Package:
-    def __init__(self, name, version, ignored_cves):
+    def __init__(self, name, version, cpeid, ignored_cves):
         self.name = name
         self.version = version
+        self.cpeid = cpeid
         self.cves = list()
         self.cves_to_check = list()
         self.ignored_cves = ignored_cves
 
 
-def check_package_cves(nvd_path, packages):
+def check_package_cves(nvd_path, packages, use_cpeid):
     if not os.path.isdir(nvd_path):
         os.makedirs(nvd_path)
-
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
             pkg = packages.get(pkg_name, '')
             if pkg:
-                affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
+                if use_cpeid:
+                    affected = cve.affects_cpeid(pkg.cpeid, pkg.ignored_cves)
+                else:
+                    affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
                 if (affected == cve.CVE_UNKNOWN):
                     pkg.cves_to_check.append(cve.identifier)
                 elif affected == cve.CVE_AFFECTS:
@@ -91,7 +94,14 @@ if (typeof sorttable === \"object\") {
 
 def dump_html_pkg(f, pkg):
     f.write(" <tr>\n")
-    f.write("  <td>%s</td>\n" % pkg.name)
+    td_class = ["left"]
+    if len(pkg.cpeid) != 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    f.write("  %s\n" % pkg.name)
+    f.write("  </td>\n")
 
     # Current version
     if len(pkg.version) > 20:
@@ -122,6 +132,16 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CPEID valid
+    td_class = ["left"]
+    if len(pkg.cpeid) != 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    f.write("  %s\n" % pkg.cpeid)
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -133,6 +153,7 @@ def dump_html_all_pkgs(f, packages):
 <td class=\"centered\">Version</td>
 <td class=\"centered\">CVEs</td>
 <td class=\"centered\">CVEs to check</td>
+<td class=\"centered\">CPEID valid</td>
 </tr>
 """)
     for pkg in packages:
@@ -158,6 +179,7 @@ def dump_json(packages, date, output):
         pkg.name: {
             "version": pkg.version,
             "cves": pkg.cves,
+            "cpeid": pkg.cpeid,
         } for pkg in packages
     }
     # The actual structure to dump, add date to it
@@ -182,25 +204,37 @@ def parse_args():
     parser.add_argument('--nvd-path', dest='nvd_path',
                         help='Path to the local NVD database', type=resolvepath,
                         required=True)
+    parser.add_argument("--cpeid", action='store_true')
     args = parser.parse_args()
     if not args.html and not args.json:
         parser.error('at least one of --html or --json (or both) is required')
     return args
 
+def cpeid_name(pkg):
+    try:
+        return pkg.cpeid.split(':')[1]
+    except:
+        return ''
 
 def __main__():
     packages = list()
     content = json.load(sys.stdin)
     for item in content:
         pkg = content[item]
-        p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
+        p = Package(item, pkg.get('version', ''), pkg.get('cpeid', ''), pkg.get('ignore_cves', ''))
         packages.append(p)
 
     args = parse_args()
+    if args.cpeid:
+        print("going to use strict cpeid")
     date = datetime.datetime.utcnow()
 
     print("Checking packages CVEs")
-    check_package_cves(args.nvd_path, {p.name: p for p in packages})
+    if args.cpeid:
+        check_package_cves(args.nvd_path, {cpeid_name(p): p for p in packages}, args.cpeid)
+    else:
+        check_package_cves(args.nvd_path, {p.name: p for p in packages}, args.cpeid)
+
 
     if args.html:
         print("Write HTML")
-- 
2.28.0




More information about the buildroot mailing list