[Buildroot] [PATCH 07/10] support/scripts/pkg-stats: check CPE existence in CPE dictionnary

Matthew Weber matthew.weber at collins.com
Thu Jan 7 19:37:59 UTC 2021 

Gregory/Thomas,

On Thu, Jan 7, 2021 at 7:40 AM Thomas Petazzoni
<thomas.petazzoni at bootlin.com> wrote:
>
> This commit extends pkg-stats to leverage the recently introduced
> CPEDB class to verify that the CPEs provided by Buildroot packages are
> indeed known in the official CPE dictionnary provided by NVD.
>
> Co-Developed-by: Grégory Clement <gregory.clement at bootlin.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> ---
>  support/scripts/pkg-stats | 30 +++++++++++++++++++++---------
>  1 file changed, 21 insertions(+), 9 deletions(-)
>
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 854ece389d..2c82dc96ad 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -33,7 +33,7 @@ brpath = os.path.normpath(os.path.join(os.path.dirname(__file__), "..", ".."))
>  sys.path.append(os.path.join(brpath, "utils"))
>  from getdeveloperlib import parse_developers  # noqa: E402
>  import cve as cvecheck  # noqa: E402
> -
> +from cpedb import CPEDB  # noqa: E402
>
>  INFRA_RE = re.compile(r"\$\(eval \$\(([a-z-]*)-package\)\)")
>  URL_RE = re.compile(r"\s*https?://\S*\s*$")
> @@ -226,7 +226,8 @@ class Package:
>
>          if var in self.all_cpeids:
>              self.cpeid = self.all_cpeids[var]
> -            self.status['cpe'] = ("ok", "verified CPE identifier")
> +            # Set a preliminary status, it might be overridden by check_package_cpes()
> +            self.status['cpe'] = ("warning", "not checked against CPE dictionnary")
>          else:
>              self.status['cpe'] = ("error", "no verified CPE identifier")
>
> @@ -601,6 +602,18 @@ def check_package_cves(nvd_path, packages):
>                  pkg.status['cve'] = ("ok", "not affected by CVEs")
>
>
> +def check_package_cpes(nvd_path, packages):
> +    cpedb = CPEDB(nvd_path)
> +    cpedb.get_xml_dict()
> +    for p in packages:
> +        if not p.cpeid:
> +            continue
> +        if cpedb.find(p.cpeid):
> +            p.status['cpe'] = ("ok", "verified CPE identifier")
> +        else:
> +            p.status['cpe'] = ("error", "CPE identifier unknown in CPE database")

I noticed in the pkgstats output that busybox which has an exact match
was coming up as the following.

cpe:2.3:a:busybox:busybox:1.32.0:*:*:*:*:*:*:*
CPE identifier unknown in CPE database

More information about the buildroot mailing list