From: Sai.Sathujoda@toshiba-tsip.com
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>,
dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: [isar-cip-core 1/3] scripts/run-cve-checks.sh: Add script to generate CVE report
Date: Thu, 21 Dec 2023 17:34:21 +0530 [thread overview]
Message-ID: <20231221120423.2388639-2-Sai.Sathujoda@toshiba-tsip.com> (raw)
In-Reply-To: <20231221120423.2388639-1-Sai.Sathujoda@toshiba-tsip.com>
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
This script will extract latest dpkg-status files for all the deployed
targets and generate their CVE reports using the cve_checker.py script in
[1] and these report shall be uploaded back to cve-reports sub-directory
under cip-project.org in the s3 bucket.
[1] https://gitlab.com/cip-playground/debian-cve-checker
Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
scripts/run-cve-checks.sh | 40 +++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100755 scripts/run-cve-checks.sh
diff --git a/scripts/run-cve-checks.sh b/scripts/run-cve-checks.sh
new file mode 100755
index 0000000..b8da81d
--- /dev/null
+++ b/scripts/run-cve-checks.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Toshiba Corp., 2023
+#
+# Authors:
+# Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+# This script is used in .gitlab-ci.yml to create
+# CVE reports in CSV format for each deployed build target.
+# It uses the dpkg status files generated during the
+#build stages and saved as gitlab-ci artifacts.
+
+set -e
+
+# Install AWS CLI
+if ! which aws 2>&1 >/dev/null; then
+ echo "Installing awscli..."
+ apt update
+ apt install -y python3-wheel
+ apt install -y awscli
+fi
+
+# Retrieve the latest dpkg status files from AWS
+aws s3 cp --no-progress --recursive s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/ ./
+
+# Create new CVE reports
+mkdir cve-reports
+for i in *.dpkg_status; do
+ echo "Checking $i"
+ filename=${i%.dpkg_status}
+ cve_checker.py --status $i --output ./cve-reports/$filename.csv
+done
+
+# Synchronize the CVE reports to AWS (it will delete old reports)
+aws s3 sync --no-progress --delete --acl public-read cve-reports s3://download.cip-project.org/cip-core/cve-checks/cve-reports
--
2.30.2
next prev parent reply other threads:[~2023-12-21 12:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-21 12:04 [isar-cip-core 0/3] Generate CVE-reports during a tag release Sai.Sathujoda
2023-12-21 12:04 ` Sai.Sathujoda [this message]
2023-12-21 12:04 ` [isar-cip-core 2/3] scripts/deploy-cip-core.sh: Upload dpkg-status files to aws s3 bucket Sai.Sathujoda
2023-12-21 12:04 ` [isar-cip-core 3/3] .gitlab-ci.yml: Add cve-checks job which runs when a tag is pushed Sai.Sathujoda
2024-01-02 12:32 ` [isar-cip-core 0/3] Generate CVE-reports during a tag release Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231221120423.2388639-2-Sai.Sathujoda@toshiba-tsip.com \
--to=sai.sathujoda@toshiba-tsip.com \
--cc=cip-dev@lists.cip-project.org \
--cc=dinesh.kumar@toshiba-tsip.com \
--cc=jan.kiszka@siemens.com \
--cc=kazuhiro3.hayashi@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.