All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jan Kiszka <jan.kiszka@siemens.com>
To: Sai.Sathujoda@toshiba-tsip.com, cip-dev@lists.cip-project.org
Cc: dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: Re: [isar-cip-core v2 1/3] scripts/run-cve-checks.sh: Add script to generate CVE report
Date: Thu, 18 Jan 2024 19:20:26 +0100	[thread overview]
Message-ID: <7f6da87f-56ed-468b-a935-0d62c4b19502@siemens.com> (raw)
In-Reply-To: <20240118175942.1052089-2-Sai.Sathujoda@toshiba-tsip.com>

On 18.01.24 18:59, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
> 
> This script will extract latest dpkg-status files for all the deployed
> targets and generate their CVE reports using the cve_checker.py script in
> [1] and these report shall be uploaded back to cve-reports sub-directory
> under cip-project.org in the s3 bucket.
> 
> [1] https://gitlab.com/cip-playground/debian-cve-checker
> 
> Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
> ---
>  scripts/run-cve-checks.sh | 40 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 40 insertions(+)
>  create mode 100755 scripts/run-cve-checks.sh
> 
> diff --git a/scripts/run-cve-checks.sh b/scripts/run-cve-checks.sh
> new file mode 100755
> index 0000000..15a2bd8
> --- /dev/null
> +++ b/scripts/run-cve-checks.sh
> @@ -0,0 +1,40 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Toshiba Corp., 2023
> +#
> +# Authors:
> +#  Daniel Sangorrin <daniel.sangorrin@...>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +# This script is used in .gitlab-ci.yml to create
> +# CVE reports in CSV format for each deployed build target.
> +# It uses the dpkg status files generated during the
> +# build stages and saved as gitlab-ci artifacts.
> +
> +set -e
> +
> +# Install AWS CLI
> +if ! which aws 2>&1 >/dev/null; then

In scripts/run-cve-checks.sh line 21:
if ! which aws 2>&1 >/dev/null; then
               ^--^ SC2069 (warning): To redirect stdout+stderr, 2>&1 must be last (or use '{ cmd > file; } 2>&1' to clarify).

BTW, some alternative:

command -v aws >/dev/null

> +	echo "Installing awscli..."
> +	apt update
> +	apt install -y python3-wheel
> +	apt install -y awscli
> +fi
> +
> +# Retrieve the latest dpkg status files from AWS
> +aws s3 cp --no-progress --recursive s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/ ./
> +
> +# Create new CVE reports
> +mkdir cve-reports
> +for i in *.dpkg_status; do
> +	echo "Checking $i"
> +	filename=${i%.dpkg_status}
> +	cve_checker.py --status $i --output ./cve-reports/$filename.csv

In scripts/run-cve-checks.sh line 36:
        cve_checker.py --status $i --output ./cve-reports/$filename.csv
                                ^-- SC2086 (info): Double quote to prevent globbing and word splitting.
                                                          ^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.


Granted, this is pointless here as we break up *.dpkg_status into i 
above. But it would silence shellcheck cheaply.

Another nitpick: "i" is not the best name for this local var. Even "f" 
like "file" would be better than "i" like "integer". ;)

And then "filename" should likely be "basename"

> +done
> +
> +# Synchronize the CVE reports to AWS (it will delete old reports)
> +aws s3 sync --no-progress --delete --acl public-read cve-reports s3://download.cip-project.org/cip-core/cve-checks/cve-reports

I'm fixing these up while merging, no need for v2.

Jan

-- 
Siemens AG, Technology
Linux Expert Center



  reply	other threads:[~2024-01-18 18:20 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-18 17:59 [isar-cip-core v2 0/3] Generate CVE-reports only with manual trigger Sai.Sathujoda
2024-01-18 17:59 ` [isar-cip-core v2 1/3] scripts/run-cve-checks.sh: Add script to generate CVE report Sai.Sathujoda
2024-01-18 18:20   ` Jan Kiszka [this message]
2024-01-18 17:59 ` [isar-cip-core v2 2/3] scripts/deploy-cip-core.sh: Upload dpkg-status files to gitlab CI artifacts Sai.Sathujoda
2024-01-18 17:59 ` [isar-cip-core v2 3/3] .gitlab-ci.yml: Run cve-checks job only when it is manually triggered in the pipeline Sai.Sathujoda
2024-01-18 18:20 ` [isar-cip-core v2 0/3] Generate CVE-reports only with manual trigger Jan Kiszka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7f6da87f-56ed-468b-a935-0d62c4b19502@siemens.com \
    --to=jan.kiszka@siemens.com \
    --cc=Sai.Sathujoda@toshiba-tsip.com \
    --cc=cip-dev@lists.cip-project.org \
    --cc=dinesh.kumar@toshiba-tsip.com \
    --cc=kazuhiro3.hayashi@toshiba.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.