From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check
Date: Thu, 9 Jul 2020 11:00:22 +0200 [thread overview]
Message-ID: <20200709110022.0e79ff9b@windsurf> (raw)
In-Reply-To: <20200708164006.859021-8-gregory.clement@bootlin.com>
On Wed, 8 Jul 2020 18:40:04 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 883a5bd2be..e033e15e07 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -106,9 +106,11 @@ class Package:
> self.patch_files = []
> self.warnings = 0
> self.current_version = None
> + self.unknown_cve = False
Is this used in your patch ? I don't see it used anywhere.
> self.url = None
> self.url_worker = None
> self.cves = list()
> + self.cves_to_check = list()
> self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
> self.status = {}
>
> @@ -504,7 +506,12 @@ def check_package_cves(nvd_path, packages):
> for pkg_name in cve.pkg_names:
> if pkg_name in packages:
> pkg = packages[pkg_name]
> - if cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list()):
> + affected = cve.affects(pkg.name, pkg.current_version, pkg.cve_ignored_list())
> + print(affected)
This is a debug message, probably not meant to be in your final patch.
> + if (affected == 'Unknown'):
> + pkg.cves_to_check.append(cve.identifier)
So this handling of the "Unknown" return value from cve.affects()
should be done together with the change in cve.affects() I guess.
> + elif affected == True:
> + print(cve.identifier)
Again another print, should it really be here ?
> pkg.cves.append(cve.identifier)
>
> def calculate_stats(packages):
> @@ -544,8 +551,11 @@ def calculate_stats(packages):
> stats["version-not-uptodate"] += 1
> stats["patches"] += pkg.patch_count
> stats["total-cves"] += len(pkg.cves)
> + stats["total-cves-to-check"] += len(pkg.cves_to_check)
> if len(pkg.cves) != 0:
> stats["pkg-cves"] += 1
> + if len(pkg.cves_to_check) != 0:
> + stats["pkg-cves_to_check"] += 1
> return stats
>
>
> @@ -763,11 +773,22 @@ def dump_html_pkg(f, pkg):
> td_class.append("correct")
> else:
> td_class.append("wrong")
> - f.write(" <td class=\"%s\">\n" % " ".join(td_class))
> + f.write(" <td class=\"%s\">\n" % " ".join(td_class))
Spurious change here.
> for cve in pkg.cves:
> f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
> f.write(" </td>\n")
>
> + # CVEs to check
> + td_class = ["centered"]
> + if len(pkg.cves_to_check) == 0:
> + td_class.append("correct")
> + else:
> + td_class.append("wrong")
> + f.write(" <td class=\"%s\">\n" % " ".join(td_class))
so you're opening the <td> only in the else case
> + for cve in pkg.cves_to_check:
> + f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
> + f.write(" </td>\n")
but closing it in both cases. Doesn't look good.
Also, if you're adding a column, you need to update the column header
as well, to give a title to this column.
> +
So you've added that to the HTML output. Has the JSON output also been
updated? Or perhaps it just works due to how the JSON output is
generated?
> f.write(" </tr>\n")
>
>
> @@ -786,6 +807,7 @@ def dump_html_all_pkgs(f, packages):
> <td class=\"centered\">Warnings</td>
> <td class=\"centered\">Upstream URL</td>
> <td class=\"centered\">CVEs</td>
> +<td class=\"centered\">CVEs to check</td>
> </tr>
> """)
> for pkg in sorted(packages):
> @@ -824,10 +846,14 @@ def dump_html_stats(f, stats):
> stats["version-not-uptodate"])
> f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
> stats["version-unknown"])
> - f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
> + f.write("<tr><td>Packages might affected by CVEs, where version needed to be checked</td><td>%s</td></tr>\n" %
"Packages might affected by CVEs" is not correct English I believe.
"Packages that might be affected by CVEs" sounds better.
"needed" -> "needs"
> stats["pkg-cves"])
> - f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
> + f.write("<tr><td>Total number of CVEs that might affect all packages, where version needed to be checked</td><td>%s</td></tr>\n" %
version needed -> version needs
> stats["total-cves"])
> + f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
> + stats["pkg-cves_to_check"])
> + f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
> + stats["total-cves_to_check"])
> f.write("</table>\n")
>
>
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2020-07-09 9:00 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-08 16:39 [Buildroot] [PATCH 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-08 16:39 ` [Buildroot] [PATCH 1/9] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-07-08 16:54 ` Thomas Petazzoni
2020-07-09 7:34 ` Gregory CLEMENT
2020-07-08 16:39 ` [Buildroot] [PATCH 2/9] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 3/9] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-07-08 16:53 ` Thomas Petazzoni
2020-07-08 16:40 ` [Buildroot] [PATCH 4/9] package/pkg-utils: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 5/9] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-08 18:30 ` Matthew Weber
2020-07-09 8:41 ` Gregory CLEMENT
2020-07-09 9:03 ` Gregory CLEMENT
2020-07-09 11:46 ` Matthew Weber
2020-07-08 16:40 ` [Buildroot] [PATCH 6/9] package/pkg-utils: cve.py: Handle exception when version comparison fails Gregory CLEMENT
2020-07-09 8:52 ` Thomas Petazzoni
2020-07-08 16:40 ` [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-09 9:00 ` Thomas Petazzoni [this message]
2020-07-08 16:40 ` [Buildroot] [PATCH 8/9] support/script/cve-checker: " Gregory CLEMENT
2020-07-08 16:40 ` [Buildroot] [PATCH 9/9] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
2020-07-10 11:22 [Buildroot] [PATCH 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200709110022.0e79ff9b@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.