[Buildroot] [PATCH v5 0/3] Improving CVE reporting

[Buildroot] [PATCH v5 0/3] Improving CVE reporting

[Gregory CLEMENT]

Hello,

Most of the series was applied and there were sill this 3 patches
pending.

But since their submission the code base has evolved so I adapted to
apply them on the master branch.

Compared to the v4, this version adds patch "package/pkg-utils/cve.py:
Manage case when package version doesn't exist" that I wrongly thought
was already applied.

Gregory

Gregory CLEMENT (3):
  support/script/pkg-stats: Manage the CVEs that need to be check
  support/script/cve-checker: Manage the CVEs that need to be check
  package/pkg-utils/cve.py: Manage case when package version doesn't
    exist

 support/scripts/cve-checker | 21 +++++++++++++++++++--
 support/scripts/cve.py      |  7 ++++++-
 support/scripts/pkg-stats   | 25 ++++++++++++++++++++++++-
 3 files changed, 49 insertions(+), 4 deletions(-)

-- 
2.28.0

[Buildroot] [PATCH v5 1/3] support/script/pkg-stats: Manage the CVEs that need to be check

[Gregory CLEMENT]

When looking for if a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not and we need to check manually the version.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/pkg-stats | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 503cc45c16..69edeedec0 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -97,6 +97,7 @@ class Package:
         self.url = None
         self.url_worker = None
         self.cves = list()
+        self.cves_to_check = list()
         self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
         self.status = {}
 
@@ -535,7 +536,10 @@ def check_package_cves(nvd_path, packages):
         for pkg_name in cve.pkg_names:
             if pkg_name in packages:
                 pkg = packages[pkg_name]
-                if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS:
+                affected = cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves)
+                if  affected == cve.CVE_UNKNOWN:
+                    pkg.cves_to_check.append(cve.identifier)
+                if  affected == cve.CVE_AFFECTS:
                     pkg.cves.append(cve.identifier)
 
 
@@ -576,8 +580,11 @@ def calculate_stats(packages):
             stats["version-not-uptodate"] += 1
         stats["patches"] += pkg.patch_count
         stats["total-cves"] += len(pkg.cves)
+        stats["total-cves-to-check"] += len(pkg.cves_to_check)
         if len(pkg.cves) != 0:
             stats["pkg-cves"] += 1
+        if len(pkg.cves_to_check) != 0:
+            stats["pkg-cves_to_check"] += 1
     return stats
 
 
@@ -800,6 +807,17 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CVEs to check
+    td_class = ["centered"]
+    if len(pkg.cves_to_check) == 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    for cve in pkg.cves_to_check:
+        f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -818,6 +836,7 @@ def dump_html_all_pkgs(f, packages):
 <td class=\"centered\">Warnings</td>
 <td class=\"centered\">Upstream URL</td>
 <td class=\"centered\">CVEs</td>
+<td class=\"centered\">CVEs to check</td>
 </tr>
 """)
     for pkg in sorted(packages):
@@ -856,6 +875,10 @@ def dump_html_stats(f, stats):
             stats["version-not-uptodate"])
     f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
             stats["version-unknown"])
+    f.write("<tr><td>Packages that might be affected by CVEs, where version needs to be checked</td><td>%s</td></tr>\n" %
+            stats["pkg-cves_to_check"])
+    f.write("<tr><td>Total number of CVEs that might affect all packages, where version needs to be checked</td><td>%s</td></tr>\n" %
+            stats["total-cves_to_check"])
     f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
             stats["pkg-cves"])
     f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
-- 
2.28.0

[Buildroot] [PATCH v5 2/3] support/script/cve-checker: Manage the CVEs that need to be check

[Gregory CLEMENT]

When looking for if a package is affected, the version comparison can
fail. This means that we don't know if the version of the package used
is affected or not and we need to check manually the version.

This patch exposes this new information in json and html format.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/cve-checker | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
index 998ea5b8af..b32e036d76 100755
--- a/support/scripts/cve-checker
+++ b/support/scripts/cve-checker
@@ -30,6 +30,7 @@ class Package:
         self.name = name
         self.version = version
         self.cves = list()
+        self.cves_to_check = list()
         self.ignored_cves = ignored_cves
 
 
@@ -40,8 +41,12 @@ def check_package_cves(nvd_path, packages):
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
             pkg = packages.get(pkg_name, '')
-            if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves) == cve.CVE_AFFECTS:
-                pkg.cves.append(cve.identifier)
+            if pkg:
+                affected = cve.affects(pkg.name, pkg.version, pkg.ignored_cves)
+                if (affected == cve.CVE_UNKNOWN):
+                    pkg.cves_to_check.append(cve.identifier)
+                elif affected == cve.CVE_AFFECTS:
+                    pkg.cves.append(cve.identifier)
 
 
 html_header = """
@@ -106,6 +111,17 @@ def dump_html_pkg(f, pkg):
         f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
     f.write("  </td>\n")
 
+    # CVEs to check
+    td_class = ["centered"]
+    if len(pkg.cves_to_check) == 0:
+        td_class.append("correct")
+    else:
+        td_class.append("wrong")
+    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    for cve in pkg.cves_to_check:
+        f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+    f.write("  </td>\n")
+
     f.write(" </tr>\n")
 
 
@@ -116,6 +132,7 @@ def dump_html_all_pkgs(f, packages):
 <td>Package</td>
 <td class=\"centered\">Version</td>
 <td class=\"centered\">CVEs</td>
+<td class=\"centered\">CVEs to check</td>
 </tr>
 """)
     for pkg in packages:
-- 
2.28.0

[Buildroot] [PATCH v5 3/3] package/pkg-utils/cve.py: Manage case when package version doesn't exist

[Gregory CLEMENT]

Until now, when a package didn't report a version, then the CVE
comparison was just skipped. It leads most of the time to declare the
package not affected by the CVE.

Instead of it, report the CVE_UNKNOWN status in order to be aware that
the CVE related to this package has to be checked.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
 support/scripts/cve.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 6396019e0e..3cc01248b2 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -198,6 +198,7 @@ class CVE:
         if self.identifier in cve_ignore_list:
             return self.CVE_DOESNT_AFFECT
 
+        unknown_pkg_version = False
         pkg_version = distutils.version.LooseVersion(version)
         if not hasattr(pkg_version, "version"):
             print("Cannot parse package '%s' version '%s'" % (name, version))
@@ -212,6 +213,7 @@ class CVE:
                 print("No CVE affected version")
                 continue
             if not pkg_version:
+                unknown_pkg_version = True
                 continue
 
             if cpe['v_start']:
@@ -241,4 +243,7 @@ class CVE:
             # We're in the version range affected by this CVE
             return self.CVE_AFFECTS
 
-        return self.CVE_DOESNT_AFFECT
+        if unknown_pkg_version:
+            return self.CVE_UNKNOWN
+        else:
+            return self.CVE_DOESNT_AFFECT
-- 
2.28.0

Re: [Buildroot] [PATCH v5 1/3] support/script/pkg-stats: Manage the CVEs that need to be check

[Thomas Petazzoni]

On Mon, 21 Sep 2020 12:15:13 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> When looking for if a package is affected, the version comparison can
> fail. This means that we don't know if the version of the package used
> is affected or not and we need to check manually the version.
> 
> This patch exposes this new information in json and html format.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> ---
>  support/scripts/pkg-stats | 25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)

I finally applied this patch, but after renaming the concept from "CVEs
to check" to "unsure CVEs", and listing them in the same column as
normal CVEs in the HTML rendering, but with a "(unsure)" notice next to
them.

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v5 2/3] support/script/cve-checker: Manage the CVEs that need to be check

[Thomas Petazzoni]

On Mon, 21 Sep 2020 12:15:14 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> When looking for if a package is affected, the version comparison can
> fail. This means that we don't know if the version of the package used
> is affected or not and we need to check manually the version.
> 
> This patch exposes this new information in json and html format.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
> ---
>  support/scripts/cve-checker | 21 +++++++++++++++++++--
>  1 file changed, 19 insertions(+), 2 deletions(-)

The cve-checker script was removed and merged back into pkg-stats, for
which this feature was added by PATCH 1/3 in this series, so I've
marked this patch as Rejected.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v5 3/3] package/pkg-utils/cve.py: Manage case when package version doesn't exist

[Thomas Petazzoni]

On Mon, 21 Sep 2020 12:15:15 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> Until now, when a package didn't report a version, then the CVE
> comparison was just skipped. It leads most of the time to declare the
> package not affected by the CVE.
> 
> Instead of it, report the CVE_UNKNOWN status in order to be aware that
> the CVE related to this package has to be checked.
> 
> Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>

Do you remember which packages/cases this was handling?

>              if not pkg_version:
> +                unknown_pkg_version = True

I've added a print() here, and did a full run of pkg-stats on all
packages, and did not get any match.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot