2020-08-08 20:08:23 +02:00
|
|
|
#!/usr/bin/env python3
|
2009-10-28 00:28:40 +01:00
|
|
|
|
|
|
|
# Copyright (C) 2009 by Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
# General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
import aiohttp
|
2018-04-04 22:05:33 +02:00
|
|
|
import argparse
|
2020-08-08 20:08:23 +02:00
|
|
|
import asyncio
|
2018-04-04 22:05:33 +02:00
|
|
|
import datetime
|
|
|
|
import fnmatch
|
|
|
|
import os
|
|
|
|
from collections import defaultdict
|
|
|
|
import re
|
|
|
|
import subprocess
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
import json
|
2020-03-07 08:56:24 +01:00
|
|
|
import sys
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2020-11-05 17:30:19 +01:00
|
|
|
brpath = os.path.normpath(os.path.join(os.path.dirname(__file__), "..", ".."))
|
|
|
|
|
|
|
|
sys.path.append(os.path.join(brpath, "utils"))
|
2020-03-24 14:24:44 +01:00
|
|
|
from getdeveloperlib import parse_developers # noqa: E402
|
2021-01-31 14:38:16 +01:00
|
|
|
from cpedb import CPEDB # noqa: E402
|
2020-02-15 13:44:16 +01:00
|
|
|
|
2019-02-07 22:04:26 +01:00
|
|
|
INFRA_RE = re.compile(r"\$\(eval \$\(([a-z-]*)-package\)\)")
|
|
|
|
URL_RE = re.compile(r"\s*https?://\S*\s*$")
|
2018-04-04 22:05:33 +02:00
|
|
|
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
RM_API_STATUS_ERROR = 1
|
|
|
|
RM_API_STATUS_FOUND_BY_DISTRO = 2
|
|
|
|
RM_API_STATUS_FOUND_BY_PATTERN = 3
|
|
|
|
RM_API_STATUS_NOT_FOUND = 4
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2020-03-24 14:25:57 +01:00
|
|
|
|
2020-03-07 08:56:29 +01:00
|
|
|
class Defconfig:
|
|
|
|
def __init__(self, name, path):
|
|
|
|
self.name = name
|
|
|
|
self.path = path
|
|
|
|
self.developers = None
|
|
|
|
|
|
|
|
def set_developers(self, developers):
|
|
|
|
"""
|
|
|
|
Fills in the .developers field
|
|
|
|
"""
|
|
|
|
self.developers = [
|
|
|
|
developer.name
|
|
|
|
for developer in developers
|
|
|
|
if developer.hasfile(self.path)
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
def get_defconfig_list():
|
|
|
|
"""
|
|
|
|
Builds the list of Buildroot defconfigs, returning a list of Defconfig
|
|
|
|
objects.
|
|
|
|
"""
|
|
|
|
return [
|
|
|
|
Defconfig(name[:-len('_defconfig')], os.path.join('configs', name))
|
2020-11-05 17:30:19 +01:00
|
|
|
for name in os.listdir(os.path.join(brpath, 'configs'))
|
2020-03-07 08:56:29 +01:00
|
|
|
if name.endswith('_defconfig')
|
|
|
|
]
|
|
|
|
|
2019-02-07 22:04:26 +01:00
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
class Package:
|
2020-03-07 08:56:25 +01:00
|
|
|
all_licenses = dict()
|
2018-04-04 22:05:33 +02:00
|
|
|
all_license_files = list()
|
|
|
|
all_versions = dict()
|
2020-02-15 13:44:16 +01:00
|
|
|
all_ignored_cves = dict()
|
2021-01-05 23:23:31 +01:00
|
|
|
all_cpeids = dict()
|
2020-03-07 08:56:32 +01:00
|
|
|
# This is the list of all possible checks. Add new checks to this list so
|
|
|
|
# a tool that post-processeds the json output knows the checks before
|
|
|
|
# iterating over the packages.
|
|
|
|
status_checks = ['cve', 'developers', 'hash', 'license',
|
|
|
|
'license-files', 'patches', 'pkg-check', 'url', 'version']
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
def __init__(self, name, path):
|
|
|
|
self.name = name
|
|
|
|
self.path = path
|
2020-03-07 08:56:28 +01:00
|
|
|
self.pkg_path = os.path.dirname(path)
|
2018-04-04 22:05:33 +02:00
|
|
|
self.infras = None
|
2020-03-07 08:56:25 +01:00
|
|
|
self.license = None
|
2018-04-04 22:05:33 +02:00
|
|
|
self.has_license = False
|
|
|
|
self.has_license_files = False
|
|
|
|
self.has_hash = False
|
2020-03-07 08:56:23 +01:00
|
|
|
self.patch_files = []
|
2018-04-04 22:05:33 +02:00
|
|
|
self.warnings = 0
|
|
|
|
self.current_version = None
|
2018-10-02 04:37:28 +02:00
|
|
|
self.url = None
|
2018-10-02 04:37:29 +02:00
|
|
|
self.url_worker = None
|
2020-12-04 16:45:57 +01:00
|
|
|
self.cpeid = None
|
2020-02-15 13:44:16 +01:00
|
|
|
self.cves = list()
|
2021-02-11 10:29:10 +01:00
|
|
|
self.ignored_cves = list()
|
2020-03-07 08:56:22 +01:00
|
|
|
self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status = {}
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
def pkgvar(self):
|
|
|
|
return self.name.upper().replace("-", "_")
|
|
|
|
|
2018-10-02 04:37:28 +02:00
|
|
|
def set_url(self):
|
|
|
|
"""
|
|
|
|
Fills in the .url field
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['url'] = ("warning", "no Config.in")
|
2020-11-05 17:30:19 +01:00
|
|
|
pkgdir = os.path.dirname(os.path.join(brpath, self.path))
|
|
|
|
for filename in os.listdir(pkgdir):
|
2018-10-02 04:37:28 +02:00
|
|
|
if fnmatch.fnmatch(filename, 'Config.*'):
|
2020-11-05 17:30:19 +01:00
|
|
|
fp = open(os.path.join(pkgdir, filename), "r")
|
2018-10-02 04:37:28 +02:00
|
|
|
for config_line in fp:
|
|
|
|
if URL_RE.match(config_line):
|
|
|
|
self.url = config_line.strip()
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['url'] = ("ok", "found")
|
2018-10-02 04:37:28 +02:00
|
|
|
fp.close()
|
|
|
|
return
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['url'] = ("error", "missing")
|
2018-10-02 04:37:28 +02:00
|
|
|
fp.close()
|
|
|
|
|
2020-03-07 08:56:23 +01:00
|
|
|
@property
|
|
|
|
def patch_count(self):
|
|
|
|
return len(self.patch_files)
|
|
|
|
|
2020-03-07 08:56:31 +01:00
|
|
|
@property
|
|
|
|
def has_valid_infra(self):
|
2021-05-19 04:46:37 +02:00
|
|
|
if self.infras is None:
|
|
|
|
return False
|
|
|
|
return len(self.infras) > 0
|
|
|
|
|
|
|
|
@property
|
|
|
|
def is_actual_package(self):
|
2020-03-07 08:56:31 +01:00
|
|
|
try:
|
2021-05-19 04:46:37 +02:00
|
|
|
if not self.has_valid_infra:
|
|
|
|
return False
|
2020-03-07 08:56:31 +01:00
|
|
|
if self.infras[0][1] == 'virtual':
|
|
|
|
return False
|
|
|
|
except IndexError:
|
2020-03-24 14:26:31 +01:00
|
|
|
return False
|
2020-03-07 08:56:31 +01:00
|
|
|
return True
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def set_infra(self):
|
|
|
|
"""
|
|
|
|
Fills in the .infras field
|
|
|
|
"""
|
|
|
|
self.infras = list()
|
2020-11-05 17:30:19 +01:00
|
|
|
with open(os.path.join(brpath, self.path), 'r') as f:
|
2018-04-04 22:05:33 +02:00
|
|
|
lines = f.readlines()
|
2021-01-07 14:39:42 +01:00
|
|
|
for line in lines:
|
|
|
|
match = INFRA_RE.match(line)
|
2018-04-04 22:05:33 +02:00
|
|
|
if not match:
|
|
|
|
continue
|
|
|
|
infra = match.group(1)
|
|
|
|
if infra.startswith("host-"):
|
|
|
|
self.infras.append(("host", infra[5:]))
|
|
|
|
else:
|
|
|
|
self.infras.append(("target", infra))
|
|
|
|
|
|
|
|
def set_license(self):
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
Fills in the .status['license'] and .status['license-files'] fields
|
2018-04-04 22:05:33 +02:00
|
|
|
"""
|
2021-05-19 04:46:37 +02:00
|
|
|
if not self.is_actual_package:
|
2020-03-07 08:56:31 +01:00
|
|
|
self.status['license'] = ("na", "no valid package infra")
|
|
|
|
self.status['license-files'] = ("na", "no valid package infra")
|
|
|
|
return
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
var = self.pkgvar()
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['license'] = ("error", "missing")
|
|
|
|
self.status['license-files'] = ("error", "missing")
|
2018-04-04 22:05:33 +02:00
|
|
|
if var in self.all_licenses:
|
2020-03-07 08:56:25 +01:00
|
|
|
self.license = self.all_licenses[var]
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['license'] = ("ok", "found")
|
2018-04-04 22:05:33 +02:00
|
|
|
if var in self.all_license_files:
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['license-files'] = ("ok", "found")
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
def set_hash_info(self):
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
Fills in the .status['hash'] field
|
2018-04-04 22:05:33 +02:00
|
|
|
"""
|
2021-05-19 04:46:37 +02:00
|
|
|
if not self.is_actual_package:
|
2020-03-07 08:56:31 +01:00
|
|
|
self.status['hash'] = ("na", "no valid package infra")
|
|
|
|
self.status['hash-license'] = ("na", "no valid package infra")
|
|
|
|
return
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
hashpath = self.path.replace(".mk", ".hash")
|
2020-11-05 17:30:19 +01:00
|
|
|
if os.path.exists(os.path.join(brpath, hashpath)):
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['hash'] = ("ok", "found")
|
|
|
|
else:
|
|
|
|
self.status['hash'] = ("error", "missing")
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
def set_patch_count(self):
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
Fills in the .patch_count, .patch_files and .status['patches'] fields
|
2018-04-04 22:05:33 +02:00
|
|
|
"""
|
2021-05-19 04:46:37 +02:00
|
|
|
if not self.is_actual_package:
|
2020-03-07 08:56:31 +01:00
|
|
|
self.status['patches'] = ("na", "no valid package infra")
|
|
|
|
return
|
|
|
|
|
2020-11-05 17:30:19 +01:00
|
|
|
pkgdir = os.path.dirname(os.path.join(brpath, self.path))
|
2018-04-04 22:05:33 +02:00
|
|
|
for subdir, _, _ in os.walk(pkgdir):
|
2020-03-07 08:56:23 +01:00
|
|
|
self.patch_files = fnmatch.filter(os.listdir(subdir), '*.patch')
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2020-03-07 08:56:26 +01:00
|
|
|
if self.patch_count == 0:
|
|
|
|
self.status['patches'] = ("ok", "no patches")
|
|
|
|
elif self.patch_count < 5:
|
|
|
|
self.status['patches'] = ("warning", "some patches")
|
|
|
|
else:
|
|
|
|
self.status['patches'] = ("error", "lots of patches")
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
def set_current_version(self):
|
|
|
|
"""
|
|
|
|
Fills in the .current_version field
|
|
|
|
"""
|
|
|
|
var = self.pkgvar()
|
|
|
|
if var in self.all_versions:
|
|
|
|
self.current_version = self.all_versions[var]
|
|
|
|
|
2020-12-04 16:45:57 +01:00
|
|
|
def set_cpeid(self):
|
|
|
|
"""
|
|
|
|
Fills in the .cpeid field
|
|
|
|
"""
|
|
|
|
var = self.pkgvar()
|
2021-05-19 04:46:37 +02:00
|
|
|
if not self.is_actual_package:
|
2021-05-19 04:46:38 +02:00
|
|
|
self.status['cpe'] = ("na", "N/A - virtual pkg")
|
|
|
|
return
|
|
|
|
if not self.current_version:
|
|
|
|
self.status['cpe'] = ("na", "no version information available")
|
2020-12-04 16:45:57 +01:00
|
|
|
return
|
|
|
|
|
|
|
|
if var in self.all_cpeids:
|
|
|
|
self.cpeid = self.all_cpeids[var]
|
2021-01-31 14:38:16 +01:00
|
|
|
# Set a preliminary status, it might be overridden by check_package_cpes()
|
|
|
|
self.status['cpe'] = ("warning", "not checked against CPE dictionnary")
|
2020-12-04 16:45:57 +01:00
|
|
|
else:
|
|
|
|
self.status['cpe'] = ("error", "no verified CPE identifier")
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def set_check_package_warnings(self):
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
Fills in the .warnings and .status['pkg-check'] fields
|
2018-04-04 22:05:33 +02:00
|
|
|
"""
|
2020-11-05 17:30:19 +01:00
|
|
|
cmd = [os.path.join(brpath, "utils/check-package")]
|
|
|
|
pkgdir = os.path.dirname(os.path.join(brpath, self.path))
|
2020-03-07 08:56:26 +01:00
|
|
|
self.status['pkg-check'] = ("error", "Missing")
|
2018-04-04 22:05:33 +02:00
|
|
|
for root, dirs, files in os.walk(pkgdir):
|
|
|
|
for f in files:
|
|
|
|
if f.endswith(".mk") or f.endswith(".hash") or f == "Config.in" or f == "Config.in.host":
|
|
|
|
cmd.append(os.path.join(root, f))
|
|
|
|
o = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()[1]
|
|
|
|
lines = o.splitlines()
|
|
|
|
for line in lines:
|
2020-03-01 22:18:48 +01:00
|
|
|
m = re.match("^([0-9]*) warnings generated", line.decode())
|
2018-04-04 22:05:33 +02:00
|
|
|
if m:
|
|
|
|
self.warnings = int(m.group(1))
|
2020-03-07 08:56:26 +01:00
|
|
|
if self.warnings == 0:
|
|
|
|
self.status['pkg-check'] = ("ok", "no warnings")
|
|
|
|
else:
|
|
|
|
self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
|
2018-04-04 22:05:33 +02:00
|
|
|
return
|
|
|
|
|
2021-02-11 10:29:10 +01:00
|
|
|
def set_ignored_cves(self):
|
2020-02-15 13:44:16 +01:00
|
|
|
"""
|
2020-07-24 17:43:52 +02:00
|
|
|
Give the list of CVEs ignored by the package
|
2020-02-15 13:44:16 +01:00
|
|
|
"""
|
2021-02-11 10:29:10 +01:00
|
|
|
self.ignored_cves = list(self.all_ignored_cves.get(self.pkgvar(), []))
|
2020-02-15 13:44:16 +01:00
|
|
|
|
2020-03-07 08:56:24 +01:00
|
|
|
def set_developers(self, developers):
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
Fills in the .developers and .status['developers'] field
|
2020-03-07 08:56:24 +01:00
|
|
|
"""
|
|
|
|
self.developers = [
|
|
|
|
dev.name
|
|
|
|
for dev in developers
|
|
|
|
if dev.hasfile(self.path)
|
|
|
|
]
|
|
|
|
|
2020-03-07 08:56:26 +01:00
|
|
|
if self.developers:
|
|
|
|
self.status['developers'] = ("ok", "{} developers".format(len(self.developers)))
|
|
|
|
else:
|
|
|
|
self.status['developers'] = ("warning", "no developers")
|
|
|
|
|
|
|
|
def is_status_ok(self, name):
|
2021-01-07 14:39:38 +01:00
|
|
|
return name in self.status and self.status[name][0] == 'ok'
|
|
|
|
|
|
|
|
def is_status_error(self, name):
|
|
|
|
return name in self.status and self.status[name][0] == 'error'
|
|
|
|
|
|
|
|
def is_status_na(self, name):
|
|
|
|
return name in self.status and self.status[name][0] == 'na'
|
2020-03-07 08:56:26 +01:00
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def __eq__(self, other):
|
|
|
|
return self.path == other.path
|
|
|
|
|
|
|
|
def __lt__(self, other):
|
|
|
|
return self.path < other.path
|
|
|
|
|
|
|
|
def __str__(self):
|
|
|
|
return "%s (path='%s', license='%s', license_files='%s', hash='%s', patches=%d)" % \
|
2020-03-24 14:28:05 +01:00
|
|
|
(self.name, self.path, self.is_status_ok('license'),
|
|
|
|
self.is_status_ok('license-files'), self.status['hash'], self.patch_count)
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
|
|
|
|
def get_pkglist(npackages, package_list):
|
|
|
|
"""
|
|
|
|
Builds the list of Buildroot packages, returning a list of Package
|
|
|
|
objects. Only the .name and .path fields of the Package object are
|
|
|
|
initialized.
|
|
|
|
|
|
|
|
npackages: limit to N packages
|
|
|
|
package_list: limit to those packages in this list
|
|
|
|
"""
|
|
|
|
WALK_USEFUL_SUBDIRS = ["boot", "linux", "package", "toolchain"]
|
|
|
|
WALK_EXCLUDES = ["boot/common.mk",
|
|
|
|
"linux/linux-ext-.*.mk",
|
|
|
|
"package/freescale-imx/freescale-imx.mk",
|
|
|
|
"package/gcc/gcc.mk",
|
|
|
|
"package/gstreamer/gstreamer.mk",
|
|
|
|
"package/gstreamer1/gstreamer1.mk",
|
|
|
|
"package/gtk2-themes/gtk2-themes.mk",
|
|
|
|
"package/matchbox/matchbox.mk",
|
|
|
|
"package/opengl/opengl.mk",
|
|
|
|
"package/qt5/qt5.mk",
|
|
|
|
"package/x11r7/x11r7.mk",
|
|
|
|
"package/doc-asciidoc.mk",
|
|
|
|
"package/pkg-.*.mk",
|
|
|
|
"toolchain/toolchain-external/pkg-toolchain-external.mk",
|
|
|
|
"toolchain/toolchain-external/toolchain-external.mk",
|
|
|
|
"toolchain/toolchain.mk",
|
|
|
|
"toolchain/helpers.mk",
|
|
|
|
"toolchain/toolchain-wrapper.mk"]
|
|
|
|
packages = list()
|
|
|
|
count = 0
|
2020-11-05 17:30:19 +01:00
|
|
|
for root, dirs, files in os.walk(brpath):
|
|
|
|
root = os.path.relpath(root, brpath)
|
2018-04-04 22:05:33 +02:00
|
|
|
rootdir = root.split("/")
|
2020-11-05 17:30:19 +01:00
|
|
|
if len(rootdir) < 1:
|
2018-04-04 22:05:33 +02:00
|
|
|
continue
|
2020-11-05 17:30:19 +01:00
|
|
|
if rootdir[0] not in WALK_USEFUL_SUBDIRS:
|
2018-04-04 22:05:33 +02:00
|
|
|
continue
|
|
|
|
for f in files:
|
|
|
|
if not f.endswith(".mk"):
|
|
|
|
continue
|
|
|
|
# Strip ending ".mk"
|
|
|
|
pkgname = f[:-3]
|
|
|
|
if package_list and pkgname not in package_list:
|
|
|
|
continue
|
|
|
|
pkgpath = os.path.join(root, f)
|
|
|
|
skip = False
|
|
|
|
for exclude in WALK_EXCLUDES:
|
2020-11-05 17:30:19 +01:00
|
|
|
if re.match(exclude, pkgpath):
|
2018-04-04 22:05:33 +02:00
|
|
|
skip = True
|
|
|
|
continue
|
|
|
|
if skip:
|
|
|
|
continue
|
|
|
|
p = Package(pkgname, pkgpath)
|
|
|
|
packages.append(p)
|
|
|
|
count += 1
|
|
|
|
if npackages and count == npackages:
|
|
|
|
return packages
|
|
|
|
return packages
|
|
|
|
|
|
|
|
|
support/scripts/pkg-stats: support generating stats based on configured packages
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-05 17:30:20 +01:00
|
|
|
def get_config_packages():
|
|
|
|
cmd = ["make", "--no-print-directory", "show-info"]
|
|
|
|
js = json.loads(subprocess.check_output(cmd))
|
2021-02-01 13:20:56 +01:00
|
|
|
return set([v["name"] for v in js.values()])
|
support/scripts/pkg-stats: support generating stats based on configured packages
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-05 17:30:20 +01:00
|
|
|
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def package_init_make_info():
|
2019-07-19 16:35:55 +02:00
|
|
|
# Fetch all variables at once
|
|
|
|
variables = subprocess.check_output(["make", "BR2_HAVE_DOT_CONFIG=y", "-s", "printvars",
|
2020-12-04 16:45:57 +01:00
|
|
|
"VARS=%_LICENSE %_LICENSE_FILES %_VERSION %_IGNORE_CVES %_CPE_ID"])
|
2020-03-01 22:18:48 +01:00
|
|
|
variable_list = variables.decode().splitlines()
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
# We process first the host package VERSION, and then the target
|
|
|
|
# package VERSION. This means that if a package exists in both
|
2019-07-19 16:35:55 +02:00
|
|
|
# target and host variants, with different values (eg. version
|
|
|
|
# numbers (unlikely)), we'll report the target one.
|
|
|
|
variable_list = [x[5:] for x in variable_list if x.startswith("HOST_")] + \
|
|
|
|
[x for x in variable_list if not x.startswith("HOST_")]
|
|
|
|
|
2021-05-18 20:21:53 +02:00
|
|
|
for item in variable_list:
|
2018-04-04 22:05:33 +02:00
|
|
|
# Get variable name and value
|
2021-05-18 20:21:53 +02:00
|
|
|
pkgvar, value = item.split("=")
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2019-07-19 16:35:55 +02:00
|
|
|
# Strip the suffix according to the variable
|
|
|
|
if pkgvar.endswith("_LICENSE"):
|
|
|
|
# If value is "unknown", no license details available
|
|
|
|
if value == "unknown":
|
|
|
|
continue
|
|
|
|
pkgvar = pkgvar[:-8]
|
2020-03-07 08:56:25 +01:00
|
|
|
Package.all_licenses[pkgvar] = value
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2019-08-01 17:12:43 +02:00
|
|
|
elif pkgvar.endswith("_LICENSE_FILES"):
|
2019-07-19 16:35:55 +02:00
|
|
|
if pkgvar.endswith("_MANIFEST_LICENSE_FILES"):
|
|
|
|
continue
|
|
|
|
pkgvar = pkgvar[:-14]
|
|
|
|
Package.all_license_files.append(pkgvar)
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2019-07-19 16:35:55 +02:00
|
|
|
elif pkgvar.endswith("_VERSION"):
|
|
|
|
if pkgvar.endswith("_DL_VERSION"):
|
|
|
|
continue
|
|
|
|
pkgvar = pkgvar[:-8]
|
|
|
|
Package.all_versions[pkgvar] = value
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2020-02-15 13:44:16 +01:00
|
|
|
elif pkgvar.endswith("_IGNORE_CVES"):
|
|
|
|
pkgvar = pkgvar[:-12]
|
|
|
|
Package.all_ignored_cves[pkgvar] = value.split()
|
|
|
|
|
2020-12-04 16:45:57 +01:00
|
|
|
elif pkgvar.endswith("_CPE_ID"):
|
|
|
|
pkgvar = pkgvar[:-7]
|
|
|
|
Package.all_cpeids[pkgvar] = value
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2021-01-05 23:23:31 +01:00
|
|
|
|
2020-08-08 20:08:25 +02:00
|
|
|
check_url_count = 0
|
|
|
|
|
|
|
|
|
|
|
|
async def check_url_status(session, pkg, npkgs, retry=True):
|
|
|
|
global check_url_count
|
|
|
|
|
2020-08-08 20:08:24 +02:00
|
|
|
try:
|
|
|
|
async with session.get(pkg.url) as resp:
|
|
|
|
if resp.status >= 400:
|
|
|
|
pkg.status['url'] = ("error", "invalid {}".format(resp.status))
|
2020-08-08 20:08:25 +02:00
|
|
|
check_url_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
|
2020-08-08 20:08:24 +02:00
|
|
|
return
|
|
|
|
except (aiohttp.ClientError, asyncio.TimeoutError):
|
|
|
|
if retry:
|
2020-08-08 20:08:25 +02:00
|
|
|
return await check_url_status(session, pkg, npkgs, retry=False)
|
2020-08-08 20:08:24 +02:00
|
|
|
else:
|
|
|
|
pkg.status['url'] = ("error", "invalid (err)")
|
2020-08-08 20:08:25 +02:00
|
|
|
check_url_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
|
2020-08-08 20:08:24 +02:00
|
|
|
return
|
2018-10-02 04:37:29 +02:00
|
|
|
|
2020-08-08 20:08:24 +02:00
|
|
|
pkg.status['url'] = ("ok", "valid")
|
2020-08-08 20:08:25 +02:00
|
|
|
check_url_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
|
2018-10-02 04:37:29 +02:00
|
|
|
|
2020-08-08 20:08:24 +02:00
|
|
|
|
|
|
|
async def check_package_urls(packages):
|
|
|
|
tasks = []
|
|
|
|
connector = aiohttp.TCPConnector(limit_per_host=5)
|
|
|
|
async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess:
|
|
|
|
packages = [p for p in packages if p.status['url'][0] == 'ok']
|
|
|
|
for pkg in packages:
|
2020-11-19 15:53:52 +01:00
|
|
|
tasks.append(asyncio.ensure_future(check_url_status(sess, pkg, len(packages))))
|
2020-08-08 20:08:24 +02:00
|
|
|
await asyncio.wait(tasks)
|
2018-10-02 04:37:28 +02:00
|
|
|
|
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
def check_package_latest_version_set_status(pkg, status, version, identifier):
|
|
|
|
pkg.latest_version = {
|
|
|
|
"status": status,
|
|
|
|
"version": version,
|
|
|
|
"id": identifier,
|
|
|
|
}
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
|
|
|
|
pkg.status['version'] = ('warning', "Release Monitoring API error")
|
|
|
|
elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND:
|
|
|
|
pkg.status['version'] = ('warning', "Package not found on Release Monitoring")
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
if pkg.latest_version['version'] is None:
|
|
|
|
pkg.status['version'] = ('warning', "No upstream version available on Release Monitoring")
|
|
|
|
elif pkg.latest_version['version'] != pkg.current_version:
|
|
|
|
pkg.status['version'] = ('error', "The newer version {} is available upstream".format(pkg.latest_version['version']))
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
else:
|
2020-08-08 20:08:23 +02:00
|
|
|
pkg.status['version'] = ('ok', 'up-to-date')
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
async def check_package_get_latest_version_by_distro(session, pkg, retry=True):
|
|
|
|
url = "https://release-monitoring.org//api/project/Buildroot/%s" % pkg.name
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
try:
|
2020-08-08 20:08:23 +02:00
|
|
|
async with session.get(url) as resp:
|
|
|
|
if resp.status != 200:
|
|
|
|
return False
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
data = await resp.json()
|
2021-09-01 16:10:29 +02:00
|
|
|
version = data['stable_versions'][0] if 'stable_versions' in data else data['version'] if 'version' in data else None
|
2020-08-08 20:08:23 +02:00
|
|
|
check_package_latest_version_set_status(pkg,
|
|
|
|
RM_API_STATUS_FOUND_BY_DISTRO,
|
|
|
|
version,
|
|
|
|
data['id'])
|
|
|
|
return True
|
|
|
|
|
|
|
|
except (aiohttp.ClientError, asyncio.TimeoutError):
|
|
|
|
if retry:
|
|
|
|
return await check_package_get_latest_version_by_distro(session, pkg, retry=False)
|
|
|
|
else:
|
|
|
|
return False
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
async def check_package_get_latest_version_by_guess(session, pkg, retry=True):
|
|
|
|
url = "https://release-monitoring.org/api/projects/?pattern=%s" % pkg.name
|
|
|
|
try:
|
|
|
|
async with session.get(url) as resp:
|
|
|
|
if resp.status != 200:
|
|
|
|
return False
|
|
|
|
|
|
|
|
data = await resp.json()
|
|
|
|
# filter projects that have the right name and a version defined
|
support/scripts/pkg-stats: use the new 'stable_versions' field of release-monitoring.org
The pkg-stats script queries release-monitoring.org to find the latest
upstream versions of our packages. However, up until recently,
release-monitoring.org had no notion of stable
vs. development/release-candidate versions, so for some packages the
"latest" version was in fact a development/release-candidate version
that we didn't want to package in Buildroot.
However, in recent time, release-monitoring.org has gained support for
differentiating stable vs. development releases of upstream
projects. See for example
https://release-monitoring.org/project/10024/ for the glib library,
which has a number of versions marked "Pre-release".
The JSON blurb returned by release-monitoring.org has 3 relevant
fields:
- "version", which we are using currently, which is a string
containing the reference of the latest version, including
pre-release.
- "versions", which is an array of strings listing all versions,
pre-release or not.
- "stable_versions", which is an array of string listing only
non-pre-release versions. It is ordered newest first to oldest
last.
So, this commit changes from using 'version' to using
'stable_versions[0]'.
As an example, before this change, pkg-stats reports that nfs-utils
needs to be bumped to 2.5.5rc3, while after this patch, it reports
that nfs-utils is already at 2.5.4, and that this is the latest stable
version (modulo an issue where Buildroot has 2.5.4 and
release-monitoring.org has 2-5-4, this will be addressed separately).
Note that part of this change was already done in commit f7b0e0860, but
it was incomplete.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-10-08 23:21:35 +02:00
|
|
|
projects = [p for p in data['projects'] if p['name'] == pkg.name and 'stable_versions' in p]
|
2020-08-08 20:08:23 +02:00
|
|
|
projects.sort(key=lambda x: x['id'])
|
|
|
|
|
|
|
|
if len(projects) > 0:
|
|
|
|
check_package_latest_version_set_status(pkg,
|
support/scripts/pkg-stats: fix the status for packages found by guess
The pkg-stats scripts tries to match packages against
release-monitoring.org in two ways:
- First by using the "Buildroot" distribution registered on
release-monitoring.org, in which we have added a lot of mappings
between Buildroot package names and release-monitoring.org package
names. If there is a match using this distribution, the package
status is RM_API_STATUS_FOUND_BY_DISTRO, which means that the
resulting HTML has a "found by distro" statement.
- Then, if the first solution didn't work, by using the pattern
matching, as done in the check_package_get_latest_version_by_guess()
function.
However, there is a bug in this later case: it sets the package status
to RM_API_STATUS_FOUND_BY_DISTRO as well, while it should have been
RM_API_STATUS_FOUND_BY_PATTERN. Due to this bug, in the resulting HTML
file from a pkg-stats run, all packages are marked as "found by
distro" even the ones that are "found by guess".
This commit fixes that by setting the correct package status.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-10-08 23:21:34 +02:00
|
|
|
RM_API_STATUS_FOUND_BY_PATTERN,
|
support/scripts/pkg-stats: use the new 'stable_versions' field of release-monitoring.org
The pkg-stats script queries release-monitoring.org to find the latest
upstream versions of our packages. However, up until recently,
release-monitoring.org had no notion of stable
vs. development/release-candidate versions, so for some packages the
"latest" version was in fact a development/release-candidate version
that we didn't want to package in Buildroot.
However, in recent time, release-monitoring.org has gained support for
differentiating stable vs. development releases of upstream
projects. See for example
https://release-monitoring.org/project/10024/ for the glib library,
which has a number of versions marked "Pre-release".
The JSON blurb returned by release-monitoring.org has 3 relevant
fields:
- "version", which we are using currently, which is a string
containing the reference of the latest version, including
pre-release.
- "versions", which is an array of strings listing all versions,
pre-release or not.
- "stable_versions", which is an array of string listing only
non-pre-release versions. It is ordered newest first to oldest
last.
So, this commit changes from using 'version' to using
'stable_versions[0]'.
As an example, before this change, pkg-stats reports that nfs-utils
needs to be bumped to 2.5.5rc3, while after this patch, it reports
that nfs-utils is already at 2.5.4, and that this is the latest stable
version (modulo an issue where Buildroot has 2.5.4 and
release-monitoring.org has 2-5-4, this will be addressed separately).
Note that part of this change was already done in commit f7b0e0860, but
it was incomplete.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-10-08 23:21:35 +02:00
|
|
|
projects[0]['stable_versions'][0],
|
2020-08-08 20:08:23 +02:00
|
|
|
projects[0]['id'])
|
|
|
|
return True
|
|
|
|
|
|
|
|
except (aiohttp.ClientError, asyncio.TimeoutError):
|
|
|
|
if retry:
|
|
|
|
return await check_package_get_latest_version_by_guess(session, pkg, retry=False)
|
|
|
|
else:
|
|
|
|
return False
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
|
2020-08-08 20:08:25 +02:00
|
|
|
check_latest_count = 0
|
|
|
|
|
|
|
|
|
|
|
|
async def check_package_latest_version_get(session, pkg, npkgs):
|
|
|
|
global check_latest_count
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
if await check_package_get_latest_version_by_distro(session, pkg):
|
2020-08-08 20:08:25 +02:00
|
|
|
check_latest_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
|
2020-08-08 20:08:23 +02:00
|
|
|
return
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
if await check_package_get_latest_version_by_guess(session, pkg):
|
2020-08-08 20:08:25 +02:00
|
|
|
check_latest_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
|
2020-08-08 20:08:23 +02:00
|
|
|
return
|
2019-08-01 17:12:44 +02:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
check_package_latest_version_set_status(pkg,
|
|
|
|
RM_API_STATUS_NOT_FOUND,
|
|
|
|
None, None)
|
2020-08-08 20:08:25 +02:00
|
|
|
check_latest_count += 1
|
|
|
|
print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
|
2019-08-01 17:12:44 +02:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
|
|
|
|
async def check_package_latest_version(packages):
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
"""
|
|
|
|
Fills in the .latest_version field of all Package objects
|
|
|
|
|
2020-03-07 08:56:22 +01:00
|
|
|
This field is a dict and has the following keys:
|
|
|
|
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
- status: one of RM_API_STATUS_ERROR,
|
|
|
|
RM_API_STATUS_FOUND_BY_DISTRO, RM_API_STATUS_FOUND_BY_PATTERN,
|
|
|
|
RM_API_STATUS_NOT_FOUND
|
|
|
|
- version: string containing the latest version known by
|
|
|
|
release-monitoring.org for this package
|
|
|
|
- id: string containing the id of the project corresponding to this
|
|
|
|
package, as known by release-monitoring.org
|
|
|
|
"""
|
2020-03-07 08:56:26 +01:00
|
|
|
|
2021-05-19 04:46:37 +02:00
|
|
|
for pkg in [p for p in packages if not p.is_actual_package]:
|
2020-08-08 20:08:23 +02:00
|
|
|
pkg.status['version'] = ("na", "no valid package infra")
|
2020-03-09 15:17:09 +01:00
|
|
|
|
2020-08-08 20:08:23 +02:00
|
|
|
tasks = []
|
|
|
|
connector = aiohttp.TCPConnector(limit_per_host=5)
|
|
|
|
async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess:
|
2021-05-19 04:46:37 +02:00
|
|
|
packages = [p for p in packages if p.is_actual_package]
|
2020-08-08 20:08:23 +02:00
|
|
|
for pkg in packages:
|
2020-11-19 15:53:52 +01:00
|
|
|
tasks.append(asyncio.ensure_future(check_package_latest_version_get(sess, pkg, len(packages))))
|
2020-08-08 20:08:23 +02:00
|
|
|
await asyncio.wait(tasks)
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
def check_package_cve_affects(cve, cpe_product_pkgs):
|
|
|
|
for product in cve.affected_products:
|
2021-01-05 23:23:31 +01:00
|
|
|
if product not in cpe_product_pkgs:
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
continue
|
|
|
|
for pkg in cpe_product_pkgs[product]:
|
|
|
|
if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves, pkg.cpeid) == cve.CVE_AFFECTS:
|
|
|
|
pkg.cves.append(cve.identifier)
|
|
|
|
|
2021-01-05 23:23:31 +01:00
|
|
|
|
2020-02-15 13:44:16 +01:00
|
|
|
def check_package_cves(nvd_path, packages):
|
|
|
|
if not os.path.isdir(nvd_path):
|
|
|
|
os.makedirs(nvd_path)
|
|
|
|
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
cpe_product_pkgs = defaultdict(list)
|
|
|
|
for pkg in packages:
|
2021-05-19 04:46:37 +02:00
|
|
|
if not pkg.is_actual_package:
|
2021-05-19 04:46:38 +02:00
|
|
|
pkg.status['cve'] = ("na", "N/A")
|
2020-12-04 16:45:59 +01:00
|
|
|
continue
|
|
|
|
if not pkg.current_version:
|
2020-12-04 16:46:00 +01:00
|
|
|
pkg.status['cve'] = ("na", "no version information available")
|
2020-12-04 16:45:59 +01:00
|
|
|
continue
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
if pkg.cpeid:
|
|
|
|
cpe_product = cvecheck.cpe_product(pkg.cpeid)
|
|
|
|
cpe_product_pkgs[cpe_product].append(pkg)
|
|
|
|
else:
|
|
|
|
cpe_product_pkgs[pkg.name].append(pkg)
|
2020-02-15 13:44:16 +01:00
|
|
|
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
|
|
|
|
check_package_cve_affects(cve, cpe_product_pkgs)
|
2020-09-02 23:21:57 +02:00
|
|
|
|
2020-12-04 16:46:00 +01:00
|
|
|
for pkg in packages:
|
|
|
|
if 'cve' not in pkg.status:
|
|
|
|
if pkg.cves:
|
|
|
|
pkg.status['cve'] = ("error", "affected by CVEs")
|
|
|
|
else:
|
|
|
|
pkg.status['cve'] = ("ok", "not affected by CVEs")
|
|
|
|
|
2021-01-05 23:23:31 +01:00
|
|
|
|
2021-01-31 14:38:16 +01:00
|
|
|
def check_package_cpes(nvd_path, packages):
|
|
|
|
cpedb = CPEDB(nvd_path)
|
|
|
|
cpedb.get_xml_dict()
|
|
|
|
for p in packages:
|
|
|
|
if not p.cpeid:
|
|
|
|
continue
|
|
|
|
if cpedb.find(p.cpeid):
|
|
|
|
p.status['cpe'] = ("ok", "verified CPE identifier")
|
|
|
|
else:
|
2021-05-19 04:46:36 +02:00
|
|
|
p.status['cpe'] = ("error", "CPE version unknown in CPE database")
|
2021-01-31 14:38:16 +01:00
|
|
|
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def calculate_stats(packages):
|
|
|
|
stats = defaultdict(int)
|
2020-03-07 08:56:27 +01:00
|
|
|
stats['packages'] = len(packages)
|
2018-04-04 22:05:33 +02:00
|
|
|
for pkg in packages:
|
|
|
|
# If packages have multiple infra, take the first one. For the
|
|
|
|
# vast majority of packages, the target and host infra are the
|
|
|
|
# same. There are very few packages that use a different infra
|
|
|
|
# for the host and target variants.
|
|
|
|
if len(pkg.infras) > 0:
|
|
|
|
infra = pkg.infras[0][1]
|
|
|
|
stats["infra-%s" % infra] += 1
|
|
|
|
else:
|
|
|
|
stats["infra-unknown"] += 1
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('license'):
|
2018-04-04 22:05:33 +02:00
|
|
|
stats["license"] += 1
|
|
|
|
else:
|
|
|
|
stats["no-license"] += 1
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('license-files'):
|
2018-04-04 22:05:33 +02:00
|
|
|
stats["license-files"] += 1
|
|
|
|
else:
|
|
|
|
stats["no-license-files"] += 1
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('hash'):
|
2018-04-04 22:05:33 +02:00
|
|
|
stats["hash"] += 1
|
|
|
|
else:
|
|
|
|
stats["no-hash"] += 1
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
stats["rmo-mapping"] += 1
|
|
|
|
else:
|
|
|
|
stats["rmo-no-mapping"] += 1
|
2020-03-07 08:56:22 +01:00
|
|
|
if not pkg.latest_version['version']:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
stats["version-unknown"] += 1
|
2020-03-07 08:56:22 +01:00
|
|
|
elif pkg.latest_version['version'] == pkg.current_version:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
stats["version-uptodate"] += 1
|
|
|
|
else:
|
|
|
|
stats["version-not-uptodate"] += 1
|
2018-04-04 22:05:33 +02:00
|
|
|
stats["patches"] += pkg.patch_count
|
2020-02-15 13:44:16 +01:00
|
|
|
stats["total-cves"] += len(pkg.cves)
|
|
|
|
if len(pkg.cves) != 0:
|
|
|
|
stats["pkg-cves"] += 1
|
2020-12-04 16:45:57 +01:00
|
|
|
if pkg.cpeid:
|
|
|
|
stats["cpe-id"] += 1
|
|
|
|
else:
|
|
|
|
stats["no-cpe-id"] += 1
|
2018-04-04 22:05:33 +02:00
|
|
|
return stats
|
|
|
|
|
|
|
|
|
|
|
|
html_header = """
|
|
|
|
<head>
|
2017-07-06 03:36:31 +02:00
|
|
|
<script src=\"https://www.kryogenix.org/code/browser/sorttable/sorttable.js\"></script>
|
2009-10-28 00:28:40 +01:00
|
|
|
<style type=\"text/css\">
|
|
|
|
table {
|
|
|
|
width: 100%;
|
|
|
|
}
|
|
|
|
td {
|
|
|
|
border: 1px solid black;
|
|
|
|
}
|
|
|
|
td.centered {
|
|
|
|
text-align: center;
|
|
|
|
}
|
2012-07-31 21:32:25 +02:00
|
|
|
td.wrong {
|
2010-07-26 15:15:14 +02:00
|
|
|
background: #ff9a69;
|
|
|
|
}
|
2012-07-31 21:32:25 +02:00
|
|
|
td.correct {
|
2010-07-26 15:15:14 +02:00
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
2012-07-31 21:32:25 +02:00
|
|
|
td.nopatches {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
td.somepatches {
|
|
|
|
background: #ffd870;
|
|
|
|
}
|
|
|
|
td.lotsofpatches {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
2018-10-02 04:37:28 +02:00
|
|
|
td.good_url {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
td.missing_url {
|
|
|
|
background: #ffd870;
|
|
|
|
}
|
|
|
|
td.invalid_url {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
td.version-good {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
td.version-needs-update {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
|
|
|
td.version-unknown {
|
|
|
|
background: #ffd870;
|
|
|
|
}
|
|
|
|
td.version-error {
|
|
|
|
background: #ccc;
|
|
|
|
}
|
|
|
|
|
2020-12-04 16:45:57 +01:00
|
|
|
td.cpe-ok {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
|
|
|
|
td.cpe-nok {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
|
|
|
|
|
|
|
td.cpe-unknown {
|
|
|
|
background: #ffd870;
|
|
|
|
}
|
|
|
|
|
2020-12-04 16:46:00 +01:00
|
|
|
td.cve-ok {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
|
|
|
|
td.cve-nok {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
|
|
|
|
|
|
|
td.cve-unknown {
|
|
|
|
background: #ffd870;
|
|
|
|
}
|
|
|
|
|
2021-04-22 21:45:57 +02:00
|
|
|
td.cve_ignored {
|
|
|
|
background: #ccc;
|
|
|
|
}
|
|
|
|
|
2009-10-28 00:28:40 +01:00
|
|
|
</style>
|
2012-07-31 21:32:25 +02:00
|
|
|
<title>Statistics of Buildroot packages</title>
|
2009-10-28 00:28:40 +01:00
|
|
|
</head>
|
|
|
|
|
|
|
|
<a href=\"#results\">Results</a><br/>
|
|
|
|
|
2017-07-06 03:36:31 +02:00
|
|
|
<p id=\"sortable_hint\"></p>
|
2018-04-04 22:05:33 +02:00
|
|
|
"""
|
|
|
|
|
2017-07-06 03:36:31 +02:00
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
html_footer = """
|
|
|
|
</body>
|
|
|
|
<script>
|
|
|
|
if (typeof sorttable === \"object\") {
|
|
|
|
document.getElementById(\"sortable_hint\").innerHTML =
|
|
|
|
\"hint: the table can be sorted by clicking the column headers\"
|
|
|
|
}
|
|
|
|
</script>
|
|
|
|
</html>
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
def infra_str(infra_list):
|
|
|
|
if not infra_list:
|
|
|
|
return "Unknown"
|
|
|
|
elif len(infra_list) == 1:
|
|
|
|
return "<b>%s</b><br/>%s" % (infra_list[0][1], infra_list[0][0])
|
|
|
|
elif infra_list[0][1] == infra_list[1][1]:
|
|
|
|
return "<b>%s</b><br/>%s + %s" % \
|
|
|
|
(infra_list[0][1], infra_list[0][0], infra_list[1][0])
|
|
|
|
else:
|
|
|
|
return "<b>%s</b> (%s)<br/><b>%s</b> (%s)" % \
|
|
|
|
(infra_list[0][1], infra_list[0][0],
|
|
|
|
infra_list[1][1], infra_list[1][0])
|
|
|
|
|
|
|
|
|
|
|
|
def boolean_str(b):
|
|
|
|
if b:
|
|
|
|
return "Yes"
|
|
|
|
else:
|
|
|
|
return "No"
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_pkg(f, pkg):
|
|
|
|
f.write(" <tr>\n")
|
2020-11-05 17:30:19 +01:00
|
|
|
f.write(" <td>%s</td>\n" % pkg.path)
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
# Patch count
|
|
|
|
td_class = ["centered"]
|
|
|
|
if pkg.patch_count == 0:
|
|
|
|
td_class.append("nopatches")
|
|
|
|
elif pkg.patch_count < 5:
|
|
|
|
td_class.append("somepatches")
|
|
|
|
else:
|
|
|
|
td_class.append("lotsofpatches")
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
|
|
|
(" ".join(td_class), str(pkg.patch_count)))
|
|
|
|
|
|
|
|
# Infrastructure
|
|
|
|
infra = infra_str(pkg.infras)
|
|
|
|
td_class = ["centered"]
|
|
|
|
if infra == "Unknown":
|
|
|
|
td_class.append("wrong")
|
|
|
|
else:
|
|
|
|
td_class.append("correct")
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
|
|
|
(" ".join(td_class), infra_str(pkg.infras)))
|
|
|
|
|
|
|
|
# License
|
|
|
|
td_class = ["centered"]
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('license'):
|
2018-04-04 22:05:33 +02:00
|
|
|
td_class.append("correct")
|
|
|
|
else:
|
|
|
|
td_class.append("wrong")
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
2020-03-07 08:56:26 +01:00
|
|
|
(" ".join(td_class), boolean_str(pkg.is_status_ok('license'))))
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
# License files
|
|
|
|
td_class = ["centered"]
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('license-files'):
|
2018-04-04 22:05:33 +02:00
|
|
|
td_class.append("correct")
|
|
|
|
else:
|
|
|
|
td_class.append("wrong")
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
2020-03-07 08:56:26 +01:00
|
|
|
(" ".join(td_class), boolean_str(pkg.is_status_ok('license-files'))))
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
# Hash
|
|
|
|
td_class = ["centered"]
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.is_status_ok('hash'):
|
2018-04-04 22:05:33 +02:00
|
|
|
td_class.append("correct")
|
|
|
|
else:
|
|
|
|
td_class.append("wrong")
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
2020-03-07 08:56:26 +01:00
|
|
|
(" ".join(td_class), boolean_str(pkg.is_status_ok('hash'))))
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
# Current version
|
|
|
|
if len(pkg.current_version) > 20:
|
|
|
|
current_version = pkg.current_version[:20] + "..."
|
|
|
|
else:
|
|
|
|
current_version = pkg.current_version
|
|
|
|
f.write(" <td class=\"centered\">%s</td>\n" % current_version)
|
|
|
|
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
# Latest version
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
td_class.append("version-error")
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['version'] is None:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
td_class.append("version-unknown")
|
2020-03-07 08:56:22 +01:00
|
|
|
elif pkg.latest_version['version'] != pkg.current_version:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
td_class.append("version-needs-update")
|
|
|
|
else:
|
|
|
|
td_class.append("version-good")
|
|
|
|
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
latest_version_text = "<b>Error</b>"
|
2020-03-07 08:56:22 +01:00
|
|
|
elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
latest_version_text = "<b>Not found</b>"
|
|
|
|
else:
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['version'] is None:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
latest_version_text = "<b>Found, but no version</b>"
|
|
|
|
else:
|
2019-02-07 22:04:26 +01:00
|
|
|
latest_version_text = "<a href=\"https://release-monitoring.org/project/%s\"><b>%s</b></a>" % \
|
2020-03-07 08:56:22 +01:00
|
|
|
(pkg.latest_version['id'], str(pkg.latest_version['version']))
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
|
|
|
|
latest_version_text += "<br/>"
|
|
|
|
|
2020-03-07 08:56:22 +01:00
|
|
|
if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO:
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
latest_version_text += "found by <a href=\"https://release-monitoring.org/distro/Buildroot/\">distro</a>"
|
|
|
|
else:
|
|
|
|
latest_version_text += "found by guess"
|
|
|
|
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
|
|
|
(" ".join(td_class), latest_version_text))
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
# Warnings
|
|
|
|
td_class = ["centered"]
|
|
|
|
if pkg.warnings == 0:
|
|
|
|
td_class.append("correct")
|
|
|
|
else:
|
|
|
|
td_class.append("wrong")
|
|
|
|
f.write(" <td class=\"%s\">%d</td>\n" %
|
|
|
|
(" ".join(td_class), pkg.warnings))
|
|
|
|
|
2018-10-02 04:37:28 +02:00
|
|
|
# URL status
|
|
|
|
td_class = ["centered"]
|
2020-03-07 08:56:26 +01:00
|
|
|
url_str = pkg.status['url'][1]
|
|
|
|
if pkg.status['url'][0] in ("error", "warning"):
|
2018-10-02 04:37:28 +02:00
|
|
|
td_class.append("missing_url")
|
2020-03-07 08:56:26 +01:00
|
|
|
if pkg.status['url'][0] == "error":
|
2018-10-02 04:37:28 +02:00
|
|
|
td_class.append("invalid_url")
|
2020-03-07 08:56:26 +01:00
|
|
|
url_str = "<a href=%s>%s</a>" % (pkg.url, pkg.status['url'][1])
|
2018-10-02 04:37:28 +02:00
|
|
|
else:
|
|
|
|
td_class.append("good_url")
|
|
|
|
url_str = "<a href=%s>Link</a>" % pkg.url
|
|
|
|
f.write(" <td class=\"%s\">%s</td>\n" %
|
|
|
|
(" ".join(td_class), url_str))
|
|
|
|
|
2020-02-15 13:44:16 +01:00
|
|
|
# CVEs
|
|
|
|
td_class = ["centered"]
|
2021-01-07 14:39:39 +01:00
|
|
|
if pkg.is_status_ok("cve"):
|
2020-12-04 16:46:00 +01:00
|
|
|
td_class.append("cve-ok")
|
2021-01-07 14:39:39 +01:00
|
|
|
elif pkg.is_status_error("cve"):
|
2020-12-04 16:46:00 +01:00
|
|
|
td_class.append("cve-nok")
|
2021-05-19 04:46:38 +02:00
|
|
|
elif pkg.is_status_na("cve") and not pkg.is_actual_package:
|
|
|
|
td_class.append("cve-ok")
|
2020-02-15 13:44:16 +01:00
|
|
|
else:
|
2020-12-04 16:46:00 +01:00
|
|
|
td_class.append("cve-unknown")
|
2020-02-15 13:44:16 +01:00
|
|
|
f.write(" <td class=\"%s\">\n" % " ".join(td_class))
|
2021-01-07 14:39:39 +01:00
|
|
|
if pkg.is_status_error("cve"):
|
2020-12-04 16:46:00 +01:00
|
|
|
for cve in pkg.cves:
|
|
|
|
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
|
2021-01-07 14:39:39 +01:00
|
|
|
elif pkg.is_status_na("cve"):
|
2020-12-04 16:46:00 +01:00
|
|
|
f.write(" %s" % pkg.status['cve'][1])
|
2021-01-07 14:39:39 +01:00
|
|
|
else:
|
|
|
|
f.write(" N/A\n")
|
2020-02-15 13:44:16 +01:00
|
|
|
f.write(" </td>\n")
|
|
|
|
|
2021-04-22 21:45:57 +02:00
|
|
|
# CVEs Ignored
|
|
|
|
td_class = ["centered"]
|
|
|
|
if pkg.ignored_cves:
|
|
|
|
td_class.append("cve_ignored")
|
|
|
|
f.write(" <td class=\"%s\">\n" % " ".join(td_class))
|
|
|
|
for ignored_cve in pkg.ignored_cves:
|
|
|
|
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (ignored_cve, ignored_cve))
|
|
|
|
f.write(" </td>\n")
|
|
|
|
|
2020-12-04 16:45:57 +01:00
|
|
|
# CPE ID
|
|
|
|
td_class = ["left"]
|
2021-01-31 14:38:16 +01:00
|
|
|
if pkg.is_status_ok("cpe"):
|
2020-12-04 16:45:57 +01:00
|
|
|
td_class.append("cpe-ok")
|
2021-01-31 14:38:16 +01:00
|
|
|
elif pkg.is_status_error("cpe"):
|
2020-12-04 16:45:57 +01:00
|
|
|
td_class.append("cpe-nok")
|
2021-05-19 04:46:38 +02:00
|
|
|
elif pkg.is_status_na("cpe") and not pkg.is_actual_package:
|
|
|
|
td_class.append("cpe-ok")
|
2020-12-04 16:45:57 +01:00
|
|
|
else:
|
|
|
|
td_class.append("cpe-unknown")
|
|
|
|
f.write(" <td class=\"%s\">\n" % " ".join(td_class))
|
2021-01-31 14:38:16 +01:00
|
|
|
if pkg.cpeid:
|
2020-12-04 16:45:57 +01:00
|
|
|
f.write(" <code>%s</code>\n" % pkg.cpeid)
|
2021-01-31 14:38:16 +01:00
|
|
|
if not pkg.is_status_ok("cpe"):
|
2021-05-19 04:46:38 +02:00
|
|
|
if pkg.is_actual_package and pkg.current_version:
|
|
|
|
if pkg.cpeid:
|
|
|
|
f.write(" <br/>%s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501
|
|
|
|
(pkg.status['cpe'][1], ":".join(pkg.cpeid.split(":")[0:5])))
|
|
|
|
else:
|
|
|
|
f.write(" %s <a href=\"https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=%s\">(Search)</a>\n" % # noqa: E501
|
|
|
|
(pkg.status['cpe'][1], pkg.name))
|
2021-04-22 21:45:56 +02:00
|
|
|
else:
|
2021-05-19 04:46:38 +02:00
|
|
|
f.write(" %s\n" % pkg.status['cpe'][1])
|
2021-04-22 21:45:56 +02:00
|
|
|
|
2020-12-04 16:45:57 +01:00
|
|
|
f.write(" </td>\n")
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
f.write(" </tr>\n")
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_all_pkgs(f, packages):
|
|
|
|
f.write("""
|
2017-07-06 03:36:31 +02:00
|
|
|
<table class=\"sortable\">
|
2009-10-28 00:28:40 +01:00
|
|
|
<tr>
|
2012-07-31 21:32:25 +02:00
|
|
|
<td>Package</td>
|
|
|
|
<td class=\"centered\">Patch count</td>
|
|
|
|
<td class=\"centered\">Infrastructure</td>
|
|
|
|
<td class=\"centered\">License</td>
|
2012-08-05 11:50:10 +02:00
|
|
|
<td class=\"centered\">License files</td>
|
2014-10-17 15:34:12 +02:00
|
|
|
<td class=\"centered\">Hash file</td>
|
2018-04-04 22:05:33 +02:00
|
|
|
<td class=\"centered\">Current version</td>
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
<td class=\"centered\">Latest version</td>
|
2017-04-08 21:35:33 +02:00
|
|
|
<td class=\"centered\">Warnings</td>
|
2018-10-02 04:37:28 +02:00
|
|
|
<td class=\"centered\">Upstream URL</td>
|
2020-02-15 13:44:16 +01:00
|
|
|
<td class=\"centered\">CVEs</td>
|
2021-04-22 21:45:57 +02:00
|
|
|
<td class=\"centered\">CVEs Ignored</td>
|
2020-12-04 16:45:57 +01:00
|
|
|
<td class=\"centered\">CPE ID</td>
|
2009-10-28 00:28:40 +01:00
|
|
|
</tr>
|
2018-04-04 22:05:33 +02:00
|
|
|
""")
|
|
|
|
for pkg in sorted(packages):
|
|
|
|
dump_html_pkg(f, pkg)
|
|
|
|
f.write("</table>")
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_stats(f, stats):
|
|
|
|
f.write("<a id=\"results\"></a>\n")
|
|
|
|
f.write("<table>\n")
|
|
|
|
infras = [infra[6:] for infra in stats.keys() if infra.startswith("infra-")]
|
|
|
|
for infra in infras:
|
|
|
|
f.write(" <tr><td>Packages using the <i>%s</i> infrastructure</td><td>%s</td></tr>\n" %
|
|
|
|
(infra, stats["infra-%s" % infra]))
|
|
|
|
f.write(" <tr><td>Packages having license information</td><td>%s</td></tr>\n" %
|
|
|
|
stats["license"])
|
|
|
|
f.write(" <tr><td>Packages not having license information</td><td>%s</td></tr>\n" %
|
|
|
|
stats["no-license"])
|
|
|
|
f.write(" <tr><td>Packages having license files information</td><td>%s</td></tr>\n" %
|
|
|
|
stats["license-files"])
|
|
|
|
f.write(" <tr><td>Packages not having license files information</td><td>%s</td></tr>\n" %
|
|
|
|
stats["no-license-files"])
|
|
|
|
f.write(" <tr><td>Packages having a hash file</td><td>%s</td></tr>\n" %
|
|
|
|
stats["hash"])
|
|
|
|
f.write(" <tr><td>Packages not having a hash file</td><td>%s</td></tr>\n" %
|
|
|
|
stats["no-hash"])
|
|
|
|
f.write(" <tr><td>Total number of patches</td><td>%s</td></tr>\n" %
|
|
|
|
stats["patches"])
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
f.write("<tr><td>Packages having a mapping on <i>release-monitoring.org</i></td><td>%s</td></tr>\n" %
|
|
|
|
stats["rmo-mapping"])
|
|
|
|
f.write("<tr><td>Packages lacking a mapping on <i>release-monitoring.org</i></td><td>%s</td></tr>\n" %
|
|
|
|
stats["rmo-no-mapping"])
|
|
|
|
f.write("<tr><td>Packages that are up-to-date</td><td>%s</td></tr>\n" %
|
|
|
|
stats["version-uptodate"])
|
|
|
|
f.write("<tr><td>Packages that are not up-to-date</td><td>%s</td></tr>\n" %
|
|
|
|
stats["version-not-uptodate"])
|
|
|
|
f.write("<tr><td>Packages with no known upstream version</td><td>%s</td></tr>\n" %
|
|
|
|
stats["version-unknown"])
|
2020-02-15 13:44:16 +01:00
|
|
|
f.write("<tr><td>Packages affected by CVEs</td><td>%s</td></tr>\n" %
|
|
|
|
stats["pkg-cves"])
|
|
|
|
f.write("<tr><td>Total number of CVEs affecting all packages</td><td>%s</td></tr>\n" %
|
|
|
|
stats["total-cves"])
|
2020-12-04 16:45:57 +01:00
|
|
|
f.write("<tr><td>Packages with CPE ID</td><td>%s</td></tr>\n" %
|
|
|
|
stats["cpe-id"])
|
|
|
|
f.write("<tr><td>Packages without CPE ID</td><td>%s</td></tr>\n" %
|
|
|
|
stats["no-cpe-id"])
|
2018-04-04 22:05:33 +02:00
|
|
|
f.write("</table>\n")
|
|
|
|
|
|
|
|
|
2019-08-01 11:07:27 +02:00
|
|
|
def dump_html_gen_info(f, date, commit):
|
2018-04-04 22:05:33 +02:00
|
|
|
# Updated on Mon Feb 19 08:12:08 CET 2018, Git commit aa77030b8f5e41f1c53eb1c1ad664b8c814ba032
|
2019-07-19 15:06:30 +02:00
|
|
|
f.write("<p><i>Updated on %s, git commit %s</i></p>\n" % (str(date), commit))
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
|
2019-07-19 15:06:30 +02:00
|
|
|
def dump_html(packages, stats, date, commit, output):
|
2018-04-04 22:05:33 +02:00
|
|
|
with open(output, 'w') as f:
|
|
|
|
f.write(html_header)
|
|
|
|
dump_html_all_pkgs(f, packages)
|
|
|
|
dump_html_stats(f, stats)
|
2019-08-01 11:07:27 +02:00
|
|
|
dump_html_gen_info(f, date, commit)
|
2018-04-04 22:05:33 +02:00
|
|
|
f.write(html_footer)
|
|
|
|
|
|
|
|
|
2020-03-07 08:56:29 +01:00
|
|
|
def dump_json(packages, defconfigs, stats, date, commit, output):
|
2019-07-19 15:06:29 +02:00
|
|
|
# Format packages as a dictionnary instead of a list
|
|
|
|
# Exclude local field that does not contains real date
|
|
|
|
excluded_fields = ['url_worker', 'name']
|
|
|
|
pkgs = {
|
|
|
|
pkg.name: {
|
|
|
|
k: v
|
|
|
|
for k, v in pkg.__dict__.items()
|
|
|
|
if k not in excluded_fields
|
|
|
|
} for pkg in packages
|
|
|
|
}
|
2020-03-07 08:56:29 +01:00
|
|
|
defconfigs = {
|
|
|
|
d.name: {
|
|
|
|
k: v
|
|
|
|
for k, v in d.__dict__.items()
|
|
|
|
} for d in defconfigs
|
|
|
|
}
|
2019-07-19 15:06:29 +02:00
|
|
|
# Aggregate infrastructures into a single dict entry
|
|
|
|
statistics = {
|
|
|
|
k: v
|
|
|
|
for k, v in stats.items()
|
|
|
|
if not k.startswith('infra-')
|
|
|
|
}
|
|
|
|
statistics['infra'] = {k[6:]: v for k, v in stats.items() if k.startswith('infra-')}
|
|
|
|
# The actual structure to dump, add commit and date to it
|
|
|
|
final = {'packages': pkgs,
|
|
|
|
'stats': statistics,
|
2020-03-07 08:56:29 +01:00
|
|
|
'defconfigs': defconfigs,
|
2020-03-07 08:56:32 +01:00
|
|
|
'package_status_checks': Package.status_checks,
|
2019-07-19 15:06:30 +02:00
|
|
|
'commit': commit,
|
|
|
|
'date': str(date)}
|
2019-07-19 15:06:29 +02:00
|
|
|
|
|
|
|
with open(output, 'w') as f:
|
|
|
|
json.dump(final, f, indent=2, separators=(',', ': '))
|
|
|
|
f.write('\n')
|
|
|
|
|
|
|
|
|
2020-03-07 11:37:05 +01:00
|
|
|
def resolvepath(path):
|
2020-07-12 21:23:13 +02:00
|
|
|
return os.path.abspath(os.path.expanduser(path))
|
2020-03-07 11:37:05 +01:00
|
|
|
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def parse_args():
|
|
|
|
parser = argparse.ArgumentParser()
|
2019-07-19 15:06:29 +02:00
|
|
|
output = parser.add_argument_group('output', 'Output file(s)')
|
2020-03-07 11:37:05 +01:00
|
|
|
output.add_argument('--html', dest='html', type=resolvepath,
|
2018-04-04 22:05:33 +02:00
|
|
|
help='HTML output file')
|
2020-03-07 11:37:05 +01:00
|
|
|
output.add_argument('--json', dest='json', type=resolvepath,
|
2019-07-19 15:06:29 +02:00
|
|
|
help='JSON output file')
|
2019-07-19 15:06:28 +02:00
|
|
|
packages = parser.add_mutually_exclusive_group()
|
support/scripts/pkg-stats: support generating stats based on configured packages
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-05 17:30:20 +01:00
|
|
|
packages.add_argument('-c', dest='configpackages', action='store_true',
|
|
|
|
help='Apply to packages enabled in current configuration')
|
2019-07-19 15:06:28 +02:00
|
|
|
packages.add_argument('-n', dest='npackages', type=int, action='store',
|
2019-08-01 17:12:43 +02:00
|
|
|
help='Number of packages')
|
2019-07-19 15:06:28 +02:00
|
|
|
packages.add_argument('-p', dest='packages', action='store',
|
2019-08-01 17:12:43 +02:00
|
|
|
help='List of packages (comma separated)')
|
2020-02-15 13:44:16 +01:00
|
|
|
parser.add_argument('--nvd-path', dest='nvd_path',
|
2020-03-07 11:37:05 +01:00
|
|
|
help='Path to the local NVD database', type=resolvepath)
|
2019-07-19 15:06:29 +02:00
|
|
|
args = parser.parse_args()
|
|
|
|
if not args.html and not args.json:
|
|
|
|
parser.error('at least one of --html or --json (or both) is required')
|
|
|
|
return args
|
2018-04-04 22:05:33 +02:00
|
|
|
|
2021-01-05 23:23:31 +01:00
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
def __main__():
|
2020-11-19 15:53:51 +01:00
|
|
|
global cvecheck
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
args = parse_args()
|
2020-11-19 15:53:51 +01:00
|
|
|
|
|
|
|
if args.nvd_path:
|
|
|
|
import cve as cvecheck
|
|
|
|
|
2018-04-04 22:05:33 +02:00
|
|
|
if args.packages:
|
|
|
|
package_list = args.packages.split(",")
|
support/scripts/pkg-stats: support generating stats based on configured packages
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-05 17:30:20 +01:00
|
|
|
elif args.configpackages:
|
|
|
|
package_list = get_config_packages()
|
2018-04-04 22:05:33 +02:00
|
|
|
else:
|
|
|
|
package_list = None
|
2019-07-19 15:06:30 +02:00
|
|
|
date = datetime.datetime.utcnow()
|
2020-11-05 17:30:19 +01:00
|
|
|
commit = subprocess.check_output(['git', '-C', brpath,
|
|
|
|
'rev-parse',
|
2020-03-01 22:18:48 +01:00
|
|
|
'HEAD']).splitlines()[0].decode()
|
2018-05-18 15:05:00 +02:00
|
|
|
print("Build package list ...")
|
2018-04-04 22:05:33 +02:00
|
|
|
packages = get_pkglist(args.npackages, package_list)
|
2020-03-07 08:56:24 +01:00
|
|
|
print("Getting developers ...")
|
2020-11-19 15:53:54 +01:00
|
|
|
developers = parse_developers()
|
2020-03-07 08:56:29 +01:00
|
|
|
print("Build defconfig list ...")
|
|
|
|
defconfigs = get_defconfig_list()
|
|
|
|
for d in defconfigs:
|
|
|
|
d.set_developers(developers)
|
2018-05-18 15:05:00 +02:00
|
|
|
print("Getting package make info ...")
|
2018-04-04 22:05:33 +02:00
|
|
|
package_init_make_info()
|
2018-05-18 15:05:00 +02:00
|
|
|
print("Getting package details ...")
|
2018-04-04 22:05:33 +02:00
|
|
|
for pkg in packages:
|
|
|
|
pkg.set_infra()
|
|
|
|
pkg.set_license()
|
|
|
|
pkg.set_hash_info()
|
|
|
|
pkg.set_patch_count()
|
|
|
|
pkg.set_check_package_warnings()
|
|
|
|
pkg.set_current_version()
|
2020-12-04 16:45:57 +01:00
|
|
|
pkg.set_cpeid()
|
2018-10-02 04:37:28 +02:00
|
|
|
pkg.set_url()
|
2021-02-11 10:29:10 +01:00
|
|
|
pkg.set_ignored_cves()
|
2020-03-07 08:56:24 +01:00
|
|
|
pkg.set_developers(developers)
|
2018-10-02 04:37:29 +02:00
|
|
|
print("Checking URL status")
|
2020-08-08 20:08:24 +02:00
|
|
|
loop = asyncio.get_event_loop()
|
|
|
|
loop.run_until_complete(check_package_urls(packages))
|
support/scripts/pkg-stats: add latest upstream version information
This commit adds fetching the latest upstream version of each package
from release-monitoring.org.
The fetching process first tries to use the package mappings of the
"Buildroot" distribution [1]. This mapping mechanism allows to tell
release-monitoring.org what is the name of a package in a given
distribution/build-system. For example, the package xutil_util-macros
in Buildroot is named xorg-util-macros on release-monitoring.org. This
mapping can be seen in the section "Mappings" of
https://release-monitoring.org/project/15037/.
If there is no mapping, then it does a regular search, and within the
search results, looks for a package whose name matches the Buildroot
name.
Even though fetching from release-monitoring.org is a bit slow, using
multiprocessing.Pool has proven to not be reliable, with some requests
ending up with an exception. So we keep a serialized approach, but
with a single HTTPSConnectionPool() for all queries. Long term, we
hope to be able to use a database dump of release-monitoring.org
instead.
From an output point of view, the latest version column:
- Is green when the version in Buildroot matches the latest upstream
version
- Is orange when the latest upstream version is unknown because the
package was not found on release-monitoring.org
- Is red when the version in Buildroot doesn't match the latest
upstream version. Note that we are not doing anything smart here:
we are just testing if the strings are equal or not.
- The cell contains the link to the project on release-monitoring.org
if found.
- The cell indicates if the match was done using a distro mapping, or
through a regular search.
[1] https://release-monitoring.org/distro/Buildroot/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-05 16:19:59 +01:00
|
|
|
print("Getting latest versions ...")
|
2020-08-08 20:08:23 +02:00
|
|
|
loop = asyncio.get_event_loop()
|
|
|
|
loop.run_until_complete(check_package_latest_version(packages))
|
2020-02-15 13:44:16 +01:00
|
|
|
if args.nvd_path:
|
|
|
|
print("Checking packages CVEs")
|
support/scripts/{pkg-stats, cve.py}: support CPE ID based matching
This commit modifies cve.py, as well as its users cve-checker and
pkg-stats to support CPE ID based matching, for packages that have CPE
ID information.
One of the non-trivial thing is that we can't simply iterate over all
CVEs, and then iterate over all our packages to see which packages
have CPE ID information that match the CPEs affected by the
CVE. Indeed, this is an O(n^2) operation.
So instead, we do a pre-filtering of packages potentially affected. In
check_package_cves(), we build a cpe_product_pkgs dict that associates
a CPE product name to the packages that have this CPE product
name. The CPE product name is either derived from the CPE information
provided by the package if available, and otherwise we use the package
name, which is what was used prior to this patch.
And then, when we look at CVEs, we only consider the packages that
have a CPE product name matching the CPE products affected by the
CVEs. This is done in check_package_cve_affects().
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:58 +01:00
|
|
|
check_package_cves(args.nvd_path, packages)
|
2021-01-31 14:38:16 +01:00
|
|
|
check_package_cpes(args.nvd_path, packages)
|
2018-05-18 15:05:00 +02:00
|
|
|
print("Calculate stats")
|
2018-04-04 22:05:33 +02:00
|
|
|
stats = calculate_stats(packages)
|
2019-07-19 15:06:29 +02:00
|
|
|
if args.html:
|
|
|
|
print("Write HTML")
|
2019-07-19 15:06:30 +02:00
|
|
|
dump_html(packages, stats, date, commit, args.html)
|
2019-07-19 15:06:29 +02:00
|
|
|
if args.json:
|
|
|
|
print("Write JSON")
|
2020-03-07 08:56:29 +01:00
|
|
|
dump_json(packages, defconfigs, stats, date, commit, args.json)
|
2018-04-04 22:05:33 +02:00
|
|
|
|
|
|
|
|
|
|
|
__main__()
|