2020-07-24 17:43:53 +02:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
# Copyright (C) 2009 by Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
|
|
# Copyright (C) 2020 by Gregory CLEMENT <gregory.clement@bootlin.com>
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
# General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
|
|
|
|
import argparse
|
|
|
|
import datetime
|
|
|
|
import os
|
|
|
|
import json
|
|
|
|
import sys
|
|
|
|
import cve as cvecheck
|
|
|
|
|
2020-09-02 23:21:57 +02:00
|
|
|
|
2020-07-24 17:43:53 +02:00
|
|
|
class Package:
|
|
|
|
def __init__(self, name, version, ignored_cves):
|
|
|
|
self.name = name
|
|
|
|
self.version = version
|
|
|
|
self.cves = list()
|
|
|
|
self.ignored_cves = ignored_cves
|
|
|
|
|
2020-09-02 23:21:57 +02:00
|
|
|
|
2020-07-24 17:43:53 +02:00
|
|
|
def check_package_cves(nvd_path, packages):
|
|
|
|
if not os.path.isdir(nvd_path):
|
|
|
|
os.makedirs(nvd_path)
|
|
|
|
|
|
|
|
for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
|
|
|
|
for pkg_name in cve.pkg_names:
|
|
|
|
pkg = packages.get(pkg_name, '')
|
|
|
|
if pkg and cve.affects(pkg.name, pkg.version, pkg.ignored_cves) == cve.CVE_AFFECTS:
|
|
|
|
pkg.cves.append(cve.identifier)
|
|
|
|
|
2020-09-02 23:21:57 +02:00
|
|
|
|
2020-07-24 17:43:53 +02:00
|
|
|
html_header = """
|
|
|
|
<head>
|
|
|
|
<script src=\"https://www.kryogenix.org/code/browser/sorttable/sorttable.js\"></script>
|
|
|
|
<style type=\"text/css\">
|
|
|
|
table {
|
|
|
|
width: 100%;
|
|
|
|
}
|
|
|
|
td {
|
|
|
|
border: 1px solid black;
|
|
|
|
}
|
|
|
|
td.centered {
|
|
|
|
text-align: center;
|
|
|
|
}
|
|
|
|
td.wrong {
|
|
|
|
background: #ff9a69;
|
|
|
|
}
|
|
|
|
td.correct {
|
|
|
|
background: #d2ffc4;
|
|
|
|
}
|
|
|
|
|
|
|
|
</style>
|
|
|
|
<title>CVE status for Buildroot configuration</title>
|
|
|
|
</head>
|
|
|
|
|
|
|
|
<p id=\"sortable_hint\"></p>
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
html_footer = """
|
|
|
|
</body>
|
|
|
|
<script>
|
|
|
|
if (typeof sorttable === \"object\") {
|
|
|
|
document.getElementById(\"sortable_hint\").innerHTML =
|
|
|
|
\"hint: the table can be sorted by clicking the column headers\"
|
|
|
|
}
|
|
|
|
</script>
|
|
|
|
</html>
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_pkg(f, pkg):
|
|
|
|
f.write(" <tr>\n")
|
|
|
|
f.write(" <td>%s</td>\n" % pkg.name)
|
|
|
|
|
|
|
|
# Current version
|
|
|
|
if len(pkg.version) > 20:
|
|
|
|
version = pkg.version[:20] + "..."
|
|
|
|
else:
|
|
|
|
version = pkg.version
|
|
|
|
f.write(" <td class=\"centered\">%s</td>\n" % version)
|
|
|
|
|
|
|
|
# CVEs
|
|
|
|
td_class = ["centered"]
|
|
|
|
if len(pkg.cves) == 0:
|
|
|
|
td_class.append("correct")
|
|
|
|
else:
|
|
|
|
td_class.append("wrong")
|
|
|
|
f.write(" <td class=\"%s\">\n" % " ".join(td_class))
|
|
|
|
for cve in pkg.cves:
|
|
|
|
f.write(" <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
|
|
|
|
f.write(" </td>\n")
|
|
|
|
|
|
|
|
f.write(" </tr>\n")
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_all_pkgs(f, packages):
|
|
|
|
f.write("""
|
|
|
|
<table class=\"sortable\">
|
|
|
|
<tr>
|
|
|
|
<td>Package</td>
|
|
|
|
<td class=\"centered\">Version</td>
|
|
|
|
<td class=\"centered\">CVEs</td>
|
|
|
|
</tr>
|
|
|
|
""")
|
|
|
|
for pkg in packages:
|
|
|
|
dump_html_pkg(f, pkg)
|
|
|
|
f.write("</table>")
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html_gen_info(f, date):
|
|
|
|
f.write("<p><i>Generated on %s</i></p>\n" % (str(date)))
|
|
|
|
|
|
|
|
|
|
|
|
def dump_html(packages, date, output):
|
|
|
|
with open(output, 'w') as f:
|
|
|
|
f.write(html_header)
|
|
|
|
dump_html_all_pkgs(f, packages)
|
|
|
|
dump_html_gen_info(f, date)
|
|
|
|
f.write(html_footer)
|
|
|
|
|
|
|
|
|
|
|
|
def dump_json(packages, date, output):
|
|
|
|
# Format packages as a dictionnary instead of a list
|
|
|
|
pkgs = {
|
|
|
|
pkg.name: {
|
|
|
|
"version": pkg.version,
|
|
|
|
"cves": pkg.cves,
|
|
|
|
} for pkg in packages
|
|
|
|
}
|
2020-09-02 23:21:57 +02:00
|
|
|
# The actual structure to dump, add date to it
|
2020-07-24 17:43:53 +02:00
|
|
|
final = {'packages': pkgs,
|
|
|
|
'date': str(date)}
|
|
|
|
with open(output, 'w') as f:
|
|
|
|
json.dump(final, f, indent=2, separators=(',', ': '))
|
|
|
|
f.write('\n')
|
|
|
|
|
|
|
|
|
|
|
|
def resolvepath(path):
|
|
|
|
return os.path.abspath(os.path.expanduser(path))
|
|
|
|
|
|
|
|
|
|
|
|
def parse_args():
|
|
|
|
parser = argparse.ArgumentParser()
|
|
|
|
output = parser.add_argument_group('output', 'Output file(s)')
|
|
|
|
output.add_argument('--html', dest='html', type=resolvepath,
|
|
|
|
help='HTML output file')
|
|
|
|
output.add_argument('--json', dest='json', type=resolvepath,
|
|
|
|
help='JSON output file')
|
|
|
|
parser.add_argument('--nvd-path', dest='nvd_path',
|
2020-09-02 23:21:57 +02:00
|
|
|
help='Path to the local NVD database', type=resolvepath,
|
2020-07-24 17:43:53 +02:00
|
|
|
required=True)
|
|
|
|
args = parser.parse_args()
|
|
|
|
if not args.html and not args.json:
|
|
|
|
parser.error('at least one of --html or --json (or both) is required')
|
|
|
|
return args
|
|
|
|
|
|
|
|
|
|
|
|
def __main__():
|
|
|
|
packages = list()
|
|
|
|
content = json.load(sys.stdin)
|
|
|
|
for item in content:
|
|
|
|
pkg = content[item]
|
|
|
|
p = Package(item, pkg.get('version', ''), pkg.get('ignore_cves', ''))
|
|
|
|
packages.append(p)
|
|
|
|
|
|
|
|
args = parse_args()
|
|
|
|
date = datetime.datetime.utcnow()
|
|
|
|
|
|
|
|
print("Checking packages CVEs")
|
|
|
|
check_package_cves(args.nvd_path, {p.name: p for p in packages})
|
|
|
|
|
|
|
|
if args.html:
|
|
|
|
print("Write HTML")
|
|
|
|
dump_html(packages, date, args.html)
|
|
|
|
if args.json:
|
|
|
|
print("Write JSON")
|
|
|
|
dump_json(packages, date, args.json)
|
|
|
|
|
2020-09-02 23:21:57 +02:00
|
|
|
|
2020-07-24 17:43:53 +02:00
|
|
|
__main__()
|