support/scripts: make CVE class independent of the Packaage class

The affects method of the CVE uses the Package class defined in pkg-stats. The purpose of migrating the CVE class outside of pkg-stats was to be able to reuse it from other scripts. So let's remove the Package dependency and only use the needed information. Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-24 17:43:52 +02:00 · 2020-07-24 17:43:52 +02:00 · 2a2f69d672
commit 2a2f69d672
parent b9c9f23f9a
2 changed files with 13 additions and 11 deletions
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@ -190,21 +190,21 @@ class CVE:
        """The set of package names referred by this CVE definition"""
        return set(p['product'] for p in self.each_cpe())

-    def affects(self, br_pkg):
+    def affects(self, name, version, cve_ignore_list):
        """
        True if the Buildroot Package object passed as argument is affected
        by this CVE.
        """
-        if br_pkg.is_cve_ignored(self.identifier):
+        if self.identifier in cve_ignore_list:
            return self.CVE_DOESNT_AFFECT

-        pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
+        pkg_version = distutils.version.LooseVersion(version)
        if not hasattr(pkg_version, "version"):
-            print("Cannot parse package '%s' version '%s'" % (br_pkg.name, br_pkg.current_version))
+            print("Cannot parse package '%s' version '%s'" % (name, version))
            pkg_version = None

        for cpe in self.each_cpe():
-            if cpe['product'] != br_pkg.name:
+            if cpe['product'] != name:
                continue
            if cpe['v_start'] == '-':
                return self.CVE_AFFECTS
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@ -236,11 +236,12 @@ class Package:
                    self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
                return

-    def is_cve_ignored(self, cve):
+    @property
+    def ignored_cves(self):
        """
-        Tells if the CVE is ignored by the package
+        Give the list of CVEs ignored by the package
        """
-        return cve in self.all_ignored_cves.get(self.pkgvar(), [])
+        return list(self.all_ignored_cves.get(self.pkgvar(), []))

    def set_developers(self, developers):
        """
@ -536,9 +537,10 @@ def check_package_cves(nvd_path, packages):

    for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
        for pkg_name in cve.pkg_names:
-            if pkg_name in packages and cve.affects(packages[pkg_name]) == cve.CVE_AFFECTS:
-                packages[pkg_name].cves.append(cve.identifier)
-
+            if pkg_name in packages:
+                pkg = packages[pkg_name]
+                if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS :
+                    pkg.cves.append(cve.identifier)

 def calculate_stats(packages):
    stats = defaultdict(int)