support/scripts/pkg-stats: improve rendering of CVE information

This commit improves pkg-stats to fill in pkg.status['cve'] depending on the situation for CVEs affecting this package. They are then used in the HTML rendering. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:46:00 +01:00 · 2020-12-04 16:46:00 +01:00 · bd665d182c
commit bd665d182c
parent 78d7521f82
1 changed files with 31 additions and 5 deletions
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@ -571,8 +571,10 @@ def check_package_cves(nvd_path, packages):
    cpe_product_pkgs = defaultdict(list)
    for pkg in packages:
        if not pkg.has_valid_infra:
+            pkg.status['cve'] = ("na", "no valid package infra")
            continue
        if not pkg.current_version:
+            pkg.status['cve'] = ("na", "no version information available")
            continue
        if pkg.cpeid:
            cpe_product = cvecheck.cpe_product(pkg.cpeid)
@ -583,6 +585,13 @@ def check_package_cves(nvd_path, packages):
    for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
        check_package_cve_affects(cve, cpe_product_pkgs)

+    for pkg in packages:
+        if 'cve' not in pkg.status:
+            if pkg.cves:
+                pkg.status['cve'] = ("error", "affected by CVEs")
+            else:
+                pkg.status['cve'] = ("ok", "not affected by CVEs")
+
 def calculate_stats(packages):
    stats = defaultdict(int)
    stats['packages'] = len(packages)
@ -693,6 +702,18 @@ td.cpe-unknown {
 background: #ffd870;
 }

+td.cve-ok {
+  background: #d2ffc4;
+}
+
+td.cve-nok {
+  background: #ff9a69;
+}
+
+td.cve-unknown {
+ background: #ffd870;
+}
+
 </style>
 <title>Statistics of Buildroot packages</title>
 </head>
@ -851,13 +872,18 @@ def dump_html_pkg(f, pkg):

    # CVEs
    td_class = ["centered"]
-    if len(pkg.cves) == 0:
-        td_class.append("correct")
+    if pkg.status['cve'][0] == "ok":
+        td_class.append("cve-ok")
+    elif pkg.status['cve'][0] == "error":
+        td_class.append("cve-nok")
    else:
-        td_class.append("wrong")
+        td_class.append("cve-unknown")
    f.write("  <td class=\"%s\">\n" % " ".join(td_class))
+    if pkg.status['cve'][0] == "error":
        for cve in pkg.cves:
            f.write("   <a href=\"https://security-tracker.debian.org/tracker/%s\">%s<br/>\n" % (cve, cve))
+    elif pkg.status['cve'][0] == "na":
+        f.write("    %s" % pkg.status['cve'][1])
    f.write("  </td>\n")

    # CPE ID