NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2a057339cc
kumquat-buildroot/support
History
Thomas Petazzoni 4a157be9ef support/scripts/pkg-stats: add support for CVE reporting 
This commit extends the pkg-stats script to grab information about the
CVEs affecting the Buildroot packages.

To do so, it downloads the NVD database from
https://nvd.nist.gov/vuln/data-feeds in JSON format, and processes the
JSON file to determine which of our packages is affected by which
CVE. The information is then displayed in both the HTML output and the
JSON output of pkg-stats.

To use this feature, you have to pass the new --nvd-path option,
pointing to a writable directory where pkg-stats will store the NVD
database. If the local database is less than 24 hours old, it will not
re-download it. If it is more than 24 hours old, it will re-download
only the files that have really been updated by upstream NVD.

Packages can use the newly introduced <pkg>_IGNORE_CVES variable to
tell pkg-stats that some CVEs should be ignored: it can be because a
patch we have is fixing the CVE, or because the CVE doesn't apply in
our case.

>From an implementation point of view:

 - A new class CVE implement most of the required functionalities:
   - Downloading the yearly NVD files
   - Reading and extracting relevant data from these files
   - Matching Packages against a CVE

 - The statistics are extended with the total number of CVEs, and the
   total number of packages that have at least one CVE pending.

 - The HTML output is extended with these new details. There are no
   changes to the code generating the JSON output because the existing
   code is smart enough to automatically expose the new information.

This development is a collective effort with Titouan Christophe
<titouan.christophe@railnova.eu> and Thomas De Schampheleire
<thomas.de_schampheleire@nokia.com>.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 16:49:07 +01:00
..
config-fragments support/config-fragments/autobuild: fix riscv toolchains 2020-01-02 09:15:43 +01:00
dependencies core/dependencies: check if we need to build our own host-coreutils 2020-01-06 21:43:38 +01:00
docker support/docker: add python3 2019-10-27 20:24:10 +01:00
download support/download/svn: generate reproducible svn archives 2019-12-30 10:50:21 +01:00
gnuconfig support/gnuconfig: update to 2019-05-28 2019-05-31 22:59:52 +02:00
kconfig support/kconfig/merge_config.sh: avoid false positive matches from comment lines 2018-11-24 10:11:15 +01:00
legal-info core/legal-info: update list of saved material in README 2020-01-18 18:38:42 +01:00
libtool support/libtool: add patch for newer versions 2014-12-21 13:21:56 +01:00
misc Update for 2019.11 2019-12-01 22:39:47 +01:00
scripts support/scripts/pkg-stats: add support for CVE reporting 2020-02-15 16:49:07 +01:00
testing support/testing/glxinfo: explicitely enable GLX 2020-02-15 11:59:13 +01:00