[Buildroot] [PATCH v3 12/12] support/scripts/pkg-stats: add status for cve check

Titouan Christophe titouan.christophe at railnova.eu
Sun Feb 23 14:24:14 UTC 2020


Heiko, all,

On 2/22/20 9:57 AM, Heiko Thiery wrote:
> Signed-off-by: Heiko Thiery <heiko.thiery at gmail.com>
> ---
>   support/scripts/pkg-stats | 10 ++++++++--
>   1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index ed22f6b650..4efff8624f 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -617,8 +617,14 @@ def check_package_cves(nvd_path, packages):
>   
>       for cve in CVE.read_nvd_dir(nvd_path):
>           for pkg_name in cve.pkg_names:
> -            if pkg_name in packages and cve.affects(packages[pkg_name]):
> -                packages[pkg_name].cves.append(cve.identifier)
> +            if pkg_name in packages:
> +                if cve.affects(packages[pkg_name]):
> +                    packages[pkg_name].cves.append(cve.identifier)
> +                if len(packages[pkg_name].cves):
> +                    packages[pkg_name].status['cve'] = ('error', 'affected by cve')
> +                else:
> +                    packages[pkg_name].status['cve'] = ('ok', 'no cve found')
> +
>   
>   
>   def calculate_stats(packages):
> 

In the current state, that would give:

* If a CVE applies to a br package -> error
* If a CVE does not applies to a br package -> ok
* If no CVE points to a br package -> na (no status check done)

I would argue that the latest case is not correct. The status should be 
ok, because we ran through the whole list of CVEs from the NVD feed, and 
we did not find any of them that applies to this package.

I would rather write it like this:

########################
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index ed22f6b650..91477d583e 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -620,6 +620,12 @@ def check_package_cves(nvd_path, packages):
              if pkg_name in packages and cve.affects(packages[pkg_name]):
                  packages[pkg_name].cves.append(cve.identifier)

+    for pkg_name, pkg in packages.items():
+        if len(pkg.cves) > 0:
+            pkg.status['cve'] = ('error', 'affected by CVE(s)')
+        else:
+            pkg.status['cve'] = ('ok', 'no CVE found')
+

  def calculate_stats(packages):
      stats = defaultdict(int)
########################


Best regards,

Titouan


More information about the buildroot mailing list