[Buildroot] [PATCH v3 12/12] support/scripts/pkg-stats: add status for cve check

Heiko Thiery heiko.thiery at gmail.com
Mon Feb 24 07:06:18 UTC 2020 

Hi Titouan and all,

Am So., 23. Feb. 2020 um 15:24 Uhr schrieb Titouan Christophe
<titouan.christophe at railnova.eu>:
>
> Heiko, all,
>
> On 2/22/20 9:57 AM, Heiko Thiery wrote:
> > Signed-off-by: Heiko Thiery <heiko.thiery at gmail.com>
> > ---
> >   support/scripts/pkg-stats | 10 ++++++++--
> >   1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> > index ed22f6b650..4efff8624f 100755
> > --- a/support/scripts/pkg-stats
> > +++ b/support/scripts/pkg-stats
> > @@ -617,8 +617,14 @@ def check_package_cves(nvd_path, packages):
> >
> >       for cve in CVE.read_nvd_dir(nvd_path):
> >           for pkg_name in cve.pkg_names:
> > -            if pkg_name in packages and cve.affects(packages[pkg_name]):
> > -                packages[pkg_name].cves.append(cve.identifier)
> > +            if pkg_name in packages:
> > +                if cve.affects(packages[pkg_name]):
> > +                    packages[pkg_name].cves.append(cve.identifier)
> > +                if len(packages[pkg_name].cves):
> > +                    packages[pkg_name].status['cve'] = ('error', 'affected by cve')
> > +                else:
> > +                    packages[pkg_name].status['cve'] = ('ok', 'no cve found')
> > +
> >
> >
> >   def calculate_stats(packages):
> >
>
> In the current state, that would give:
>
> * If a CVE applies to a br package -> error
> * If a CVE does not applies to a br package -> ok
> * If no CVE points to a br package -> na (no status check done)
>
> I would argue that the latest case is not correct. The status should be
> ok, because we ran through the whole list of CVEs from the NVD feed, and
> we did not find any of them that applies to this package.

I see .. I think you are right. This will lead to a wrong status. I
will remove the initializer for the status.

>
> I would rather write it like this:
>
> ########################
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index ed22f6b650..91477d583e 100755
> --- a/support/scripts/pkg-stats
> +++ b/support/scripts/pkg-stats
> @@ -620,6 +620,12 @@ def check_package_cves(nvd_path, packages):
>               if pkg_name in packages and cve.affects(packages[pkg_name]):
>                   packages[pkg_name].cves.append(cve.identifier)
>
> +    for pkg_name, pkg in packages.items():
> +        if len(pkg.cves) > 0:
> +            pkg.status['cve'] = ('error', 'affected by CVE(s)')
> +        else:
> +            pkg.status['cve'] = ('ok', 'no CVE found')
> +

Isn't it right that we loop then (depending on the amount of nvd
pathes) several thousend times?

e.g. packages ~2600, nvds ~ 20 => 20*2600=52000

On the other hand we loop over the list of packages all over the place ;-/

>
>   def calculate_stats(packages):
>       stats = defaultdict(int)
> ########################
>
>
> Best regards,
>
> Titouan

More information about the buildroot mailing list