[Buildroot] [PATCH 5/9] support/scripts: Add a per configuration CVE checker

Matthew Weber matthew.weber at rockwellcollins.com
Thu Jul 9 11:46:59 UTC 2020


Gregory,

On Wed, Jul 8, 2020 at 11:41 AM Gregory CLEMENT
<gregory.clement at bootlin.com> wrote:
>
> This scripts takes as entry on stdin a JSON description of the package
> used for a given configuration. This description is the one generated
> by "make show-info".
>
> The script generates the list of all the package used and if they are
> affected by a CVE. The output is either a JSON or an HTML file similar
> to the one generated by pkg-stats.
>
> Signed-off-by: Gregory CLEMENT <gregory.clement at bootlin.com>
> ---
>  support/scripts/cve-checker | 291 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 291 insertions(+)
>  create mode 100755 support/scripts/cve-checker
>
> diff --git a/support/scripts/cve-checker b/support/scripts/cve-checker
> new file mode 100755
> index 0000000000..db8497d7aa
> --- /dev/null
> +++ b/support/scripts/cve-checker
> @@ -0,0 +1,291 @@
> +#!/usr/bin/env python
> +
> +# Copyright (C) 2009 by Thomas Petazzoni <thomas.petazzoni at free-electrons.com>
> +# Copyright (C) 2020 by Gregory CLEMENT <gregory.clement at bootlin.com>
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +# General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +import argparse
> +import datetime
> +import fnmatch
> +import os
> +from collections import defaultdict
> +import re
> +import subprocess
> +import requests  # URL checking
> +import json
> +import ijson

I noticed ijson wasn't something I had already installed on my host
system.  I'd suggest adding the dependency check similar to the
graph-size make target (support/scripts/size-stats), since this is a
user facing tool vs pkg-stats was for maintenance.  An easy test to
see what dependencies a user might run into on a basic system could be
to use the base buildroot Docker
image(https://hub.docker.com/r/buildroot/base) or create one using
(support/docker/Dockerfile).

> +import certifi
> +import distutils.version
> +import time
> +import gzip
> +import sys
> +from urllib3 import HTTPSConnectionPool
> +from urllib3.exceptions import HTTPError
> +from multiprocessing import Pool
> +

Regards,
Matt


More information about the buildroot mailing list