From 2a2f69d672f51f96eef377139c9e77001ae4a0e9 Mon Sep 17 00:00:00 2001
From: Gregory CLEMENT
Date: Fri, 24 Jul 2020 17:43:52 +0200
Subject: [PATCH] support/scripts: make CVE class independent of the Packaage class

The affects method of the CVE uses the Package class defined in pkg-stats. The purpose of migrating the CVE class outside of pkg-stats was to be able to reuse it from other scripts. So let's remove the Package dependency and only use the needed information.

Signed-off-by: Gregory CLEMENT
Signed-off-by: Thomas Petazzoni
---
 support/scripts/cve.py    | 10 +++++-----
 support/scripts/pkg-stats | 14 ++++++++------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index e812da810c..6396019e0e 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -190,21 +190,21 @@ class CVE:
         """The set of package names referred by this CVE definition"""
         return set(p['product'] for p in self.each_cpe())
 
-    def affects(self, br_pkg):
+    def affects(self, name, version, cve_ignore_list):
         """
         True if the Buildroot Package object passed as argument is
         affected by this CVE.
         """
-        if br_pkg.is_cve_ignored(self.identifier):
+        if self.identifier in cve_ignore_list:
             return self.CVE_DOESNT_AFFECT
 
-        pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
+        pkg_version = distutils.version.LooseVersion(version)
         if not hasattr(pkg_version, "version"):
-            print("Cannot parse package '%s' version '%s'" % (br_pkg.name, br_pkg.current_version))
+            print("Cannot parse package '%s' version '%s'" % (name, version))
             pkg_version = None
 
         for cpe in self.each_cpe():
-            if cpe['product'] != br_pkg.name:
+            if cpe['product'] != name:
                 continue
             if cpe['v_start'] == '-':
                 return self.CVE_AFFECTS
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 5e2213fb5c..be586a2c2e 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
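Review bot: The docstring of `affects` still describes the old contract — "the Buildroot Package object passed as argument" — while the new signature takes `name`, `version` and `cve_ignore_list`, and the visible return paths yield the `CVE_*` constants rather than a boolean; since the stated goal is reuse from other scripts, this docstring is the contract those callers will read. Suggested wording: `Return CVE_DOESNT_AFFECT when this CVE's identifier is in cve_ignore_list; otherwise match the package name/version against this CVE's CPE entries and return the resulting CVE_* status.` `cve_ignore_list` is only used with `in`, so a sentence noting that any container of identifiers is accepted would spare callers from building a list. The body of `affects` continues past the end of the hunk, so the remaining return paths are not visible here.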
@@ -236,11 +236,12 @@ class Package:
             self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
             return
 
-    def is_cve_ignored(self, cve):
+    @property
+    def ignored_cves(self):
         """
-        Tells if the CVE is ignored by the package
+        Give the list of CVEs ignored by the package
         """
-        return cve in self.all_ignored_cves.get(self.pkgvar(), [])
+        return list(self.all_ignored_cves.get(self.pkgvar(), []))
 
     def set_developers(self, developers):
         """
@@ -536,9 +537,10 @@ def check_package_cves(nvd_path, packages):
     for cve in cvecheck.CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
-            if pkg_name in packages and cve.affects(packages[pkg_name]) == cve.CVE_AFFECTS:
-                packages[pkg_name].cves.append(cve.identifier)
-
+            if pkg_name in packages:
+                pkg = packages[pkg_name]
+                if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS :
+                    pkg.cves.append(cve.identifier)
 
 
 def calculate_stats(packages):
     stats = defaultdict(int)
-- 
2.30.2
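Review bot: `ignored_cves` builds a fresh `list(...)` from `all_ignored_cves` on every access, and its only visible consumer (the `check_package_cves` hunk in this same file) reads it once per CVE/package pair and only needs membership tests, so a `frozenset(...)` computed once per Package would avoid the repeated copies and the linear `in` scans. If the list type is kept, the docstring should read `Return the list of CVEs ignored by the package` rather than "Give". Whether other callers rely on a list is not visible from this hunk.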
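Review bot: The new condition line carries a stray space before the colon, `== cve.CVE_AFFECTS :`, which flake8 reports as E203; it should be `if cve.affects(pkg.name, pkg.current_version, pkg.ignored_cves) == cve.CVE_AFFECTS:`. The two nested `if`s could also stay a single guard as the removed line was, e.g. `if pkg_name not in packages: continue` followed by the lookup and the `affects` check, which keeps the loop body flat. The start of `check_package_cves` lies before the hunk.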