meta-security/scripts/cvert-update
Andrii Bordunov via Openembedded-core fbc9b46075 cve-report: add scripts to generate CVE reports
cvert-foss - generate CVE report for the list of packages.
  Analyze the whole image manifest to align with the complex
  CPE configurations.

cvert-update - update NVD feeds and store CVE structures dump.
  CVE dump is a pickled representation of the cve_struct dictionary.

cvert.py - python library used by cvert-* scripts.
  NVD JSON Vulnerability Feeds https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

Usage examples:

  o Download CVE feeds to "nvdfeed" directory
    % cvert-update nvdfeed
  o Update CVE feeds and store a dump in a file
    % cvert-update --store cvedump nvdfeed
  o Generate a CVE report
    % cvert-foss --feed-dir nvdfeed --output report-foss.txt cve-manifest
  o (faster) Use dump file to generate a CVE report
    % cvert-foss --restore cvedump --output report-foss.txt cve-manifest
  o Generate a full report
    % cvert-foss --restore cvedump --show-description --show-reference \
                 --output report-foss-full.txt cve-manifest

Manifest example:

  bash,4.2,CVE-2014-7187
  python,2.7.35,
  python,3.5.5,CVE-2017-17522 CVE-2018-1061

Report example:

    patched |  7.5 | CVE-2018-1061      | python | 3.5.5
    patched | 10.0 | CVE-2014-7187      | bash | 4.2
    patched |  8.8 | CVE-2017-17522     | python | 3.5.5
  unpatched | 10.0 | CVE-2014-6271      | bash | 4.2
  unpatched | 10.0 | CVE-2014-6277      | bash | 4.2
  unpatched | 10.0 | CVE-2014-6278      | bash | 4.2
  unpatched | 10.0 | CVE-2014-7169      | bash | 4.2
  unpatched | 10.0 | CVE-2014-7186      | bash | 4.2
  unpatched |  4.6 | CVE-2012-3410      | bash | 4.2
  unpatched |  8.4 | CVE-2016-7543      | bash | 4.2
  unpatched |  5.0 | CVE-2010-3492      | python | 2.7.35
  unpatched |  5.3 | CVE-2016-1494      | python | 2.7.35
  unpatched |  6.5 | CVE-2017-18207     | python | 3.5.5
  unpatched |  6.5 | CVE-2017-18207     | python | 2.7.35
  unpatched |  7.1 | CVE-2013-7338      | python | 2.7.35
  unpatched |  7.5 | CVE-2018-1060      | python | 3.5.5
  unpatched |  8.8 | CVE-2017-17522     | python | 2.7.35

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26 21:58:33 -07:00

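The manifest and report formats described in the commit message, as an added example that is not part of the commit or of the cvert scripts: a small parser for the `package,version,fixed-CVEs` manifest lines and the patched/unpatched classification the report derives from them. The CVE records (`CVE_DB`) are constructed stand-ins for NVD data and match by package name only; the real scripts use the feeds' CPE configurations to decide which versions a CVE applies to.

```python
import csv
import io

# Constructed manifest in the page's format: package, version, then a
# space-separated list of CVE ids the build already carries fixes for.
MANIFEST = """\
bash,4.2,CVE-2014-7187
python,2.7.35,
python,3.5.5,CVE-2017-17522 CVE-2018-1061
"""

# Constructed stand-in for NVD data: (package, cve_id, cvss_score).
# Applicability is simplified to "same package name"; the real scripts
# evaluate CPE configurations from the feeds instead.
CVE_DB = [
    ("bash", "CVE-2014-7187", 10.0),
    ("bash", "CVE-2014-6271", 10.0),
    ("python", "CVE-2018-1061", 7.5),
    ("python", "CVE-2017-17522", 8.8),
    ("python", "CVE-2018-1060", 7.5),
]


def parse_manifest(text):
    """Return [(package, version, set_of_fixed_cve_ids)] from manifest text."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comments
        pkg, ver, fixed = (row + ["", ""])[:3]  # third column may be absent
        entries.append((pkg.strip(), ver.strip(), set(fixed.split())))
    return entries


def build_report(manifest_text, cve_db):
    """Classify each applicable CVE as patched or unpatched, patched first."""
    rows = []
    for pkg, ver, fixed in parse_manifest(manifest_text):
        for db_pkg, cve, score in cve_db:
            if db_pkg == pkg:
                status = "patched" if cve in fixed else "unpatched"
                rows.append((status, score, cve, pkg, ver))
    rows.sort(key=lambda r: r[0] != "patched")  # stable: patched rows first
    return rows


def format_report(rows):
    """Render rows in the column layout of the sample report."""
    return "\n".join("{:>9} | {:4.1f} | {:<18} | {} | {}".format(*r) for r in rows)
```

Calling `print(format_report(build_report(MANIFEST, CVE_DB)))` prints the same column layout as the report excerpt above, with the constructed CVE set.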

#!/usr/bin/env python3
#
# Copyright (c) 2018 by Cisco Systems, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
""" Update NVD feeds and store CVE blob locally
"""
import textwrap
import argparse
import logging
import logging.config
import cvert


def update_cvert():
    """Update CVE storage"""
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description=textwrap.dedent("""
            Update NVD feeds and store CVE blob locally.
            """),
        epilog=textwrap.dedent("""
            examples:
            # Download NVD feeds to "nvdfeed" directory.
            # If there are meta files in the directory, they will be updated
            # and only fresh archives will be downloaded
            %% %(prog)s nvdfeed
            # Inspect NVD feeds in "nvdfeed" directory
            # and prepare a CVE dump python blob "cvedump".
            # Use it later as input for cvert-* scripts (for speeding up)
            %% %(prog)s --offline --store cvedump nvdfeed
            # Download (update) NVD feeds and prepare the CVE dump
            %% %(prog)s --store cvedump nvdfeed
            """))
    parser.add_argument("-d", "--store", help="save CVE data structures in file",
                        metavar="FILENAME")
    parser.add_argument("--offline", help="do not update from NVD site",
                        action="store_true")
    parser.add_argument("--debug", help="print debug messages",
                        action="store_true")
    parser.add_argument("feed_dir", help="feeds directory",
                        metavar="feed-dir")
    args = parser.parse_args()
    logging.config.dictConfig(cvert.logconfig(args.debug))
    # Parse the feeds in feed_dir (downloading/updating them first unless
    # --offline) into the cve_struct dictionary.
    cve_struct = cvert.update_feeds(args.feed_dir, args.offline)
    if not cve_struct and args.offline:
        parser.error("No CVEs found in {0}. Try turning off offline mode.".format(args.feed_dir))
    # Optionally pickle cve_struct so cvert-* scripts can --restore it later.
    if args.store:
        cvert.save_cve(args.store, cve_struct)


if __name__ == "__main__":
    update_cvert()