feat(backports): Add output backport fixes for debian based distros #1273
Codecov Report
@@ Coverage Diff @@
## main #1273 +/- ##
==========================================
- Coverage 79.35% 79.32% -0.04%
==========================================
Files 271 274 +3
Lines 4902 4996 +94
Branches 591 608 +17
==========================================
+ Hits 3890 3963 +73
- Misses 865 875 +10
- Partials 147 158 +11
Sample output:

```
breadgenie@breadlamp:~/Code/cve-bin-tool$ python3 -m cve_bin_tool.cli test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz -b
[18:35:05] INFO cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update immediately. cvedb.py:304
INFO cve_bin_tool.CVEDB - Check database is using latest schema cvedb.py:316
INFO cve_bin_tool.CVEDB - There are 167181 CVE entries in the database cvedb.py:334
[18:35:06] INFO cve_bin_tool.VersionScanner - Checkers: accountsservice, avahi, bash, bind, binutils, bolt, bubblewrap, busybox, bzip2, cronie, cryptsetup, cups, curl, dbus, dnsmasq, version_scanner.py:91
dovecot, dpkg, enscript, expat, ffmpeg, freeradius, ftp, gcc, gimp, glibc, gnomeshell, gnupg, gnutls, gpgme, gstreamer, gupnp, haproxy, hostapd, hunspell, icecast, icu,
irssi, kbd, kerberos, kexectools, libarchive, libbpg, libcurl, libdb, libgcrypt, libical, libjpeg_turbo, liblas, libnss, libsndfile, libsoup, libssh2, libtiff, libvirt,
libxslt, lighttpd, logrotate, lua, mariadb, mdadm, memcached, mtr, mysql, ncurses, nessus, netpbm, nginx, node, ntp, openafs, openjpeg, openldap, openssh, openssl,
openswan, openvpn, p7zip, png, polarssl_fedora, postgresql, pspp, python, qt, radare2, rsyslog, samba, sqlite, strongswan, subversion, sudo, syslogng, systemd, tcpdump,
trousers, varnish, webkitgtk, wireshark, wpa_supplicant, xerces, xml2, zlib, zsh
WARNING cve_bin_tool.VersionScanner - pspp was detected with version UNKNOWN in file test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz contains version_scanner.py:210
/usr/bin/pspp-dump-sav
INFO cve_bin_tool.VersionScanner - test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz contains /usr/bin/psppire contains pspp 1.2.0 version_scanner.py:218
INFO cve_bin_tool.CVEScanner - Known CVEs in ProductInfo(vendor='gnu', product='pspp', version='1.2.0') cve_scanner.py:195
[18:35:06] cve_scanner.py:199
╭─────────────────────────────────────────────────────────────────────────── 2 CVE(s) in gnu.pspp v1.2.0 ───────────────────────────────────────────────────────────────────────────╮ cve_scanner.py:200
│ │
│ CVE-2018-20230 CVE-2019-9211 │
│ │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
cve_scanner.py:216
INFO cve_bin_tool.VersionScanner - test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz contains /usr/bin/pspp contains pspp 1.2.0 version_scanner.py:218
WARNING cve_bin_tool.VersionScanner - pspp was detected with version UNKNOWN in file test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz contains version_scanner.py:210
/usr/lib64/pspp/libpspp-core-1.2.0.so
INFO cve_bin_tool.VersionScanner - test/condensed-downloads/pspp-1.2.0-lp151.2.1.x86_64.rpm.tar.gz contains /usr/lib64/pspp/libpspp-1.2.0.so is pspp 1.2.0 version_scanner.py:218
INFO cve_bin_tool - cli.py:415
INFO cve_bin_tool - Overall CVE summary: cli.py:416
INFO cve_bin_tool - There are 3 files with known CVEs detected cli.py:422
INFO cve_bin_tool - Known CVEs in ('pspp', '1.2.0'): cli.py:432
╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ CVE BINARY TOOL ║
╚══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝
• cve-bin-tool Report Generated: 2021-07-28 18:35:06
• Time of last update of CVE Data: 2021-07-28 18:21:33
╭─────────────────╮
│ NewFound CVEs │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ gnu │ pspp │ 1.2.0 │ CVE-2018-20230 │ HIGH │ 7.8 (v3) │
│ gnu │ pspp │ 1.2.0 │ CVE-2019-9211 │ MEDIUM │ 6.5 (v3) │
└────────┴─────────┴─────────┴────────────────┴──────────┴──────────────────────┘
INFO cve_bin_tool - pspp: CVE-2018-20230 has backported fix in v1.2.0-3 release. debian_backports.py:56
INFO cve_bin_tool - pspp: CVE-2019-9211 has backported fix in v1.2.0-4 release. debian_backports.py:56
```
The commit 869b899 removes
I honestly can't decide whether we should be using requests or not. I'm going to open an issue about it and maybe we can talk about it in the meeting tomorrow too.
I'm so glad that this was possible for debian-based systems. I have a few suggestions, but also don't forget to add documentation of the new flag into the manual.
cve_bin_tool/backports/__init__.py (outdated):

```python
        self.all_cve_data = all_cve_data

    def check_backport(self):
        if distro.id() in DEBIAN_DISTROS:
```
It may be useful for users to be able to list backport information even if the machine being used for scanning isn't running debian itself. I'm thinking particularly of folk who might be running cve-bin-tool in a separate CI system or running it on a downloads server, but it might also be important for other debian-based distros whose names we don't know yet.

Let's figure out if there's a nice way to do that. Could backports/debian_backports.py take an argument (say from a `--backported-fixes=debian` option, and have the default be "local_system" that grabs distro.id() or something) instead of distro.id()?
If the user specifies an option `debian`, how will the system recognise which version of debian the user wants? 🤔 Maybe something like `debian-bullseye`, `debian-buster` and so on for the choices? Or maybe stick to the latest version?
I like having `debian-bullseye` etc. as options. Not sure the best way to communicate the availability of these options to users, but maybe just documenting it in Manual.md?
The help message got very messy from the long list of options. So I'll add these options in MANUAL.md.
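An added example (not code from this PR or from cve-bin-tool) of how the option discussed in the thread above could be resolved: `local_system` inspects os-release data, including `ID_LIKE` so that Debian derivatives whose names are not on the list are still recognised, while explicit `debian-<codename>` values are validated against a codename list. `DEBIAN_DISTROS`, `KNOWN_DEBIAN_CODENAMES`, the function names and the os-release samples are all constructed assumptions.

```python
# Added example, not cve-bin-tool code: resolve a --backport-fixes style option.
# DEBIAN_DISTROS, KNOWN_DEBIAN_CODENAMES and the os-release samples are constructed.
import re

DEBIAN_DISTROS = {"debian", "ubuntu"}                         # assumption
KNOWN_DEBIAN_CODENAMES = {"buster", "bullseye", "bookworm"}   # assumption

# Constructed /etc/os-release samples covering the three cases handled below.
OS_RELEASE_DEBIAN = 'ID=debian\nVERSION_CODENAME=bullseye\nPRETTY_NAME="Debian GNU/Linux 11"\n'
OS_RELEASE_DERIVATIVE = 'ID=linuxmint\nID_LIKE="ubuntu debian"\nVERSION_CODENAME=una\n'
OS_RELEASE_FEDORA = "ID=fedora\nVERSION_ID=34\n"


def parse_os_release(text):
    """Parse KEY=VALUE lines (quotes optional, comments ignored) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def resolve_backport_target(option, os_release_text=""):
    """Return (distro_id, codename) whose backport data should be consulted,
    or None when the option does not apply (local system is not Debian-based).

    option: "local_system" (inspect os-release text) or "debian-<codename>".
    Raises ValueError for an option value the tool does not know.
    """
    if option == "local_system":
        fields = parse_os_release(os_release_text)
        # ID_LIKE lets derivatives we have never heard of still match "debian".
        family = {fields.get("ID", "")} | set(fields.get("ID_LIKE", "").split())
        if not family & DEBIAN_DISTROS:
            return None
        return (fields.get("ID", ""), fields.get("VERSION_CODENAME", ""))
    match = re.fullmatch(r"debian-([a-z]+)", option)
    if match and match.group(1) in KNOWN_DEBIAN_CODENAMES:
        return ("debian", match.group(1))
    raise ValueError(f"unsupported backport option: {option!r}")
```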
Co-authored-by: Terri Oda <terri@toybox.ca>

56924a4 to 76840ad
Needs a quick update because the previous PR caused an argument conflict in cli.py
Looks like we're missing SPDX license lines at the top of the new files.
Can you also file a separate issue for the "get data by explicitly specifying the distro" option so we don't forget that as future work?
Other than those two things, this is looking ready to merge.
I have added the explicit specification of distro info in this PR
I like your solution for specifying distros!
#1018
Fix #1339