Commit dc310137 authored by David Spencer's avatar David Spencer

Redo results writing.

parent d6616cb8
......@@ -46,12 +46,6 @@ lists, run
### Project structure
Each package list is in a subdirectory 'pkg-lists/name', which contains:
* a script named 'update', which creates or updates the package list
* working data
* the package list, which is always named 'list.csv'
Each vulnerability list is in a subdirectory 'vuln-lists/name', which
contains:
......@@ -60,7 +54,14 @@ contains:
* a script named 'check', which checks a supplied package list against
the vulnerability list
* working data (in the case of NVDS this is ~900Mb!)
* reports
Each package list is in a subdirectory 'pkg-lists/name', which contains:
* a script named 'update', which creates or updates the package list
* working data
* the package list, which is always named 'list.csv'
* the results of running each vulnerability list check , which is
always named 'results_vlist.csv'
Individual updates and individual checks can be disabled by removing
execute permission from the relevant scripts.
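Review bot: The new README line "always named 'results_vlist.csv'" does not match what the check scripts in this same commit write: the vuxml check writes `results_<name>.txt` and the cve-check-tool check writes both `results_<name>.html` and `results_<name>.csv`, so the package-list section should say "results_<vulnerability list name>.<ext>" and list the extensions each check produces. Also drop the stray space in "check , which".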
......
#!/bin/sh
# BadNews vulnerability monitor
# Top-level check & report creation
# Top-level check
#-----------------------------------------------------------------------
set -eu
......@@ -20,7 +20,7 @@ for chk in vuln-lists/*/check; do
echo "| Checking $PNAME against $VNAME"
echo "+----------------------------------------------------------------------+"
echo
REPORTPATH="$pkgdir/report_${PNAME}_${VNAME}_$(date '+%Y-%m-%d_%T')" ./check "$pkglist"
./check "$pkglist"
cd - >/dev/null
done
fi
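Review bot: Dropping the timestamped `REPORTPATH` means every run now overwrites `results_<vlist>.*` in the package-list directory, so the history of earlier check results is lost; if that is intended, say so in the commit message or README, otherwise keep a dated copy. If `$pkgdir` is no longer referenced anywhere else in this script after this change, remove its assignment as well.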
......
......@@ -8,12 +8,17 @@ set -eu
# This requires vxquery from https://www.vuxml.org/
[ -x /usr/bin/vxquery ] || { echo "vxquery not found :(" >&2; exit 1; }
REPORTPATH="${REPORTPATH:-report}"
INPUT_CSV="$1"
dn=$(dirname "$1")
rn="results_$(basename $(pwd))"
OUTPUT_TXT="${dn}/${rn}.txt"
#-----------------------------------------------------------------------
vxquery -f <(awk -F, '{print $1"-"$2}' "$1") vuln.xml > "$REPORTPATH".txt
echo "Wrote $REPORTPATH.txt"
vxquery -f <(awk -F, '{print $1"-"$2}' "${INPUT_CSV}") vuln.xml > "${OUTPUT_TXT}"
echo "Wrote ${OUTPUT_TXT}"
#-----------------------------------------------------------------------
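Review bot: `rn="results_$(basename $(pwd))"` leaves the inner `$(pwd)` unquoted, so a working directory containing whitespace breaks the result-file name; write `rn="results_$(basename "$(pwd)")"`. Since `INPUT_CSV` is introduced here, use it on the `dn=$(dirname "$1")` line too rather than mixing `$1` and `${INPUT_CSV}`, and consider an explicit `[ $# -ge 1 ] || { echo "usage: check pkglist.csv" >&2; exit 1; }` so a missing argument fails with a message instead of the bare `set -u` error.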
......
......@@ -12,24 +12,31 @@ set -eu
# This requires system/cve-check-tool from SlackBuilds.org
[ -x /usr/bin/cve-check-tool ] || { echo "cve-check-tool not found :(" >&2; exit 1; }
REPORTPATH="${REPORTPATH:-report}"
#-----------------------------------------------------------------------
dn=$(dirname "$1")
bn=$(basename "$1")
rn="results_$(basename $(pwd))"
# we get a few more matches in lower case, so:
tr '[:upper:]' '[:lower:]' < "$1" | sort -u > /tmp/$(basename "$1")
INPUT_CSV="/tmp/${bn}"
tr '[:upper:]' '[:lower:]' < "$1" | sort -u > "${INPUT_CSV}"
# Create the output in two formats.
OUTPUT_HTML="${dn}/${rn}.html"
OUTPUT_CSV="${dn}/${rn}.csv"
# The database is hardcoded to live at $HOME/NVDS (derp),
# cve-check-tool hardcodes its database to live at $HOME/NVDS (derp),
# but we can subvert that :)
export HOME=$(realpath ..)
# Create the reports, in two formats.
#-----------------------------------------------------------------------
# (1) html
cve-check-tool -t faux -u /tmp/$(basename "$1") > "$REPORTPATH".html
echo "Wrote $REPORTPATH.html"
cve-check-tool -t faux -u /tmp/$(basename "$1") > "${OUTPUT_HTML}"
echo "Wrote ${OUTPUT_HTML}"
# (2) csv
cve-check-tool -t faux -u -c "$1" | sort > "$REPORTPATH".csv
echo "Wrote $REPORTPATH.csv"
cve-check-tool -t faux -u -c "$1" | sort > "${OUTPUT_CSV}"
echo "Wrote ${OUTPUT_CSV}"
#-----------------------------------------------------------------------
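Review bot: `INPUT_CSV="/tmp/${bn}"` is a predictable file name in a shared world-writable directory, and the following `tr ... > "${INPUT_CSV}"` will happily follow a pre-existing symlink or clobber another user's file; use `INPUT_CSV=$(mktemp)` and `trap 'rm -f "${INPUT_CSV}"' EXIT` so the temporary file is both private and cleaned up (it is never removed at present). The CSV report on the `-c "$1"` line still reads the original, mixed-case list while the HTML report reads the lowercased `${INPUT_CSV}`; given the comment that lower case yields more matches, the CSV run should use `"${INPUT_CSV}"` too, otherwise the two reports disagree. Same unquoted `$(pwd)` as in the vuxml check.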
......
......@@ -24,7 +24,7 @@ if len(sys.argv) >= 2:
else:
sys.exit("Argument missing")
reportpath=os.environ.get("REPORTPATH","report")+".csv"
resultpath="{:s}/results_{:s}.csv".format(os.path.dirname(pkglistpath),os.path.basename(os.getcwd()))
#-----------------------------------------------------------------------
# Read the package list and store it in 'plist'.
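Review bot: `os.path.dirname(pkglistpath)` returns an empty string when the script is given a bare file name such as `list.csv`, so the new `resultpath` becomes `/results_<name>.csv`, an absolute path in the filesystem root; build it with `os.path.join(os.path.dirname(pkglistpath) or ".", "results_{:s}.csv".format(os.path.basename(os.getcwd())))` instead.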
......@@ -69,7 +69,7 @@ print("Processed {:d} records from {:s}".format(recnum,pkglistpath))
# Read and match the vulnerability list.
vulnlistfile=open(vulnlistpath,'r')
reportfile=open(reportpath,'w')
resultfile=open(resultpath,'w')
# The pkgsrc pkg-vulnerabilities.txt file has the record format
# <vexpr><space><vcategory><space><vurl>
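Review bot: `resultfile=open(resultpath,'w')` is opened here and only closed much later after the matching loop; if the loop raises before the explicit `close()`, buffered result records may never be flushed, so wrap the matching in `with open(resultpath,'w') as resultfile:` (or `open(resultpath,'w',newline='')` if the writing is moved to the `csv` module) so the file is closed on every exit path.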
......@@ -103,7 +103,7 @@ class Cond():
def printvulns(vglob,vcondlist,vcategory,vurl):
"""
Check all packages 'p' in the global 'plist'
Print a report record if
Print a result record if
* 'p.name' =~ 'vglob', and
* 'p.version' 'vcond.op' 'vcond.version', for all vcond in vcondlist
"""
......@@ -145,7 +145,7 @@ def printvulns(vglob,vcondlist,vcategory,vurl):
print("{:s},{:s},{:s},{:s},{:s},{:s}".format(
p.name, p.version, p.patched, p.ignored,
vcategory, vurl),
file=reportfile)
file=resultfile)
recnum=0
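Review bot: The result record is assembled with a comma-joined format string, so any field containing a comma or a double quote (a `vurl` with query parameters, for example) produces a malformed CSV line that downstream consumers will mis-parse; use `csv.writer(resultfile).writerow([p.name, p.version, p.patched, p.ignored, vcategory, vurl])` so fields are quoted correctly.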
......@@ -177,7 +177,7 @@ except:
vulnlistfile.close()
print("Processed {:d} records from {:s}".format(recnum,vulnlistpath))
reportfile.close()
print("Wrote "+reportpath)
resultfile.close()
print("Wrote "+resultpath)
#-----------------------------------------------------------------------