new file mode 100755
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+import argparse
+import sys
+import csv
+from cpedb import CPEDB
+
+
+def get_target_cpe_report(cpe_report_file, cpedb):
+ report_cpe_exact_match = ""
+ report_cpe_needing_update = ""
+ report_cpe_missing = ""
+
+ print("CPE: Checking for matches...")
+ try:
+ with open(cpe_report_file) as cpe_file:
+ cpe_list = csv.reader(cpe_file)
+ next(cpe_list) # make cpe-info has a one line header
+ for cpe in cpe_list:
+ result = cpedb.find(cpe[0])
+ if not result:
+ result = cpedb.find_partial(cpedb.get_cpe_no_version(cpe[0]))
+ if not result:
+ report_cpe_missing += cpe[0] + "\n"
+ else:
+ report_cpe_needing_update += cpe[0] + "\n"
+ else:
+ report_cpe_exact_match += cpe[0] + "\n"
+ except (OSError, IOError) as e:
+ print("CPE: report csv file (%s): %s" % (e.errno, e.strerror))
+ sys.exit(1)
+
+ print("CPE: Found EXACT match:\n" + report_cpe_exact_match)
+ print("CPE: Found but REQUIRES UPDATE:\n" + report_cpe_needing_update)
+ print("CPE: Not found (proposing the following to be added):\n" + report_cpe_missing)
+
+
+def parse_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-c', dest='cpe_report', action='store', required=True,
+ help='CPE Report generated by make cpe-info (csv format)')
+ return parser.parse_args()
+
+
+def __main__():
+ args = parse_args()
+ cpedb = CPEDB()
+ cpedb.get_xml_dict()
+ print("Performing Target CPE Report Analysis...")
+ get_target_cpe_report(args.cpe_report, cpedb)
+
+
+__main__()
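Review bot: A blank line in the report, or an empty report file, raises an unhandled exception in get_target_cpe_report: csv.reader yields `[]` for a blank row so `cpe[0]` raises IndexError, and `next(cpe_list)` raises StopIteration when there is no header line, neither of which the `except (OSError, IOError)` clause catches. Skip the header with `next(cpe_list, None)` and guard each row with `if not cpe: continue` before the `cpedb.find(cpe[0])` call. The comment on the `next()` line is also garbled; `# skip the one-line header written by make cpe-info` says what it means. Separately, `__main__()` is invoked unconditionally at module level, so importing the script runs it; the conventional guard is `if __name__ == "__main__": __main__()`.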
The script supports looking up all the CPEs provided in a make cpe-info csv file export from a target Buildroot build. It checks the current version and suggests a CPE needs update or possibly initial submission to NIST. Limitations - Currently any use of non-number version identifiers isn't supported by NIST as they use ranges to determine impact of a CVE - Any Linux version from a non-upstream is also not supported without manually adjusting the information as the custom kernel will more than likely not match the upstream version used in the dictionary Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> --- Changes v5 -> v7 - No change v5 [Ricardo - Updated v4 comments about general flake formatting cleanup - Incorporated parts of patch 1/2 suggestions for optimizations [Ricardo/Arnout - Collectively, decided to move cpe report analysis to this script and use a separate module cpedb class [Arnout - Rename cpe_dict to instead be cpedb v1 -> v4 - Patch did not exist and was part of pkg-stats file --- support/scripts/cpe-report | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100755 support/scripts/cpe-report