-
Notifications
You must be signed in to change notification settings - Fork 470
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: CI pre-checker for VENDOR_PRODUCT #3628
Comments
Also noting from #3605 -- @ffontaine has beenfinding invalid ones in older code. Some of that may be due to CPEs changing over time, some may just be because I trusted submitters too much and didn't double-check every thing manually when I approved the original PR. We may also want to run the validation script on all of the VENDOR_PRODUCT entries once a week or something and have it open up issues if any of them become invalid. |
Quoting from #3363 on the topic of allowing "invalid" checkers: so it's here and easy to read:
Originally posted by @ffontaine in #3633 (comment) |
Hello @terriko , I want to work on this . How should I proceed? |
@crazytrain328 I'd probably start by writing a python script that takes a checker *.py file and checks to see if each thing in the VENDOR_PRODUCT list provided has any CVEs associated with it. So basically, parse out VENDOR_PRODUCT and run something like with % replaced by each {vendor, product} pair you need to look up. We don't really have a function for this in the existing cvedb class, so you can pretty much just jam some sql into your new script and tell it to use the same database name. (eventually you might want to use the cvedb class to make sure the database is there and is up to date, but for a first pass that doesn't need to be in the script) |
Hello @terriko , |
@crazytrain328 you might find my experiment script from the version compare investigations useful: https://github.com/intel/cve-bin-tool/blob/main/experiments/sqlite-experiments.py I won't say that that particular file is great coding, since it was never intended to be used "in production" as it were, but it should be enough to get you started with a minimal connection to the database and hwo to run a sql query manually It's got a pretty minimum connection setup: dbcon = sqlite3.connect("/home/terri/.cache/cve-bin-tool/cve.db")
dbcon.create_function("regexp", 2, lambda x, y: 1 if re.search(x, y) else 0)
cursor = dbcon.cursor() (You don't need the regexp function if you're not doing regex searches.) And then the rest of the file is a bunch of select statements that work against the db and output some data. You could copy that file, change out the home directory to match your name instead of mine, and edit one of the cursor.execute lines to contain whatever you actually want to look up. |
Hello @terriko |
@crazytrain328 Are you using an NVD api key or the mirror? I ask because NVD does sometimes just won't connect, especially for folk on windows -- we actually download our cache on linux and copy it to windows for that reason. But the mirror should be more generally available even if NVD is misbehaving. |
I got it! I ran the initial script and am able to parse out whether all the vendor_product pairs have associated cves or not . |
Are you asking how to run it in github actions? You can look at our other scripts under the Parts you'll need off the top of my head:
|
I've already made a PR (#3840). Can you check it once? |
@terriko Do we really need to run it weekly? I have added the github actions so that it checks any newly added/modified checker for related CVEs. There is one thing we cud do to assure completeness. I'll file an issue if someone wants to volunteer to check whether the existing checkers have all related CVEs or not? How does it sound? |
Ideally: the version that runs on a PR checks only the files changed in that PR. The idea behind running it weekly (or monthly or whatever) would be to check existing checkers not in a PR so we'd get some warning if the CPE for a checker was removed from NVD. (which does happen periodically). the frequency there doesn't matter so much, it's just the idea that "check your PR before merging" and "address technical debt" should probably be different but related github actions. |
And yes, I'll get to the PR when I can! |
Description
The
VENDOR_PRODUCT
variable in a binary checker provides{vendor, product}
pairs that correspond to CPE entries and can be used to look up vulnerabilities. Currently, I check these manually while reviewing pull requests, but there's no reason we couldn't have a script in github actions or run from pre-commit that could check that they're valid and fail if they are not.Design thoughts:
{vendor, product}
returns any CVEs. (In theory you can have a CPE that doesn't have any CVEs associated yet, but in practice there's no much point in making a checker until there's a least one CVE so it's unlikely to come up very often.)Why?
Occasionally, people make a typo or new contributors try to make a checker without seeing if there's even a CPE
Anything else?
This is probably suitable for adventurous beginners with some SQL experience, but I don't think it's quite simple enough for me to tag it as a good first issue because it's going to be a bit finicky to figure out how to test and deploy it in github actions.
The text was updated successfully, but these errors were encountered: