From 1ad50ac4c8fbd84f2ee0b0469dd58a01a7f5e006 Mon Sep 17 00:00:00 2001 From: "Lance R. Vick" Date: Fri, 24 Jul 2020 17:51:05 -0700 Subject: [PATCH] add build container cve reporting --- Makefile | 1 + config/container/packages.list | 2 ++ scripts/audit | 30 +++++++++++++++++++++++------- 3 files changed, 26 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 9021cf1..e7ba965 100644 --- a/Makefile +++ b/Makefile @@ -71,6 +71,7 @@ build-fw: .PHONY: audit audit: + mkdir -p build/audit $(contain) audit .PHONY: hash diff --git a/config/container/packages.list b/config/container/packages.list index fa1bfb5..cb2fccf 100644 --- a/config/container/packages.list +++ b/config/container/packages.list @@ -70,6 +70,7 @@ dconf-service=0.30.1-2 debconf=1.5.71 debian-archive-keyring=2019.1 debianutils=4.8.6.1 +debsecan=0.4.19 default-jdk-headless=2:1.11-71 default-jre-headless=2:1.11-71 device-tree-compiler=1.4.7-3 @@ -950,6 +951,7 @@ psmisc=23.2-1 publicsuffix=20190415.1030-1 pxlib1=0.6.7-1 python=2.7.16-1 +python-apt=1.8.4.1 python-apt-common=1.8.4.1 python-asn1crypto=0.24.0-1 python-certifi=2018.8.24-1 diff --git a/scripts/audit b/scripts/audit index af77d30..27205bf 100755 --- a/scripts/audit +++ b/scripts/audit @@ -9,12 +9,24 @@ heads_dir="${build_dir}/heads" mkdir -p ${audit_dir} -printf "Generating OS source tar hashes... " -openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* > ${audit_dir}/os_src_hashes.txt +printf "Generating container package vulnerability stats... " +debsecan \ + --suite $(lsb_release --codename --short) \ + --format detail \ + > ${audit_dir}/container_package_cves.txt +container_package_cves="$( \ + cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l \ +)" +echo "done" + +printf "Generating target OS source tar hashes... " +openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* \ + > ${audit_dir}/os_src_hashes.txt echo "done" printf "Generating firmware source tar hashes... " -openssl sha256 -r ${heads_dir}/packages/* > ${audit_dir}/fw_src_hashes.txt +openssl sha256 -r ${heads_dir}/packages/* \ + > ${audit_dir}/fw_src_hashes.txt echo "done" printf "Generating combined/uniqued source tar hashes... " @@ -32,6 +44,9 @@ printf "Generating buildroot package stats... " && support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \ > /dev/null 2>&1 ) +target_os_source_cves=$( \ + cat build/audit/pkg-stats.json | jq '.stats["total-cves"]' \ +) echo "done" printf "Generating NIST CPE definitions... " @@ -43,13 +58,14 @@ printf "Generating license usage reports... " ( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 ) cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info echo "done" - +echo "------------------------------------------------" +echo "Wrote: build/audit/container_package_cves.txt" echo "Wrote: build/audit/os_src_hashes.txt" echo "Wrote: build/audit/fw_src_hashes.txt" echo "Wrote: build/audit/all_hashes.txt" echo "Wrote: build/audit/pkg-stats.json" echo "Wrote: build/audit/cpe-manifest.cve" echo "Wrote: build/audit/legal-info" - -total_cves=$(cat build/audit/pkg-stats.json | jq '.stats["total-cves"]') -printf "Total CVEs: ${total_cves}" +echo "------------------------------------------------" +echo "Build container package CVEs: ${container_package_cves}" +echo "Target OS source CVEs: ${target_os_source_cves}"