add build container cve reporting
This commit is contained in:
parent
bd5d947f1e
commit
1ad50ac4c8
1
Makefile
1
Makefile
|
@ -71,6 +71,7 @@ build-fw:
|
||||||
|
|
||||||
.PHONY: audit
|
.PHONY: audit
|
||||||
audit:
|
audit:
|
||||||
|
mkdir -p build/audit
|
||||||
$(contain) audit
|
$(contain) audit
|
||||||
|
|
||||||
.PHONY: hash
|
.PHONY: hash
|
||||||
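Review bot: The new `mkdir -p build/audit` line in the audit recipe duplicates the `mkdir -p ${audit_dir}` the audit script itself runs, and nothing says why the host-side copy is needed. If it is there so the bind-mounted directory is created by the invoking user rather than by whatever user runs inside `$(contain)`, a one-line comment above it should say so, e.g. `# pre-create on the host so build/audit is owned by the caller, not the container user`. The path is also hard-coded here while the script refers to it through `audit_dir`; if one of them moves the other silently breaks, so consider passing the directory in as a variable. Whether the recipe line carries a leading tab cannot be verified in this rendered view.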
|
|
|
@ -70,6 +70,7 @@ dconf-service=0.30.1-2
|
||||||
debconf=1.5.71
|
debconf=1.5.71
|
||||||
debian-archive-keyring=2019.1
|
debian-archive-keyring=2019.1
|
||||||
debianutils=4.8.6.1
|
debianutils=4.8.6.1
|
||||||
|
debsecan=0.4.19
|
||||||
default-jdk-headless=2:1.11-71
|
default-jdk-headless=2:1.11-71
|
||||||
default-jre-headless=2:1.11-71
|
default-jre-headless=2:1.11-71
|
||||||
device-tree-compiler=1.4.7-3
|
device-tree-compiler=1.4.7-3
|
||||||
|
@ -950,6 +951,7 @@ psmisc=23.2-1
|
||||||
publicsuffix=20190415.1030-1
|
publicsuffix=20190415.1030-1
|
||||||
pxlib1=0.6.7-1
|
pxlib1=0.6.7-1
|
||||||
python=2.7.16-1
|
python=2.7.16-1
|
||||||
|
python-apt=1.8.4.1
|
||||||
python-apt-common=1.8.4.1
|
python-apt-common=1.8.4.1
|
||||||
python-asn1crypto=0.24.0-1
|
python-asn1crypto=0.24.0-1
|
||||||
python-certifi=2018.8.24-1
|
python-certifi=2018.8.24-1
|
||||||
|
|
|
@ -9,12 +9,24 @@ heads_dir="${build_dir}/heads"
|
||||||
|
|
||||||
mkdir -p ${audit_dir}
|
mkdir -p ${audit_dir}
|
||||||
|
|
||||||
printf "Generating OS source tar hashes... "
|
printf "Generating container package vulnerability stats... "
|
||||||
openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* > ${audit_dir}/os_src_hashes.txt
|
debsecan \
|
||||||
|
--suite $(lsb_release --codename --short) \
|
||||||
|
--format detail \
|
||||||
|
> ${audit_dir}/container_package_cves.txt
|
||||||
|
container_package_cves="$( \
|
||||||
|
cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l \
|
||||||
|
)"
|
||||||
|
echo "done"
|
||||||
|
|
||||||
|
printf "Generating target OS source tar hashes... "
|
||||||
|
openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* \
|
||||||
|
> ${audit_dir}/os_src_hashes.txt
|
||||||
echo "done"
|
echo "done"
|
||||||
|
|
||||||
printf "Generating firmware source tar hashes... "
|
printf "Generating firmware source tar hashes... "
|
||||||
openssl sha256 -r ${heads_dir}/packages/* > ${audit_dir}/fw_src_hashes.txt
|
openssl sha256 -r ${heads_dir}/packages/* \
|
||||||
|
> ${audit_dir}/fw_src_hashes.txt
|
||||||
echo "done"
|
echo "done"
|
||||||
|
|
||||||
printf "Generating combined/uniqued source tar hashes... "
|
printf "Generating combined/uniqued source tar hashes... "
|
||||||
|
@ -32,6 +44,9 @@ printf "Generating buildroot package stats... "
|
||||||
&& support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \
|
&& support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \
|
||||||
> /dev/null 2>&1
|
> /dev/null 2>&1
|
||||||
)
|
)
|
||||||
|
target_os_source_cves=$( \
|
||||||
|
cat build/audit/pkg-stats.json | jq '.stats["total-cves"]' \
|
||||||
|
)
|
||||||
echo "done"
|
echo "done"
|
||||||
|
|
||||||
printf "Generating NIST CPE definitions... "
|
printf "Generating NIST CPE definitions... "
|
||||||
|
@ -43,13 +58,14 @@ printf "Generating license usage reports... "
|
||||||
( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 )
|
( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 )
|
||||||
cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info
|
cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info
|
||||||
echo "done"
|
echo "done"
|
||||||
|
echo "------------------------------------------------"
|
||||||
|
echo "Wrote: build/audit/container_package_cves.txt"
|
||||||
echo "Wrote: build/audit/os_src_hashes.txt"
|
echo "Wrote: build/audit/os_src_hashes.txt"
|
||||||
echo "Wrote: build/audit/fw_src_hashes.txt"
|
echo "Wrote: build/audit/fw_src_hashes.txt"
|
||||||
echo "Wrote: build/audit/all_hashes.txt"
|
echo "Wrote: build/audit/all_hashes.txt"
|
||||||
echo "Wrote: build/audit/pkg-stats.json"
|
echo "Wrote: build/audit/pkg-stats.json"
|
||||||
echo "Wrote: build/audit/cpe-manifest.cve"
|
echo "Wrote: build/audit/cpe-manifest.cve"
|
||||||
echo "Wrote: build/audit/legal-info"
|
echo "Wrote: build/audit/legal-info"
|
||||||
|
echo "------------------------------------------------"
|
||||||
total_cves=$(cat build/audit/pkg-stats.json | jq '.stats["total-cves"]')
|
echo "Build container package CVEs: ${container_package_cves}"
|
||||||
printf "Total CVEs: ${total_cves}"
|
echo "Target OS source CVEs: ${target_os_source_cves}"
|
||||||
|
|
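Review bot: The value assigned to `container_package_cves` by `cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l` is the number of lines mentioning "CVE", not the number of vulnerabilities: in `--format detail` output an identifier can appear on more than one line of an entry and description text can name other CVEs, so the figure printed by `Build container package CVEs:` may not match the report it points at. Counting distinct identifiers is more robust and drops the cat: `grep -oE 'CVE-[0-9]+-[0-9]+' "${audit_dir}/container_package_cves.txt" | sort -u | wc -l`. If the script runs under `set -o pipefail` (its header is outside the hunk), remember that grep exits 1 when nothing matches, so a container with no findings would abort the audit rather than report zero. The new `target_os_source_cves=$( cat build/audit/pkg-stats.json | jq ... )` hard-codes the path while every other line in these hunks uses `${audit_dir}`; use the variable there too. As far as I know debsecan fetches its vulnerability feed at run time unless pointed at a local copy, so the count depends on the feed and the date of the run; writing the run date and feed source into `container_package_cves.txt` next to the count would make the report verifiable later.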