add build container cve reporting

Makefile

@@ -71,6 +71,7 @@ build-fw:
 
 .PHONY: audit
 audit:
+	mkdir -p build/audit
 	$(contain) audit
 
 .PHONY: hash

config/container/packages.list

@@ -70,6 +70,7 @@ dconf-service=0.30.1-2
 debconf=1.5.71
 debian-archive-keyring=2019.1
 debianutils=4.8.6.1
+debsecan=0.4.19
 default-jdk-headless=2:1.11-71
 default-jre-headless=2:1.11-71
 device-tree-compiler=1.4.7-3
@@ -950,6 +951,7 @@ psmisc=23.2-1
 publicsuffix=20190415.1030-1
 pxlib1=0.6.7-1
 python=2.7.16-1
+python-apt=1.8.4.1
 python-apt-common=1.8.4.1
 python-asn1crypto=0.24.0-1
 python-certifi=2018.8.24-1

scripts/audit

@@ -9,12 +9,24 @@ heads_dir="${build_dir}/heads"
 
 mkdir -p ${audit_dir}
 
-printf "Generating OS source tar hashes... "
-openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* > ${audit_dir}/os_src_hashes.txt
+printf "Generating container package vulnerability stats... "
+debsecan \
+	--suite $(lsb_release --codename --short) \
+	--format detail \
+	> ${audit_dir}/container_package_cves.txt
+container_package_cves="$( \
+	cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l \
+)"
+echo "done"
+
+printf "Generating target OS source tar hashes... "
+openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* \
+	> ${audit_dir}/os_src_hashes.txt
 echo "done"
 
 printf "Generating firmware source tar hashes... "
-openssl sha256 -r ${heads_dir}/packages/* > ${audit_dir}/fw_src_hashes.txt
+openssl sha256 -r ${heads_dir}/packages/* \
+	> ${audit_dir}/fw_src_hashes.txt
 echo "done"
 
 printf "Generating combined/uniqued source tar hashes... "
@@ -32,6 +44,9 @@ printf "Generating buildroot package stats... "
 	&& support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \
 	> /dev/null 2>&1
 )
+target_os_source_cves=$( \
+	cat build/audit/pkg-stats.json | jq '.stats["total-cves"]' \
+)
 echo "done"
 
 printf "Generating NIST CPE definitions... "
@@ -43,13 +58,14 @@ printf "Generating license usage reports... "
 ( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 )
 cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info
 echo "done"
-
+echo "------------------------------------------------"
+echo "Wrote: build/audit/container_package_cves.txt"
 echo "Wrote: build/audit/os_src_hashes.txt"
 echo "Wrote: build/audit/fw_src_hashes.txt"
 echo "Wrote: build/audit/all_hashes.txt"
 echo "Wrote: build/audit/pkg-stats.json"
 echo "Wrote: build/audit/cpe-manifest.cve"
 echo "Wrote: build/audit/legal-info"
-
-total_cves=$(cat build/audit/pkg-stats.json | jq '.stats["total-cves"]')
-printf "Total CVEs: ${total_cves}"
+echo "------------------------------------------------"
+echo "Build container package CVEs: ${container_package_cves}"
+echo "Target OS source CVEs: ${target_os_source_cves}"