forked from public/airgap
72 lines
2.2 KiB
Bash
Executable File
72 lines
2.2 KiB
Bash
Executable File
#!/bin/bash
|
|
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
|
|
set -e; source environment
|
|
|
|
build_dir="${BUILD_DIR?}"
|
|
audit_dir="${BUILD_DIR?}/audit"
|
|
buildroot_dir="${build_dir}/buildroot"
|
|
heads_dir="${build_dir}/heads"
|
|
|
|
mkdir -p ${audit_dir}
|
|
|
|
printf "Generating container package vulnerability stats... "
|
|
debsecan \
|
|
--suite $(lsb_release --codename --short) \
|
|
--format detail \
|
|
> ${audit_dir}/container_package_cves.txt
|
|
container_package_cves="$( \
|
|
cat ${audit_dir}/container_package_cves.txt | grep CVE | wc -l \
|
|
)"
|
|
echo "done"
|
|
|
|
printf "Generating target OS source tar hashes... "
|
|
openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* \
|
|
> ${audit_dir}/os_src_hashes.txt
|
|
echo "done"
|
|
|
|
printf "Generating firmware source tar hashes... "
|
|
openssl sha256 -r ${heads_dir}/packages/* \
|
|
> ${audit_dir}/fw_src_hashes.txt
|
|
echo "done"
|
|
|
|
printf "Generating combined/uniqued source tar hashes... "
|
|
cat ${audit_dir}/os_src_hashes.txt \
|
|
${audit_dir}/fw_src_hashes.txt \
|
|
| sed 's/ .*\// /g' \
|
|
| awk '{ t = $1; $1 = $2; $2 = t; print;}' \
|
|
| sort \
|
|
| uniq \
|
|
> ${audit_dir}/all_hashes.txt
|
|
echo "done"
|
|
|
|
printf "Generating buildroot package stats... "
|
|
( cd ${buildroot_dir} \
|
|
&& support/scripts/pkg-stats --json ${audit_dir}/pkg-stats.json \
|
|
> /dev/null 2>&1
|
|
)
|
|
target_os_source_cves=$( \
|
|
cat build/audit/pkg-stats.json | jq '.stats["total-cves"]' \
|
|
)
|
|
echo "done"
|
|
|
|
printf "Generating NIST CPE definitions... "
|
|
( cd ${buildroot_dir} && make cpe-info > /dev/null 2>&1 )
|
|
cp ${buildroot_dir}/output/cpe-manifest.csv ${audit_dir}/cpe-manifest.csv
|
|
echo "done"
|
|
|
|
printf "Generating license usage reports... "
|
|
( cd ${buildroot_dir} && make legal-info > /dev/null 2>&1 )
|
|
cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info
|
|
echo "done"
|
|
echo "------------------------------------------------"
|
|
echo "Wrote: build/audit/container_package_cves.txt"
|
|
echo "Wrote: build/audit/os_src_hashes.txt"
|
|
echo "Wrote: build/audit/fw_src_hashes.txt"
|
|
echo "Wrote: build/audit/all_hashes.txt"
|
|
echo "Wrote: build/audit/pkg-stats.json"
|
|
echo "Wrote: build/audit/cpe-manifest.cve"
|
|
echo "Wrote: build/audit/legal-info"
|
|
echo "------------------------------------------------"
|
|
echo "Build container package CVEs: ${container_package_cves}"
|
|
echo "Target OS source CVEs: ${target_os_source_cves}"
|