diff mbox series

[isar-cip-core,v2,1/3] scripts/run-cve-checks.sh: Add script to generate CVE report

Message ID 20240118175942.1052089-2-Sai.Sathujoda@toshiba-tsip.com
State Accepted
Series Generate CVE-reports only with manual trigger

Commit Message

Sai.Sathujoda@toshiba-tsip.com Jan. 18, 2024, 5:59 p.m. UTC
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

This script will extract the latest dpkg-status files for all the deployed
targets and generate their CVE reports using the cve_checker.py script in
[1], and these reports shall be uploaded back to the cve-reports sub-directory
under cip-project.org in the s3 bucket.

[1] https://gitlab.com/cip-playground/debian-cve-checker

Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
 scripts/run-cve-checks.sh | 40 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100755 scripts/run-cve-checks.sh

Comments

Jan Kiszka Jan. 18, 2024, 6:20 p.m. UTC | #1
On 18.01.24 18:59, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
> 
> This script will extract the latest dpkg-status files for all the deployed
> targets and generate their CVE reports using the cve_checker.py script in
> [1], and these reports shall be uploaded back to the cve-reports sub-directory
> under cip-project.org in the s3 bucket.
> 
> [1] https://gitlab.com/cip-playground/debian-cve-checker
> 
> Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
> ---
>  scripts/run-cve-checks.sh | 40 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 40 insertions(+)
>  create mode 100755 scripts/run-cve-checks.sh
> 
> diff --git a/scripts/run-cve-checks.sh b/scripts/run-cve-checks.sh
> new file mode 100755
> index 0000000..15a2bd8
> --- /dev/null
> +++ b/scripts/run-cve-checks.sh
> @@ -0,0 +1,40 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Toshiba Corp., 2023
> +#
> +# Authors:
> +#  Daniel Sangorrin <daniel.sangorrin@...>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +# This script is used in .gitlab-ci.yml to create
> +# CVE reports in CSV format for each deployed build target.
> +# It uses the dpkg status files generated during the
> +# build stages and saved as gitlab-ci artifacts.
> +
> +set -e
> +
> +# Install AWS CLI
> +if ! which aws 2>&1 >/dev/null; then

In scripts/run-cve-checks.sh line 21:
if ! which aws 2>&1 >/dev/null; then
               ^--^ SC2069 (warning): To redirect stdout+stderr, 2>&1 must be last (or use '{ cmd > file; } 2>&1' to clarify).

BTW, some alternative:

command -v aws >/dev/null

> +	echo "Installing awscli..."
> +	apt update
> +	apt install -y python3-wheel
> +	apt install -y awscli
> +fi
> +
> +# Retrieve the latest dpkg status files from AWS
> +aws s3 cp --no-progress --recursive s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/ ./
> +
> +# Create new CVE reports
> +mkdir cve-reports
> +for i in *.dpkg_status; do
> +	echo "Checking $i"
> +	filename=${i%.dpkg_status}
> +	cve_checker.py --status $i --output ./cve-reports/$filename.csv

In scripts/run-cve-checks.sh line 36:
        cve_checker.py --status $i --output ./cve-reports/$filename.csv
                                ^-- SC2086 (info): Double quote to prevent globbing and word splitting.
                                                          ^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.


Granted, this is pointless here as we break up *.dpkg_status into i 
above. But it would silence shellcheck cheaply.

Another nitpick: "i" is not the best name for this local var. Even "f" 
like "file" would be better than "i" like "integer". ;)

And then "filename" should likely be "basename".

> +done
> +
> +# Synchronize the CVE reports to AWS (it will delete old reports)
> +aws s3 sync --no-progress --delete --acl public-read cve-reports s3://download.cip-project.org/cip-core/cve-checks/cve-reports
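Review bot: `mkdir cve-reports` and the `for i in *.dpkg_status` loop in this hunk are fragile under `set -e`. `mkdir` without `-p` aborts the script when the directory already exists (for example on a re-run in the same CI workspace); `mkdir -p cve-reports` avoids that. And since POSIX sh leaves an unmatched glob as the literal string, a download that fetched nothing would call `cve_checker.py` once with the literal `*.dpkg_status` as its status file instead of skipping the loop; a guard such as `[ -e "$i" ] || continue` as the first line of the loop body, or an explicit check that at least one status file exists before the loop, would make that failure mode visible.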

I'm fixing these up while merging, no need for v2.

Jan

Patch

diff --git a/scripts/run-cve-checks.sh b/scripts/run-cve-checks.sh
new file mode 100755
index 0000000..15a2bd8
--- /dev/null
+++ b/scripts/run-cve-checks.sh
@@ -0,0 +1,40 @@ 
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Toshiba Corp., 2023
+#
+# Authors:
+#  Daniel Sangorrin <daniel.sangorrin@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+# This script is used in .gitlab-ci.yml to create
+# CVE reports in CSV format for each deployed build target.
+# It uses the dpkg status files generated during the
+# build stages and saved as gitlab-ci artifacts.
+
+set -e
+
+# Install AWS CLI
+if ! which aws 2>&1 >/dev/null; then
+	echo "Installing awscli..."
+	apt update
+	apt install -y python3-wheel
+	apt install -y awscli
+fi
+
+# Retrieve the latest dpkg status files from AWS
+aws s3 cp --no-progress --recursive s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/ ./
+
+# Create new CVE reports
+mkdir cve-reports
+for i in *.dpkg_status; do
+	echo "Checking $i"
+	filename=${i%.dpkg_status}
+	cve_checker.py --status $i --output ./cve-reports/$filename.csv
+done
+
+# Synchronize the CVE reports to AWS (it will delete old reports)
+aws s3 sync --no-progress --delete --acl public-read cve-reports s3://download.cip-project.org/cip-core/cve-checks/cve-reports
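Review bot: the header comment near the top of this hunk ("It uses the dpkg status files generated during the build stages and saved as gitlab-ci artifacts") does not match what the script does: the status files are pulled from `s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/` with `aws s3 cp`, not read from GitLab CI artifacts, so the comment should name the S3 prefix as the source. It should also say where `cve_checker.py` is expected to come from: the commit message points to the debian-cve-checker repository, but the script neither fetches it nor checks that it is on PATH, so a missing tool only surfaces as a "command not found" inside the loop. A `command -v cve_checker.py >/dev/null || { echo "cve_checker.py not found"; exit 1; }` before the loop would fail early with a clear message.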