
[isar-cip-core,1/3] scripts/run-cve-checks.sh: Add script to generate CVE report

Message ID 20231221120423.2388639-2-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State Superseded
Series Generate CVE-reports during a tag release

Commit Message

Sai.Sathujoda@toshiba-tsip.com Dec. 21, 2023, 12:04 p.m. UTC
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

This script will extract the latest dpkg-status files for all the deployed
targets and generate their CVE reports using the cve_checker.py script in
[1], and these reports shall be uploaded back to the cve-reports sub-directory
under cip-project.org in the s3 bucket.

[1] https://gitlab.com/cip-playground/debian-cve-checker

Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
 scripts/run-cve-checks.sh | 40 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100755 scripts/run-cve-checks.sh

Patch

diff --git a/scripts/run-cve-checks.sh b/scripts/run-cve-checks.sh
new file mode 100755
index 0000000..b8da81d
--- /dev/null
+++ b/scripts/run-cve-checks.sh
@@ -0,0 +1,40 @@ 
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Toshiba Corp., 2023
+#
+# Authors:
+#  Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+# This script is used in .gitlab-ci.yml to create
+# CVE reports in CSV format for each deployed build target.
+# It uses the dpkg status files generated during the
+#build stages and saved as gitlab-ci artifacts.
+
+set -e
+
+# Install AWS CLI
+if ! which aws 2>&1 >/dev/null; then
+	echo "Installing awscli..."
+	apt update
+	apt install -y python3-wheel
+	apt install -y awscli
+fi
+
+# Retrieve the latest dpkg status files from AWS
+aws s3 cp --no-progress --recursive s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/ ./
+
+# Create new CVE reports
+mkdir cve-reports
+for i in *.dpkg_status; do
+	echo "Checking $i"
+	filename=${i%.dpkg_status}
+	cve_checker.py --status $i --output ./cve-reports/$filename.csv
+done
+
+# Synchronize the CVE reports to AWS (it will delete old reports)
+aws s3 sync --no-progress --delete --acl public-read cve-reports s3://download.cip-project.org/cip-core/cve-checks/cve-reports
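Review bot: the redirection in `if ! which aws 2>&1 >/dev/null` is in the wrong order: `2>&1` is applied before stdout is pointed at `/dev/null`, so stderr still reaches the job log while only stdout is discarded, and `which` is not guaranteed to be present in a minimal `#!/bin/sh` environment; `if ! command -v aws >/dev/null 2>&1; then` is the portable form. In the report loop, `for i in *.dpkg_status` with no matching file leaves `$i` as the literal glob and `cve_checker.py` is then called on a non-existent path; guard the body with `[ -f "$i" ] || continue` and quote the expansions (`--status "$i" --output "./cve-reports/$filename.csv"`). `mkdir cve-reports` aborts the script under `set -e` when the directory already exists (for example on a retried job), so `mkdir -p cve-reports` is safer. `cve_checker.py` is invoked by bare name but, unlike `awscli`, nothing installs it or checks that it is on PATH; either document that requirement in the header comment or fail early with a clear message. Because the final `aws s3 sync --delete` removes every report that was not regenerated in this run, a target whose dpkg_status file was missing from the download silently loses its published report; consider verifying that the download produced at least one status file before syncing. Minor: the header credits Daniel Sangorrin while the patch is authored by Sai Sathujoda (confirm the attribution is intended), and `#build stages` is missing a space after `#`.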