Add CVEChecker which guesses the pkg name and version of an archive

flathub-infra · May 9, 2018 · abb9802 · abb9802
1 parent a0b1bad
commit abb9802
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 4 deletions.
diff --git a/src/checker.py b/src/checker.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2018 Endless Mobile, Inc.
 #
 # Authors:
+#       Andrew Hayzen <ahayzen@gmail.com>
 #       Joaquim Rocha <jrocha@endlessm.com>
 #
 # This program is free software; you can redistribute it and/or modify
@@ -68,6 +69,10 @@ def _get_finish_args_extra_data_from_json(self, json_data):
     def _get_module_data_from_json(self, json_data):
         external_data = []
         for module in json_data.get('modules', []):
+            # This is a guess at the package name from the name the author
+            # has given to the module block
+            pkg_name = module.get('name', None)
+
             for source in module.get('sources', []):
                 url = source.get('url', None)
                 if not url:
@@ -89,8 +94,8 @@ def _get_module_data_from_json(self, json_data):
                 size = source.get('size', -1)
                 checker_data = source.get('x-checker-data')
 
-                ext_data = ExternalData(data_type, name, url, sha256sum, size,
-                                        arches, checker_data)
+                ext_data = ExternalData(data_type, pkg_name, name, url,
+                                        sha256sum, size, arches, checker_data)
                 external_data.append(ext_data)
 
         return external_data

diff --git a/src/checkers/cvechecker.py b/src/checkers/cvechecker.py
@@ -0,0 +1,62 @@
+# Copyright (C) 2018 Endless Mobile, Inc.
+#
+# Authors:
+#       Andrew Hayzen <ahayzen@gmail.com>
+#       Joaquim Rocha <jrocha@endlessm.com>
+#       Patrick Griffis <tingping@tingping.se>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+import logging
+import re
+
+from lib.externaldata import ExternalData, CheckerRegistry, Checker
+from lib import utils
+
+
+class CVEChecker(Checker):
+
+    def check(self, external_data):
+        try:
+            version = CVEChecker.extract_version_from_url(
+                external_data.url, external_data.type,
+            )
+            logging.debug('CVEChecker: Found %s of the version %s' %
+                          (external_data.pkg_name, version))
+        except ValueError:
+            external_data.state = ExternalData.State.BROKEN
+        else:
+            external_data.state = ExternalData.State.VALID
+
+        # TODO: need similar to new_version but for cve_vuln
+        # this should also output to JSON
+
+    @staticmethod
+    def extract_version_from_url(url, data_type):
+        if data_type == ExternalData.Type.ARCHIVE:
+            filename = url.rpartition('/')[2]
+            match = re.search(r'(\d+\.\d+(?:\.\d+)?)', filename)
+
+            if match:
+                return match.groups()[-1]
+            else:
+                logging.debug('Version not found in {}'.format(sources))
+                raise ValueError
+        else:
+            logging.debug('CVEChecker: Unknown type %s' % data_type)
+            raise ValueError
+
+
+CheckerRegistry.register_checker(CVEChecker)
diff --git a/src/lib/externaldata.py b/src/lib/externaldata.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2018 Endless Mobile, Inc.
 #
 # Authors:
+#       Andrew Hayzen <ahayzen@gmail.com>
 #       Joaquim Rocha <jrocha@endlessm.com>
 #
 # This program is free software; you can redistribute it and/or modify
@@ -40,8 +41,9 @@ class State(Enum):
         VALID = 1 << 1 # URL is reachable
         BROKEN = 1 << 2 # URL couldn't be reached
 
-    def __init__(self, data_type, filename, url, checksum, size=-1, arches=[],
-                 checker_data=None):
+    def __init__(self, data_type, pkg_name, filename, url, checksum, size=-1,
+                 arches=[], checker_data=None):
+        self.pkg_name = pkg_name
         self.filename = filename
         self.url = url
         self.checksum = checksum
@@ -54,13 +56,15 @@ def __init__(self, data_type, filename, url, checksum, size=-1, arches=[],
 
     def __str__(self):
         info = '{filename}:\n' \
+               '  PkgName: {pkg_name}\n' \
                '  State:   {state}\n' \
                '  Type:    {type}\n' \
                '  URL:     {url}\n' \
                '  SHA256:  {checksum}\n' \
                '  Size:    {size}\n' \
                '  Arches:  {arches}\n' \
                '  Checker: {checker_data}'.format(state=self.state.name,
+                                                  pkg_name=self.pkg_name,
                                                   filename=self.filename,
                                                   type=self.type.name,
                                                   url=self.url,