Add CVEChecker which guesses the pkg name and version of an archive

src/checkers/cvechecker.py

@@ -0,0 +1,74 @@
+# Copyright (C) 2018 Endless Mobile, Inc.
+#
+# Authors:
+#       Andrew Hayzen <ahayzen@gmail.com>
+#       Joaquim Rocha <jrocha@endlessm.com>
+#       Patrick Griffis <tingping@tingping.se>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+import logging
+import re
+
+from lib.externaldata import ExternalData, CheckerRegistry, Checker
+
+
+class CVEChecker(Checker):
+
+    def check(self, external_data):
+        # TODO: if checker_data or package-name are None
+        # attempt to guess package name from url if archive
+
+        if external_data.checker_data is None:
+            external_data.state = ExternalData.State.BROKEN
+            return
+
+        pkg_name = external_data.checker_data.get("package-name", None)
+
+        if pkg_name is None:
+            logging.debug('CVEChecker: No package-name given')
+            external_data.state = ExternalData.State.BROKEN
+            return
+
+        try:
+            version = CVEChecker.extract_version_from_url(external_data.url, external_data.type)
+            logging.debug('CVEChecker: Found {} of the version {}'.format(pkg_name, version))
+        except ValueError:
+            external_data.state = ExternalData.State.BROKEN
+        else:
+            # TODO: we should probably provide the pkg_name as a hint here?
+            external_data.current_version = version
+            external_data.state = ExternalData.State.VALID
+
+        # TODO: need similar to new_version but for cve_vuln
+        # this should also output to JSON
+
+    @staticmethod
+    def extract_version_from_url(url, data_type):
+        if data_type == ExternalData.Type.ARCHIVE:
+            filename = url.rpartition('/')[2]
+            match = re.search(r'(\d+\.\d+(?:\.\d+)?)', filename)
+
+            if match:
+                return match.groups()[-1]
+            else:
+                logging.debug('CVEChecker: Version not found in {}'.format(url))
+                raise ValueError
+        else:
+            logging.debug('CVEChecker: Unknown type {}'.format(data_type))
+            raise ValueError
+
+
+CheckerRegistry.register_checker(CVEChecker)

src/lib/externaldata.py

@@ -49,6 +49,7 @@ def __init__(self, data_type, filename, url, checksum, size=-1, arches=[],
         self.arches = arches
         self.type = data_type
         self.checker_data = checker_data
+        self.current_version = None
         self.new_version = None
         self.state = ExternalData.State.UNKNOWN
 

tests/org.cvechecker.Manifest.json

@@ -0,0 +1,31 @@
+{
+    "app-id": "org.cvechecker.Checker",
+    "branch": "stable",
+    "runtime": "org.freedesktop.Platform",
+    "runtime-version": "1.6",
+    "sdk": "org.freedesktop.Sdk",
+    "command": "checker",
+    "finish-args": [
+    ],
+    "modules": [
+        {
+            "name": "phony",
+            "sources": [
+                {
+                    "type": "archive",
+                    "url": "https://some-gibberish-phony-url.phony/releases/pkga-1.2.3.tar.bz2",
+                    "sha256": "000000000000000000000000000000000000000000000000000000000000000000",
+                    "x-checker-data": {
+                        "package-name": "pkga"
+                    }
+                },
+                {
+                    "type": "archive",
+                    "url": "https://some-gibberish-phony-url.phony/releases/pkgb-4.5.6.tar.bz2",
+                    "sha256": "000000000000000000000000000000000000000000000000000000000000000000"
+                }
+            ]
+        }
+    ]
+}
+

tests/test_checker.py

@@ -30,6 +30,7 @@
 import checker
 
 TEST_MANIFEST = os.path.join(tests_dir, 'org.externaldatachecker.Manifest.json')
+CVE_TEST_MANIFEST = os.path.join(tests_dir, 'org.cvechecker.Manifest.json')
 NUM_ARCHIVE_IN_MANIFEST = 1
 NUM_FILE_IN_MANIFEST = 1
 NUM_EXTRA_DATA_IN_MANIFEST = 5
@@ -42,6 +43,30 @@ def check(self, external_data):
         logging.debug('Phony checker checking external data %s and all is always good',
                       external_data.filename)
 
+
+class TestCVEChecker(unittest.TestCase):
+    def setUp(self):
+        logging.basicConfig(level=logging.DEBUG)
+        self.checker = checker.ManifestChecker(CVE_TEST_MANIFEST)
+
+    def test_check(self):
+        ext_data = self.checker.check()
+
+        self.assertEqual(len(ext_data), 2)
+
+        external_data_with_current_version = 0
+        for data in ext_data:
+            if data.current_version:
+                external_data_with_current_version += 1
+
+        # For now expect only 1 as pkg names aren't detected from URL
+        self.assertEqual(external_data_with_current_version, 1)
+
+        # For now just check the current version is correct
+        # later we will supply a new version and plg_name
+        self.assertEqual(ext_data[0].current_version, "1.2.3")
+
+
 class TestExternalDataChecker(unittest.TestCase):
 
     def setUp(self):