author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-16 15:38:30 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-16 15:38:30 +0100 |
commit | 60926bc1d7d95e0f38e9d953b46a9ed85b7be772 (patch) | |
tree | 35bd3b311e4253bcd73dd938f8eca3b864ccd6d7 | |
parent | f235affc9df0f1882a4f36969355ad0eeb75b6fe (diff) | |
download | vulns-60926bc1d7d95e0f38e9d953b46a9ed85b7be772.tar.gz |
bippy: lots of updates for affected/unaffected json handling
Most is now complete, looks much better.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rwxr-xr-x | scripts/bippy | 108 |
1 files changed, 97 insertions, 11 deletions
diff --git a/scripts/bippy b/scripts/bippy index 989a34f9..40cf54c8 100755 --- a/scripts/bippy +++ b/scripts/bippy @@ -452,6 +452,9 @@ find_mainline_git_id() # Do the crazy matching mess listed up above fe="" ve="" +# the default state is unaffected, unless a mainline kernel is touched, +# and then we will switch it below to affected. +default_status="unaffected" for fixed_entry in ${fixed_kernels[@]}; do create=0 @@ -490,6 +493,7 @@ for fixed_entry in ${fixed_kernels[@]}; do if [[ "${og_vuln}" == "0" ]] ; then if [[ "${fixed_entry_mainline}" == "1" ]]; then create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT} + default_status="affected" else fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry}) create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} ${fe} @@ -511,6 +515,7 @@ for fixed_entry in ${fixed_kernels[@]}; do if [[ "${vuln_entry_mainline}" == "1" ]] ; then if [[ "${fixed_entry_mainline}" == "1" ]]; then create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT} + default_status="affected" else fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry}) create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${fe} @@ -524,6 +529,7 @@ for fixed_entry in ${fixed_kernels[@]}; do if [[ "${match}" == "1" ]] ; then if [[ "${fixed_entry_mainline}" == "1" ]]; then create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT} + default_status="affected" else ve=$(find_stable_git_id ${og_git} ${vuln_entry}) if [[ "${ve}" == "" ]] ; then @@ -543,6 +549,7 @@ for fixed_entry in ${fixed_kernels[@]}; do # If we haven't created anything yet, this must be it if [[ ${create} == 0 ]] ; then create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} "${GIT_SHA_SHORT}" + default_status="affected" fi done @@ -554,6 +561,7 @@ fi for entry in "${fixed_pairs[@]}"; do dbg " ${entry}" done +dbg "default_status=${default_status}" # Generate the "vulnerable" kernel json and mbox information vuln_array_json="" 
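Review bot: The `default_status="affected"` assignment is repeated in four hunks (-490, -511, -524 and -543), each directly after a `create_fix_pair … ${GIT_SHA_SHORT}` call, i.e. whenever a pair is created against the mainline fix, so the same condition is now encoded in four places that must stay in sync. Since every one of those sites is the `fixed_entry_mainline == 1` branch (the -543 fallback also uses `${GIT_SHA_SHORT}`), one assignment keyed on that condition, e.g. `[[ "${fixed_entry_mainline}" == "1" ]] && default_status="affected"` placed once per iteration, or setting it inside `create_fix_pair` when the fix id is the mainline sha, would remove the duplication. The `for fixed_entry` loop begins in the first hunk and its body continues outside the visible hunks, so there may be further branches that also need the flag and are not covered here.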
@@ -561,6 +569,40 @@ vuln_array_mbox=()
 url_array=()
 url_string_json=""
 git_array_json=()
+if [[ "${default_status}" == "affected" ]]; then
+ # we need to now say what the "unaffected" range is, so loop
+ # through and find the "mainline" part to figure that out.
+ for entry in "${fixed_pairs[@]}"; do
+ x=(${entry//:/ })
+ vuln=${x[0]}
+ fix=${x[1]}
+ vuln_git=${x[2]}
+ fix_git=${x[3]}
+
+ if [[ "${vuln}" == "0" ]]; then
+ #FIXME this needs to handle this case
+ dbg "FIXME, vuln=${0}"
+ else
+ version_is_mainline "${vuln}"
+ is_mainline=$?
+ if [[ "${is_mainline}" == "1" ]]; then
+ dbg "adding ${vuln} as where everything was affected"
+ vuln_array_json+="versions[]=$(jo -- \
+ -s version="${vuln}" \
+ -s status="affected" \
+ ) "
+ vuln_array_json+="versions[]=$(jo -- \
+ -s version="0" \
+ -s lessThan="${vuln}" \
+ -s status="unaffected" \
+ -s versionType="custom" \
+ ) "
+ fi
+ break
+ fi
+ done
+fi
+
 for entry in "${fixed_pairs[@]}"; do
 x=(${entry//:/ })
 vuln=${x[0]}
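Review bot: `dbg "FIXME, vuln=${0}"` expands `$0`, the script name, rather than the pair's vulnerable version; it should read `dbg "FIXME, vuln=${vuln}"`. The `break` sits outside the `is_mainline` check, so the loop stops at the first pair whose vuln is non-zero whether or not that pair is mainline; unless `fixed_pairs` is always ordered mainline-first (not visible here), no root "affected"/"unaffected" pair is emitted while the final record still carries `defaultStatus="affected"`, which downstream readers will take as "every version is vulnerable". Moving `break` inside the `if [[ "${is_mainline}" == "1" ]]` branch matches what the comment above the loop says it is looking for. The `vuln == "0"` branch has the same effect today, since it emits no range at all; the FIXME is worth tracking because the gap lands in the published CVE data.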
@@ -569,12 +611,56 @@ for entry in "${fixed_pairs[@]}"; do fix_git=${x[3]} # create the json array for the version numbers - vuln_array_json+="versions[]=$(jo -- \ - -s version="${vuln}" \ - -s lessThan="${fix}" \ - -s status="affected" \ - -s versionType="custom" \ - ) " + if [[ "${default_status}" == "unaffected" ]]; then + # this is easy, our pairs are the versions that are + # affected, no tricky matching needs to happen here + vuln_array_json+="versions[]=$(jo -- \ + -s version="${vuln}" \ + -s lessThan="${fix}" \ + -s status="affected" \ + -s versionType="custom" \ + ) " + else + # much more tricky, we now need to say what ranges are + # both affected, AND unaffected. We handled the + # "affected" range above, so now our pairs show where + # things are "unaffected". + # + # By default, everything is affected from the "root" to + # the commit in mainline, so we have described that + # already above the loop, so this is just going to be + # the affected list... + # + # Note, the "mainline" fix shows where things "stop", + # so that gets a "short" record. + version_is_mainline "${fix}" + is_mainline=$? + if [[ "${is_mainline}" == "1" ]]; then + vuln_array_json+="versions[]=$(jo -- \ + -s version="${fix}" \ + -s lessThanOrEqual="*" \ + -s status="unaffected" \ + -s versionType="original_commit_for_fix" \ + ) " + else + # This is a stable range, so make an unaffected + # range with a wildcard + number_array=${fix} + REL_ARRAY=(${fix//./ }) + MAJOR=${REL_ARRAY[0]} + MINOR=${REL_ARRAY[1]} + vuln_array_json+="versions[]=$(jo -- \ + -s version="${fix}" \ + -s lessThanOrEqual="${MAJOR}.${MINOR}.*" \ + -s status="unaffected" \ + -s versionType="custom" \ + ) " + fi + # FIXME, I think we need more logic here, but I can't + # remember why... + + fi + # create the json array for the git ids git_array_json+="versions[]=$(jo -- \ 
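Review bot: In the stable branch of the new `else`, `number_array=${fix}` is assigned and never read, and `REL_ARRAY`/`MAJOR`/`MINOR` are upper-case names for loop-scoped temporaries (the script's other locals here, `vuln`, `fix`, `is_mainline`, are lower-case); drop the unused line and use `rel_array`, `major`, `minor`. `MINOR` is taken blindly from the second dotted field, so a `fix` with fewer than two components would emit `lessThanOrEqual="X..*"`; mainline versions are filtered out just above, so this may be unreachable, but a guard such as `(( ${#REL_ARRAY[@]} >= 3 )) ||` followed by the script's usual error path would make a malformed range impossible to publish. The long comment block also says "so this is just going to be the affected list..." while the records it introduces all carry `status="unaffected"`; rewording that line to `# the unaffected list...` keeps the comment from contradicting the code.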
@@ -675,11 +761,11 @@ if [[ "${JSON_FILE}" != "" ]] ; then # We want vuln_array_json to be expanded without quotes # shellcheck disable=SC2086 a=$(jo -- \ - product="Linux" \ - vendor="Linux" \ - defaultStatus="affected" \ - ${vuln_array_json} \ - ${git_array_json} \ + product="Linux" \ + vendor="Linux" \ + defaultStatus="${default_status}" \ + ${vuln_array_json} \ + ${git_array_json} \ ) affected=$(jo -a -- "${a}") |