cpe/predict-cpe.py at main · gardenlinux/cpe · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
"""CPE.

Usage:
  predict-cpe.py [-p | --print] [-o] <RELEASE>
  predict-cpe.py (-h | --help)
  predict-cpe.py --version

Options:
  -h --help     Show this screen.
  --version     Show version.
"""


import nvdlib
import datetime

from docopt import docopt

from glrd import *

from github import Github
from os import mkdir,access, F_OK
from sys import exit

from requests.exceptions import ReadTimeout, HTTPError


def write_to_disk(new_release, new_cpe, overwrite):
  # ToDo:
  # Right now we write this into a file, we should upload this to GH instead then.
  if not access(new_release, F_OK):
    mkdir(new_release)

  if overwrite:
      with open(f"{new_release}/gardenlinux-cpe.json", 'w+') as file:
          file.write(str(new_cpe).replace("'","\"").replace('False','false'))
  else:
    try:
          with open(f"{new_release}/gardenlinux-cpe.json", 'w') as file:
                file.write(str(new_cpe).replace("'","\"").replace('False','false'))
    except FileExistsError:
        print("File was already written, use -o to overwrite it!.")
        sys.exit("-1")


def rewrite_CPE(old_release_cpe, new_release, gh_release):
    """
    This function will take a vaild CPE entry and rewrites its entry to representation of the new
    release.
    """

    # Get the release we have in the CPU
    release = old_release_cpe.titles[0].title.split(" ")[-1]

    # Replace the local entry with the new one
    old_release_cpe.cpeName = old_release_cpe.cpeName.replace(release, new_release)
    old_release_cpe.cpeNameId = ''
    old_release_cpe.created = gh_release.created_at.isoformat()
    old_release_cpe.lastModified = gh_release.created_at.isoformat()
    old_release_cpe.titles[0].title = old_release_cpe.titles[0].title.replace(release, new_release)
    # This data set should overwrite it. However, it seems that at times the data maintained by
    # NIST is inconsistent.
    #old_release_cpe.refs[2].ref =  old_release_cpe.refs[2].ref.replace(release, new_release)
    old_release_cpe.refs = []
    old_release_cpe.refs.append({'ref':f"https://github.com/gardenlinux/gardenlinux/releases/tag/{new_release}",'type': 'Version'})

    return old_release_cpe


def get_gh_release(gh_repo, release):
    gh_releases = gh_repo.get_releases()
    for gh_release in gh_releases:
        if gh_release.title == arguments['<RELEASE>']:
            return gh_release
    return None


if __name__ == "__main__":
    arguments = docopt(__doc__, version="Get CVES 0.1")

    match arguments:
        case {'<RELEASE>': new_release}:
            print("Trying to talk to nvd...")
            try:
              CPEs = nvdlib.searchCPE(keywordSearch='gardenlinux')
            except ReadTimeout:
              print("Timeout occurred")
              exit(-1)
            except HTTPError:
              print("503 occurred")
              exit(-1)

            print("Got the CVE objects")

            g = Github()
            repo = g.get_repo("gardenlinux/gardenlinux")
            # ToDo: Write a function that validates that this is a vaild GH release.

            gh_release = get_gh_release(repo, new_release)
            new_cpe = rewrite_CPE(CPEs[-1], gh_release.title, gh_release)
            if arguments['-p'] or arguments['--print']:
              print(str(new_cpe).replace("'","\"").replace('False','false'))
            write_to_disk(new_release, new_cpe, arguments['-o'])
        case _:
            print(arguments)