This is an implementation of the CPE tagger from the Funtoo Linux Optimization Proposals. The main objective is to tag Funtoo meta-repo catpkgs with their corresponding CPEs.
Check this example: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=openssh
Notice how easy it is to list all CVEs for a given CPE. Using CPEs lets you maintain a reliable CVE tracker for each version of a package that is present in the repo.
- Clone this repo
git clone https://github.com/mrl5/metarepo-cpe-tag/
cd metarepo-cpe-tag/
- Install dependencies:
On Funtoo:
emerge dev-python/click dev-python/requests dev-python/jsonschema
or using pip:
# optional but recommended - use poetry or at least run in venv
pip install .[cli]
or install poetry and run:
poetry shell
poetry install --no-dev --extras cli
- Download the CPE feed. Use the existing script:
./bin/get_cpe_match_feed.py ~/feeds/json
or do it manually:
mkdir -p ~/feeds/json && cd $_
wget https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.gz &&
cd -
- See how it works:
feed=~/feeds/json/nvdcpematch-1.0.json.gz
single_input='{"name": "busybox", "versions": [{"version": "1.29.0"}, {"version": "1.29.3"}, {"version": "1.30.1"}, {"version": "1.31.0"}, {"version": "9999"}]}'
batch_input='[{"name": "busybox", "versions": [{"version": "1.29.3"}, {"version": "1.31.0"}]}, {"name":"libxml2", "versions":[{"version":"2.9.10-r5"}]}]'
export PYTHONPATH=./
./bin/tag_package_with_cpes.py --cpe-match-feed "$feed" "$single_input"
./bin/tag_package_with_cpes.py --cpe-match-feed "$feed" "$batch_input"
- Come back later and update the CPE feed:
./bin/get_cpe_match_feed.py ~/feeds/json
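To show what "tagging a package with CPEs" means in the steps above, here is an added example (not the project's own code) that maps README-style input versions to CPE 2.3 URIs. It assumes the feed has the nvdcpematch-1.0.json layout (a "matches" list of entries with "cpe23Uri" and optional versionStart*/versionEnd* bounds); the entries in SAMPLE_FEED are constructed sample data, and stripping the Funtoo -rN revision suffix is this example's own normalization choice.

```python
import re

# Constructed sample in the assumed shape of nvdcpematch-1.0.json "matches" entries.
SAMPLE_FEED = {
    "matches": [
        {"cpe23Uri": "cpe:2.3:a:busybox:busybox:1.29.3:*:*:*:*:*:*:*"},
        {"cpe23Uri": "cpe:2.3:a:busybox:busybox:1.31.0:*:*:*:*:*:*:*"},
        {"cpe23Uri": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.9.0", "versionEndExcluding": "2.9.11"},
    ]
}

def split_cpe23(uri):
    """Split a CPE 2.3 string into its 13 fields; an escaped colon is not a separator."""
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % uri)
    return parts

def version_key(v):
    """Sort key: numeric parts compare as ints, anything else as text after them."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def normalize_version(v):
    """Strip the Funtoo ebuild revision suffix (-rN); upstream versions lack it."""
    return re.sub(r"-r\d+$", "", v)

def in_range(v, entry):
    # Apply the optional NVD version bounds of a wildcard-version entry.
    k = version_key(v)
    lo_i, lo_x = entry.get("versionStartIncluding"), entry.get("versionStartExcluding")
    hi_i, hi_x = entry.get("versionEndIncluding"), entry.get("versionEndExcluding")
    if lo_i and k < version_key(lo_i) or lo_x and k <= version_key(lo_x):
        return False
    if hi_i and k > version_key(hi_i) or hi_x and k >= version_key(hi_x):
        return False
    return True

def tag_package(pkg, feed=SAMPLE_FEED):
    """Map each version of a README-style input ({"name", "versions"}) to the cpe23Uri
    values covering it; unmatched versions (e.g. the 9999 live ebuild) get []."""
    result = {}
    for item in pkg["versions"]:
        raw = item["version"]
        ver = normalize_version(raw)
        hits = []
        for entry in feed["matches"]:
            parts = split_cpe23(entry["cpe23Uri"])
            if parts[4] != pkg["name"]:           # product field
                continue
            if parts[5] == ver or (parts[5] == "*" and in_range(ver, entry)):
                hits.append(entry["cpe23Uri"])
        result[raw] = hits
    return result
```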
- List CVEs for the packages installed on your system (needs jq):
emerge app-misc/jq
export PYTHONPATH=./
./bin/get_cves_on_system.sh
ls -l dump/
cat dump/*cves.json
Check out CONTRIBUTING