1 files changed, 379 insertions, 0 deletions
diff --git a/scripts/cvert-kernel b/scripts/cvert-kernel
new file mode 100755
index 0000000..adf2692
--- /dev/null
+++ b/scripts/cvert-kernel
@@ -0,0 +1,379 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2018 by Cisco Systems, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+""" Generate CVE report for the given Linux kernel GIT branch
+"""
+import re
+import sys
+import argparse
+import textwrap
+import subprocess
+import logging
+import logging.config
+import cvert
+def report_kernel():
+    """Generate Linux kernel CVE report"""
+    parser = argparse.ArgumentParser(
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        description=textwrap.dedent("""
+        Generate CVE report for the Linux kernel.
+        Inspect Linux kernel GIT tree and find all CVE patches commits.
+        """),
+        epilog=textwrap.dedent("""
+        @ run examples:
+        # Download (update) NVD feeds in "nvdfeed" directory
+        # and prepare the report for the "kernel-sources" directory
+        %% %(prog)s --feed-dir nvdfeed --output report-kernel.txt kernel-sources
+        # Use existed NVD feeds in "nvdfeed" directory
+        # and prepare the report for the "kernel-sources" directory
+        %% %(prog)s --offline --feed-dir nvdfeed --output report-kernel.txt kernel-sources
+        # (faster) Restore CVE dump from "cvedump" (must exist)
+        # and prepare the report for the "kernel-sources" directory
+        %% %(prog)s --restore cvedump --output report-kernel.txt kernel-sources
+        # Restore CVE dump from "cvedump" (must exist)
+        # and prepare the extended report for the "kernel-sources" directory
+        %% %(prog)s --restore cvedump --show-description --show-reference --output report-kernel.txt kernel-sources
+        @ report example output (NVD resource):
+        # 2018-10-10 15:41:52,213 %% CVERT %% INFO     %% kernel version: 4.9.132
+        . patched |  3.3 | CVE-2017-17807     | nvd: KEYS: add missing permission check for request_key() destination
+        unpatched |  3.3 | CVE-2017-17864     | 
+        unpatched |  4.4 | CVE-2016-9604      | 
+        unpatched |  4.4 | CVE-2017-12153     | 
+        unpatched |  4.4 | CVE-2017-14051     | 
+        . patched |  4.6 | CVE-2017-8924      | nvd: USB: serial: io_ti: fix information leak in completion handler
+        unpatched |  4.7 | CVE-2017-17449     | 
+        . patched |  4.7 | CVE-2017-18203     | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
+        . patched |  4.7 | CVE-2017-18224     | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
+        . patched |  4.7 | CVE-2018-1065      | nvd: netfilter: add back stackpointer size checks
+        ...
+        @ report example output (NVD+LKC resource):
+        # 2018-10-10 15:46:05,902 %% CVERT %% INFO     %% kernel version: 4.9.132
+        . patched |  3.3 | CVE-2017-17807     | nvd: KEYS: add missing permission check for request_key() destination
+        unpatched |  3.3 | CVE-2017-17864     | 
+        . patched |  4.4 | CVE-2016-9604      | lkc: a5c6e0a76817a3751f58d761aaff7c0b0c4001ff
+        . patched |  4.4 | CVE-2017-12153     | lkc: c820441a7a52e3626aede8df94069a50a9e4efdb
+        . patched |  4.4 | CVE-2017-14051     | lkc: 2a913aecc4f746ce15eb1bec98b134aff4190ae2
+        . patched |  4.6 | CVE-2017-8924      | nvd: USB: serial: io_ti: fix information leak in completion handler
+        . patched |  4.7 | CVE-2017-17449     | lkc: 0b18782288a2f1c2a25e85d2553c15ea83bb5802
+        . patched |  4.7 | CVE-2017-18203     | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
+        . patched |  4.7 | CVE-2017-18224     | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
+        . patched |  4.7 | CVE-2018-1065      | nvd: netfilter: add back stackpointer size checks
+        ...
+        """))
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument("-f", "--feed-dir", help="feeds directory")
+    group.add_argument("-d", "--restore", help="load CVE data structures from file",
+                       metavar="FILENAME")
+    parser.add_argument("--offline", help="do not update from NVD site",
+                        action="store_true")
+    parser.add_argument("-o", "--output", help="save report to the file")
+    parser.add_argument("-k", "--kernel-ver", help='overwrite kernel version, '
+                                                   'default is "make kernelversion"',
+                        metavar="VERSION")
+    parser.add_argument("--show-description", help='show "Description" in the report',
+                        action="store_true")
+    parser.add_argument("--show-reference", help='show "Reference" in the report',
+                        action="store_true")
+    parser.add_argument("-r", "--resource", help='resources: e.g.: "--resource nvd lkc"',
+                        nargs="+", default=["nvd"])
+    parser.add_argument("--patched", help="patched CVE IDs",
+                        nargs="+", default=[])
+    parser.add_argument("--debug", help="print debug messages",
+                        action="store_true")
+    parser.add_argument("kernel_dir", help="kernel GIT directory",
+                        metavar="kernel-dir")
+    args = parser.parse_args()
+    logging.config.dictConfig(cvert.logconfig(args.debug))
+    kernel_dir = args.kernel_dir
+    if args.restore:
+        cve_struct = cvert.load_cve(args.restore)
+    elif args.feed_dir:
+        cve_struct = cvert.update_feeds(args.feed_dir, args.offline)
+    if not cve_struct and args.offline:
+        parser.error("No CVEs found. Try to turn off offline mode or use other file to restore.")
+    if args.output:
+        output = open(args.output, "w")
+    else:
+        output = sys.stdout
+    if args.kernel_ver:
+        kernel_ver = args.kernel_ver
+    else:
+        kernel_ver = get_version(kernel_dir)
+    logging.info("kernel version: %s", kernel_ver)
+    if "lkc" in args.resource:
+        lkc_ctx = prepare_lkc()
+    commits = get_commits(kernel_dir)
+    report = cvert.generate_report({"linux_kernel": {kernel_ver: list(args.patched)}}, cve_struct)
+    for cve in report:
+        cve["comment"] = ""
+        if "nvd" in args.resource and cve["status"] == "unpatched":
+            process_nvd(cve, kernel_dir, commits)
+        if "lkc" in args.resource and cve["status"] == "unpatched":
+            process_lkc(cve, kernel_dir, commits, lkc_ctx)
+    print_report(report,
+                 show_description=args.show_description,
+                 show_reference=args.show_reference,
+                 output=output)
+    if args.output:
+        output.close()
+def process_nvd(cve, kernel_dir, commits):
+    """Process NVD references.
+    Sometimes NVD "Reference" contains a link to the commit in the GIT
+    upstream mainline.
+    First, look if we have that commit ID in the current local GIT
+    branch. It happens if you created local branch after CVE has been
+    fixed in mainline.
+    Otherwise, don't give up, and try to find the same headline
+    commit. It works if local GIT tree has up-to-date mainline branch
+    fetched.
+    That is all we can do having only mainline commit ID.
+    """
+    for url in cve["reference"]:
+        iden = get_iden(url)
+        if iden and iden in commits["iden"]:
+            mark_patched(cve, "nvd: {0}".format(iden.decode()))
+            return
+        head = get_headline(kernel_dir, iden)
+        if head and head in commits["head"]:
+            mark_patched(cve, "nvd: {0}".format(head.decode()))
+            return
+def process_lkc(cve, kernel_dir, commits, ctx):
+    """Process Linux Kernel CVEs approach
+    [https://github.com/nluedtke/linux_kernel_cves]
+    "kernel" context contains mainline "fixes" commit ID. So, check
+    with that first.
+    "stream" context contains backported "cmd_id" for other upstream
+    branches. Check accordingly.
+    If no commit ID found in local current branch, than look for the
+    same headline commits. Rarely backported commit has different
+    headline, so look at the "cmt_msg" first.
+    """
+    iden_candidats = []
+    try:
+        iden = ctx["kernel"][cve["CVE"]]["fixes"].encode()
+    except KeyError:
+        logging.debug("%s: commit ID not found", cve["CVE"])
+        iden = None
+    if iden:
+        iden_candidats.append(iden)
+        if iden in commits["iden"]:
+            mark_patched(cve, "lkc: {0}".format(iden.decode()))
+            return
+    if cve["CVE"] in ctx["stream"]:
+        for kver in ctx["stream"][cve["CVE"]]:
+            try:
+                iden = ctx["stream"][cve["CVE"]][kver]["cmt_id"].encode()
+            except KeyError:
+                logging.debug("%s: commit ID not found", cve["CVE"])
+                iden = None
+            if iden:
+                iden_candidats.append(iden)
+                if iden in commits["iden"]:
+                    mark_patched(cve, "lkc: {0}".format(iden.decode()))
+                    return
+    try:
+        head = ctx["kernel"][cve["CVE"]]["cmt_msg"].encode()
+    except KeyError:
+        logging.debug("%s: commit message header not found", cve["CVE"])
+        head = None
+    if head and head in commits["head"]:
+        mark_patched(cve, "lkc: {0}".format(head.decode()))
+        return
+    # last chance
+    for iden in iden_candidats:
+        head = get_headline(kernel_dir, iden)
+        if head and head in commits["head"]:
+            mark_patched(cve, "lkc: {0}".format(head.decode()))
+            return
+def prepare_lkc():
+    """Prepare LKC context."""
+    import urllib.request
+    import json
+    ctx = {}
+    url_base = "https://github.com/nluedtke/linux_kernel_cves/raw/master"
+    with urllib.request.urlopen(url_base + "/kernel_cves.json") as url:
+        ctx["kernel"] = json.loads(url.read().decode())
+    with urllib.request.urlopen(url_base + "/stream_fixes.json") as url:
+        ctx["stream"] = json.loads(url.read().decode())
+    return ctx
+def mark_patched(cve, comment=""):
+    """Put a "patched" mark for the CVE."""
+    cve["status"] = "patched"
+    cve["comment"] = comment
+def get_version(kernel_dir):
+    """Return kernel version."""
+    return subprocess.check_output(
+        ["make", "kernelversion"],
+        cwd=kernel_dir,
+        stderr=subprocess.DEVNULL
+    ).decode().rstrip()
+def get_commits(kernel_dir):
+    """Return GIT commits dict."""
+    commits = {"iden": [], "head": []}
+    for gitlog in subprocess.check_output(["git", "log", "--format=%H %s"],
+                                          cwd=kernel_dir,
+                                          stderr=subprocess.DEVNULL
+                                         ).splitlines():
+        oneline = gitlog.split(maxsplit=1)
+        if len(oneline) > 1:
+            commits["head"].append(oneline[1])
+        else:
+            commits["head"].append(b"")
+        commits["iden"].append(oneline[0])
+    return commits
+def get_iden(url):
+    """Return kernel commit ID from URL."""
+    commit_re = [
+        r"^http://git\.kernel\.org/cgit/linux/kernel/git/torvalds/linux\.git/commit/\?id=(.+)$",
+        r"^https?://github\.com/torvalds/linux/commit/(.+)$"
+    ]
+    for regexp in commit_re:
+        matched = re.match(regexp, url)
+        if matched:
+            return matched.group(1)
+    return None
+def get_headline(kernel_dir, iden):
+    """Return commit headline."""
+    if not iden:
+        return None
+    try:
+        head = subprocess.check_output(["git", "show",
+                                        "--no-patch",
+                                        "--format=%s",
+                                        iden],
+                                       cwd=kernel_dir,
+                                       stderr=subprocess.DEVNULL
+                                      ).rstrip()
+    except subprocess.CalledProcessError:
+        logging.debug("%s: commit ID not found", iden)
+        head = None
+    return head
+def print_report(report, width=70, show_description=False, show_reference=False, output=sys.stdout):
+    """Output kernel report."""
+    for cve in report:
+        print("{0:>9s} | {1:>4s} | {2:18s} | {3}".format(cve["status"], cve["CVSS"],
+                                                         cve["CVE"], cve["comment"]),
+              file=output)
+        if show_description:
+            print("{0:>9s} + {1}".format(" ", "Description"), file=output)
+            for lin in textwrap.wrap(cve["description"], width=width):
+                print("{0:>9s}   {1}".format(" ", lin), file=output)
+        if show_reference:
+            print("{0:>9s} + {1}".format(" ", "Reference"), file=output)
+            for url in cve["reference"]:
+                print("{0:>9s}   {1}".format(" ", url), file=output)
+if __name__ == "__main__":
+    report_kernel()

diff --git a/scripts/cvert-kernel b/scripts/cvert-kernel new file mode 100755 index 0000000..adf2692 --- /dev/null +++ b/scripts/cvert-kernel
@@ -0,0 +1,379 @@
	1	#!/usr/bin/env python3
	2	#
	3	# Copyright (c) 2018 by Cisco Systems, Inc.
	4	#
	5	# This program is free software; you can redistribute it and/or modify
	6	# it under the terms of the GNU General Public License version 2 as
	7	# published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License along
	15	# with this program; if not, write to the Free Software Foundation, Inc.,
	16	# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	17	#
	18
	19	""" Generate CVE report for the given Linux kernel GIT branch
	20	"""
	21
	22	import re
	23	import sys
	24	import argparse
	25	import textwrap
	26	import subprocess
	27	import logging
	28	import logging.config
	29	import cvert
	30
	31
	32	def report_kernel():
	33	"""Generate Linux kernel CVE report"""
	34
	35	parser = argparse.ArgumentParser(
	36	formatter_class=argparse.RawDescriptionHelpFormatter,
	37	description=textwrap.dedent("""
	38	Generate CVE report for the Linux kernel.
	39	Inspect Linux kernel GIT tree and find all CVE patches commits.
	40	"""),
	41	epilog=textwrap.dedent("""
	42	@ run examples:
	43
	44	# Download (update) NVD feeds in "nvdfeed" directory
	45	# and prepare the report for the "kernel-sources" directory
	46	%% %(prog)s --feed-dir nvdfeed --output report-kernel.txt kernel-sources
	47
	48	# Use existed NVD feeds in "nvdfeed" directory
	49	# and prepare the report for the "kernel-sources" directory
	50	%% %(prog)s --offline --feed-dir nvdfeed --output report-kernel.txt kernel-sources
	51
	52	# (faster) Restore CVE dump from "cvedump" (must exist)
	53	# and prepare the report for the "kernel-sources" directory
	54	%% %(prog)s --restore cvedump --output report-kernel.txt kernel-sources
	55
	56	# Restore CVE dump from "cvedump" (must exist)
	57	# and prepare the extended report for the "kernel-sources" directory
	58	%% %(prog)s --restore cvedump --show-description --show-reference --output report-kernel.txt kernel-sources
	59
	60	@ report example output (NVD resource):
	61
	62	# 2018-10-10 15:41:52,213 %% CVERT %% INFO %% kernel version: 4.9.132
	63	. patched \| 3.3 \| CVE-2017-17807 \| nvd: KEYS: add missing permission check for request_key() destination
	64	unpatched \| 3.3 \| CVE-2017-17864 \|
	65	unpatched \| 4.4 \| CVE-2016-9604 \|
	66	unpatched \| 4.4 \| CVE-2017-12153 \|
	67	unpatched \| 4.4 \| CVE-2017-14051 \|
	68	. patched \| 4.6 \| CVE-2017-8924 \| nvd: USB: serial: io_ti: fix information leak in completion handler
	69	unpatched \| 4.7 \| CVE-2017-17449 \|
	70	. patched \| 4.7 \| CVE-2017-18203 \| nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
	71	. patched \| 4.7 \| CVE-2017-18224 \| nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
	72	. patched \| 4.7 \| CVE-2018-1065 \| nvd: netfilter: add back stackpointer size checks
	73	...
	74
	75	@ report example output (NVD+LKC resource):
	76
	77	# 2018-10-10 15:46:05,902 %% CVERT %% INFO %% kernel version: 4.9.132
	78	. patched \| 3.3 \| CVE-2017-17807 \| nvd: KEYS: add missing permission check for request_key() destination
	79	unpatched \| 3.3 \| CVE-2017-17864 \|
	80	. patched \| 4.4 \| CVE-2016-9604 \| lkc: a5c6e0a76817a3751f58d761aaff7c0b0c4001ff
	81	. patched \| 4.4 \| CVE-2017-12153 \| lkc: c820441a7a52e3626aede8df94069a50a9e4efdb
	82	. patched \| 4.4 \| CVE-2017-14051 \| lkc: 2a913aecc4f746ce15eb1bec98b134aff4190ae2
	83	. patched \| 4.6 \| CVE-2017-8924 \| nvd: USB: serial: io_ti: fix information leak in completion handler
	84	. patched \| 4.7 \| CVE-2017-17449 \| lkc: 0b18782288a2f1c2a25e85d2553c15ea83bb5802
	85	. patched \| 4.7 \| CVE-2017-18203 \| nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
	86	. patched \| 4.7 \| CVE-2017-18224 \| nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
	87	. patched \| 4.7 \| CVE-2018-1065 \| nvd: netfilter: add back stackpointer size checks
	88	...
	89	"""))
	90
	91	group = parser.add_mutually_exclusive_group(required=True)
	92	group.add_argument("-f", "--feed-dir", help="feeds directory")
	93	group.add_argument("-d", "--restore", help="load CVE data structures from file",
	94	metavar="FILENAME")
	95	parser.add_argument("--offline", help="do not update from NVD site",
	96	action="store_true")
	97	parser.add_argument("-o", "--output", help="save report to the file")
	98	parser.add_argument("-k", "--kernel-ver", help='overwrite kernel version, '
	99	'default is "make kernelversion"',
	100	metavar="VERSION")
	101	parser.add_argument("--show-description", help='show "Description" in the report',
	102	action="store_true")
	103	parser.add_argument("--show-reference", help='show "Reference" in the report',
	104	action="store_true")
	105	parser.add_argument("-r", "--resource", help='resources: e.g.: "--resource nvd lkc"',
	106	nargs="+", default=["nvd"])
	107	parser.add_argument("--patched", help="patched CVE IDs",
	108	nargs="+", default=[])
	109	parser.add_argument("--debug", help="print debug messages",
	110	action="store_true")
	111
	112	parser.add_argument("kernel_dir", help="kernel GIT directory",
	113	metavar="kernel-dir")
	114
	115	args = parser.parse_args()
	116
	117	logging.config.dictConfig(cvert.logconfig(args.debug))
	118
	119	kernel_dir = args.kernel_dir
	120
	121	if args.restore:
	122	cve_struct = cvert.load_cve(args.restore)
	123	elif args.feed_dir:
	124	cve_struct = cvert.update_feeds(args.feed_dir, args.offline)
	125
	126	if not cve_struct and args.offline:
	127	parser.error("No CVEs found. Try to turn off offline mode or use other file to restore.")
	128
	129	if args.output:
	130	output = open(args.output, "w")
	131	else:
	132	output = sys.stdout
	133
	134	if args.kernel_ver:
	135	kernel_ver = args.kernel_ver
	136	else:
	137	kernel_ver = get_version(kernel_dir)
	138
	139	logging.info("kernel version: %s", kernel_ver)
	140
	141	if "lkc" in args.resource:
	142	lkc_ctx = prepare_lkc()
	143
	144	commits = get_commits(kernel_dir)
	145	report = cvert.generate_report({"linux_kernel": {kernel_ver: list(args.patched)}}, cve_struct)
	146
	147	for cve in report:
	148	cve["comment"] = ""
	149
	150	if "nvd" in args.resource and cve["status"] == "unpatched":
	151	process_nvd(cve, kernel_dir, commits)
	152
	153	if "lkc" in args.resource and cve["status"] == "unpatched":
	154	process_lkc(cve, kernel_dir, commits, lkc_ctx)
	155
	156	print_report(report,
	157	show_description=args.show_description,
	158	show_reference=args.show_reference,
	159	output=output)
	160
	161	if args.output:
	162	output.close()
	163
	164
	165	def process_nvd(cve, kernel_dir, commits):
	166	"""Process NVD references.
	167
	168	Sometimes NVD "Reference" contains a link to the commit in the GIT
	169	upstream mainline.
	170
	171	First, look if we have that commit ID in the current local GIT
	172	branch. It happens if you created local branch after CVE has been
	173	fixed in mainline.
	174
	175	Otherwise, don't give up, and try to find the same headline
	176	commit. It works if local GIT tree has up-to-date mainline branch
	177	fetched.
	178
	179	That is all we can do having only mainline commit ID.
	180
	181	"""
	182
	183	for url in cve["reference"]:
	184	iden = get_iden(url)
	185
	186	if iden and iden in commits["iden"]:
	187	mark_patched(cve, "nvd: {0}".format(iden.decode()))
	188	return
	189
	190	head = get_headline(kernel_dir, iden)
	191
	192	if head and head in commits["head"]:
	193	mark_patched(cve, "nvd: {0}".format(head.decode()))
	194	return
	195
	196
	197	def process_lkc(cve, kernel_dir, commits, ctx):
	198	"""Process Linux Kernel CVEs approach
	199
	200	[https://github.com/nluedtke/linux_kernel_cves]
	201
	202	"kernel" context contains mainline "fixes" commit ID. So, check
	203	with that first.
	204
	205	"stream" context contains backported "cmd_id" for other upstream
	206	branches. Check accordingly.
	207
	208	If no commit ID found in local current branch, than look for the
	209	same headline commits. Rarely backported commit has different
	210	headline, so look at the "cmt_msg" first.
	211
	212	"""
	213
	214	iden_candidats = []
	215
	216	try:
	217	iden = ctx["kernel"][cve["CVE"]]["fixes"].encode()
	218	except KeyError:
	219	logging.debug("%s: commit ID not found", cve["CVE"])
	220	iden = None
	221
	222	if iden:
	223	iden_candidats.append(iden)
	224
	225	if iden in commits["iden"]:
	226	mark_patched(cve, "lkc: {0}".format(iden.decode()))
	227	return
	228
	229	if cve["CVE"] in ctx["stream"]:
	230	for kver in ctx["stream"][cve["CVE"]]:
	231	try:
	232	iden = ctx["stream"][cve["CVE"]][kver]["cmt_id"].encode()
	233	except KeyError:
	234	logging.debug("%s: commit ID not found", cve["CVE"])
	235	iden = None
	236
	237	if iden:
	238	iden_candidats.append(iden)
	239
	240	if iden in commits["iden"]:
	241	mark_patched(cve, "lkc: {0}".format(iden.decode()))
	242	return
	243
	244	try:
	245	head = ctx["kernel"][cve["CVE"]]["cmt_msg"].encode()
	246	except KeyError:
	247	logging.debug("%s: commit message header not found", cve["CVE"])
	248	head = None
	249
	250	if head and head in commits["head"]:
	251	mark_patched(cve, "lkc: {0}".format(head.decode()))
	252	return
	253
	254	# last chance
	255	for iden in iden_candidats:
	256	head = get_headline(kernel_dir, iden)
	257
	258	if head and head in commits["head"]:
	259	mark_patched(cve, "lkc: {0}".format(head.decode()))
	260	return
	261
	262
	263	def prepare_lkc():
	264	"""Prepare LKC context."""
	265
	266	import urllib.request
	267	import json
	268
	269	ctx = {}
	270	url_base = "https://github.com/nluedtke/linux_kernel_cves/raw/master"
	271
	272	with urllib.request.urlopen(url_base + "/kernel_cves.json") as url:
	273	ctx["kernel"] = json.loads(url.read().decode())
	274
	275	with urllib.request.urlopen(url_base + "/stream_fixes.json") as url:
	276	ctx["stream"] = json.loads(url.read().decode())
	277
	278	return ctx
	279
	280
	281	def mark_patched(cve, comment=""):
	282	"""Put a "patched" mark for the CVE."""
	283
	284	cve["status"] = "patched"
	285	cve["comment"] = comment
	286
	287
	288	def get_version(kernel_dir):
	289	"""Return kernel version."""
	290
	291	return subprocess.check_output(
	292	["make", "kernelversion"],
	293	cwd=kernel_dir,
	294	stderr=subprocess.DEVNULL
	295	).decode().rstrip()
	296
	297
	298	def get_commits(kernel_dir):
	299	"""Return GIT commits dict."""
	300
	301	commits = {"iden": [], "head": []}
	302
	303	for gitlog in subprocess.check_output(["git", "log", "--format=%H %s"],
	304	cwd=kernel_dir,
	305	stderr=subprocess.DEVNULL
	306	).splitlines():
	307	oneline = gitlog.split(maxsplit=1)
	308
	309	if len(oneline) > 1:
	310	commits["head"].append(oneline[1])
	311	else:
	312	commits["head"].append(b"")
	313
	314	commits["iden"].append(oneline[0])
	315
	316	return commits
	317
	318
	319	def get_iden(url):
	320	"""Return kernel commit ID from URL."""
	321
	322	commit_re = [
	323	r"^http://git\.kernel\.org/cgit/linux/kernel/git/torvalds/linux\.git/commit/\?id=(.+)$",
	324	r"^https?://github\.com/torvalds/linux/commit/(.+)$"
	325	]
	326
	327	for regexp in commit_re:
	328	matched = re.match(regexp, url)
	329
	330	if matched:
	331	return matched.group(1)
	332
	333	return None
	334
	335
	336	def get_headline(kernel_dir, iden):
	337	"""Return commit headline."""
	338
	339	if not iden:
	340	return None
	341
	342	try:
	343	head = subprocess.check_output(["git", "show",
	344	"--no-patch",
	345	"--format=%s",
	346	iden],
	347	cwd=kernel_dir,
	348	stderr=subprocess.DEVNULL
	349	).rstrip()
	350	except subprocess.CalledProcessError:
	351	logging.debug("%s: commit ID not found", iden)
	352	head = None
	353
	354	return head
	355
	356
	357	def print_report(report, width=70, show_description=False, show_reference=False, output=sys.stdout):
	358	"""Output kernel report."""
	359
	360	for cve in report:
	361	print("{0:>9s} \| {1:>4s} \| {2:18s} \| {3}".format(cve["status"], cve["CVSS"],
	362	cve["CVE"], cve["comment"]),
	363	file=output)
	364
	365	if show_description:
	366	print("{0:>9s} + {1}".format(" ", "Description"), file=output)
	367
	368	for lin in textwrap.wrap(cve["description"], width=width):
	369	print("{0:>9s} {1}".format(" ", lin), file=output)
	370
	371	if show_reference:
	372	print("{0:>9s} + {1}".format(" ", "Reference"), file=output)
	373
	374	for url in cve["reference"]:
	375	print("{0:>9s} {1}".format(" ", url), file=output)
	376
	377
	378	if __name__ == "__main__":
	379	report_kernel()