Package cve-manager: Specfile

%define cve_group  cve
%define backup     cve-backup
%define history    cve-history
%define download   cve-download
%define import     cve-import
%define map        cpe-map
%define issues     cve-issues
%define monitor    cve-monitor
%define mail       cve-mail
%define libcommon  libcve-manager
%define common     %{name}-common
%define python3_sp /usr/lib/python3/site-packages
%define common_sp  %{python3_sp}/cve_manager
%define map_sp     %{python3_sp}/cpe_map
%define choice_sp  %{python3_sp}/cpe_map_choice
%define issues_sp  %{python3_sp}/cve_issues
%define monitor_sp %{python3_sp}/cve_monitor
%define knowledge  %{name}-inner-knowledge

%define lcontrolpp_ver 0.29
%define ltree_ver      0.8
%define ax_ver         0.16
%define knowledge_ver  2022.04.13

Name: cve-manager
Version: 0.67.2
Release: alt1

Summary: CVE-management toolkit
License: GPLv3
Group: Other
Url: https://www.altlinux.org/CVE-Manager

Packager: Alexey Appolonov <alexey@altlinux.org>

# http://git.altlinux.org/people/alexey/packages/?p=cve-manager.git
Source: %{name}-%{version}.tar

# For cve-import
BuildRequires: gcc-c++
BuildRequires: libcontrol++-devel >= %{lcontrolpp_ver}
BuildRequires: libtree-devel >= %{ltree_ver}
BuildRequires: libmysqlcppconn-devel
BuildRequires: libcurl-devel

# For py-modules
BuildRequires: rpm-build-python3
Requires: python3
Requires: python3-module-ax >= %{ax_ver}
Requires: python3-module-mysql
Requires: python3-module-Levenshtein
Requires(pre): %{common}
Requires: %{libcommon}
Requires: %{backup}
Requires: %{history}
Requires: %{download}
Requires: %{import}
Requires: %{map}
Requires: %{issues}
Requires: %{monitor}

ExclusiveArch: x86_64

%description
%{name} is a toolkit of utilities used to form a database of vulnerabilities
(VUL DB) using MySQL, and to provide an easy interface to that DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{backup}
Summary: CVE DB backupper/restorer
Group: Other

Requires: %{common}

%description -n %{backup}
%{backup} is a utility used to back up and restore a VUL DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{history}
Summary: Tracker of CVE-dynamics
Group: Other

Requires: %{common}

%description -n %{history}
%{history} is a utility used to save records about currently unfixed issues
detected with the cve-issues module and to save a current map of names of
products to names of packages.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{download}
Summary: CVE-lists and CPE dictionary downloader
Group: Other

Requires: %{common}
Requires: python3-module-requests
Requires: git-core

%description -n %{download}
%{download} is a utility used to download lists with descriptions of
vulnerabilities (from various sources) and a CPE dictionary via HTTPS.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{import}
Summary: Data parser and MySQL DB importer
Group: Other

Requires: %{common}
Requires: %{libcommon}
Requires: libcontrol++ >= %{lcontrolpp_ver}

Obsoletes: cve-fixes

%description -n %{import}
%{import} is a utility used to import lists of packages of examined repos,
various lists with descriptions of vulnerabilities (in JSON and XML format)
and a CPE dictionary into VUL DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{map}
Summary: CPE list to software packages list mapper
Group: Other

Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}

%description -n %{map}
%{map} is a utility used to map names of products used in descriptions
of vulnerabilities (imported to a VUL DB) to names of packages (--//--).

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{issues}
Summary: CVE-issues detector
Group: Other

Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}

%description -n %{issues}
%{issues} is a utility used to detect issues related to vulnerabilities of
the packages and then create records for those issues in a VUL DB for later
access via cve-monitor and cve-history modules.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{monitor}
Summary: CVE database monitor
Group: Other

Requires: %{common}

%description -n %{monitor}
%{monitor} is a utility used to query VUL DB and form human-readable reports
that can be sent via SMTP on request.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{libcommon}
Summary: C++ lib with common functionality
Group: Other

Requires: libtree >= %{ltree_ver}

%description -n %{libcommon}
C++ library with common functionality such as connecting to MySQL DB and
parsing the main configuration file.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{common}
Summary: Common files of the CVE manager
Group: Other

%description -n %{common}
Common files such as a config file and a cve-manager py-library.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%prep
%setup

%build
%make_build -C libcve-manager/
%make_build -C cve-import/

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%install

# Preparing dirs
mkdir -p \
	%{buildroot}%{_bindir} \
	%{buildroot}%{_libdir} \
	%{buildroot}%{_defaultdocdir}/%{name} \
	%{buildroot}%{_sysconfdir}/%{name} \
	%{buildroot}%{map_sp} \
	%{buildroot}%{choice_sp} \
	%{buildroot}%{issues_sp} \
	%{buildroot}%{monitor_sp} \
	%{buildroot}%{common_sp}

# Installing executables
install -m0750 \
	%{import}/bin/%{import} \
	%{name} \
	%{backup} \
	%{history} \
	%{download} \
	%{map}* \
	%{issues} \
	%{buildroot}%{_bindir}
install -m0755 \
	%{monitor} \
	%{buildroot}%{_bindir}
install -m0750 cpe_map/*        %{buildroot}%{map_sp}
install -m0750 cpe_map_choice/* %{buildroot}%{choice_sp}
install -m0750 cve_issues/*     %{buildroot}%{issues_sp}
install -m0755 cve_monitor/*    %{buildroot}%{monitor_sp}
install -m0755 cve_manager/*    %{buildroot}%{common_sp}
install -m0755 %{libcommon}/bin/%{libcommon}.so %{buildroot}%{_libdir}

# Installing configs (user should be in the 'cve' group to use cve-manager)
cp -r samples/* %{buildroot}%{_sysconfdir}/%{name}
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{mail}.conf
chmod 664 %{buildroot}%{_sysconfdir}/%{name}/%{monitor}.conf

# Installing documentation
cp COPYING readme.txt %{buildroot}%{_defaultdocdir}/%{name}/

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Conf file and modules that modify CVEDB belong to the grp of cve-manager usrs

%post -n %{common}
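# Creating group for cve-manager users if it doesn't exist
# (exact-name lookup: a substring grep over /etc/group would also match
# unrelated lines that merely contain the group name and skip the creation)
if ! getent group %{cve_group} >/dev/null; then
	groupadd %{cve_group}
fi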
chgrp cve %{_sysconfdir}/%{name}/%{name}.conf

%post
chgrp cve %{_bindir}/%{name}

%post -n %{backup}
chgrp cve %{_bindir}/%{backup}

%post -n %{history}
chgrp cve %{_bindir}/%{history}

%post -n %{download}
chgrp cve %{_bindir}/%{download}

%post -n %{import}
chgrp cve %{_bindir}/%{import}

%post -n %{map}
chgrp cve \
	%{_bindir}/%{map}* \
	%{map_sp}/* \
	%{choice_sp}/*

%post -n %{issues}
chgrp cve \
	%{_bindir}/%{issues} \
	%{issues_sp}/*

%post -n %{monitor}
chgrp cve \
	%{_sysconfdir}/%{name}/%{monitor}.conf \
	%{_sysconfdir}/%{name}/%{mail}.conf

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%files
%{_bindir}/%{name}

%files -n %{download}
%{_bindir}/%{download}

%files -n %{backup}
%{_bindir}/%{backup}

%files -n %{history}
%{_bindir}/%{history}

%files -n %{import}
%{_bindir}/%{import}

%files -n %{map}
%{_bindir}/%{map}*
%{map_sp}
%{choice_sp}

%files -n %{issues}
%{_bindir}/%{issues}
%{issues_sp}

%files -n %{monitor}
%{_bindir}/%{monitor}
%{monitor_sp}
%config(noreplace) %{_sysconfdir}/%{name}/%{monitor}.conf
%config(noreplace) %{_sysconfdir}/%{name}/%{mail}.conf

%files -n %{libcommon}
%{_libdir}/%{libcommon}.so

%files -n %{common}
%{common_sp}
%{_defaultdocdir}/%{name}
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%changelog
* Fri May 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.2-alt1
- URLs from the "cpe-mapping-ignore.csv" list don't have to completely match
  URLs of the analyzed packages (it's enough if one URL starts with another).

* Thu May 05 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.1-alt1
- A src package cannot be completely skipped solely because of the unwanted
  suffixes of its bin packages.

* Wed May 04 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.0-alt1
- New ability to analyze the system on which the cve-manager is running;
- New cve-manager mode "offline", that skips the "download" step;
- Bin package names that have the "-common" suffix are excluded from the
  analysis;
- New ability to specify multiple product names of an excluded CPE in a single
  row.

* Tue Apr 19 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.1-alt1
- Fixed determination of groups using package/products URLs.

* Fri Apr 15 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.0-alt1
- Improved mapping algorithm that now operates with the so-called "groups of
  packages and products" (a product of one special group cannot be mapped to a
  package of another special group) and takes into account special prefixes and
  suffixes of products;
- Ability to specify multiple URLs for a single package in the list of ignored
  matches;
- Minor fixes and improvements.

* Thu Mar 10 2022 Alexey Appolonov <alexey@altlinux.org> 0.65.0-alt1
- New ability to assign CPEs that will be recognized as related to each other;
- Improved interaction between the main module and the module "cpe-map"
  (products will not be remapped using those types of mapping that have already
  been used).

* Thu Mar 03 2022 Alexey Appolonov <alexey@altlinux.org> 0.64.0-alt1
- New ability to specify branches for ignored matches.

* Thu Feb 24 2022 Alexey Appolonov <alexey@altlinux.org> 0.63.0-alt1
- Improved mapping algorithm;
- Improved interaction between the main module and the module "cve-download"
  (recently downloaded data will not be requested when restarting the module
  "cve-download" in the cve-manager auto mode).

* Tue Feb 08 2022 Alexey Appolonov <alexey@altlinux.org> 0.62.0-alt1
- Improved mapping algorithm;
- New features of managing the list of ignored mapping pairs.

* Wed Jan 26 2022 Alexey Appolonov <alexey@altlinux.org> 0.61.0-alt1
- A package with the "lib" prefix and a package without it can be identified
  as related packages;
- A product with the "lib" prefix/suffix and a product without it can be
  identified as related products;
- Separators are not taken into account when checking whether product names are
  related or not;
- Package URLs are taken into account when mapping related packages (package
  URLs can be specified in the "cpe-mapping-ignore.csv" list).

* Fri Jan 14 2022 Alexey Appolonov <alexey@altlinux.org> 0.60.0-alt1
- Improved module "cve-backup";
- Improved exception handling;
- The names of sections for DB connection params and SMTP connection params,
  as well as the names of the parameters themselves, have been changed (use
  the "transitions/from-0.59-to-0.60" script for the transition).

* Tue Dec 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.59.0-alt1
- References from the NVD vulnerabilities lists, as well as names of products
  that are recognized as related, are used to map product names to package
  names.

* Mon Nov 29 2021 Alexey Appolonov <alexey@altlinux.org> 0.58.0-alt1
- Increased data storage efficiency.

* Tue Nov 09 2021 Alexey Appolonov <alexey@altlinux.org> 0.57.0-alt1
- Maintenance of the list of special package name prefixes is delegated to
  the "cve-manager-inner-knowledge" package;
- Added several more pairs of related package name prefixes (used to identify
  related packages).

* Fri Oct 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.1-alt1
- Results of mapping are stable, including cases where a mapping choice consists
  of multiple products (a same string value is produced for a same set of
  matched product names);
- Reports with new issues have the same format even if there are no new issues
  (there is no special format for this case anymore).

* Mon Oct 04 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.0-alt1
- Fixed cpe-map-choice module (the bug was introduced in the cve-manager v0.55);
- Improved user interface of the cve-monitor;
- Slightly changed format of cve-monitor "diff" reports (a modified header and
  an absence of a footer).

* Thu Sep 30 2021 Alexey Appolonov <alexey@altlinux.org> 0.55.0-alt1
- Ability to assign multiple product names to a single package using a list
  of prescribed mapping pairs;
- Slightly changed format of some types of cve-monitor reports (a modified
  header and an absence of a footer).

* Thu Sep 23 2021 Alexey Appolonov <alexey@altlinux.org> 0.54.0-alt1
- Ability to more accurately specify packages in the list of ignored mapping
  pairs by specifying their URLs.

* Fri Sep 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.53.0-alt1
- The "gem" package name prefix is taken into account in the same way as other
  special prefixes.

* Wed Jul 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.1-alt1
- Minor code improvements;
- Build with debuginfo enabled.

* Tue Jun 22 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.0-alt1
- Handling of descriptions of complex vulnerabilities that include combinations
  of conditions for different software products.

* Tue May 25 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.2-alt1
- Fix of the exclusion of issues.

* Wed May 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.1-alt1
- Handling of misleading characters in ranges of vulnerable versions.

* Tue May 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt2
- Build update according with a latest modification of the build system.

* Sat Apr 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt1
- Disputed vulnerabilities are highlighted in cve-monitor reports;
- Improved algorithm of partial matching;
- Fixed handling of prescribed name matches (in some cases the prescriptions
  had no effect).

* Thu Apr 08 2021 Alexey Appolonov <alexey@altlinux.org> 0.50.0-alt1
- Special way of handling of remaining special URLs (freedesktop.org,
  debian.org, fedorahosted.org, mozilla.org);
- Those excluded mapping pairs that include a vendor and that didn't affect
  results of a mapping, are taken into account at the issues-detection stage.

* Wed Apr 07 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.4-alt1
- Fix of the custom ordering of entries of cve-monitor reports;
- Proper handling of invalid combinations of cve-monitor parameters.

* Sat Mar 27 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.3-alt1
- Improved mapping algorithm.

* Fri Mar 19 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.2-alt1
- Improved mapping algorithm.

* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.1-alt1
- Improved issues detection.

* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt2
- Corrected manual.

* Thu Mar 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt1
- Ability to write "cve-monitor" reports into files inside specified directory
  (the cve-monitor UI changed, use the "--mail --title <category>" option
  instead of the "--mail <category>" option);
- Ability to prescribe completely different package names (that are not
  "relatives") to a same product;
- Package prefixes "mediawiki-extensions", "kde4" and "kde5" are taken into
  account in the same way as other special prefixes;
- Minor improvements throughout the project, including an improved UI of the
  "cve-monitor" module (reports will be split by default).

* Fri Feb 26 2021 Alexey Appolonov <alexey@altlinux.org> 0.48.0-alt1
- URLs of distro lists turned into custom parameters;
- Execution of the "cve-download" module is terminated immediately if any of
  the required info can't be downloaded;
- Ability to download FSTEC vulnerability list is fixed;
- Tolerance to the FSTEC source (the FSTEC source is not yet fully supported,
  but cve-manager does not fail if the FSTEC source is not excluded and if any
  operation regarding FSTEC fails).

* Thu Feb 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.1-alt1
- Bugfixes.

* Mon Feb 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.0-alt1
- Metadata of analyzed packages is collected and imported at the "import" stage,
  which significantly reduces a probability of import failure of IDs of fixed
  vulnerabilities and URLs of the packages (the "cve-fixes" module is removed);
- Ability to use binary RPM packages instead of source RPM packages;
- Improved algorithm for extracting fixed vulnerabilities IDs from changelogs;
- Improved user interface of the "cve-import" module.

* Fri Feb 05 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.1-alt1
- Corrected specification of package names when making queries with cve-monitor.

* Mon Jan 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.0-alt1
- Ability to monitor vulnerabilities of specified distributions (the 'download'
  parameter must be assigned in the 'cve-monitor.conf').

* Thu Dec 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.45.0-alt1
- Much more efficient way of extracting vulnerability IDs from changelogs.

* Wed Dec 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.44.0-alt1
- The '-' version value of a product that is present in a list of vulnerable
  software of a CVE entry is interpreted as 'any version' if there are no
  specific versions and no ranges of versions for this product in this list;
- Better way of handling of versions that contain a date.

* Mon Nov 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.43.0-alt1
- Optimised DB structure;
- Improved performance of the cve-issues module;
- The '-d <distro_list>' option of the cve-import module is removed.

* Wed Nov 11 2020 Alexey Appolonov <alexey@altlinux.org> 0.42.0-alt1
- Consideration of names of vendors during a mapping of package names
  to product names;
- Proper way of imposing a penalty for not being in the CPE dict;
- New penalty for being titled as a program for non-free operating systems only;
- Corrected descriptions of modules and corrected help messages.

* Tue Nov 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.41.0-alt1
- Ability to split reports by branches;
- Improved user interface of the cve-backup module.

* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.40.0-alt1
- Improved URL-matching;
- Optimized storage of the CPE dict.

* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.1-alt1
- Corrected reporting on a comparison of branches.

* Mon Oct 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.0-alt1
- Improved URL-matching;
- Corrected partial matching of short package/product names.

* Wed Oct 07 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.1-alt1
- Corrected procedure of making a mapping choice.

* Tue Oct 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.0-alt1
- Improved URL-matching;
- Minimally acceptable score of a matching is lowered;
- Ability to detect newly established/found matches of package names that
  previously have not been matched to product names and to detect newly
  denied/lost name matches;
- Display of a number of excluded NVD entries and a number of excluded CPEs
  during an import process.

* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.37.0-alt1
- Re-evaluated ranking of types of matching;
- Ability to make multiple attempts to perform each step of the DB formation
  without errors.

* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.8-alt1
- Fixed error handling in cve-import module;
- Optimized storage of timelines of packages.

* Thu Sep 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.7-alt1
- Corrected behavior of the modules when running them with no arguments;
- Build with a new version of the 'ax' library that adds more sense into
  comparison of versions.

* Tue Sep 15 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.6-alt1
- Determinism of a mapping choice in any cornercase situation;
- Optimized usage of memory during import of timelines;
- Minor tweaks and fixes.

* Wed Sep 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.5-alt1
- Better way of normalization of scores of the 'fixes' type of matching.

* Wed Sep 02 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.4-alt1
- Handling of a situation when a branch that being processed with the
  cve-history module has no *_src or *_issues tables;
- Comparisons of symbolic versions versus numeric versions are filtered out
  during a detection of issues.

* Fri Aug 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.3-alt1
- Fixed issue of incorrect data splitting while using multiple cores
  during a mapping;
- Handling of excluded mapping pairs that contain product names
  that contain commas;
- Length of the 'MAPPED NAME' column of the reports is restricted.

* Thu Aug 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.2-alt1
- Fixed features used for testing of cpe-map* modules;
- Resolved rivalry between 'url' and 'complete' types of matching.

* Thu Aug 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.1-alt1
- Optimized memory usage when importing data.

* Thu Jul 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.0-alt1
- New type of matching of package names to names of vulnerable products that
  uses URL-addresses from metadata of source packages and URL-addresses from
  CPE dictionary.

* Tue Jul 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.35.0-alt1
- Simpler, more reliable algorithm of making a mapping choice (for mapping
  package names to CPE/FSTEC product names).

* Wed Jul 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.1-alt1
- Fixed filtering of excluded issues;
- Corrected counter of related packages;
- Right way of handling some of the possible errors;
- Procedures that ensure that required configuration params are present;
- Ability to call for a list of modules without passing other params;
- Requirement of libcontrol++ 0.24.1 update that is really important;
- Complemented manual.

* Thu Jul 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.0-alt1
- New input data convention - a bin list (and its simplified ver) is sufficient
  for representing an investigated repository, src list is no longer supported;
- Correlations of build timelines of packages and mention dates of vulnerable
  products are taken into account when making a mapping choice;
- New model of parallel processing + elimination of verbose logging for
  cve-fixes, cpe-map and cve-issues that together result in improved
  performance and much lighter and clearer log;
- cve-manager's dialog mode is deprecated (a user can learn about existing
  modules with a use of the 'cve-manager --list_modules' command before running
  the whole process or just its particular parts through the main module).

* Mon Apr 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.1-alt1
- Sensibility to unconverted names during a process of complete name matching;
- Corrected supplementary function of custom-name mapping;
- Build with enhanced 'ax' module.

* Sat Apr 18 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.0-alt1
- Ability to keep track of a history of a map of package names;
- ACLs of packages can be fetched via cve-download;
- Packages that have names with related prefixes, or that differ only in letter
  case, or with different delimiters in them can all be determined as relatives;
- Reports are made more compact.

* Mon Apr 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.2-alt1
- Corrected formation of fix records;
- Fixed and adjusted procedure of partial matching;
- Packages with 'python3-module' prefix can be mapped to vulnerable products on
  the same terms as packages with 'python-module' or any other special prefix.

* Wed Apr 08 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.1-alt1
- Corrected functionality of comparison of branches.

* Wed Apr 01 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt2
- Corrected version of the required package.

* Tue Mar 31 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt1
- Handling of ACLs of the packages;
- Improved compactness of the reports;
- Optimized DB storage.

* Wed Feb 19 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.1-alt1
- Handling of special symbols used in some CPEs.

* Sun Feb 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.0-alt1
- Import of records of debuginfo bin packages not performed;
- Ability to exclude some of the CPEs (by placing "<vendor>, <product>" lines
  in "cpe-excluded.csv" file).

* Sun Feb 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.30.0-alt1
- Import of CPE of other than 'application' part not performed except for
  CPE of 'linux' vendor of 'operating system' part;
- Import of CPE with unknown version not performed if there is CPE with
  specified version and with the same product name for that CVE record;
- Enhanced mapping algorithm.

* Wed Jan 29 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.5-alt1
- Fixed 'fixes' matching;
- Fixed monitoring of diff between branches.

* Sat Jan 25 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.4-alt1
- cve-monitor reports take less memory space (by means of not including
  useless space symbols).

* Thu Jan 23 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.3-alt1
- Custom order of records of history/news reports is possible.

* Sun Jan 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.2-alt1
- Fix of monitoring of new unfixed issues.

* Mon Jan 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.1-alt1
- Fix of bug that was causing abortion of 'cve-issues' module.

* Fri Jan 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.0-alt1
- Enhanced data processing that makes for much more accurate conclusions
  about the range of vulnerable versions;
- Improved readability of the reports.

* Tue Dec 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.28.0-alt1
- Ability to monitor dynamics of the issues;
- Corrected processing of '*' versions;
- Displaying intervals of vulnerable versions in reports;
- Fixed functionality of customisation of ordering of a report entries;
- Corrected extraction of non-patch references.

* Sat Dec 07 2019 Alexey Appolonov <alexey@altlinux.org> 0.27.0-alt1
- Storage space and computing resource economy by means of optimised
  representation of vulnerable software.

* Fri Dec 06 2019 Alexey Appolonov <alexey@altlinux.org> 0.26.0-alt1
- CVSS v2 scores take their place along with v3 scores.

* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.25.0-alt1
- Ability to manually discard incorrect matches.

* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.2-alt1
- Corrected CPE parser that runs at the issues-detection stage.

* Mon Dec 02 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.1-alt1
- Protection from quotation marks that can be found in CVE summary and
  that mess up the CSV import;
- Corrected parser (according with CPE ver 2.3 format);
- Bugfixes.

* Sun Nov 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.0-alt1
- Downloading and importing NVD vulnerabilities lists in JSON format
  with the use of newly created 'libtree';
- Ability to manually exclude some of the issues and make mapping prescriptions
  with the use of newly created 'cve-manager-inner-knowledge'.

* Fri Sep 27 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.2-alt1
- Optimized XML-import.

* Sat Sep 21 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.1-alt1
- cve-monitor bugfixes.

* Wed Sep 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.0-alt1
- Patch references can be added to cve-monitor reports for unfixed
  vulnerabilities;
- More than a half of DB storage is saved by storing the issues only for the
  most generic versions;
- New view on 'fix' conclusions - there is 'unclear' fix status (for
  vulnerabilities with no stated vulnerable versions, for example).

* Thu May 23 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.1-alt1
- Fix of a couple of flaws of the mapping process.

* Sun May 19 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.0-alt1
- Multithreading is arranged in a more optimal way;
- 'Complete' matching is not performed for packages that got one of the
  special prefixes ('python-module', 'perl', ...);
- Enhanced algorithm of the 'partial' matching;
- Package names that differ only by numerical part at the end
  (so called 'relatives') are handled more wisely during mapping;
- Issues that differ only in additional part of CPE are ignored;
- cve-monitor is using only senior branches (that must be specified
  in the conf) in 'cure' suggestions, 'cure' suggestions are optional;
- cve-monitor is placing too long lists of vulnerable versions in footnotes
  of the reports.

* Wed Apr 17 2019 Alexey Appolonov <alexey@altlinux.org> 0.21.0-alt1
- Compatibility with MySQL 8.*;
- Modified mapping process - src/bin lists of all the branches are combined
  as src_united/bin_united and then processed in that combined form;
- Much more intelligent approach to parallel execution of the modules,
  especially two most time consuming modules - cpe-map and cve-issues;
- Improved feedback in multiprocessing mode;
- 'CURE' suggestions in cve-monitor's reports.

* Mon Mar 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.20.0-alt1
- Use of all existing names from vulnerabilities lists instead of names
  from CPE dict for mapping;
- Completely redesigned mapping module: every type of mapping can be triggered
  individually, results for every type of mapping are stored in the DB,
  special algorithm is used for making the final mapping choice - all this
  allows creating a separate thread for each type of matching in auto mode;
- Ability to detect and go round format faults of the packages lists;
- Consideration of excluded data sources by cve-download and cve-monitor;
- Fully implemented restoring functionality of cve-backup;
- Ability to set the number of stored backup files;
- Fixed params handling of cve-monitor;
- Output functionality is adapted for situation when modules are triggered
  by cron.

* Mon Dec 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.19.0-alt1
- Ability to run in multiprocessing mode;
- Ability to exclude data sources;
- Modified user interface of the cve-monitor;
- Showing CVSS score in cve-monitor reports;
- Ability to order monitoring results in various ways;
- Ability to group packages with unfixed vulnerabilities in cve-monitor reports;
- All printing operations are carried out by Printer class, which not only makes life
  easier but brings cool features like buffering the input for later mailout;
- Ability to run in 'silent' mode;
- Ability to send emails with cve-monitor reports.

* Sun Oct 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt2
- Rebuilding with new libcontrol++.

* Wed Oct 17 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt1
- Correction of branch names validation.

* Mon Oct 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.0-alt1
- Names of available branches are section names of the conf;
- Each branch now has a set of params;
- Renaming 'paths' section of the conf to 'common';
- Skipping repetition of branch sections in conf;
- There is no cve-import's "--space" param anymore;
- Russian manual.

* Sun Sep 30 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.1-alt1
- Running downloader without 'noreplace' flag in auto mode;
- Fix of the 'cve-monitor --map' command;
- Printing with TPrinter of the libcontrol++.

* Mon Sep 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.0-alt1
- Prescribed mapping;
- Detecting 'relative' packages at the import stage
  and using information about them as mapping attribute;
- Handling FSTEC vulnerabilities within current cve-issues concept;
- cve-monitor is working OK within current cve-issues concept;
- Revised comparison of versions that happens at the issues-detection stage;
- Revised packages-filtering function;
- Removing duplicates of src packages names at import stage
  and corresponding bin-packages names, not vice versa;
- Not importing CPEs of 'hardware' part;
- Not importing Mitre list by default;
- Common bin package for conf file & common py module;
- Own config file for cve-monitor.

* Sun Sep 02 2018 Alexey Appolonov <alexey@altlinux.org> 0.16.0-alt1
- Versions of vulnerable programs are now taken into account when figuring out
  the 'fix' entries of *_issues table;
- Ability to compare 'fix' entries of different branches;
- c7.1 and c8.1 branches are available for cve-manager;
- Fix of monitoring of the selected packages;
- Only members of the 'cve' group can run modules that modify
  the vulnerabilities DB.

* Fri Jul 27 2018 Alexey Appolonov <alexey@altlinux.org> 0.15.0-alt1
- Proper output when running with 'tee' in auto mode;
- Correction in mapping algorithm, including 1) check if there are some
  CPE/FSTEC names left to map, 2) additional break condition of the mapping
  loop, so there could be no infinite loop, 3) fix of the wrong behavior
  emerging for names that differ only by number at the end, 4) avoidance of
  complete match for the duplicates, 5) fix of the RemoveMapDups function;
- Ability to disable bin partial match;
- Filtering the package lists with distro list;
- Fix of the import of the last NVD CVE list;
- Working realisation of the 'packs' option of the cve-import;
- No more verbose output option in cve-import;
- cve-import's UI now looks more like UI of the py-modules;
- Introducing refs and const modifier wherever possible for the cve-import.

* Mon Jun 25 2018 Alexey Appolonov <alexey@altlinux.org> 0.14.0-alt1
- Aligning columns for the output of existing issues;
- Ability to omit the download of the old lists;
- Fixing the 'Fixes' entries matching in cve-issues.

* Thu Jun 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.2-alt1
- Handling the situation when the DB does not exist (by all modules).

* Wed Jun 20 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.1-alt1
- Ability to choose mapping type (FSTEC or CPE by now);
- Reducing bin packages dict before mapping if '--packages' option is used
  (similar to src list reduction).

* Tue Jun 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.2-alt1
- Correction of the cve-fixes module;
- Checking DB-users grp existence before creating it at the postinstall stage.

* Sat Jun 09 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.1-alt1
- Fix of the 'plain' output mode.

* Thu Jun 07 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.0-alt1
- Ability to state beginning and ending steps for auto mode;
- Ability to state custom '/space' path;
- Ability to retrieve 'Fixes' entries for the given packages names;
- NVD CVE lists import fix;
- cpe-map infinite loop fix that was possible with some input data;
- Improved logic for the cve-monitor's user interface.

* Fri Jun 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.1-alt1
- Correction of params for cve-issues in auto mode.

* Thu May 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.0-alt1
- Ability to set starting step for auto mode in main module;
- Usage examples for cve-download;
- Arguments handling fix in cve-issues;
- Only root can modify cve-manager.conf.

* Mon May 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.10.0-alt1
- New module cve-backup;
- Ability to prepare database in auto mode.

* Fri May 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.9.0-alt1
- Full integration of the FSTEC vulnerabilities list;
- Bin packages matching fix;
- Ability to use custom mapping application;
- Memory leakage fix.

* Fri May 4 2018 Alexey Appolonov <alexey@altlinux.org> 0.8.0-alt1
- New module cve-download.py;
- "Fixes" entries now stored in *_src tables;
- Importing bin lists;
- Enhanced mapping algorithm;
- Unescaping URL codes from CPE in cve-import;
- More flexibility in cve-import tables recreation;
- Ability to disable entireline output in cve-import;
- Catching run modes with cve-manager-common.py;
- Using argparse in majority of modules;
- cve-fixes new features;
- Monitoring CVE issues table and monitoring CVE descriptions for the packages;
- Single path for CVE lists and CPE dict import that specified
  in configuration file.

* Fri Mar 16 2018 Alexey Appolonov <alexey@altlinux.org> 0.7.0-alt1
- Improved output format;
- CPE dict names import with sections separation;
- Fixed and improved mapping algorithm;
- Fixes-extraction parts completely removed from cve-import;
- Working version of cve-linker module under new name "cve-issues.py";
- New cve-monitor functionality;
- Various fixes and improvements in py-modules.

* Mon Mar 05 2018 Alexey Appolonov <alexey@altlinux.org> 0.6.0-alt1
- New cve-manager-common.py features and improvements;
- New module cve-linker.py;
- New module cve-fixes.py;
- Fixes tables structure changed;
- Error handling correction when applying configuration for cve-import module.

* Thu Mar 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.5.0-alt1
- Taking CPE name from "name" attribute of the "cpe-item" tag,
  not from "cpe-23:cpe23-item" tag;
- CPE dictionary can be imported directly, without creating CSV file,
  just like NVD XML can be;
- New cve-manager-common.py functionality;
- Sending cpe-packages map to the database;
- Monitoring mapped packages.

* Mon Feb 26 2018 Alexey Appolonov <alexey@altlinux.org> 0.4.0-alt1
- CPE dictionary import;
- New cve-manager-common.py module with common functions and classes
  used by other cve-manager py-modules;
- cve-monitor rewritten with the use of cve-manager-common.py;
- CPE mapper (cpe-map.py) first draft;
- Changes in cve-manager.py debug mode.

* Thu Feb 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.3.0-alt1
- New version of main module written in Python;
- New module "cve-monitor";
- Minor fixes.

* Thu Feb 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.1-alt1
- common* and conf* files were removed from the project because
  they are included in dynamically linked libcontrol++.

* Wed Feb 14 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.0-alt1
- What was previously known as "cve-manager" now became
  "cve-import" module of the cve-manager toolkit
  with "cve-manager" script as top level module.

* Tue Feb 13 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.2-alt1
- Fixing usage of branches flags from configuration file;
- Changes in display output for the operations status.

* Wed Jan 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.1-alt1
- Chmod of configuration file (only system administrator
  should know MySQL DB password);
- MySQL authentication bug fixed;
- Handling the situation when packages lists can not be found;
- Removing formed CSV file with NVD CVE list right after import to DB.

* Mon Jan 29 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.0-alt1
- Initial release.