Package cve-manager: Specfile

%define cve_group  cve
%define backup     cve-backup
%define history    cve-history
%define download   cve-download
%define import     cve-import
%define map        cpe-map
%define issues     cve-issues
%define monitor    cve-monitor
%define mail       cve-mail
%define libcommon  libcve-manager
%define common     %{name}-common
%define python3_sp /usr/lib/python3/site-packages
%define common_sp  %{python3_sp}/cve_manager
%define map_sp     %{python3_sp}/cpe_map
%define choice_sp  %{python3_sp}/cpe_map_choice
%define issues_sp  %{python3_sp}/cve_issues
%define monitor_sp %{python3_sp}/cve_monitor
%define knowledge  %{name}-inner-knowledge

%define lcontrolpp_ver 0.29
%define ltree_ver      0.9
%define ax_ver         0.16
%define knowledge_ver  2022.07.13

Name: cve-manager
Version: 0.70.0
Release: alt1

Summary: CVE-management toolkit
License: GPLv3
Group: Other
Url: https://www.altlinux.org/CVE-Manager

Packager: Alexey Appolonov <alexey@altlinux.org>

# http://git.altlinux.org/people/alexey/packages/?p=cve-manager.git
Source: %{name}-%{version}.tar

# For cve-import
BuildRequires: gcc-c++
BuildRequires: libcontrol++-devel >= %{lcontrolpp_ver}
BuildRequires: libtree-devel >= %{ltree_ver}
BuildRequires: libmysqlcppconn-devel
BuildRequires: libcurl-devel

# For py-modules
BuildRequires: rpm-build-python3
Requires: python3
Requires: python3-module-ax >= %{ax_ver}
Requires: python3-module-mysql
Requires: python3-module-Levenshtein
Requires(pre): %{common}
Requires: %{libcommon}
Requires: %{backup}
Requires: %{history}
Requires: %{download}
Requires: %{import}
Requires: %{map}
Requires: %{issues}
Requires: %{monitor}

ExcludeArch: i586
ExcludeArch: armh

%description
%{name} is an utilities toolkit used to form a database of vulnerabilities
(VUL DB) using MySQL, and to provide an easy interface to that DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{backup}
Summary: CVE DB backupper/restorer
Group: Other

Requires: %{common}

%description -n %{backup}
%{backup} is an utility used to backup and restore a VUL DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{history}
Summary: Tracker of CVE-dynamics
Group: Other

Requires: %{common}

%description -n %{history}
%{history} is an utility used to save records about currently unfixed issues
detected with the cve-issues module and to save a current map of names of
products to names of packages.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{download}
Summary: CVE-lists and CPE dictionary downloader
Group: Other

Requires: %{common}
Requires: python3-module-requests
Requires: git-core

%description -n %{download}
%{download} is an utility used to download lists with descriptions of
vulnerabilities (from various sources) and a CPE dictionary via HTTPS.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{import}
Summary: Data parser and MySQL DB importer
Group: Other

Requires: %{common}
Requires: %{libcommon}
Requires: libcontrol++ >= %{lcontrolpp_ver}

Obsoletes: cve-fixes

%description -n %{import}
%{import} is an utility used to import lists of packages of examined repos,
various lists with descriptions of vulnerabilities (in JSON and XML format)
and a CPE dictionary into VUL DB.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{map}
Summary: CPE list to software packages list mapper
Group: Other

Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}

%description -n %{map}
%{map} is an utility used to map names of products used in descriptions
of vulnerabilities (imported to a VUL DB) to names of packages (--//--).

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{issues}
Summary: CVE-issues detector
Group: Other

Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}

%description -n %{issues}
%{issues} is an utility used to detect issues related to vulnerabilities of
the packages and then create records for those issues in a VUL DB for latter
access via cve-monitor and cve-history modules.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{monitor}
Summary: CVE database monitor
Group: Other

Requires: %{common}

%description -n %{monitor}
%{monitor} is an utility used to query VUL DB and form human-readable reports
that can be sent via SMPT on request.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{libcommon}
Summary: C++ lib with common functionality
Group: Other

Requires: libtree >= %{ltree_ver}

%description -n %{libcommon}
C++ library with common functionality such as connecting to MySQL DB and
parsing the main configuration file.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%package -n %{common}
Summary: Common files of the CVE manager
Group: Other

%description -n %{common}
Common files such as a config file and a cve-manager py-library.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%prep
%setup

%build
%make_build -C libcve-manager/
%make_build -C cve-import/

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%install

# Preparing dirs
mkdir -p \
	%{buildroot}%{_bindir} \
	%{buildroot}%{_libdir} \
	%{buildroot}%{_defaultdocdir}/%{name} \
	%{buildroot}%{_sysconfdir}/%{name} \
	%{buildroot}%{map_sp} \
	%{buildroot}%{choice_sp} \
	%{buildroot}%{issues_sp} \
	%{buildroot}%{monitor_sp} \
	%{buildroot}%{common_sp}

# Installing executables
install -m0750 \
	%{import}/bin/%{import} \
	%{name} \
	%{backup} \
	%{history} \
	%{download} \
	%{map}* \
	%{issues} \
	%{buildroot}%{_bindir}
install -m0755 \
	%{monitor} \
	%{monitor}-check-update \
	%{buildroot}%{_bindir}
install -m0750 cpe_map/*        %{buildroot}%{map_sp}
install -m0750 cpe_map_choice/* %{buildroot}%{choice_sp}
install -m0750 cve_issues/*     %{buildroot}%{issues_sp}
install -m0755 cve_monitor/*    %{buildroot}%{monitor_sp}
install -m0755 cve_manager/*    %{buildroot}%{common_sp}
install -m0755 %{libcommon}/bin/%{libcommon}.so %{buildroot}%{_libdir}

# Installing configs (user should be in the 'cve' group to use cve-manager)
cp -r samples/* %{buildroot}%{_sysconfdir}/%{name}
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{mail}.conf
chmod 664 %{buildroot}%{_sysconfdir}/%{name}/%{monitor}.conf

# Installing documentation
cp COPYING readme.txt %{buildroot}%{_defaultdocdir}/%{name}/

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Conf file and modules that modify CVEDB belong to the grp of cve-manager usrs

%post -n %{common}
# Creating group for cve-manager users if it doesn't exists
if ! grep -q %{cve_group} /etc/group; then
	groupadd %{cve_group}
fi
chgrp cve %{_sysconfdir}/%{name}/%{name}.conf

%post
chgrp cve %{_bindir}/%{name}

%post -n %{backup}
chgrp cve %{_bindir}/%{backup}

%post -n %{history}
chgrp cve %{_bindir}/%{history}

%post -n %{download}
chgrp cve %{_bindir}/%{download}

%post -n %{import}
chgrp cve %{_bindir}/%{import}

%post -n %{map}
chgrp cve \
	%{_bindir}/%{map}* \
	%{map_sp}/* \
	%{choice_sp}/*

%post -n %{issues}
chgrp cve \
	%{_bindir}/%{issues} \
	%{issues_sp}/*

%post -n %{monitor}
chgrp cve \
	%{_sysconfdir}/%{name}/%{monitor}.conf \
	%{_sysconfdir}/%{name}/%{mail}.conf

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%files
%{_bindir}/%{name}

%files -n %{download}
%{_bindir}/%{download}

%files -n %{backup}
%{_bindir}/%{backup}

%files -n %{history}
%{_bindir}/%{history}

%files -n %{import}
%{_bindir}/%{import}

%files -n %{map}
%{_bindir}/%{map}*
%{map_sp}
%{choice_sp}

%files -n %{issues}
%{_bindir}/%{issues}
%{issues_sp}

%files -n %{monitor}
%{_bindir}/%{monitor}
%{_bindir}/%{monitor}-check-update
%{monitor_sp}
%config(noreplace) %{_sysconfdir}/%{name}/%{monitor}.conf
%config(noreplace) %{_sysconfdir}/%{name}/%{mail}.conf

%files -n %{libcommon}
%{_libdir}/%{libcommon}.so

%files -n %{common}
%{common_sp}
%{_defaultdocdir}/%{name}
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

%changelog
* Sat Nov 05 2022 Alexey Appolonov <alexey@altlinux.org> 0.70.0-alt1
- The linux_kernel_cves data (https://github.com/nluedtke/linux_kernel_cves)
  is used to detect fixed vulnerabilities.

* Thu Nov 02 2022 Alexey Appolonov <alexey@altlinux.org> 0.69.0-alt2
- Build for every arch except armh and i586 (both 32-bit).

* Thu Oct 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.69.0-alt1
- Excluding of all products via the *-excluded.csv files is prohibited, as well
  as stating everything as an exception from the exclusion;
- Not specifying a vendor when excluding products via the *-excluded.csv files
  is allowed.

* Thu Oct 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.2-alt1
- Symbols that aren't allowed to be part of product names, such as commas,
  colons and unicode spaces, are removed/replaced from the FSTEC vulnerability
  list (at the import stage).

* Fri Jul 15 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.1-alt1
- Non-printable characters that may be contained in the FSTEC vulnerability
  list are removed (at the import stage).

* Wed Jul 13 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.0-alt1
- Full support of the FSTEC data source;
- New module "cve-monitor-check-update" for searching vulnerabilities of a
  package, that have been fixed in a given range of versions.

* Tue Jul 12 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.6-alt1
- Fixed merging of vulnerable versions (which is performed for reports
  generated with the '--group' flag).

* Mon Jul 11 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.5-alt1
- Fixed filtering of new issues (which is performed using distro lists).

* Tue May 17 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.4-alt1
- Special prefixes of package names are defined only by the "groups.csv" file,
  which comes with the "cve-manager-inner-knowledge" package.

* Tue May 10 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.3-alt1
- Patch references are considered when mapping product names to package names.

* Fri May 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.2-alt1
- URLs from the "cpe-mapping-ignore.csv" list don't have to completely match
  URLs of the analyzed packages (it's enough if one URL starts with another).

* Thu May 05 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.1-alt1
- A src package cannot be completely skipped solely because of the unwanted
  suffixes of it's bin packages.

* Wed May 04 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.0-alt1
- New ability to analyze the system on which the cve-manager is running;
- New cve-manager mode "offline", that skips the "download" step;
- Bin package names that have the "-common" suffix are excluded from the
  analysis;
- New ability to specify multiple product names of an excluded CPE in a single
  row.

* Tue Apr 19 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.1-alt1
- Fixed determination of groups using package/products URLs.

* Fri Apr 15 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.0-alt1
- Improved mapping algorithm that now operates with the so-called "groups of
  packages and products" (a product of one special group cannot be mapped to a
  package of another special group) and takes into account special prefixes and
  suffixes of products;
- Ability to specify multiple URLs for a single package in the list of ignored
  matches;
- Minor fixes and improvements.

* Thu Mar 10 2022 Alexey Appolonov <alexey@altlinux.org> 0.65.0-alt1
- New ability to assign CPEs that will be recognized as related to each other;
- Improved interaction between the main module and the module "cpe-map"
  (products will not be remapped using those types of mapping that have already
  been used).

* Thu Mar 03 2022 Alexey Appolonov <alexey@altlinux.org> 0.64.0-alt1
- New ability to specify branches for ignored matches.

* Thu Feb 24 2022 Alexey Appolonov <alexey@altlinux.org> 0.63.0-alt1
- Improved mapping algorithm;
- Improved interaction between the main module and the module "cve-download"
  (recently downloaded data will not be requested when restarting the module
  "cve-download" in the cve-manager auto mode).

* Tue Feb 08 2022 Alexey Appolonov <alexey@altlinux.org> 0.62.0-alt1
- Improved mapping algorithm;
- New features of managing the list of ignored mapping pairs.

* Wed Jan 26 2022 Alexey Appolonov <alexey@altlinux.org> 0.61.0-alt1
- A package with the "lib" prefix and a package without it can be identified
  as related packages;
- A product with the "lib" prefix/suffix and a product without it can be
  identified as related products;
- Separators are not taken into account when checking whether product names are
  related or not;
- Package URLs are taken into account when mapping related packages (package
  URLs can be specified in the "cpe-mapping-ignore.csv" list).

* Fri Jan 14 2022 Alexey Appolonov <alexey@altlinux.org> 0.60.0-alt1
- Improved module "cve-backup";
- Improved exception handling;
- The names of sections for DB connection params and SMTP connection params,
  as well as the names of the parameters themselves, have been changed (use
  the "transitions/from-0.59-to-0.60" script for the transition).

* Tue Dec 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.59.0-alt1
- References from the NVD vulnerabilities lists, as well as names of products
  that are recognized as related, are used to map product names to package
  names.

* Mon Nov 29 2021 Alexey Appolonov <alexey@altlinux.org> 0.58.0-alt1
- Increased data storage efficiency.

* Tue Nov 09 2021 Alexey Appolonov <alexey@altlinux.org> 0.57.0-alt1
- Maintenance of the list of special package name prefixes is delegated to
  the "cve-manager-inner-knowledge" package;
- Added several more pairs of related package name prefixes (used to identify
  related packages).

* Fri Oct 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.1-alt1
- Results of mapping are stable, including cases where a mapping choice consists
  of multiple products (a same string value is produced for a same set of
  matched product names);
- Reports with new issues have the same format even if there are no new issues
  (there is no special format for this case anymore).

* Mon Oct 04 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.0-alt1
- Fixed cpe-map-choice module (the bug was introduced in the cve-manager v0.55);
- Improved user interface of the cve-monitor;
- Slightly changed format of cve-monitor "diff" reports (a modified header and
  an absence of a footer).

* Thu Sep 30 2021 Alexey Appolonov <alexey@altlinux.org> 0.55.0-alt1
- Ability to assign multiple product names to a single package using a list
  of prescribed mapping pairs;
- Slightly changed format of some types of cve-monitor reports (a modified
  header and an absence of a footer).

* Thu Sep 23 2021 Alexey Appolonov <alexey@altlinux.org> 0.54.0-alt1
- Ability to more accurately specify packages in the list of ignored mapping
  pairs by specifying their URLs.

* Fri Sep 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.53.0-alt1
- The "gem" package name prefix is taken into account in the same way as other
  special prefixes.

* Wed Jul 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.1-alt1
- Minor code improvements;
- Build with debuginfo enabled.

* Tue Jun 22 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.0-alt1
- Handling of descriptions of complex vulnerabilities that include combinations
  of conditions for different software products.

* Tue May 25 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.2-alt1
- Fix of the exclusion of issues.

* Wed May 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.1-alt1
- Handling of misleading characters in ranges of vulnerable versions.

* Tue May 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt2
- Build update according with a latest modification of the build system.

* Sat Apr 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt1
- Disputed vulnerabilities are highlighted in cve-monitor reports;
- Improved algorithm of partial matching;
- Fixed handling of prescribed name matches (in some cases the prescriptions
  had no effect).

* Thu Apr 08 2021 Alexey Appolonov <alexey@altlinux.org> 0.50.0-alt1
- Special way of handling of remaining special URLs (freedesktop.org,
  debian.org, fedorahosted.org, mozilla.org);
- Those excluded mapping pairs that include a vendor and that didn't affect
  results of a mapping, are taken into account at the issues-detection stage.

* Wed Apr 07 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.4-alt1
- Fix of the custom ordering of entries of cve-monitor reports;
- Proper handling of invalid combinations of cve-monitor parameters.

* Sat Mar 27 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.3-alt1
- Improved mapping algorithm.

* Fri Mar 19 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.2-alt1
- Improved mapping algorithm.

* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.1-alt1
- Improved issues detection.

* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt2
- Corrected manual.

* Thu Mar 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt1
- Ability to write "cve-monitor" reports into files inside specified directory
  (the cve-monitor UI changed, use the "--mail --title <category>" option
  instead of the "--mail <category>" option);
- Ability to prescribe completely different package names (that are not
  "relatives") to a same product;
- Package prefixes "mediawiki-extensions", "kde4" and "kde5" are taken into
  account in the same way as other special prefixes;
- Minor improvements throughout the project, including an improved UI of the
  "cve-monitor" module (reports will be split by default).

* Fri Feb 26 2021 Alexey Appolonov <alexey@altlinux.org> 0.48.0-alt1
- URLs of distro lists turned into custom parameters;
- Execution of the "cve-download" module is terminated immediately if any of
  the required info can't be downloaded;
- Ability to download FSTEC vulnerability list is fixed;
- Tolerance to the FSTEC source (the FSTEC source is not yet fully supported,
  but cve-manager does not fail if the FSTEC source is not excluded and if any
  operation regarding FSTEC fails).

* Thu Feb 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.1-alt1
- Bugfixes.

* Mon Feb 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.0-alt1
- Metadata of analyzed packages is collected and imported at the "import" stage,
  which significantly reduces a probability of import failure of IDs of fixed
  vulnerabilities and URLs of the packages (the "cve-fixes" module is removed);
- Ability to use binary RPM packages instead of source RPM packages;
- Improved algorithm for extracting fixed vulnerabilities IDs from changelogs;
- Improved user interface of the "cve-import" module.

* Fri Feb 05 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.1-alt1
- Corrected specification of package names when making queries with cve-monitor.

* Mon Jan 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.0-alt1
- Ability to monitor vulnerabilities of specified distributions (the 'download'
  parameter must be assigned in the 'cve-monitor.conf').

* Thu Dec 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.45.0-alt1
- Much more efficient way of extracting vulnerability IDs from changelogs.

* Wed Dec 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.44.0-alt1
- The '-' version value of a product that is present in a list of vulnerable
  software of a CVE entry is interpreted as 'any version' if there are no
  specific versions and no ranges of versions for this product in this list;
- Better way of handling of versions that contain a date.

* Mon Nov 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.43.0-alt1
- Optimised DB structure;
- Improved performance of the cve-issues module;
- The '-d <distro_list>' option of the cve-import module is removed.

* Wed Nov 11 2020 Alexey Appolonov <alexey@altlinux.org> 0.42.0-alt1
- Consideration of names of vendors during a mapping of package names
  to product names;
- Proper way of imposing a penalty for not being in the CPE dict;
- New penalty for being titled as a program for non-free operating systems only;
- Corrected descriptions of modules and corrected help messages.

* Tue Nov 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.41.0-alt1
- Ability to split reports by branches;
- Improved user interface of the cve-backup module.

* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.40.0-alt1
- Improved URL-matching;
- Optimized storage of the CPE dict.

* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.1-alt1
- Corrected reporting on a comparison of branches.

* Mon Oct 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.0-alt1
- Improved URL-matching;
- Corrected partial matching of short package/product names.

* Wed Oct 07 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.1-alt1
- Corrected procedure of making a mapping choice.

* Tue Oct 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.0-alt1
- Improved URL-matching;
- Minimally acceptable score of a matching is lowered;
- Ability to detect newly established/found matches of package names that
  previously have not been matched to product names and to detect newly
  denied/lost name matches;
- Display of a number of excluded NVD entries and a number of excluded CPEs
  during an import process.

* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.37.0-alt1
- Re-evaluated ranking of types of matching;
- Ability to make multiple attempts to perform each step of the DB formation
  without errors.

* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.8-alt1
- Fixed error handling in cve-import module;
- Optimized storage of timelines of packages.

* Thu Sep 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.7-alt1
- Corrected behavior of the modules when running them with no arguments;
- Build with a new version of the 'ax' library that adds more sence into
  comparison of versions.

* Tue Sep 15 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.6-alt1
- Determinism of a mapping choice in any cornercase situation;
- Optimized usage of memory during import of timelines;
- Minor tweaks and fixes.

* Wed Sep 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.5-alt1
- Better way of normalization of scores of the 'fixes' type of matching.

* Wed Sep 02 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.4-alt1
- Handling of a situation when a branch that being processed with the
  cve-history module has no *_src or *_issues tables;
- Comparisons of symbolic versions versus numeric versions are filtered out
  during a detection of issues.

* Fri Aug 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.3-alt1
- Fixed issue of incorrect data splitting while using multiple cores
  during a mapping;
- Handling of excluded mapping pairs that contain product names
  that contain commas;
- Length of the 'MAPPED NAME' column of the reports is restricted.

* Thu Aug 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.2-alt1
- Fixed features used for testing of cpe-map* modules;
- Resolved rivalry between 'url' and 'complete' types of matching.

* Thu Aug 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.1-alt1
- Optimized memory usage when importing data.

* Thu Jul 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.0-alt1
- New type of matching of package names to names of vulnerable products that
  uses URL-addresses from metadata of source packages and URL-addresses from
  CPE dictionary.

* Tue Jul 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.35.0-alt1
- Simpler, more reliable algorithm of making a mapping choice (for mapping
  package names to CPE/FSTEC product names).

* Wed Jul 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.1-alt1
- Fixed filtering of excluded issues;
- Corrected counter of related packages;
- Right way of handling some of the possible errors;
- Procedures that ensure that required configuration params are present;
- Ability to call for a list of modules without passing other params;
- Requirement of libcontrol++ 0.24.1 update that is really important;
- Complemented manual.

* Thu Jul 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.0-alt1
- New input data convention - a bin list (and it's simplified ver) is sufficient
  for representing an investigated repository, src list is no longer supported;
- Correlations of build timelines of packages and mention dates of vulnerable
  products are taken into account when making a mapping choice;
- New model of parallel processing + elimination of verbose logging for
  cve-fixes, cpe-map and cve-issues that together result in improved
  performance and much lighter and clearer log;
- cve-manager's dialog mode is deprecated (a user can learn about existing
  modules with a use of the 'cve-manager --list_modules' command before running
  the whole process or just it's particular parts through the main module).

* Mon Apr 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.1-alt1
- Sensibility to unconverted names during a process of complete name matching;
- Corrected supplementary function of custom-name mapping;
- Build with enhanced 'ax' module.

* Sat Apr 18 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.0-alt1
- Ability to keep track of a history of a map of package names;
- ACLs of packages can be fetched via cve-download;
- Packages that have names with related prefixes, or that differ only in letter
  case, or with different delimiters in them can all be determined as relatives;
- Reports are made more compact.

* Mon Apr 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.2-alt1
- Corrected formation of fix records;
- Fixed and adjusted procedure of partial matching;
- Packages with 'python3-module' prefix can be mapped to vulnerable products on
  the same terms as packages with 'python-module' or any other special prefix.

* Wed Apr 08 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.1-alt1
- Corrected functionality of comparison of branches.

* Wed Apr 01 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt2
- Corrected version of the required package.

* Tue Mar 31 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt1
- Handling of ACLs of the packages;
- Improved compactness of the reports;
- Optimized DB storage.

* Wed Feb 19 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.1-alt1
- Handling of special symbols used in some CPEs.

* Sun Feb 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.0-alt1
- Import of records of debuginfo bin packages not performed;
- Ability to exclude some of the CPEs (by placing "<vendor>, <product>" lines
  in "cpe-excluded.csv" file).

* Sun Feb 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.30.0-alt1
- Import of CPE of other than 'application' part not performed except for
  CPE of 'linux' vendor of 'operating system' part;
- Import of CPE with unknown version not performed if there is CPE with
  specified version and with the same product name for that CVE record;
- Enhanced mapping algorithm.

* Wed Jan 29 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.5-alt1
- Fixed 'fixes' matching;
- Fixed monitoring of diff between branches.

* Sat Jan 25 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.4-alt1
- cve-monitor reports take less memory space (by means of not including
  useless space symbols).

* Thu Jan 23 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.3-alt1
- Custom order of records of history/news reports is possible.

* Sun Jan 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.2-alt1
- Fix of monitoring of new unfixed issues.

* Mon Jan 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.1-alt1
- Fix of bug that was causing abortion of 'cve-issues' module.

* Fri Jan 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.0-alt1
- Enhanced data processing that makes for a much more accurate conclusions
  about the range of vulnerable versions;
- Improved readability of the reports.

* Tue Dec 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.28.0-alt1
- Ability to monitor dynamics of the issues;
- Corrected processing of '*' versions;
- Displaying intervals of vulnerable versions in reports;
- Fixed functionality of customisation of ordering of a report entries;
- Corrected extraction of non-patch references.

* Sat Dec 07 2019 Alexey Appolonov <alexey@altlinux.org> 0.27.0-alt1
- Storage space and computing resource economy by means of optimised
  representation of vulnerable software.

* Fri Dec 06 2019 Alexey Appolonov <alexey@altlinux.org> 0.26.0-alt1
- CVSS v2 scores take their place along with v3 scores.

* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.25.0-alt1
- Ability to manually discard incorrect matches.

* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.2-alt1
- Corrected CPE parser that runs at the issues-detection stage.

* Mon Dec 02 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.1-alt1
- Protection from quotation marks that can be found in CVE summary and
  that messes up the CSV import;
- Corrected parser (according with CPE ver 2.3 format);
- Bugfixes.

* Sun Nov 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.0-alt1
- Downloading and importing NVD vulnerabilities lists in JSON format
  with the use of newly created 'libtree';
- Ability to manually exclude some of the issues and make mapping prescriptions
  with the use of newly created 'cve-manager-inner-knowledge'.

* Fri Sep 27 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.2-alt1
- Optimized XML-import.

* Sat Sep 21 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.1-alt1
- cve-monitor bugfixes.

* Wed Sep 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.0-alt1
- Patch references can be added to cve-monitor reports for unfixed
  vulnerabilities;
- More than a half of DB storage is saved by storring the issues only for the
  most generic versions;
- New view on 'fix' conclusions - there is 'unclear' fix status (for
  vulnerabilities with no stated vulnerable versions, for example).

* Thu May 23 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.1-alt1
- Fix of couple flaws of the mapping process.

* Sun May 19 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.0-alt1
- Multithreading is arranged in a more optimal way;
- 'Complete' matching is not performed for a packages that got one of the
  special prefixes ('python-module', 'perl', ...);
- Enhanced algorithm of the 'partial' matching;
- Package names that differ only by numerical part at the end
  (so called 'relatives') is handled more wisely during mapping;
- Issues that differ only in additional part of CPE is ignored;
- cve-monitor is using only senior branches (that must be specified
  in the conf) in 'cure' suggestions, 'cure' suggestions is optional;
- cve-monitor is placing too long lists of vulnerable versions in footnotes
  of the reports.

* Wed Apr 17 2019 Alexey Appolonov <alexey@altlinux.org> 0.21.0-alt1
- Compatibility with MySQL 8.*;
- Modifyed mapping process - src/bin lists of all the branches are combined
  as src_united/bin_united and then processed in that combined form;
- Much more intelligent approach to parallel execution of the modules,
  especially two most time consuming modules - cpe-map and cve-issues;
- Improved feedback in multiprocessing mode;
- 'CURE' suggestions in cve-monitor's reports.

* Mon Mar 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.20.0-alt1
- Use of all existing names from vulnerabilities lists instead of names
  from CPE dict for mapping;
- Completely redesigned mapping module: every type of mapping can be triggered
  individually, results for every type of mapping are stored in the DB,
  special algorithm is used for making the final mapping choice - all this
  allows to created separate thread for each type of matching in auto mode;
- Ability to detect and go round format faults of the packages lists;
- Consideration of excluded data sources by cve-download and cve-monitor;
- Fully implemented restoring functionality of cve-backup;
- Ability to set the number of stored backup files;
- Fixed params handling of cve-monitor;
- Output functionality is adapted for situation when modules are triggered
  by cron.

* Mon Dec 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.19.0-alt1
- Ability to run in multiprocessing mode;
- Ability to exclude data sources;
- Modified user interface of the cve-monitor;
- Showing CVSS score in cve-monitor reports;
- Ability to order monitoring results in various ways;
- Ability to group packages with unfixed vulnerabilities in cve-monitor reports;
- All printing operations carried by Printer class, which not only makes life
  easier but brings cool features like buffering the input for later mailout;
- Ability to run in 'silent' mode;
- Ability to send emails with cve-monitor reports.

* Sun Oct 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt2
- Rebuilding with new libcontrol++.

* Wed Oct 17 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt1
- Correction of branch names validation.

* Mon Oct 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.0-alt1
- Names of avalible branches are section names of the conf;
- Each branch now have a set of params;
- Renaming 'paths' section of the conf to 'common';
- Skipping repetition of branch sections in conf;
- There is no cve-import's "--space" param anymore;
- Russian manual.

* Sun Sep 30 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.1-alt1
- Running downloader without 'noreplace' flag in auto mode;
- Fix of the 'cve-monitor --map' command;
- Printing with TPrinter of the libcontrol++.

* Mon Sep 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.0-alt1
- Prescribed mapping;
- Detecting 'relative' packages at the import stage
  and using information about them as mapping attribute;
- Handling FSTEC vulnerabilities within current cve-issues concept;
- cve-monitor is working OK within current cve-issues concept;
- Revised comparison of versions that happens at the issues-detection stage;
- Revised packages-filtering function;
- Removing duplicates of src packages names at import stage
  and corresponding bin-packages names, not vice versa;
- Not importing CPEs of 'hardware' part;
- Not importing Mitre list by default;
- Common bin package for conf file & common py module;
- Own config file for cve-monitor.

* Sun Sep 02 2018 Alexey Appolonov <alexey@altlinux.org> 0.16.0-alt1
- Versions of vulnerable programs are now taken into account when figuring out
  the 'fix' entries of *_issues table;
- Ability to compare 'fix' entries of different branches;
- c7.1 and c8.1 branches are avalible for cve-manager;
- Fix of monitoring of the selected packages;
- Only members of the 'cve' group can run modules that modify
  the vulnerabilities DB.

* Fri Jul 27 2018 Alexey Appolonov <alexey@altlinux.org> 0.15.0-alt1
- Proper output when running with 'tee' in auto mode;
- Correction in mapping algorithm, including 1) check if there are some
  CPE/FSTEC names left to map, 2) additional break condition of the mapping
  loop, so there could be no infinite loop, 3) fix of the wrong behavior
  emerging for a names that differ only by number at the end, 4) avoidance of
  complete match for the duplicates, 5) fix of the RemoveMapDups function;
- Ability to disable bin partial match;
- Filtering the package lists with distro list;
- Fix of the import of the last NVD CVE list;
- Working realisation of the 'packs' option of the cve-import;
- No more verbose output option in cve-import;
- cve-import's UI now looks more like UI of the py-modules;
- Introducing refs and const modifier wherever possible for the cve-import.

* Mon Jun 25 2018 Alexey Appolonov <alexey@altlinux.org> 0.14.0-alt1
- Aligning columns for the output of existing issues;
- Ability to omit the download of the old lists;
- Fixing the 'Fixes' entries matching in cve-issues.

* Thu Jun 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.2-alt1
- Handling the situation when the DB does not exist (by all modules).

* Wed Jun 20 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.1-alt1
- Ability to choose mapping type (FSTEC or CPE by now);
- Reducing bin packages dict before mapping if '--packages' option is used
  (similar to src list reduction).

* Tue Jun 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.2-alt1
- Correction of the cve-fixes module;
- Checking DB-users grp existence before creating it at the postinstall stage.

* Sat Jun 09 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.1-alt1
- Fix of the 'plain' output mode.

* Thu Jun 07 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.0-alt1
- Ability to state beginning and ending steps for auto mode;
- Ability to state custom '/space' path;
- Ability to retrieve 'Fixes' entries for the given packages names;
- NVD CVE lists import fix;
- cpe-map infinite loop fix that was possible with some input data;
- Improved logic for the cve-monitor's user interface.

* Fri Jun 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.1-alt1
- Correction of params for cve-issues in auto mode.

* Thu May 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.0-alt1
- Ability to set starting step for auto mode in main module;
- Usage examples for cve-download;
- Arguments handling fix in cve-issues;
- Only root can modify cve-manager.conf.

* Mon May 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.10.0-alt1
- New module cve-backup;
- Ability to prepare database in auto mode.

* Fri May 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.9.0-alt1
- Full integration of the FSTEC vulnerabilities list;
- Bin packages matching fix;
- Ability to use custom mapping application;
- Memory leakage fix.

* Fri May 4 2018 Alexey Appolonov <alexey@altlinux.org> 0.8.0-alt1
- New module cve-download.py
- "Fixes" entries now stored in *_src tables;
- Importing bin lists;
- Enhanced mapping algorithm;
- Unescaping URL codes from CPE in cve-import;
- More flexibility in cve-import tables recreation;
- Ability to disable entireline output in cve-import;
- Catching run modes with cve-manager-common.py;
- Using argparse in majority of modules;
- cve-fixes new features;
- Monitoring CVE issues table and monitoring CVE descriptions for the packages;
- Single path for CVE lists and CPE dict import that specified
  in configuration file.

* Fri Mar 16 2018 Alexey Appolonov <alexey@altlinux.org> 0.7.0-alt1
- Improved output format;
- CPE dict names import with sections separation;
- Fixed and improved mapping algorithm;
- Fixes-extraction parts completely removed from cve-import;
- Working version of cve-linker module under new name "cve-issues.py";
- New cve-monitor functionality;
- Various fixes and improvements in py-modules.

* Mon Mar 05 2018 Alexey Appolonov <alexey@altlinux.org> 0.6.0-alt1
- New cve-manager-common.py features and improvements;
- New module cve-linker.py;
- New module cve-fixes.py;
- Fixes tables structure changed;
- Error handling correction when applying configuration for cve-import module.

* Thu Mar 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.5.0-alt1
- Taking CPE name from "name" attribute of the "cpe-item" tag,
  not from "cpe-23:cpe23-item" tag;
- CPE dictionary can be imported directly, without creating CSV file,
  just like NVD XML can be;
- New cve-manager-common.py functionality;
- Sending cpe-packages map to the database;
- Monitoring mapped packages.

* Mon Feb 26 2018 Alexey Appolonov <alexey@altlinux.org> 0.4.0-alt1
- CPE dictionary import;
- New cve-manager-common.py module with common functions and classes
  used by other cve-manager py-modules;
- cve-monitor rewritten with the use of cve-manager-common.py;
- CPE mapper (cpe-map.py) first draft;
- Changes in cve-manager.py debug mode.

* Thu Feb 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.3.0-alt1
- New version of main module written in Python;
- New module "cve-monitor";
- Minor fixes.

* Thu Feb 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.1-alt1
- common* and conf* files was removed from the project because
  they are included in dynamically linked libcontrol++.

* Wed Feb 14 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.0-alt1
- What previously known as "cve-manager" now became
  "cve-import" module of the cve-manager toolkit
  with "cve-manager" script as top level module.

* Tue Feb 13 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.2-alt1
- Fixing usage of branches flags from configuration file;
- Changes in display output for the operations status.

* Wed Jan 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.1-alt1
- Chmod of configuration file (only system administrator
  should know MySQL DB password);
- MySQL authentication bug fixed;
- Handling the situation when packages lists can not be found;
- Removing formed CSV file with NVD CVE list right after import to DB.

* Mon Jan 29 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.0-alt1
- Initial release.