%define cve_group cve
%define backup cve-backup
%define history cve-history
%define download cve-download
%define import cve-import
%define map cpe-map
%define map_special *-map-special
%define issues cve-issues
%define monitor cve-monitor
%define mail cve-mail
%define vuln_list %{name}-vuln-list
%define libcommon libcve-manager
%define common %{name}-common
%define python3_sp /usr/lib/python3/site-packages
%define common_sp %{python3_sp}/cve_manager
%define map_sp %{python3_sp}/cpe_map
%define choice_sp %{python3_sp}/cpe_map_choice
%define issues_sp %{python3_sp}/cve_issues
%define monitor_sp %{python3_sp}/cve_monitor
%define knowledge %{name}-inner-knowledge
%define lcontrolpp_ver 0.29
%define ltree_ver 0.9
%define ax_ver 0.18
%define knowledge_ver 2023.04.03
Name: cve-manager
Version: 0.74.5
Release: alt1
Summary: CVE-management toolkit
License: GPLv3
Group: Other
Url: https://www.altlinux.org/CVE-Manager
Packager: Alexey Appolonov <alexey@altlinux.org>
# http://git.altlinux.org/people/alexey/packages/?p=cve-manager.git
Source: %{name}-%{version}.tar
# For cve-import
BuildRequires: gcc-c++
BuildRequires: libcontrol++-devel >= %{lcontrolpp_ver}
BuildRequires: libtree-devel >= %{ltree_ver}
BuildRequires: libmysqlcppconn-devel
BuildRequires: libcurl-devel
# For py-modules
BuildRequires: rpm-build-python3
Requires: python3
Requires: python3-module-ax >= %{ax_ver}
Requires: python3-module-mysql
Requires: python3-module-Levenshtein
Requires(pre): %{common}
Requires: %{libcommon}
Requires: %{backup}
Requires: %{history}
Requires: %{download}
Requires: %{import}
Requires: %{map}
Requires: %{issues}
Requires: %{monitor}
ExcludeArch: i586
ExcludeArch: armh
%description
%{name} is a toolkit of utilities used to build a database of vulnerabilities
(VUL DB) in MySQL and to provide an easy interface to that DB.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{backup}
Summary: CVE DB backupper/restorer
Group: Other
Requires: %{common}
%description -n %{backup}
%{backup} is a utility used to back up and restore a VUL DB.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{history}
Summary: Tracker of CVE-dynamics
Group: Other
Requires: %{common}
%description -n %{history}
%{history} is a utility used to save records about currently unfixed issues
detected with the cve-issues module and to save the current map of product
names to package names.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{download}
Summary: CVE-lists and CPE dictionary downloader
Group: Other
Requires: %{common}
Requires: python3-module-requests
Requires: wget
Requires: git-core
%description -n %{download}
%{download} is a utility used to download lists with descriptions of
vulnerabilities (from various sources) and a CPE dictionary via HTTPS.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{import}
Summary: Data parser and MySQL DB importer
Group: Other
Requires: %{common}
Requires: %{libcommon}
Requires: libcontrol++ >= %{lcontrolpp_ver}
Obsoletes: cve-fixes
%description -n %{import}
%{import} is a utility used to import lists of packages of examined repos,
various lists with descriptions of vulnerabilities (in JSON and XML format)
and a CPE dictionary into a VUL DB.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{map}
Summary: CPE list to software packages list mapper
Group: Other
Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}
%description -n %{map}
%{map} is a utility used to map names of products used in descriptions of
vulnerabilities (imported into a VUL DB) to names of packages (also imported
into the VUL DB).
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{issues}
Summary: CVE-issues detector
Group: Other
Requires: %{common}
Requires: %{knowledge} >= %{knowledge_ver}
%description -n %{issues}
%{issues} is a utility used to detect issues related to vulnerabilities of
the packages and to create records for those issues in a VUL DB for later
access via the cve-monitor and cve-history modules.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{monitor}
Summary: CVE database monitor
Group: Other
Requires: %{common}
%description -n %{monitor}
%{monitor} is a utility used to query a VUL DB and form human-readable reports
that can be sent via SMTP on request.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{vuln_list}
Summary: Generator of "vuln-list" files for detected issues
Group: Other
Requires: %{common}
Requires: %{issues}
%description -n %{vuln_list}
%{vuln_list} is a utility used to generate "vuln-list" files for all
vulnerability issues detected in the specified repositories.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{libcommon}
Summary: C++ lib with common functionality
Group: Other
Requires: libtree >= %{ltree_ver}
%description -n %{libcommon}
C++ library with common functionality such as connecting to MySQL DB and
parsing the main configuration file.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%package -n %{common}
Summary: Common files of the CVE manager
Group: Other
%description -n %{common}
Common files such as a config file and a cve-manager py-library.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%prep
%setup
%build
%make_build -C libcve-manager/
%make_build -C cve-import/
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%install
# Preparing dirs
mkdir -p \
%{buildroot}%{_bindir} \
%{buildroot}%{_libdir} \
%{buildroot}%{_defaultdocdir}/%{name} \
%{buildroot}%{_sysconfdir}/%{name} \
%{buildroot}%{map_sp} \
%{buildroot}%{choice_sp} \
%{buildroot}%{issues_sp} \
%{buildroot}%{monitor_sp} \
%{buildroot}%{common_sp}
# Installing executables
install -m0750 \
%{import}/bin/%{import} \
%{name} \
%{backup} \
%{history} \
%{download} \
%{map}* \
%{map_special} \
%{issues} \
%{buildroot}%{_bindir}
install -m0755 \
%{monitor} \
%{vuln_list} \
%{buildroot}%{_bindir}
install -m0750 cpe_map/* %{buildroot}%{map_sp}
install -m0750 cpe_map_choice/* %{buildroot}%{choice_sp}
install -m0750 cve_issues/* %{buildroot}%{issues_sp}
install -m0755 cve_monitor/* %{buildroot}%{monitor_sp}
install -m0755 cve_manager/* %{buildroot}%{common_sp}
install -m0755 %{libcommon}/bin/%{libcommon}.so %{buildroot}%{_libdir}
# Installing configs (user should be in the 'cve' group to use cve-manager)
cp -r samples/* %{buildroot}%{_sysconfdir}/%{name}
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
chmod 660 %{buildroot}%{_sysconfdir}/%{name}/%{mail}.conf
chmod 664 %{buildroot}%{_sysconfdir}/%{name}/%{monitor}.conf
# Installing documentation
cp COPYING readme.txt %{buildroot}%{_defaultdocdir}/%{name}/
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The conf file and the modules that modify the CVE DB belong to the group of
# cve-manager users
%post -n %{common}
# Creating the group for cve-manager users if it doesn't exist yet
# (getent matches the exact group name; grepping /etc/group would also match
# any line that merely contains the string '%{cve_group}')
if ! getent group %{cve_group} >/dev/null; then
    groupadd %{cve_group}
fi
chgrp %{cve_group} %{_sysconfdir}/%{name}/%{name}.conf
%post
chgrp %{cve_group} %{_bindir}/%{name}
%post -n %{backup}
chgrp %{cve_group} %{_bindir}/%{backup}
%post -n %{history}
chgrp %{cve_group} %{_bindir}/%{history}
%post -n %{download}
chgrp %{cve_group} %{_bindir}/%{download}
%post -n %{import}
chgrp %{cve_group} %{_bindir}/%{import}
%post -n %{map}
chgrp %{cve_group} \
%{_bindir}/%{map}* \
%{_bindir}/%{map_special} \
%{map_sp}/* \
%{choice_sp}/*
%post -n %{issues}
chgrp %{cve_group} \
%{_bindir}/%{issues} \
%{issues_sp}/*
%post -n %{monitor}
chgrp %{cve_group} \
%{_sysconfdir}/%{name}/%{monitor}.conf \
%{_sysconfdir}/%{name}/%{mail}.conf
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%files
%{_bindir}/%{name}
%files -n %{download}
%{_bindir}/%{download}
%files -n %{backup}
%{_bindir}/%{backup}
%files -n %{history}
%{_bindir}/%{history}
%files -n %{import}
%{_bindir}/%{import}
%files -n %{map}
%{_bindir}/%{map}*
%{_bindir}/%{map_special}
%{map_sp}
%{choice_sp}
%files -n %{issues}
%{_bindir}/%{issues}
%{issues_sp}
%files -n %{monitor}
%{_bindir}/%{monitor}
%{monitor_sp}
%config(noreplace) %{_sysconfdir}/%{name}/%{monitor}.conf
%config(noreplace) %{_sysconfdir}/%{name}/%{mail}.conf
%files -n %{vuln_list}
%{_bindir}/%{vuln_list}
%files -n %{libcommon}
%{_libdir}/%{libcommon}.so
%files -n %{common}
%{common_sp}
%{_defaultdocdir}/%{name}
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
%changelog
* Thu Apr 20 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.5-alt1
- The list of related FSTEC products is taken into account.
* Sat Apr 15 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.4-alt1
- Fixed import of the FSTEC vulnerability list.
* Wed Apr 12 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.3-alt1
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
* Wed Apr 12 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.2-alt1
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
* Sat Apr 08 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.1-alt1
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
* Tue Apr 04 2023 Alexey Appolonov <alexey@altlinux.org> 0.74.0-alt1
- Workaround for a "missing TLS certificate" problem when downloading the FSTEC
vulnerability list;
- The "cve-monitor" module doesn't terminate immediately if there is some error
(for example if emails cannot be sent, reports will still be written to files
if there is a request to do so).
* Thu Mar 30 2023 Alexey Appolonov <alexey@altlinux.org> 0.73.0-alt1
- A new module "cve-manager-vuln-list" that can generate "vuln-list" files for
detected issues.
* Fri Mar 24 2023 Alexey Appolonov <alexey@altlinux.org> 0.72.0-alt1
- Package releases are taken into account when excluding issues;
- The "cve-issues" module can process manually specified package
versions/releases (the "cve-monitor-check-update" module is no longer needed
and has been removed).
* Fri Mar 03 2023 Alexey Appolonov <alexey@altlinux.org> 0.71.6-alt1
- Fixed issues detection for the kernel packages.
* Sun Jan 22 2023 Alexey Appolonov <alexey@altlinux.org> 0.71.5-alt1
- Backslashes, which may be part of the names of vendors and products imported
from NVD lists, are ignored (they are used to escape special symbols in the
names and at the same time they complicate the processing or require the use
of escape symbols in the "cve-manager-inner-knowledge" lists).
* Thu Jan 12 2023 Alexey Appolonov <alexey@altlinux.org> 0.71.4-alt1
- Enhanced mapping algorithm;
- Corrected use of the list of ignored mapping pairs;
- Column header "CVE ID" of the detailed reports is changed to "VUL ID".
* Mon Jan 09 2023 Alexey Appolonov <alexey@altlinux.org> 0.71.3-alt1
- Fix of the column size shortage error that could occur when filling the
"nvd_products_timelines" table;
- Corrected use of the list of ignored mapping pairs.
* Sat Dec 17 2022 Alexey Appolonov <alexey@altlinux.org> 0.71.2-alt1
- CVE IDs of the FSTEC entries are taken into account when issues are being
detected.
* Tue Dec 13 2022 Alexey Appolonov <alexey@altlinux.org> 0.71.1-alt1
- Reduced processing time (partial matching of binary package names is disabled,
which currently doesn't affect the final result in any way).
* Thu Dec 08 2022 Alexey Appolonov <alexey@altlinux.org> 0.71.0-alt1
- Processing of the FSTEC data source is corrected;
- CVE IDs of the FSTEC entries are used to map FSTEC product names to package
names.
* Sat Nov 05 2022 Alexey Appolonov <alexey@altlinux.org> 0.70.0-alt1
- The linux_kernel_cves data (https://github.com/nluedtke/linux_kernel_cves)
is used to detect fixed vulnerabilities.
* Thu Nov 02 2022 Alexey Appolonov <alexey@altlinux.org> 0.69.0-alt2
- Build for every arch except armh and i586 (both 32-bit).
* Thu Oct 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.69.0-alt1
- Excluding of all products via the *-excluded.csv files is prohibited, as well
as stating everything as an exception from the exclusion;
- Not specifying a vendor when excluding products via the *-excluded.csv files
is allowed.
* Thu Oct 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.2-alt1
- Symbols that aren't allowed to be part of product names, such as commas,
colons and unicode spaces, are removed/replaced from the FSTEC vulnerability
list (at the import stage).
* Fri Jul 15 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.1-alt1
- Non-printable characters that may be contained in the FSTEC vulnerability
list are removed (at the import stage).
* Wed Jul 13 2022 Alexey Appolonov <alexey@altlinux.org> 0.68.0-alt1
- Full support of the FSTEC data source;
- New module "cve-monitor-check-update" for searching vulnerabilities of a
package, that have been fixed in a given range of versions.
* Tue Jul 12 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.6-alt1
- Fixed merging of vulnerable versions (which is performed for reports
generated with the '--group' flag).
* Mon Jul 11 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.5-alt1
- Fixed filtering of new issues (which is performed using distro lists).
* Tue May 17 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.4-alt1
- Special prefixes of package names are defined only by the "groups.csv" file,
which comes with the "cve-manager-inner-knowledge" package.
* Tue May 10 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.3-alt1
- Patch references are considered when mapping product names to package names.
* Fri May 06 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.2-alt1
- URLs from the "cpe-mapping-ignore.csv" list don't have to completely match
URLs of the analyzed packages (it's enough if one URL starts with another).
* Thu May 05 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.1-alt1
- A src package cannot be completely skipped solely because of the unwanted
suffixes of its bin packages.
* Wed May 04 2022 Alexey Appolonov <alexey@altlinux.org> 0.67.0-alt1
- New ability to analyze the system on which the cve-manager is running;
- New cve-manager mode "offline", that skips the "download" step;
- Bin package names that have the "-common" suffix are excluded from the
analysis;
- New ability to specify multiple product names of an excluded CPE in a single
row.
* Tue Apr 19 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.1-alt1
- Fixed determination of groups using package/products URLs.
* Fri Apr 15 2022 Alexey Appolonov <alexey@altlinux.org> 0.66.0-alt1
- Improved mapping algorithm that now operates with the so-called "groups of
packages and products" (a product of one special group cannot be mapped to a
package of another special group) and takes into account special prefixes and
suffixes of products;
- Ability to specify multiple URLs for a single package in the list of ignored
matches;
- Minor fixes and improvements.
* Thu Mar 10 2022 Alexey Appolonov <alexey@altlinux.org> 0.65.0-alt1
- New ability to assign CPEs that will be recognized as related to each other;
- Improved interaction between the main module and the module "cpe-map"
(products will not be remapped using those types of mapping that have already
been used).
* Thu Mar 03 2022 Alexey Appolonov <alexey@altlinux.org> 0.64.0-alt1
- New ability to specify branches for ignored matches.
* Thu Feb 24 2022 Alexey Appolonov <alexey@altlinux.org> 0.63.0-alt1
- Improved mapping algorithm;
- Improved interaction between the main module and the module "cve-download"
(recently downloaded data will not be requested when restarting the module
"cve-download" in the cve-manager auto mode).
* Tue Feb 08 2022 Alexey Appolonov <alexey@altlinux.org> 0.62.0-alt1
- Improved mapping algorithm;
- New features of managing the list of ignored mapping pairs.
* Wed Jan 26 2022 Alexey Appolonov <alexey@altlinux.org> 0.61.0-alt1
- A package with the "lib" prefix and a package without it can be identified
as related packages;
- A product with the "lib" prefix/suffix and a product without it can be
identified as related products;
- Separators are not taken into account when checking whether product names are
related or not;
- Package URLs are taken into account when mapping related packages (package
URLs can be specified in the "cpe-mapping-ignore.csv" list).
* Fri Jan 14 2022 Alexey Appolonov <alexey@altlinux.org> 0.60.0-alt1
- Improved module "cve-backup";
- Improved exception handling;
- The names of sections for DB connection params and SMTP connection params,
as well as the names of the parameters themselves, have been changed (use
the "transitions/from-0.59-to-0.60" script for the transition).
* Tue Dec 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.59.0-alt1
- References from the NVD vulnerabilities lists, as well as names of products
that are recognized as related, are used to map product names to package
names.
* Mon Nov 29 2021 Alexey Appolonov <alexey@altlinux.org> 0.58.0-alt1
- Increased data storage efficiency.
* Tue Nov 09 2021 Alexey Appolonov <alexey@altlinux.org> 0.57.0-alt1
- Maintenance of the list of special package name prefixes is delegated to
the "cve-manager-inner-knowledge" package;
- Added several more pairs of related package name prefixes (used to identify
related packages).
* Fri Oct 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.1-alt1
- Results of mapping are stable, including cases where a mapping choice consists
of multiple products (a same string value is produced for a same set of
matched product names);
- Reports with new issues have the same format even if there are no new issues
(there is no special format for this case anymore).
* Mon Oct 04 2021 Alexey Appolonov <alexey@altlinux.org> 0.56.0-alt1
- Fixed cpe-map-choice module (the bug was introduced in the cve-manager v0.55);
- Improved user interface of the cve-monitor;
- Slightly changed format of cve-monitor "diff" reports (a modified header and
an absence of a footer).
* Thu Sep 30 2021 Alexey Appolonov <alexey@altlinux.org> 0.55.0-alt1
- Ability to assign multiple product names to a single package using a list
of prescribed mapping pairs;
- Slightly changed format of some types of cve-monitor reports (a modified
header and an absence of a footer).
* Thu Sep 23 2021 Alexey Appolonov <alexey@altlinux.org> 0.54.0-alt1
- Ability to more accurately specify packages in the list of ignored mapping
pairs by specifying their URLs.
* Fri Sep 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.53.0-alt1
- The "gem" package name prefix is taken into account in the same way as other
special prefixes.
* Wed Jul 28 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.1-alt1
- Minor code improvements;
- Build with debuginfo enabled.
* Tue Jun 22 2021 Alexey Appolonov <alexey@altlinux.org> 0.52.0-alt1
- Handling of descriptions of complex vulnerabilities that include combinations
of conditions for different software products.
* Tue May 25 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.2-alt1
- Fix of the exclusion of issues.
* Wed May 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.1-alt1
- Handling of misleading characters in ranges of vulnerable versions.
* Tue May 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt2
- Build update according to the latest modification of the build system.
* Sat Apr 17 2021 Alexey Appolonov <alexey@altlinux.org> 0.51.0-alt1
- Disputed vulnerabilities are highlighted in cve-monitor reports;
- Improved algorithm of partial matching;
- Fixed handling of prescribed name matches (in some cases the prescriptions
had no effect).
* Thu Apr 08 2021 Alexey Appolonov <alexey@altlinux.org> 0.50.0-alt1
- Special way of handling of remaining special URLs (freedesktop.org,
debian.org, fedorahosted.org, mozilla.org);
- Those excluded mapping pairs that include a vendor and that didn't affect
results of a mapping, are taken into account at the issues-detection stage.
* Wed Apr 07 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.4-alt1
- Fix of the custom ordering of entries of cve-monitor reports;
- Proper handling of invalid combinations of cve-monitor parameters.
* Sat Mar 27 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.3-alt1
- Improved mapping algorithm.
* Fri Mar 19 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.2-alt1
- Improved mapping algorithm.
* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.1-alt1
- Improved issues detection.
* Fri Mar 12 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt2
- Corrected manual.
* Thu Mar 11 2021 Alexey Appolonov <alexey@altlinux.org> 0.49.0-alt1
- Ability to write "cve-monitor" reports into files inside specified directory
(the cve-monitor UI changed, use the "--mail --title <category>" option
instead of the "--mail <category>" option);
- Ability to prescribe completely different package names (that are not
"relatives") to a same product;
- Package prefixes "mediawiki-extensions", "kde4" and "kde5" are taken into
account in the same way as other special prefixes;
- Minor improvements throughout the project, including an improved UI of the
"cve-monitor" module (reports will be split by default).
* Fri Feb 26 2021 Alexey Appolonov <alexey@altlinux.org> 0.48.0-alt1
- URLs of distro lists turned into custom parameters;
- Execution of the "cve-download" module is terminated immediately if any of
the required info can't be downloaded;
- Ability to download FSTEC vulnerability list is fixed;
- Tolerance to the FSTEC source (the FSTEC source is not yet fully supported,
but cve-manager does not fail if the FSTEC source is not excluded and if any
operation regarding FSTEC fails).
* Thu Feb 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.1-alt1
- Bugfixes.
* Mon Feb 15 2021 Alexey Appolonov <alexey@altlinux.org> 0.47.0-alt1
- Metadata of analyzed packages is collected and imported at the "import" stage,
which significantly reduces the probability of import failure of IDs of fixed
vulnerabilities and URLs of the packages (the "cve-fixes" module is removed);
- Ability to use binary RPM packages instead of source RPM packages;
- Improved algorithm for extracting fixed vulnerabilities IDs from changelogs;
- Improved user interface of the "cve-import" module.
* Fri Feb 05 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.1-alt1
- Corrected specification of package names when making queries with cve-monitor.
* Mon Jan 18 2021 Alexey Appolonov <alexey@altlinux.org> 0.46.0-alt1
- Ability to monitor vulnerabilities of specified distributions (the 'download'
parameter must be assigned in the 'cve-monitor.conf').
* Thu Dec 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.45.0-alt1
- Much more efficient way of extracting vulnerability IDs from changelogs.
* Wed Dec 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.44.0-alt1
- The '-' version value of a product that is present in a list of vulnerable
software of a CVE entry is interpreted as 'any version' if there are no
specific versions and no ranges of versions for this product in this list;
- Better way of handling of versions that contain a date.
* Mon Nov 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.43.0-alt1
- Optimised DB structure;
- Improved performance of the cve-issues module;
- The '-d <distro_list>' option of the cve-import module is removed.
* Wed Nov 11 2020 Alexey Appolonov <alexey@altlinux.org> 0.42.0-alt1
- Consideration of names of vendors during a mapping of package names
to product names;
- Proper way of imposing a penalty for not being in the CPE dict;
- New penalty for being titled as a program for non-free operating systems only;
- Corrected descriptions of modules and corrected help messages.
* Tue Nov 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.41.0-alt1
- Ability to split reports by branches;
- Improved user interface of the cve-backup module.
* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.40.0-alt1
- Improved URL-matching;
- Optimized storage of the CPE dict.
* Wed Oct 21 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.1-alt1
- Corrected reporting on a comparison of branches.
* Mon Oct 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.39.0-alt1
- Improved URL-matching;
- Corrected partial matching of short package/product names.
* Wed Oct 07 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.1-alt1
- Corrected procedure of making a mapping choice.
* Tue Oct 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.38.0-alt1
- Improved URL-matching;
- Minimally acceptable score of a matching is lowered;
- Ability to detect newly established/found matches of package names that
previously have not been matched to product names and to detect newly
denied/lost name matches;
- Display of a number of excluded NVD entries and a number of excluded CPEs
during an import process.
* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.37.0-alt1
- Re-evaluated ranking of types of matching;
- Ability to make multiple attempts to perform each step of the DB formation
without errors.
* Tue Sep 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.8-alt1
- Fixed error handling in cve-import module;
- Optimized storage of timelines of packages.
* Thu Sep 17 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.7-alt1
- Corrected behavior of the modules when running them with no arguments;
- Build with a new version of the 'ax' library that adds more sense into
comparison of versions.
* Tue Sep 15 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.6-alt1
- Determinism of a mapping choice in any corner-case situation;
- Optimized usage of memory during import of timelines;
- Minor tweaks and fixes.
* Wed Sep 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.5-alt1
- Better way of normalization of scores of the 'fixes' type of matching.
* Wed Sep 02 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.4-alt1
- Handling of a situation when a branch that is being processed with the
cve-history module has no *_src or *_issues tables;
- Comparisons of symbolic versions versus numeric versions are filtered out
during a detection of issues.
* Fri Aug 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.3-alt1
- Fixed issue of incorrect data splitting while using multiple cores
during a mapping;
- Handling of excluded mapping pairs that contain product names
that contain commas;
- Length of the 'MAPPED NAME' column of the reports is restricted.
* Thu Aug 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.2-alt1
- Fixed features used for testing of cpe-map* modules;
- Resolved rivalry between 'url' and 'complete' types of matching.
* Thu Aug 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.1-alt1
- Optimized memory usage when importing data.
* Thu Jul 30 2020 Alexey Appolonov <alexey@altlinux.org> 0.36.0-alt1
- New type of matching of package names to names of vulnerable products that
uses URL-addresses from metadata of source packages and URL-addresses from
CPE dictionary.
* Tue Jul 28 2020 Alexey Appolonov <alexey@altlinux.org> 0.35.0-alt1
- Simpler, more reliable algorithm of making a mapping choice (for mapping
package names to CPE/FSTEC product names).
* Wed Jul 22 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.1-alt1
- Fixed filtering of excluded issues;
- Corrected counter of related packages;
- Right way of handling some of the possible errors;
- Procedures that ensure that required configuration params are present;
- Ability to call for a list of modules without passing other params;
- Requirement of libcontrol++ 0.24.1 update that is really important;
- Complemented manual.
* Thu Jul 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.34.0-alt1
- New input data convention - a bin list (and its simplified ver) is sufficient
for representing an investigated repository, src list is no longer supported;
- Correlations of build timelines of packages and mention dates of vulnerable
products are taken into account when making a mapping choice;
- New model of parallel processing + elimination of verbose logging for
cve-fixes, cpe-map and cve-issues that together result in improved
performance and much lighter and clearer log;
- cve-manager's dialog mode is deprecated (a user can learn about existing
modules with a use of the 'cve-manager --list_modules' command before running
the whole process or just its particular parts through the main module).
* Mon Apr 20 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.1-alt1
- Sensibility to unconverted names during a process of complete name matching;
- Corrected supplementary function of custom-name mapping;
- Build with enhanced 'ax' module.
* Sat Apr 18 2020 Alexey Appolonov <alexey@altlinux.org> 0.33.0-alt1
- Ability to keep track of a history of a map of package names;
- ACLs of packages can be fetched via cve-download;
- Packages that have names with related prefixes, or that differ only in letter
case, or with different delimiters in them can all be determined as relatives;
- Reports are made more compact.
* Mon Apr 13 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.2-alt1
- Corrected formation of fix records;
- Fixed and adjusted procedure of partial matching;
- Packages with 'python3-module' prefix can be mapped to vulnerable products on
the same terms as packages with 'python-module' or any other special prefix.
* Wed Apr 08 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.1-alt1
- Corrected functionality of comparison of branches.
* Wed Apr 01 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt2
- Corrected version of the required package.
* Tue Mar 31 2020 Alexey Appolonov <alexey@altlinux.org> 0.32.0-alt1
- Handling of ACLs of the packages;
- Improved compactness of the reports;
- Optimized DB storage.
* Wed Feb 19 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.1-alt1
- Handling of special symbols used in some CPEs.
* Sun Feb 16 2020 Alexey Appolonov <alexey@altlinux.org> 0.31.0-alt1
- Import of records of debuginfo bin packages not performed;
- Ability to exclude some of the CPEs (by placing "<vendor>, <product>" lines
in "cpe-excluded.csv" file).
* Sun Feb 09 2020 Alexey Appolonov <alexey@altlinux.org> 0.30.0-alt1
- Import of CPE of other than 'application' part not performed except for
CPE of 'linux' vendor of 'operating system' part;
- Import of CPE with unknown version not performed if there is CPE with
specified version and with the same product name for that CVE record;
- Enhanced mapping algorithm.
* Wed Jan 29 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.5-alt1
- Fixed 'fixes' matching;
- Fixed monitoring of diff between branches.
* Sat Jan 25 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.4-alt1
- cve-monitor reports take less memory space (by means of not including
useless space symbols).
* Thu Jan 23 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.3-alt1
- Custom order of records of history/news reports is possible.
* Sun Jan 12 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.2-alt1
- Fix of monitoring of new unfixed issues.
* Mon Jan 06 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.1-alt1
- Fix of bug that was causing abortion of 'cve-issues' module.
* Fri Jan 03 2020 Alexey Appolonov <alexey@altlinux.org> 0.29.0-alt1
- Enhanced data processing that makes for much more accurate conclusions
about the range of vulnerable versions;
- Improved readability of the reports.
* Tue Dec 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.28.0-alt1
- Ability to monitor dynamics of the issues;
- Corrected processing of '*' versions;
- Displaying intervals of vulnerable versions in reports;
- Fixed functionality of customisation of ordering of report entries;
- Corrected extraction of non-patch references.
* Sat Dec 07 2019 Alexey Appolonov <alexey@altlinux.org> 0.27.0-alt1
- Storage space and computing resource economy by means of optimised
representation of vulnerable software.
* Fri Dec 06 2019 Alexey Appolonov <alexey@altlinux.org> 0.26.0-alt1
- CVSS v2 scores take their place along with v3 scores.
* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.25.0-alt1
- Ability to manually discard incorrect matches.
* Wed Dec 04 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.2-alt1
- Corrected CPE parser that runs at the issues-detection stage.
* Mon Dec 02 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.1-alt1
- Protection from quotation marks that can be found in CVE summaries and
that mess up the CSV import;
- Corrected parser (according to the CPE ver 2.3 format);
- Bugfixes.
* Sun Nov 24 2019 Alexey Appolonov <alexey@altlinux.org> 0.24.0-alt1
- Downloading and importing NVD vulnerabilities lists in JSON format
with the use of newly created 'libtree';
- Ability to manually exclude some of the issues and make mapping prescriptions
with the use of newly created 'cve-manager-inner-knowledge'.
* Fri Sep 27 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.2-alt1
- Optimized XML-import.
* Sat Sep 21 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.1-alt1
- cve-monitor bugfixes.
* Wed Sep 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.23.0-alt1
- Patch references can be added to cve-monitor reports for unfixed
vulnerabilities;
- More than half of DB storage is saved by storing the issues only for the
most generic versions;
- New view on 'fix' conclusions - there is 'unclear' fix status (for
vulnerabilities with no stated vulnerable versions, for example).
* Thu May 23 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.1-alt1
- Fix of a couple of flaws of the mapping process.
* Sun May 19 2019 Alexey Appolonov <alexey@altlinux.org> 0.22.0-alt1
- Multithreading is arranged in a more optimal way;
- 'Complete' matching is not performed for packages that have one of the
special prefixes ('python-module', 'perl', ...);
- Enhanced algorithm of the 'partial' matching;
- Package names that differ only by the numerical part at the end
(so called 'relatives') are handled more wisely during mapping;
- Issues that differ only in the additional part of CPE are ignored;
- cve-monitor is using only senior branches (that must be specified
in the conf) in 'cure' suggestions; 'cure' suggestions are optional;
- cve-monitor is placing too long lists of vulnerable versions in footnotes
of the reports.
* Wed Apr 17 2019 Alexey Appolonov <alexey@altlinux.org> 0.21.0-alt1
- Compatibility with MySQL 8.*;
- Modified mapping process - src/bin lists of all the branches are combined
as src_united/bin_united and then processed in that combined form;
- Much more intelligent approach to parallel execution of the modules,
especially two most time consuming modules - cpe-map and cve-issues;
- Improved feedback in multiprocessing mode;
- 'CURE' suggestions in cve-monitor's reports.
* Mon Mar 18 2019 Alexey Appolonov <alexey@altlinux.org> 0.20.0-alt1
- Use of all existing names from vulnerabilities lists instead of names
from CPE dict for mapping;
- Completely redesigned mapping module: every type of mapping can be triggered
individually, results for every type of mapping are stored in the DB,
a special algorithm is used for making the final mapping choice - all this
allows creating a separate thread for each type of matching in auto mode;
- Ability to detect and go round format faults of the packages lists;
- Consideration of excluded data sources by cve-download and cve-monitor;
- Fully implemented restoring functionality of cve-backup;
- Ability to set the number of stored backup files;
- Fixed params handling of cve-monitor;
- Output functionality is adapted for situation when modules are triggered
by cron.
* Mon Dec 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.19.0-alt1
- Ability to run in multiprocessing mode;
- Ability to exclude data sources;
- Modified user interface of the cve-monitor;
- Showing CVSS score in cve-monitor reports;
- Ability to order monitoring results in various ways;
- Ability to group packages with unfixed vulnerabilities in cve-monitor reports;
- All printing operations carried by Printer class, which not only makes life
easier but brings cool features like buffering the input for later mailout;
- Ability to run in 'silent' mode;
- Ability to send emails with cve-monitor reports.
* Sun Oct 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt2
- Rebuilding with new libcontrol++.
* Wed Oct 17 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.1-alt1
- Correction of branch names validation.
* Mon Oct 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.18.0-alt1
- Names of available branches are section names of the conf;
- Each branch now has a set of params;
- Renaming 'paths' section of the conf to 'common';
- Skipping repetition of branch sections in conf;
- There is no cve-import's "--space" param anymore;
- Russian manual.
* Sun Sep 30 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.1-alt1
- Running downloader without 'noreplace' flag in auto mode;
- Fix of the 'cve-monitor --map' command;
- Printing with TPrinter of the libcontrol++.
* Mon Sep 10 2018 Alexey Appolonov <alexey@altlinux.org> 0.17.0-alt1
- Prescribed mapping;
- Detecting 'relative' packages at the import stage
and using information about them as mapping attribute;
- Handling FSTEC vulnerabilities within current cve-issues concept;
- cve-monitor is working OK within current cve-issues concept;
- Revised comparison of versions that happens at the issues-detection stage;
- Revised packages-filtering function;
- Removing duplicates of src packages names at import stage
and corresponding bin-packages names, not vice versa;
- Not importing CPEs of 'hardware' part;
- Not importing Mitre list by default;
- Common bin package for conf file & common py module;
- Own config file for cve-monitor.
* Sun Sep 02 2018 Alexey Appolonov <alexey@altlinux.org> 0.16.0-alt1
- Versions of vulnerable programs are now taken into account when figuring out
the 'fix' entries of *_issues table;
- Ability to compare 'fix' entries of different branches;
- c7.1 and c8.1 branches are available for cve-manager;
- Fix of monitoring of the selected packages;
- Only members of the 'cve' group can run modules that modify
the vulnerabilities DB.
* Fri Jul 27 2018 Alexey Appolonov <alexey@altlinux.org> 0.15.0-alt1
- Proper output when running with 'tee' in auto mode;
- Correction in mapping algorithm, including 1) check if there are some
CPE/FSTEC names left to map, 2) additional break condition of the mapping
loop, so there could be no infinite loop, 3) fix of the wrong behavior
emerging for names that differ only by number at the end, 4) avoidance of
complete match for the duplicates, 5) fix of the RemoveMapDups function;
- Ability to disable bin partial match;
- Filtering the package lists with distro list;
- Fix of the import of the last NVD CVE list;
- Working realisation of the 'packs' option of the cve-import;
- No more verbose output option in cve-import;
- cve-import's UI now looks more like UI of the py-modules;
- Introducing refs and const modifier wherever possible for the cve-import.
* Mon Jun 25 2018 Alexey Appolonov <alexey@altlinux.org> 0.14.0-alt1
- Aligning columns for the output of existing issues;
- Ability to omit the download of the old lists;
- Fixing the 'Fixes' entries matching in cve-issues.
* Thu Jun 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.2-alt1
- Handling the situation when the DB does not exist (by all modules).
* Wed Jun 20 2018 Alexey Appolonov <alexey@altlinux.org> 0.13.1-alt1
- Ability to choose mapping type (FSTEC or CPE by now);
- Reducing bin packages dict before mapping if '--packages' option is used
(similar to src list reduction).
* Tue Jun 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.2-alt1
- Correction of the cve-fixes module;
- Checking DB-users grp existence before creating it at the postinstall stage.
* Sat Jun 09 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.1-alt1
- Fix of the 'plain' output mode.
* Thu Jun 07 2018 Alexey Appolonov <alexey@altlinux.org> 0.12.0-alt1
- Ability to state beginning and ending steps for auto mode;
- Ability to state custom '/space' path;
- Ability to retrieve 'Fixes' entries for the given packages names;
- NVD CVE lists import fix;
- cpe-map infinite loop fix that was possible with some input data;
- Improved logic for the cve-monitor's user interface.
* Fri Jun 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.1-alt1
- Correction of params for cve-issues in auto mode.
* Thu May 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.11.0-alt1
- Ability to set starting step for auto mode in main module;
- Usage examples for cve-download;
- Arguments handling fix in cve-issues;
- Only root can modify cve-manager.conf.
* Mon May 28 2018 Alexey Appolonov <alexey@altlinux.org> 0.10.0-alt1
- New module cve-backup;
- Ability to prepare database in auto mode.
* Fri May 21 2018 Alexey Appolonov <alexey@altlinux.org> 0.9.0-alt1
- Full integration of the FSTEC vulnerabilities list;
- Bin packages matching fix;
- Ability to use custom mapping application;
- Memory leakage fix.
* Fri May 4 2018 Alexey Appolonov <alexey@altlinux.org> 0.8.0-alt1
- New module cve-download.py
- "Fixes" entries now stored in *_src tables;
- Importing bin lists;
- Enhanced mapping algorithm;
- Unescaping URL codes from CPE in cve-import;
- More flexibility in cve-import tables recreation;
- Ability to disable entireline output in cve-import;
- Catching run modes with cve-manager-common.py;
- Using argparse in majority of modules;
- cve-fixes new features;
- Monitoring CVE issues table and monitoring CVE descriptions for the packages;
- Single path for CVE lists and CPE dict import that is specified
in the configuration file.
* Fri Mar 16 2018 Alexey Appolonov <alexey@altlinux.org> 0.7.0-alt1
- Improved output format;
- CPE dict names import with sections separation;
- Fixed and improved mapping algorithm;
- Fixes-extraction parts completely removed from cve-import;
- Working version of cve-linker module under new name "cve-issues.py";
- New cve-monitor functionality;
- Various fixes and improvements in py-modules.
* Mon Mar 05 2018 Alexey Appolonov <alexey@altlinux.org> 0.6.0-alt1
- New cve-manager-common.py features and improvements;
- New module cve-linker.py;
- New module cve-fixes.py;
- Fixes tables structure changed;
- Error handling correction when applying configuration for cve-import module.
* Thu Mar 01 2018 Alexey Appolonov <alexey@altlinux.org> 0.5.0-alt1
- Taking CPE name from "name" attribute of the "cpe-item" tag,
not from "cpe-23:cpe23-item" tag;
- CPE dictionary can be imported directly, without creating CSV file,
just like NVD XML can be;
- New cve-manager-common.py functionality;
- Sending cpe-packages map to the database;
- Monitoring mapped packages.
* Mon Feb 26 2018 Alexey Appolonov <alexey@altlinux.org> 0.4.0-alt1
- CPE dictionary import;
- New cve-manager-common.py module with common functions and classes
used by other cve-manager py-modules;
- cve-monitor rewritten with the use of cve-manager-common.py;
- CPE mapper (cpe-map.py) first draft;
- Changes in cve-manager.py debug mode.
* Thu Feb 19 2018 Alexey Appolonov <alexey@altlinux.org> 0.3.0-alt1
- New version of main module written in Python;
- New module "cve-monitor";
- Minor fixes.
* Thu Feb 15 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.1-alt1
- common* and conf* files were removed from the project because
they are included in the dynamically linked libcontrol++.
* Wed Feb 14 2018 Alexey Appolonov <alexey@altlinux.org> 0.2.0-alt1
- What was previously known as "cve-manager" now became
"cve-import" module of the cve-manager toolkit
with "cve-manager" script as top level module.
* Tue Feb 13 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.2-alt1
- Fixing usage of branches flags from configuration file;
- Changes in display output for the operations status.
* Wed Jan 31 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.1-alt1
- Chmod of configuration file (only system administrator
should know MySQL DB password);
- MySQL authentication bug fixed;
- Handling the situation when packages lists cannot be found;
- Removing formed CSV file with NVD CVE list right after import to DB.
* Mon Jan 29 2018 Alexey Appolonov <alexey@altlinux.org> 0.1.0-alt1
- Initial release.