From 00b4efc1182039f10a4e797657457a1dfaaad39e Mon Sep 17 00:00:00 2001
From: Michael Drake
Date: Thu, 16 Apr 2015 14:25:08 +0000
Subject: Implement checking of version agains CVE ranges.

Change-Id: I028a255abb3be9ce1bcb8e90856e3b84a5527dd4
---
 morphlib/plugins/cve_check_plugin.py | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/morphlib/plugins/cve_check_plugin.py b/morphlib/plugins/cve_check_plugin.py
index 73351924..5d314c44 100644
--- a/morphlib/plugins/cve_check_plugin.py
+++ b/morphlib/plugins/cve_check_plugin.py
@@ -105,18 +105,23 @@ class CVEDetail:
         self.ranges = ranges
 
     def check_vulnerability(self, version):
-        print(' {}:'.format(self.id))
+        v = Version(version)
         for r in self.ranges:
-            print(' version is {}; vulnerable range is: {} to {}'.
-                  format(version, r[0], r[1]))
+            first = Version(r[0])
+            last = Version(r[1])
+            if v >= first and v <= last:
+                print(' {}:'.format(self.id))
+                print(' version is {}; vulnerable range is: {} to {}'.
+                      format(version, r[0], r[1]))
 
 class CVESoftware:
     """
     A piece of software we track CVEs for
     """
-    def __init__(self, name):
+    def __init__(self, name, filters):
         self.name = name
+        self.filters = filters
         self.cves = []
 
     def add_cve(self, id, ranges):
@@ -124,8 +129,12 @@ class CVESoftware:
         self.cves.append(cve)
 
     def check_vulnerability(self, version):
+        filtered_version = version
+        for f in self.filters:
+            filtered_version = re.sub(f[0], f[1], filtered_version)
+
         for v in self.cves:
-            v.check_vulnerability(version)
+            v.check_vulnerability(filtered_version)
 
 class CVEDataBase:
     """
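Review bot: `v = Version(version)` and `Version(r[0])` / `Version(r[1])` in CVEDetail.check_vulnerability rely on a `Version` name that no hunk of this commit imports; unless the file already brings it into scope outside this diff, the method raises NameError the first time a CVE is checked. The range test reads better as a chained comparison, `if first <= v <= last:`, and returning a bool in addition to printing would let CVESoftware aggregate results rather than depend on stdout. Since both bounds are now parsed, a short docstring stating that `self.ranges` holds inclusive `[first, last]` pairs of version strings would document the contract the comparison enforces. The enclosing class CVEDetail starts outside the hunk.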
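Review bot: `re.sub(f[0], f[1], filtered_version)` in CVESoftware.check_vulnerability uses the `re` module, and this commit adds no `import re`; if it is not already imported at the top of the file (not visible here) the call fails at runtime. The filters are `[pattern, replacement]` pairs applied in YAML order, which is worth a comment above the loop such as `# tag-filters from cve.yaml: [regex, replacement] pairs, applied in order to normalise the tag before the range checks`. The loop variable in `for v in self.cves` holds a CVEDetail rather than a version; `for cve in self.cves:` avoids confusion with the `v = Version(version)` used in the sibling class.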
@@ -146,13 +155,19 @@ class CVEDataBase:
         def _handle_software(doc):
             software = None
             cves = []
+            filters = []
             for key, value in doc.iteritems():
                 if key == 'software':
                     software = value
                 elif key == 'vulnerabilities':
                     for vuln in value:
                         cves.append([vuln['id'], vuln['ranges']])
-            self._add_software(software, cves)
+                elif key == 'tag-filters':
+                    for filter in value:
+                        filters.append([str(filter['match'] or ''),
+                                        str(filter['replacement'] or '')])
+
+            self._add_software(software, filters, cves)
 
         with open('cve.yaml') as f:
             docs = yaml.load_all(f)
@@ -166,8 +181,8 @@ class CVEDataBase:
             else:
                 _handle_software(doc)
 
-    def _add_software(self, name, cves):
-        sw = CVESoftware(name)
+    def _add_software(self, name, filters, cves):
+        sw = CVESoftware(name, filters)
         for v in cves:
             sw.add_cve(v[0], v[1])
         self.db.append(sw)
-- 
cgit v1.2.1
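Review bot: `str(filter['match'] or '')` in _handle_software turns a missing or empty `match` into the empty pattern, which `re.sub` matches at every position, so the replacement is spliced between every character of the version string instead of the filter being a no-op; an empty `match` should be rejected or skipped when the YAML is read. The loop variable `filter` also shadows the builtin; `for tag_filter in value:` is clearer. A `tag-filters` entry without a `replacement` key still raises KeyError before the `or ''` fallback is reached, so `tag_filter.get('replacement') or ''` is what the fallback appears to intend. Separately, the context line `yaml.load_all(f)` reads cve.yaml with the default loader, and now that this data drives regex substitution and version parsing, moving to `yaml.safe_load_all` is a worthwhile follow-up. _handle_software is nested inside a method whose start lies outside the hunk.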