@@ -91,6 +91,7 @@ def main(argp=None):
parser = argparse.ArgumentParser()
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git")
parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+ parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON")
args = parser.parse_args(argp)
datadir = args.datadir.resolve()
@@ -99,7 +100,10 @@ def main(argp=None):
data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True)
- print(f"""
+ cve_status = {}
+
+ if not args.output_json:
+ print(f"""
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version}
# From {datadir.name} {data_version}
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
continue
first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version)
if not fixed:
- print(f"# {cve} has no known resolution")
+ cve_status[cve] = {
+ "active": True,
+ "message": "no known resolution"
+ }
+ if not args.output_json:
+ print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
- print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: only affects {first_affected} onwards"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
elif fixed <= version:
- print(
- f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: Fixed from version {fixed}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"')
else:
if backport_ver:
if backport_ver <= version:
- print(
- f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"cpe-stable-backport: Backported in {backport_ver}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"')
else:
- print(f"# {cve} may need backporting (fixed from {backport_ver})")
+ cve_status[cve] = {
+ "active": True,
+ "message": f"May need backporting (fixed from {backport_ver})"
+ }
+ if not args.output_json:
+ print(f"# {cve} may need backporting (fixed from {backport_ver})")
else:
- print(f"# {cve} needs backporting (fixed from {fixed})")
-
- print()
-
+ cve_status[cve] = {
+ "active": True,
+ "message": f"#Needs backporting (fixed from {fixed})"
+ }
+ if not args.output_json:
+ print(f"# {cve} needs backporting (fixed from {fixed})")
+
+ if not args.output_json:
+ print()
+
+ # Emit structured output if --ret-struct was requested
+ if args.output_json:
+ print(json.dumps({
+ "cve_status": cve_status,
+ }, indent=2))
if __name__ == "__main__":
main()
This option "--output-json" can be used to return a json file instead of the standard .inc file provided. The JSON file can easily be manipulated contrary to the .inc file. Example output structure of the JSON file: ```json { "cve_status": { "CVE-2019-25160": { "active": false, "message": "fixed-version: Fixed from version 5.0" }, "CVE-2019-25162": { "active": false, "message": "fixed-version: Fixed from version 6.0" }, ... ``` Also, this commit doesn't affect or modify any existing behaviour of the script. Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com> --- .../linux/generate-cve-exclusions.py | 64 +++++++++++++++---- 1 file changed, 50 insertions(+), 14 deletions(-)