mrl5 / metarepo-cpe-tag
tags catpkgs from funtoo metarepo with cpe
License: Mozilla Public License 2.0
related to #1
incorporate existing tooling instead of metarepo-to-json
ego query versions $package
eix -nv -x -e $package
in CPE feed recent versions of nodejs programming language are for:
nodejs
node.js
this can result in false negatives because cpe-tag logic searches for product nodejs
for some reason this line does not start many co-routines.
instead kits are processed one by one, however they should be processed in parallel
instead of
mkdir -p ~/feeds/json && cd $_
wget https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.gz &&
cd -
provide some script that downloads it
pop contracts are applied only if contracted function is called directly
if it's called by another function that is in the hub
contracts are ignored
overview:
this contract will be applied here:
$ pytest >/dev/null; echo $?
0
but will not be applied here:
$ input="/`uuidgen`/`uuidgen`/`uuidgen`"
$ ./bin/tag_package_with_cpes.py --cpe-match-feed $input '{"name": "busybox", "versions": [{"version": "1.29.0"}]}'
[ERROR ] [:busybox:1.29.0:] gzip: /f739b6e6-dfb5-4f96-ab4f-b043d2cdd900/6f1f86e3-9002-42c0-9d3b-c01962b85d14/3db9fd82-c9a0-408e-8580-1b5e5f86e66a.gz: No such file or directory
serialize_package_json() expects json
there should be some validator that:
pop contracts: https://pop-book.readthedocs.io/en/latest/main/contracts.html
related to #2
splits from #5
cpes can be retrieved from Official CPE Dictionary i.a. by matching homepage.
in cpe xml it is under <reference href=""></reference> attribute
see also:
CPE 2.2 XML Schema
NVD API for CPE Retrieval
run pytest for tests/
Luke just use the pop-seed :D -> https://github.com/mrl5/private-wiki/blob/master/pop-framework-fairy-tale.md#luke-use-the-pop-seed
here:
we don't care about converting metarepo or package to json in this project
it just accepts proper input(s), serializes it and works on it
cpe_product
- strip -bin from package name
cpe_version
exclude 9999
cpe_update
should be _p2 part
-r1 parts
see also:
Official CPE Dictionary
cpe python lib
nvdtools
{"name": "firefox-bin", "versions": [{"version": "83.0"}]}
matches cpe:2.3:a:mozilla:firefox:83.0:*:*:*:*:android:*:*
there should be no match for android (probably only * and linux)
steps to reproduce:
input='{"name": "firefox-bin", "versions": [{"version": "83.0"}]}'
./bin/tag_package_with_cpes.py "$input"
result:
{"name": "firefox-bin", "versions": [{"version": "83.0", "cpes": ["cpe:2.3:a:mozilla:firefox:83.0:*:*:*:*:android:*:*"]}]}
more info:
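
The filtering asked for in the cpe_product / cpe_version notes and in the firefox-bin report above, as an added example that is not part of the original issues or the project's code. The function names, the allowed target_sw set and the candidate list are assumptions constructed for illustration.

```python
import re

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
ALLOWED_TARGET_SW = {"*", "linux"}  # assumption: the issue's "probably only * and linux"

# Constructed sample candidates; only the first one appears in the issue.
CANDIDATES = [
    "cpe:2.3:a:mozilla:firefox:83.0:*:*:*:*:android:*:*",
    "cpe:2.3:a:mozilla:firefox:83.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:mozilla:firefox:82.0:*:*:*:*:*:*:*",
]


def parse_cpe23(cpe):
    """Split a formatted string into named fields; '\\:' is an escaped colon."""
    parts = re.findall(r"(?:\\.|[^:\\])+", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def cpe_product(package_name):
    """Product to search for: the package name without a '-bin' suffix."""
    return package_name[:-4] if package_name.endswith("-bin") else package_name


def tag_package(package, candidates):
    """Hypothetical helper: attach only CPEs that fit a Linux package."""
    product = cpe_product(package["name"])
    tagged = {"name": package["name"], "versions": []}
    for entry in package["versions"]:
        version, cpes = entry["version"], []
        if version != "9999":  # the notes above ask to exclude 9999
            for cpe in candidates:
                f = parse_cpe23(cpe)
                if (f["product"] == product and f["version"] == version
                        and f["target_sw"] in ALLOWED_TARGET_SW):
                    cpes.append(cpe)
        tagged["versions"].append({"version": version, "cpes": cpes})
    return tagged


if __name__ == "__main__":
    pkg = {"name": "firefox-bin", "versions": [{"version": "83.0"}, {"version": "9999"}]}
    print(tag_package(pkg, CANDIDATES))
```

Comparing the parsed target_sw field, rather than searching the raw string, is what keeps the android entry out while the wildcard entry for the same version still matches.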