Group :: Other
Package: cve-manager
18 February 2021 Alexey Appolonov <alexey at altlinux.org> 0.47.1-alt1
- Bugfixes.
- Metadata of analyzed packages is collected and imported at the "import" stage,
which significantly reduces the probability of import failure of IDs of fixed
vulnerabilities and URLs of the packages (the "cve-fixes" module is removed);
- Ability to use binary RPM packages instead of source RPM packages;
- Improved algorithm for extracting fixed vulnerabilities IDs from changelogs;
- Improved user interface of the "cve-import" module.
- Corrected specification of package names when making queries with cve-monitor.
- Ability to monitor vulnerabilities of specified distributions (the 'download'
parameter must be assigned in the 'cve-monitor.conf').
- Much more efficient way of extracting vulnerability IDs from changelogs.
- The '-' version value of a product that is present in a list of vulnerable
software of a CVE entry is interpreted as 'any version' if there are no
specific versions and no ranges of versions for this product in this list;
- Better way of handling versions that contain a date.
- Optimised DB structure;
- Improved performance of the cve-issues module;
- The '-d <distro_list>' option of the cve-import module is removed.
- Consideration of names of vendors during a mapping of package names
to product names;
- Proper way of imposing a penalty for not being in the CPE dict;
- New penalty for being titled as a program for non-free operating systems only;
- Corrected descriptions of modules and corrected help messages.
- Ability to split reports by branches;
- Improved user interface of the cve-backup module.
- Improved URL-matching;
- Optimized storage of the CPE dict.
- Corrected reporting on a comparison of branches.
- Improved URL-matching;
- Corrected partial matching of short package/product names.
- Corrected procedure of making a mapping choice.
- Improved URL-matching;
- Minimally acceptable score of a matching is lowered;
- Ability to detect newly established/found matches of package names that
previously have not been matched to product names and to detect newly
denied/lost name matches;
- Display of the number of excluded NVD entries and the number of excluded CPEs
during the import process.
- Re-evaluated ranking of types of matching;
- Ability to make multiple attempts to perform each step of the DB formation
without errors.
- Fixed error handling in cve-import module;
- Optimized storage of timelines of packages.
- Corrected behavior of the modules when running them with no arguments;
- Build with a new version of the 'ax' library that adds more sense to the
comparison of versions.
- Determinism of a mapping choice in any corner-case situation;
- Optimized usage of memory during import of timelines;
- Minor tweaks and fixes.
- Better way of normalization of scores of the 'fixes' type of matching.
- Handling of a situation when a branch being processed with the
cve-history module has no *_src or *_issues tables;
- Comparisons of symbolic versions versus numeric versions are filtered out
during a detection of issues.
- Fixed issue of incorrect data splitting while using multiple cores
during a mapping;
- Handling of excluded mapping pairs that contain product names
that contain commas;
- Length of the 'MAPPED NAME' column of the reports is restricted.
- Fixed features used for testing of cpe-map* modules;
- Resolved rivalry between 'url' and 'complete' types of matching.
- Optimized memory usage when importing data.
- New type of matching of package names to names of vulnerable products that
uses URL-addresses from metadata of source packages and URL-addresses from
CPE dictionary.
- Simpler, more reliable algorithm of making a mapping choice (for mapping
package names to CPE/FSTEC product names).
- Fixed filtering of excluded issues;
- Corrected counter of related packages;
- Right way of handling some of the possible errors;
- Procedures that ensure that required configuration params are present;
- Ability to call for a list of modules without passing other params;
- Requirement of libcontrol++ 0.24.1 update that is really important;
- Complemented manual.
- New input data convention - a bin list (and its simplified version) is sufficient
for representing an investigated repository, src list is no longer supported;
- Correlations of build timelines of packages and mention dates of vulnerable
products are taken into account when making a mapping choice;
- New model of parallel processing + elimination of verbose logging for
cve-fixes, cpe-map and cve-issues that together result in improved
performance and much lighter and clearer log;
- cve-manager's dialog mode is deprecated (a user can learn about existing
modules with a use of the 'cve-manager --list_modules' command before running
the whole process or just its particular parts through the main module).
- Sensibility to unconverted names during a process of complete name matching;
- Corrected supplementary function of custom-name mapping;
- Build with enhanced 'ax' module.
- Ability to keep track of a history of a map of package names;
- ACLs of packages can be fetched via cve-download;
- Packages that have names with related prefixes, or that differ only in letter
case, or with different delimiters in them can all be determined as relatives;
- Reports are made more compact.
- Corrected formation of fix records;
- Fixed and adjusted procedure of partial matching;
- Packages with 'python3-module' prefix can be mapped to vulnerable products on
the same terms as packages with 'python-module' or any other special prefix.
- Corrected functionality of comparison of branches.
- Corrected version of the required package.
- Handling of ACLs of the packages;
- Improved compactness of the reports;
- Optimized DB storage.
- Handling of special symbols used in some CPEs.
- Import of records of debuginfo bin packages not performed;
- Ability to exclude some of the CPEs (by placing "<vendor>, <product>" lines
in "cpe-excluded.csv" file).
- Import of CPEs with a part other than 'application' is not performed, except for
CPEs of the 'linux' vendor of the 'operating system' part;
- Import of a CPE with unknown version is not performed if there is a CPE with
a specified version and with the same product name for that CVE record;
- Enhanced mapping algorithm.
- Fixed 'fixes' matching;
- Fixed monitoring of diff between branches.
- cve-monitor reports take less memory space (by means of not including
useless space symbols).
- Custom order of records of history/news reports is possible.
- Fix of monitoring of new unfixed issues.
- Fix of bug that was causing abortion of 'cve-issues' module.
- Enhanced data processing that makes for much more accurate conclusions
about the range of vulnerable versions;
- Improved readability of the reports.
- Ability to monitor dynamics of the issues;
- Corrected processing of '*' versions;
- Displaying intervals of vulnerable versions in reports;
- Fixed functionality of customisation of ordering of a report entries;
- Corrected extraction of non-patch references.
- Storage space and computing resource economy by means of optimised
representation of vulnerable software.
- CVSS v2 scores take their place along with v3 scores.
- Ability to manually discard incorrect matches.
- Corrected CPE parser that runs at the issues-detection stage.
- Protection from quotation marks that can be found in CVE summary and
that mess up the CSV import;
- Corrected parser (according to the CPE ver 2.3 format);
- Bugfixes.
- Downloading and importing NVD vulnerabilities lists in JSON format
with the use of newly created 'libtree';
- Ability to manually exclude some of the issues and make mapping prescriptions
with the use of newly created 'cve-manager-inner-knowledge'.
- Optimized XML-import.
- cve-monitor bugfixes.
- Patch references can be added to cve-monitor reports for unfixed
vulnerabilities;
- More than a half of DB storage is saved by storing the issues only for the
most generic versions;
- New view on 'fix' conclusions - there is 'unclear' fix status (for
vulnerabilities with no stated vulnerable versions, for example).
- Fix of a couple of flaws of the mapping process.
- Multithreading is arranged in a more optimal way;
- 'Complete' matching is not performed for packages that got one of the
special prefixes ('python-module', 'perl', ...);
- Enhanced algorithm of the 'partial' matching;
- Package names that differ only by numerical part at the end
(so called 'relatives') are handled more wisely during mapping;
- Issues that differ only in additional part of CPE are ignored;
- cve-monitor is using only senior branches (that must be specified
in the conf) in 'cure' suggestions, 'cure' suggestions are optional;
- cve-monitor is placing overly long lists of vulnerable versions in footnotes
of the reports.
- Compatibility with MySQL 8.*;
- Modified mapping process - src/bin lists of all the branches are combined
as src_united/bin_united and then processed in that combined form;
- Much more intelligent approach to parallel execution of the modules,
especially the two most time-consuming modules - cpe-map and cve-issues;
- Improved feedback in multiprocessing mode;
- 'CURE' suggestions in cve-monitor's reports.
- Use of all existing names from vulnerabilities lists instead of names
from CPE dict for mapping;
- Completely redesigned mapping module: every type of mapping can be triggered
individually, results for every type of mapping are stored in the DB,
special algorithm is used for making the final mapping choice - all this
allows creating a separate thread for each type of matching in auto mode;
- Ability to detect and get around format faults of the packages lists;
- Consideration of excluded data sources by cve-download and cve-monitor;
- Fully implemented restoring functionality of cve-backup;
- Ability to set the number of stored backup files;
- Fixed params handling of cve-monitor;
- Output functionality is adapted for situation when modules are triggered
by cron.
- Ability to run in multiprocessing mode;
- Ability to exclude data sources;
- Modified user interface of the cve-monitor;
- Showing CVSS score in cve-monitor reports;
- Ability to order monitoring results in various ways;
- Ability to group packages with unfixed vulnerabilities in cve-monitor reports;
- All printing operations carried by Printer class, which not only makes life
easier but brings cool features like buffering the input for later mailout;
- Ability to run in 'silent' mode;
- Ability to send emails with cve-monitor reports.
- Rebuilding with new libcontrol++.
- Correction of branch names validation.
- Names of available branches are section names of the conf;
- Each branch now has a set of params;
- Renaming 'paths' section of the conf to 'common';
- Skipping repetition of branch sections in conf;
- There is no cve-import's "--space" param anymore;
- Russian manual.
- Running downloader without 'noreplace' flag in auto mode;
- Fix of the 'cve-monitor --map' command;
- Printing with TPrinter of the libcontrol++.
- Prescribed mapping;
- Detecting 'relative' packages at the import stage
and using information about them as mapping attribute;
- Handling FSTEC vulnerabilities within current cve-issues concept;
- cve-monitor is working OK within current cve-issues concept;
- Revised comparison of versions that happens at the issues-detection stage;
- Revised packages-filtering function;
- Removing duplicates of src packages names at import stage
and corresponding bin-packages names, not vice versa;
- Not importing CPEs of 'hardware' part;
- Not importing Mitre list by default;
- Common bin package for conf file & common py module;
- Own config file for cve-monitor.
- Versions of vulnerable programs are now taken into account when figuring out
the 'fix' entries of *_issues table;
- Ability to compare 'fix' entries of different branches;
- c7.1 and c8.1 branches are available for cve-manager;
- Fix of monitoring of the selected packages;
- Only members of the 'cve' group can run modules that modify
the vulnerabilities DB.
- Proper output when running with 'tee' in auto mode;
- Correction in mapping algorithm, including 1) check if there are some
CPE/FSTEC names left to map, 2) additional break condition of the mapping
loop, so there could be no infinite loop, 3) fix of the wrong behavior
emerging for names that differ only by number at the end, 4) avoidance of
complete match for the duplicates, 5) fix of the RemoveMapDups function;
- Ability to disable bin partial match;
- Filtering the package lists with distro list;
- Fix of the import of the last NVD CVE list;
- Working realisation of the 'packs' option of the cve-import;
- No more verbose output option in cve-import;
- cve-import's UI now looks more like UI of the py-modules;
- Introducing refs and const modifier wherever possible for the cve-import.
- Aligning columns for the output of existing issues;
- Ability to omit the download of the old lists;
- Fixing the 'Fixes' entries matching in cve-issues.
- Handling the situation when the DB does not exist (by all modules).
- Ability to choose mapping type (FSTEC or CPE by now);
- Reducing bin packages dict before mapping if '--packages' option is used
(similar to src list reduction).
- Correction of the cve-fixes module;
- Checking DB-users grp existence before creating it at the postinstall stage.
- Fix of the 'plain' output mode.
- Ability to state beginning and ending steps for auto mode;
- Ability to state custom '/space' path;
- Ability to retrieve 'Fixes' entries for the given packages names;
- NVD CVE lists import fix;
- cpe-map infinite loop fix that was possible with some input data;
- Improved logic for the cve-monitor's user interface.
- Correction of params for cve-issues in auto mode.
- Ability to set starting step for auto mode in main module;
- Usage examples for cve-download;
- Arguments handling fix in cve-issues;
- Only root can modify cve-manager.conf.
- New module cve-backup;
- Ability to prepare database in auto mode.
- Full integration of the FSTEC vulnerabilities list;
- Bin packages matching fix;
- Ability to use custom mapping application;
- Memory leakage fix.
- New module cve-download.py
- "Fixes" entries now stored in *_src tables;
- Importing bin lists;
- Enhanced mapping algorithm;
- Unescaping URL codes from CPE in cve-import;
- More flexibility in cve-import tables recreation;
- Ability to disable entireline output in cve-import;
- Catching run modes with cve-manager-common.py;
- Using argparse in majority of modules;
- cve-fixes new features;
- Monitoring CVE issues table and monitoring CVE descriptions for the packages;
- Single path for CVE lists and CPE dict import that is specified
in the configuration file.
- Improved output format;
- CPE dict names import with sections separation;
- Fixed and improved mapping algorithm;
- Fixes-extraction parts completely removed from cve-import;
- Working version of cve-linker module under new name "cve-issues.py";
- New cve-monitor functionality;
- Various fixes and improvements in py-modules.
- New cve-manager-common.py features and improvements;
- New module cve-linker.py;
- New module cve-fixes.py;
- Fixes tables structure changed;
- Error handling correction when applying configuration for cve-import module.
- Taking CPE name from "name" attribute of the "cpe-item" tag,
not from "cpe-23:cpe23-item" tag;
- CPE dictionary can be imported directly, without creating CSV file,
just like NVD XML can be;
- New cve-manager-common.py functionality;
- Sending cpe-packages map to the database;
- Monitoring mapped packages.
- CPE dictionary import;
- New cve-manager-common.py module with common functions and classes
used by other cve-manager py-modules;
- cve-monitor rewritten with the use of cve-manager-common.py;
- CPE mapper (cpe-map.py) first draft;
- Changes in cve-manager.py debug mode.
- New version of main module written in Python;
- New module "cve-monitor";
- Minor fixes.
- common* and conf* files were removed from the project because
they are included in dynamically linked libcontrol++.
- What was previously known as "cve-manager" has now become the
"cve-import" module of the cve-manager toolkit,
with the "cve-manager" script as top level module.
- Fixing usage of branches flags from configuration file;
- Changes in display output for the operations status.
- Chmod of configuration file (only system administrator
should know MySQL DB password);
- MySQL authentication bug fixed;
- Handling the situation when packages lists can not be found;
- Removing formed CSV file with NVD CVE list right after import to DB.
- Initial release.