Group :: Other
Package: cve-manager
9 September 2023 Alexey Appolonov <alexey at altlinux.org> 0.82.0-alt1
- New module "cve-issues-prep" used to export a shortened version of
a vulnerability database containing all the necessary information for
detecting vulnerabilities via the "cve-issues" module.
- Fixed filtering of cve-monitor reports using bin lists.
- New ability to filter cve-monitor reports using src lists as well as bin lists
that are stored on a mounted drive (in both cases).
- New ability to detect issues for all packages of a local system using
previously formed database.
- Fixed detection of issues for specified full package names (it has been
failing for particular packages).
- Bug fixes.
- Fixed build.
- Verification of TLS certificates is configurable;
- Slightly improved algorithm of mapping package names to product names
(detection of related CPEs).
- New ability to monitor CVE IDs mapped to BDU IDs;
- Fixed monitoring of map of package names to product names.
- Corrected mapping of related packages/products.
- Processing of CVEs that are missing from the NVD data, but are stated
as fixed in package changelogs;
- The "cve-monitor" reports on FSTEC vulnerabilities are complemented
with patch references.
- The issues can be detected even for packages that are not mapped to any
product name, if there are some "fixes" records in their changelog.
- Improved URL matching.
- The list of related FSTEC products is taken into account.
- Fixed import of the FSTEC vulnerability list.
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
- Corrected processing of manually specified package versions/releases,
performed by the "cve-issues" module.
- Workaround for a "missing TLS certificate" problem when downloading the FSTEC
vulnerability list;
- The "cve-monitor" module doesn't terminate immediately if there is some error
(for example, if emails cannot be sent, reports will still be written to files
if there is a request to do so).
- A new module "cve-manager-vuln-list" that can generate "vuln-list" files for
detected issues.
- Package releases are taken into account when excluding issues;
- The "cve-issues" module can process manually specified package
versions/releases (the "cve-monitor-check-update" module is no longer needed
and has been removed).
- Fixed issues detection for the kernel packages.
- Backslashes, which may be part of the names of vendors and products imported
from NVD lists, are ignored (they are used to escape special symbols in the
names and at the same time they complicate the processing or require the use
of escape symbols in the "cve-manager-inner-knowledge" lists).
- Enhanced mapping algorithm;
- Corrected use of the list of ignored mapping pairs;
- Column header "CVE ID" of the detailed reports is changed to "VUL ID".
- Fix of the column size shortage error that could occur when filling the
"nvd_products_timelines" table;
- Corrected use of the list of ignored mapping pairs.
- CVE IDs of the FSTEC entries are taken into account when issues are being
detected.
- Reduced processing time (partial matching of binary package names is disabled,
which currently doesn't affect the final result in any way).
- Processing of the FSTEC data source is corrected;
- CVE IDs of the FSTEC entries are used to map FSTEC product names to package
names.
- The linux_kernel_cves data (https://github.com/nluedtke/linux_kernel_cves)
is used to detect fixed vulnerabilities.
- Build for every arch except armh and i586 (both 32-bit).
- Excluding of all products via the *-excluded.csv files is prohibited, as well
as stating everything as an exception from the exclusion;
- Not specifying a vendor when excluding products via the *-excluded.csv files
is allowed.
- Symbols that aren't allowed to be part of product names, such as commas,
colons and unicode spaces, are removed/replaced from the FSTEC vulnerability
list (at the import stage).
- Non-printable characters that may be contained in the FSTEC vulnerability
list are removed (at the import stage).
- Full support of the FSTEC data source;
- New module "cve-monitor-check-update" for searching vulnerabilities of a
package, that have been fixed in a given range of versions.
- Fixed merging of vulnerable versions (which is performed for reports
generated with the '--group' flag).
- Fixed filtering of new issues (which is performed using distro lists).
- Special prefixes of package names are defined only by the "groups.csv" file,
which comes with the "cve-manager-inner-knowledge" package.
- Patch references are considered when mapping product names to package names.
- URLs from the "cpe-mapping-ignore.csv" list don't have to completely match
URLs of the analyzed packages (it's enough if one URL starts with another).
- A src package cannot be completely skipped solely because of the unwanted
suffixes of its bin packages.
- New ability to analyze the system on which the cve-manager is running;
- New cve-manager mode "offline", that skips the "download" step;
- Bin package names that have the "-common" suffix are excluded from the
analysis;
- New ability to specify multiple product names of an excluded CPE in a single
row.
- Fixed determination of groups using package/products URLs.
- Improved mapping algorithm that now operates with the so-called "groups of
packages and products" (a product of one special group cannot be mapped to a
package of another special group) and takes into account special prefixes and
suffixes of products;
- Ability to specify multiple URLs for a single package in the list of ignored
matches;
- Minor fixes and improvements.
- New ability to assign CPEs that will be recognized as related to each other;
- Improved interaction between the main module and the module "cpe-map"
(products will not be remapped using those types of mapping that have already
been used).
- New ability to specify branches for ignored matches.
- Improved mapping algorithm;
- Improved interaction between the main module and the module "cve-download"
(recently downloaded data will not be requested when restarting the module
"cve-download" in the cve-manager auto mode).
- Improved mapping algorithm;
- New features of managing the list of ignored mapping pairs.
- A package with the "lib" prefix and a package without it can be identified
as related packages;
- A product with the "lib" prefix/suffix and a product without it can be
identified as related products;
- Separators are not taken into account when checking whether product names are
related or not;
- Package URLs are taken into account when mapping related packages (package
URLs can be specified in the "cpe-mapping-ignore.csv" list).
- Improved module "cve-backup";
- Improved exception handling;
- The names of sections for DB connection params and SMTP connection params,
as well as the names of the parameters themselves, have been changed (use
the "transitions/from-0.59-to-0.60" script for the transition).
- References from the NVD vulnerabilities lists, as well as names of products
that are recognized as related, are used to map product names to package
names.
- Increased data storage efficiency.
- Maintenance of the list of special package name prefixes is delegated to
the "cve-manager-inner-knowledge" package;
- Added several more pairs of related package name prefixes (used to identify
related packages).
- Results of mapping are stable, including cases where a mapping choice consists
of multiple products (the same string value is produced for the same set of
matched product names);
- Reports with new issues have the same format even if there are no new issues
(there is no special format for this case anymore).
- Fixed cpe-map-choice module (the bug was introduced in the cve-manager v0.55);
- Improved user interface of the cve-monitor;
- Slightly changed format of cve-monitor "diff" reports (a modified header and
an absence of a footer).
- Ability to assign multiple product names to a single package using a list
of prescribed mapping pairs;
- Slightly changed format of some types of cve-monitor reports (a modified
header and an absence of a footer).
- Ability to more accurately specify packages in the list of ignored mapping
pairs by specifying their URLs.
- The "gem" package name prefix is taken into account in the same way as other
special prefixes.
- Minor code improvements;
- Build with debuginfo enabled.
- Handling of descriptions of complex vulnerabilities that include combinations
of conditions for different software products.
- Fix of the exclusion of issues.
- Handling of misleading characters in ranges of vulnerable versions.
- Build update according to the latest modification of the build system.
- Disputed vulnerabilities are highlighted in cve-monitor reports;
- Improved algorithm of partial matching;
- Fixed handling of prescribed name matches (in some cases the prescriptions
had no effect).
- Special way of handling of remaining special URLs (freedesktop.org,
debian.org, fedorahosted.org, mozilla.org);
- Those excluded mapping pairs that include a vendor and that didn't affect
results of a mapping are taken into account at the issues-detection stage.
- Fix of the custom ordering of entries of cve-monitor reports;
- Proper handling of invalid combinations of cve-monitor parameters.
- Improved mapping algorithm.
- Improved mapping algorithm.
- Improved issues detection.
- Corrected manual.
- Ability to write "cve-monitor" reports into files inside a specified directory
(the cve-monitor UI changed, use the "--mail --title <category>" option
instead of the "--mail <category>" option);
- Ability to prescribe completely different package names (that are not
"relatives") to the same product;
- Package prefixes "mediawiki-extensions", "kde4" and "kde5" are taken into
account in the same way as other special prefixes;
- Minor improvements throughout the project, including an improved UI of the
"cve-monitor" module (reports will be split by default).
- URLs of distro lists turned into custom parameters;
- Execution of the "cve-download" module is terminated immediately if any of
the required info can't be downloaded;
- Ability to download the FSTEC vulnerability list is fixed;
- Tolerance to the FSTEC source (the FSTEC source is not yet fully supported,
but cve-manager does not fail if the FSTEC source is not excluded and if any
operation regarding FSTEC fails).
- Bugfixes.
- Metadata of analyzed packages is collected and imported at the "import" stage,
which significantly reduces the probability of import failure of IDs of fixed
vulnerabilities and URLs of the packages (the "cve-fixes" module is removed);
- Ability to use binary RPM packages instead of source RPM packages;
- Improved algorithm for extracting fixed vulnerabilities IDs from changelogs;
- Improved user interface of the "cve-import" module.
- Corrected specification of package names when making queries with cve-monitor.
- Ability to monitor vulnerabilities of specified distributions (the 'download'
parameter must be assigned in the 'cve-monitor.conf').
- Much more efficient way of extracting vulnerability IDs from changelogs.
- The '-' version value of a product that is present in a list of vulnerable
software of a CVE entry is interpreted as 'any version' if there are no
specific versions and no ranges of versions for this product in this list;
- Better way of handling of versions that contain a date.
- Optimised DB structure;
- Improved performance of the cve-issues module;
- The '-d <distro_list>' option of the cve-import module is removed.
- Consideration of names of vendors during a mapping of package names
to product names;
- Proper way of imposing a penalty for not being in the CPE dict;
- New penalty for being titled as a program for non-free operating systems only;
- Corrected descriptions of modules and corrected help messages.
- Ability to split reports by branches;
- Improved user interface of the cve-backup module.
- Improved URL-matching;
- Optimized storage of the CPE dict.
- Corrected reporting on a comparison of branches.
- Improved URL-matching;
- Corrected partial matching of short package/product names.
- Corrected procedure of making a mapping choice.
- Improved URL-matching;
- Minimally acceptable score of a matching is lowered;
- Ability to detect newly established/found matches of package names that
previously have not been matched to product names and to detect newly
denied/lost name matches;
- Display of a number of excluded NVD entries and a number of excluded CPEs
during an import process.
- Re-evaluated ranking of types of matching;
- Ability to make multiple attempts to perform each step of the DB formation
without errors.
- Fixed error handling in cve-import module;
- Optimized storage of timelines of packages.
- Corrected behavior of the modules when running them with no arguments;
- Build with a new version of the 'ax' library that adds more sense into
comparison of versions.
- Determinism of a mapping choice in any corner-case situation;
- Optimized usage of memory during import of timelines;
- Minor tweaks and fixes.
- Better way of normalization of scores of the 'fixes' type of matching.
- Handling of a situation when a branch that is being processed with the
cve-history module has no *_src or *_issues tables;
- Comparisons of symbolic versions versus numeric versions are filtered out
during a detection of issues.
- Fixed issue of incorrect data splitting while using multiple cores
during a mapping;
- Handling of excluded mapping pairs that contain product names
that contain commas;
- Length of the 'MAPPED NAME' column of the reports is restricted.
- Fixed features used for testing of cpe-map* modules;
- Resolved rivalry between 'url' and 'complete' types of matching.
- Optimized memory usage when importing data.
- New type of matching of package names to names of vulnerable products that
uses URL-addresses from metadata of source packages and URL-addresses from
CPE dictionary.
- Simpler, more reliable algorithm of making a mapping choice (for mapping
package names to CPE/FSTEC product names).
- Fixed filtering of excluded issues;
- Corrected counter of related packages;
- Right way of handling some of the possible errors;
- Procedures that ensure that required configuration params are present;
- Ability to call for a list of modules without passing other params;
- Requirement of libcontrol++ 0.24.1 update that is really important;
- Complemented manual.
- New input data convention - a bin list (and its simplified version) is sufficient
for representing an investigated repository, src list is no longer supported;
- Correlations of build timelines of packages and mention dates of vulnerable
products are taken into account when making a mapping choice;
- New model of parallel processing + elimination of verbose logging for
cve-fixes, cpe-map and cve-issues that together result in improved
performance and a much lighter and clearer log;
- cve-manager's dialog mode is deprecated (a user can learn about existing
modules with the use of the 'cve-manager --list_modules' command before running
the whole process or just its particular parts through the main module).
- Sensibility to unconverted names during a process of complete name matching;
- Corrected supplementary function of custom-name mapping;
- Build with enhanced 'ax' module.
- Ability to keep track of a history of a map of package names;
- ACLs of packages can be fetched via cve-download;
- Packages that have names with related prefixes, or that differ only in letter
case, or with different delimiters in them can all be determined as relatives;
- Reports are made more compact.
- Corrected formation of fix records;
- Fixed and adjusted procedure of partial matching;
- Packages with 'python3-module' prefix can be mapped to vulnerable products on
the same terms as packages with 'python-module' or any other special prefix.
- Corrected functionality of comparison of branches.
- Corrected version of the required package.
- Handling of ACLs of the packages;
- Improved compactness of the reports;
- Optimized DB storage.
- Handling of special symbols used in some CPEs.
- Import of records of debuginfo bin packages not performed;
- Ability to exclude some of the CPEs (by placing "<vendor>, <product>" lines
in "cpe-excluded.csv" file).
- Import of CPE of other than 'application' part not performed except for
CPE of 'linux' vendor of 'operating system' part;
- Import of CPE with unknown version not performed if there is CPE with
specified version and with the same product name for that CVE record;
- Enhanced mapping algorithm.
- Fixed 'fixes' matching;
- Fixed monitoring of diff between branches.
- cve-monitor reports take less memory space (by means of not including
useless space symbols).
- Custom order of records of history/news reports is possible.
- Fix of monitoring of new unfixed issues.
- Fix of bug that was causing abortion of 'cve-issues' module.
- Enhanced data processing that makes for much more accurate conclusions
about the range of vulnerable versions;
- Improved readability of the reports.
- Ability to monitor dynamics of the issues;
- Corrected processing of '*' versions;
- Displaying intervals of vulnerable versions in reports;
- Fixed functionality of customisation of ordering of a report entries;
- Corrected extraction of non-patch references.
- Storage space and computing resource economy by means of optimised
representation of vulnerable software.
- CVSS v2 scores take their place along with v3 scores.
- Ability to manually discard incorrect matches.
- Corrected CPE parser that runs at the issues-detection stage.
- Protection from quotation marks that can be found in CVE summaries and
that mess up the CSV import;
- Corrected parser (according to the CPE ver 2.3 format);
- Bugfixes.
- Downloading and importing NVD vulnerabilities lists in JSON format
with the use of the newly created 'libtree';
- Ability to manually exclude some of the issues and make mapping prescriptions
with the use of the newly created 'cve-manager-inner-knowledge'.
- Optimized XML-import.
- cve-monitor bugfixes.
- Patch references can be added to cve-monitor reports for unfixed
vulnerabilities;
- More than half of DB storage is saved by storing the issues only for the
most generic versions;
- New view on 'fix' conclusions - there is an 'unclear' fix status (for
vulnerabilities with no stated vulnerable versions, for example).
- Fix of a couple of flaws of the mapping process.
- Multithreading is arranged in a more optimal way;
- 'Complete' matching is not performed for packages that got one of the
special prefixes ('python-module', 'perl', ...);
- Enhanced algorithm of the 'partial' matching;
- Package names that differ only by a numerical part at the end
(so called 'relatives') are handled more wisely during mapping;
- Issues that differ only in an additional part of CPE are ignored;
- cve-monitor is using only senior branches (that must be specified
in the conf) in 'cure' suggestions, 'cure' suggestions are optional;
- cve-monitor is placing overly long lists of vulnerable versions in footnotes
of the reports.
- Compatibility with MySQL 8.*;
- Modified mapping process - src/bin lists of all the branches are combined
as src_united/bin_united and then processed in that combined form;
- Much more intelligent approach to parallel execution of the modules,
especially the two most time consuming modules - cpe-map and cve-issues;
- Improved feedback in multiprocessing mode;
- 'CURE' suggestions in cve-monitor's reports.
- Use of all existing names from vulnerabilities lists instead of names
from the CPE dict for mapping;
- Completely redesigned mapping module: every type of mapping can be triggered
individually, results for every type of mapping are stored in the DB,
a special algorithm is used for making the final mapping choice - all this
allows creating a separate thread for each type of matching in auto mode;
- Ability to detect and go round format faults of the package lists;
- Consideration of excluded data sources by cve-download and cve-monitor;
- Fully implemented restoring functionality of cve-backup;
- Ability to set the number of stored backup files;
- Fixed params handling of cve-monitor;
- Output functionality is adapted for situation when modules are triggered
by cron.
- Ability to run in multiprocessing mode;
- Ability to exclude data sources;
- Modified user interface of the cve-monitor;
- Showing CVSS score in cve-monitor reports;
- Ability to order monitoring results in various ways;
- Ability to group packages with unfixed vulnerabilities in cve-monitor reports;
- All printing operations are carried out by the Printer class, which not only makes life
easier but brings cool features like buffering the input for later mailout;
- Ability to run in 'silent' mode;
- Ability to send emails with cve-monitor reports.
- Rebuilding with new libcontrol++.
- Correction of branch names validation.
- Names of available branches are section names of the conf;
- Each branch now has a set of params;
- Renaming 'paths' section of the conf to 'common';
- Skipping repetition of branch sections in conf;
- There is no cve-import's "--space" param anymore;
- Russian manual.
- Running downloader without 'noreplace' flag in auto mode;
- Fix of the 'cve-monitor --map' command;
- Printing with TPrinter of the libcontrol++.
- Prescribed mapping;
- Detecting 'relative' packages at the import stage
and using information about them as a mapping attribute;
- Handling FSTEC vulnerabilities within the current cve-issues concept;
- cve-monitor is working OK within current cve-issues concept;
- Revised comparison of versions that happens at the issues-detection stage;
- Revised packages-filtering function;
- Removing duplicates of src package names at the import stage
and corresponding bin package names, not vice versa;
- Not importing CPEs of 'hardware' part;
- Not importing Mitre list by default;
- Common bin package for conf file & common py module;
- Own config file for cve-monitor.
- Versions of vulnerable programs are now taken into account when figuring out
the 'fix' entries of the *_issues table;
- Ability to compare 'fix' entries of different branches;
- c7.1 and c8.1 branches are available for cve-manager;
- Fix of monitoring of the selected packages;
- Only members of the 'cve' group can run modules that modify
the vulnerabilities DB.
- Proper output when running with 'tee' in auto mode;
- Correction in mapping algorithm, including 1) check if there are some
CPE/FSTEC names left to map, 2) additional break condition of the mapping
loop, so there could be no infinite loop, 3) fix of the wrong behavior
emerging for names that differ only by a number at the end, 4) avoidance of
complete match for the duplicates, 5) fix of the RemoveMapDups function;
- Ability to disable bin partial match;
- Filtering the package lists with distro list;
- Fix of the import of the last NVD CVE list;
- Working realisation of the 'packs' option of the cve-import;
- No more verbose output option in cve-import;
- cve-import's UI now looks more like UI of the py-modules;
- Introducing refs and const modifier wherever possible for the cve-import.
- Aligning columns for the output of existing issues;
- Ability to omit the download of the old lists;
- Fixing the 'Fixes' entries matching in cve-issues.
- Handling the situation when the DB does not exist (by all modules).
- Ability to choose mapping type (FSTEC or CPE by now);
- Reducing bin packages dict before mapping if '--packages' option is used
(similar to src list reduction).
- Correction of the cve-fixes module;
- Checking DB-users grp existence before creating it at the postinstall stage.
- Fix of the 'plain' output mode.
- Ability to state beginning and ending steps for auto mode;
- Ability to state custom '/space' path;
- Ability to retrieve 'Fixes' entries for the given packages names;
- NVD CVE lists import fix;
- cpe-map infinite loop fix that was possible with some input data;
- Improved logic for the cve-monitor's user interface.
- Correction of params for cve-issues in auto mode.
- Ability to set starting step for auto mode in main module;
- Usage examples for cve-download;
- Arguments handling fix in cve-issues;
- Only root can modify cve-manager.conf.
- New module cve-backup;
- Ability to prepare database in auto mode.
- Full integration of the FSTEC vulnerabilities list;
- Bin packages matching fix;
- Ability to use custom mapping application;
- Memory leakage fix.
- New module cve-download.py
- "Fixes" entries now stored in *_src tables;
- Importing bin lists;
- Enhanced mapping algorithm;
- Unescaping URL codes from CPE in cve-import;
- More flexibility in cve-import tables recreation;
- Ability to disable entireline output in cve-import;
- Catching run modes with cve-manager-common.py;
- Using argparse in majority of modules;
- cve-fixes new features;
- Monitoring CVE issues table and monitoring CVE descriptions for the packages;
- Single path for CVE lists and CPE dict import that specified
in configuration file.
- Improved output format;
- CPE dict names import with sections separation;
- Fixed and improved mapping algorithm;
- Fixes-extraction parts completely removed from cve-import;
- Working version of cve-linker module under new name "cve-issues.py";
- New cve-monitor functionality;
- Various fixes and improvements in py-modules.
- New cve-manager-common.py features and improvements;
- New module cve-linker.py;
- New module cve-fixes.py;
- Fixes tables structure changed;
- Error handling correction when applying configuration for cve-import module.
- Taking CPE name from the "name" attribute of the "cpe-item" tag,
not from the "cpe-23:cpe23-item" tag;
- CPE dictionary can be imported directly, without creating a CSV file,
just like NVD XML can be;
- New cve-manager-common.py functionality;
- Sending cpe-packages map to the database;
- Monitoring mapped packages.
- CPE dictionary import;
- New cve-manager-common.py module with common functions and classes
used by other cve-manager py-modules;
- cve-monitor rewritten with the use of cve-manager-common.py;
- CPE mapper (cpe-map.py) first draft;
- Changes in cve-manager.py debug mode.
- New version of main module written in Python;
- New module "cve-monitor";
- Minor fixes.
- common* and conf* files were removed from the project because
they are included in the dynamically linked libcontrol++.
- What was previously known as "cve-manager" has now become the
"cve-import" module of the cve-manager toolkit,
with the "cve-manager" script as the top level module.
- Fixing usage of branches flags from configuration file;
- Changes in display output for the operations status.
- Chmod of configuration file (only the system administrator
should know the MySQL DB password);
- MySQL authentication bug fixed;
- Handling the situation when packages lists can not be found;
- Removing formed CSV file with NVD CVE list right after import to DB.
- Initial release.