
Use with Debian based packages

Open akzincsystems opened this issue 4 years ago • 1 comments

Hi, and thanks for an interesting project.

Whilst my servers are all rpm package based, all my engineers use Debian based distros. I've had a play with dpkg to try and emulate rpm output. However I get a significant number of misses. e.g.

dpkg-query --show -f='${binary:Package}-${Version}.${Architecture}\n' | rpm2cpe -rpm=1 -cpe=2

appears to give valid results e.g.:

wamerican-2018.04.16-1.all      cpe:/a::wamerican:2018.04.16:1:~~~~all~
wbritish-2018.04.16-1.all       cpe:/a::wbritish:2018.04.16:1:~~~~all~
wget-1.20.3-1ubuntu1.amd64      cpe:/a::wget:1.20.3:1ubuntu1:~~~~amd64~
whiptail-0.52.21-4ubuntu2.amd64 cpe:/a::whiptail:0.52.21:4ubuntu2:~~~~amd64~
whoopsie-preferences-22.amd64   cpe:/a::whoopsie:preferences:22:~~~~amd64~

but also a lot of errors e.g.:

rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "zoom-5.4.54779.1115.amd64": can't get fields from "zoom-5.4.54779.1115.amd64": can't find version in pkg "zoom"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "whois-5.5.6.amd64": can't get fields from "whois-5.5.6.amd64": can't find version in pkg "whois"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "whoopsie-0.2.69ubuntu0.3.amd64": can't get fields from "whoopsie-0.2.69ubuntu0.3.amd64": can't find version in pkg "whoopsie"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "xorg-1:7.7+19ubuntu14.amd64": can't get fields from "xorg-1:7.7+19ubuntu14.amd64": can't find version in pkg "xorg"

I could clean up the dpkg output to remove the errors, but that will mean missing substantial numbers of packages. Any suggestions on how I perhaps modify my one-liner? Or is there a better method to achieve what I want?

My eventual aim is to install a cron on all the engineers' development machines to input their stack to a central database and run the CVE checks for them alongside doing the same for the servers. Any help appreciated.

akzincsystems avatar Feb 19 '21 06:02 akzincsystems

Hi, thanks for your interest in the project!

I think the best option would be to build a new binary like rpm2cpe, maybe called dpkg2cpe. That way we can put dpkg-specific implementation details in that code. The code shouldn’t be too hard to implement and would likely be pretty similar to the rpm2cpe code, if you want to give that a go.

This seems like a generally useful tool to have so we might look at implementing it in the future if you don’t.

scottcunningham avatar Feb 19 '21 15:02 scottcunningham
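A sketch in Go (the language nvdtools is written in) of the parsing a dpkg2cpe binary would need, added here as an illustration and not code from the nvdtools project or either participant. It reads dpkg-query output with a tab separator rather than the `name-version.arch` join from the first post, which is what makes those errors unavoidable: a Debian version with no revision, such as zoom's 5.4.54779.1115, has no second hyphen for rpm2cpe to split on, and a hyphenated name such as whoopsie-preferences is split at the wrong hyphen. The struct and function names, the percent-encoding helper and the choice to leave the epoch out of the URI are assumptions of this sketch; the CPE 2.2 shape (empty vendor, architecture packed into the edition's target_hw slot) copies the rpm2cpe output quoted above. The sample input is constructed from the package names in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// DebPackage is one dpkg-query record split into the parts a CPE needs.
// Debian versions look like [epoch:]upstream_version[-debian_revision]. The
// epoch is kept but (an assumption of this sketch) not emitted in the URI,
// since it orders Debian uploads and is not part of the upstream version.
type DebPackage struct {
	Name     string
	Epoch    string
	Upstream string
	Revision string
	Arch     string
}

// ParseDebVersion splits [epoch:]upstream[-revision]. Only the first ':' is
// the epoch separator and only the last '-' starts the Debian revision, so
// "7.7+19ubuntu14" or "5.4.54779.1115" (no revision at all) parse cleanly.
func ParseDebVersion(v string) (epoch, upstream, revision string) {
	if i := strings.Index(v, ":"); i >= 0 {
		epoch, v = v[:i], v[i+1:]
	}
	if i := strings.LastIndex(v, "-"); i >= 0 {
		v, revision = v[:i], v[i+1:]
	}
	return epoch, v, revision
}

// ParseDpkgLine parses one "package\tversion\tarchitecture" line, i.e. the
// output of: dpkg-query --show -f='${binary:Package}\t${Version}\t${Architecture}\n'
func ParseDpkgLine(line string) (DebPackage, error) {
	f := strings.Split(strings.TrimRight(line, "\r\n"), "\t")
	if len(f) != 3 || f[0] == "" || f[1] == "" {
		return DebPackage{}, fmt.Errorf("dpkg2cpe: expected 3 tab-separated fields in %q", line)
	}
	epoch, upstream, revision := ParseDebVersion(f[1])
	return DebPackage{Name: f[0], Epoch: epoch, Upstream: upstream, Revision: revision, Arch: f[2]}, nil
}

// cpeEscape percent-encodes every byte outside [A-Za-z0-9._-], the CPE 2.2
// URI rule for characters such as '+' (%2b) and '~' (%7e).
func cpeEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '.', c == '_', c == '-':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02x", c)
		}
	}
	return b.String()
}

// CPE22 renders cpe:/a:<vendor>:<product>:<version>:<update>:<edition> in the
// shape rpm2cpe prints: vendor empty, Debian revision as update, and the
// edition packed as ~edition~sw_edition~target_sw~target_hw~other.
func (p DebPackage) CPE22() string {
	return fmt.Sprintf("cpe:/a::%s:%s:%s:~~~~%s~",
		cpeEscape(p.Name), cpeEscape(p.Upstream), cpeEscape(p.Revision), cpeEscape(p.Arch))
}

// Convert turns dpkg-query output into one CPE per well-formed line and
// collects, rather than aborts on, lines that fail to parse.
func Convert(input string) (cpes []string, errs []error) {
	sc := bufio.NewScanner(strings.NewReader(input))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		p, err := ParseDpkgLine(sc.Text())
		if err != nil {
			errs = append(errs, err)
			continue
		}
		cpes = append(cpes, p.CPE22())
	}
	return cpes, errs
}

// Constructed sample: the packages from the issue, including the versions
// rpm2cpe rejected or mis-split, plus one deliberately malformed line.
const sampleDpkg = "wget\t1.20.3-1ubuntu1\tamd64\n" +
	"whoopsie-preferences\t22\tamd64\n" +
	"zoom\t5.4.54779.1115\tamd64\n" +
	"xorg\t1:7.7+19ubuntu14\tamd64\n" +
	"broken line without tabs\n"

func main() {
	cpes, errs := Convert(sampleDpkg)
	for _, c := range cpes {
		fmt.Println(c)
	}
	for _, e := range errs {
		fmt.Println("error:", e)
	}
}
```

Run against the sample, wget yields exactly the `cpe:/a::wget:1.20.3:1ubuntu1:~~~~amd64~` line from the first post, whoopsie-preferences keeps its full name as the product, zoom gets an empty update field instead of an error, and xorg's `+` is percent-encoded as `%2b`; the malformed line is reported separately so one bad record does not drop the rest of a host's inventory.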