geronzi/full_updater
2
0
Fork 0
Code Issues Pull requests Projects Releases 27 Packages Wiki Activity Actions

fix(cve): parse HTML instead of non-existent JSON API
All checks were successful
Build and Release .deb / build-deb (push) Successful in 21s
Details

Browse source 
- Debian Security Tracker has no public JSON API for individual CVEs
- Now fetches and parses the HTML page directly
- Searches for 'bookworm ... fixed' pattern in the vulnerability table
- Cache files changed from .json to .html
This commit is contained in:
enzo 2026-05-13 02:56:16 +02:00
parent 9c4e40505b
commit 3bb213a00d
1 changed files with 19 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

34
full_updater/backend/scanner.py
View file

@ -17,37 +17,41 @@ def _ensure_cve_api_cache() -> None:
os.makedirs(CVE_API_CACHE, exist_ok=True) os.makedirs(CVE_API_CACHE, exist_ok=True)
def _fetch_cve_status(cve_id: str) -> dict: def _fetch_cve_html(cve_id: str) -> str:
"""Interroge l'API Debian Security Tracker pour une CVE, avec cache local.""" """Récupère le HTML de la page Debian Security Tracker pour une CVE."""
_ensure_cve_api_cache() _ensure_cve_api_cache()
cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json") cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.html")
if os.path.exists(cache_path): if os.path.exists(cache_path):
try: try:
with open(cache_path, "r", encoding="utf-8") as f: with open(cache_path, "r", encoding="utf-8") as f:
return json.load(f) return f.read()
except Exception: except Exception:
pass pass
url = f"https://security-tracker.debian.org/tracker/{cve_id}/json" url = f"https://security-tracker.debian.org/tracker/{cve_id}"
try: try:
req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"}) req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"})
with urllib.request.urlopen(req, timeout=15) as resp: with urllib.request.urlopen(req, timeout=15) as resp:
data = json.load(resp) html = resp.read().decode("utf-8")
with open(cache_path, "w", encoding="utf-8") as f: with open(cache_path, "w", encoding="utf-8") as f:
json.dump(data, f) f.write(html)
return data return html
except Exception: except Exception:
return {} return ""
def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
"""Retourne True si la CVE a un fixed_version pour le suite donné.""" """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML."""
data = _fetch_cve_status(cve_id) html = _fetch_cve_html(cve_id)
cve_data = data.get(cve_id, {}) if not html:
debian = cve_data.get("debian", {}) return False
suite_data = debian.get(suite, {})
return suite_data.get("status") == "resolved" and "fixed_version" in suite_data # Chercher dans le tableau des packages vulnérables/fixed
# Pattern: suite (security)? version fixed
# Ex: bookworm 3.0.18-1~deb12u1 fixed
pattern = re.compile(rf"<td[^>]*>\s*{re.escape(suite)}\s*(?:\(security\))?\s*</td>\s*<td[^>]*>[^<]+</td>\s*<td[^>]*>\s*fixed\s*</td>", re.IGNORECASE)
return bool(pattern.search(html))
def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: