From 8f623e1df693513cdc7218951d54568cb5dc5848 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:54:57 +0200 Subject: [PATCH 01/17] fix(ui): remove reactive vars in SummaryPanel, use direct widget update - Replace reactive attributes with direct widget updates in set_target - Delay _select_target by 0.1s after pop_screen to ensure DOM is stable - Remove summary.refresh() calls that interfere with direct updates --- full_updater/app.py | 3 +- full_updater/ui/summary.py | 73 ++++++++++++-------------------------- 2 files changed, 23 insertions(+), 53 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 969a526..0df0f6d 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -109,7 +109,7 @@ class FullUpdaterApp(App): ) sidebar.refresh() if self.targets: - self._select_target(self.targets[0].target_id) + self.set_timer(0.1, lambda: self._select_target(self.targets[0].target_id)) def _select_target(self, target_id: str): self.selected_target = target_id @@ -130,7 +130,6 @@ class FullUpdaterApp(App): skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) ) - summary.refresh() def on_sidebar_target_selected(self, event: Sidebar.TargetSelected): self._select_target(event.target_id) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index b012b9f..fb93ca0 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -1,6 +1,5 @@ from textual.widgets import Static, Button from textual.containers import Vertical, Horizontal -from textual.reactive import reactive from textual.message import Message @@ -26,10 +25,6 @@ class SummaryPanel(Vertical): height: auto; margin: 1 0; } - .summary-count { - color: $primary; - text-style: bold; - } .summary-error { color: $error; text-style: bold; @@ -55,13 +50,8 @@ class SummaryPanel(Vertical): self.target_id = target_id super().__init__() - cache_time = reactive("") - apt_count = reactive(0) - cve_count = reactive(0) - target_id = reactive("") - target_name = reactive("") - error_msg = reactive("") - is_skipped = reactive(False) + _current_target_id: str = "" + _current_target_name: str = "" def compose(self): with Horizontal(id="summary-header"): @@ -75,31 +65,21 @@ class SummaryPanel(Vertical): yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def watch_cache_time(self, value: str): - self.query_one("#summary-cache", Static).update(f"Cache : {value}" if value else "") + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): + self._current_target_id = target_id + self._current_target_name = name - def watch_apt_count(self, value: int): - self._update_display() - - def watch_cve_count(self, value: int): - self._update_display() - - def watch_error_msg(self, value: str): - self._update_display() - - def watch_is_skipped(self, value: bool): - self._update_display() - - def watch_target_name(self, value: str): - self.query_one("#summary-title", Static).update(value if value else "Sélectionnez une cible") - - def _update_display(self): + title = self.query_one("#summary-title", Static) apt_btn = self.query_one("#btn-apt", Button) cve_btn = self.query_one("#btn-cve", Button) err_label = self.query_one("#summary-error", Static) btn = self.query_one("#btn-upgrade", Button) + cache_label = self.query_one("#summary-cache", Static) - if self.is_skipped: + title.update(name if name else "Sélectionnez une cible") + cache_label.update(f"Cache : {cache_time}" if cache_time else "") + + if skipped: apt_btn.label = "Mises à jour : LXC éteint" cve_btn.label = "CVE : LXC éteint" err_label.update("") @@ -108,37 +88,28 @@ class SummaryPanel(Vertical): cve_btn.disabled = True return - if self.error_msg: - apt_btn.label = f"Mises à jour : {self.apt_count}" + if error: + apt_btn.label = f"Mises à jour : {apt_count}" cve_btn.label = "CVE : ERREUR" - err_label.update(self.error_msg) + err_label.update(error) btn.disabled = False - apt_btn.disabled = self.apt_count == 0 + apt_btn.disabled = apt_count == 0 cve_btn.disabled = True return - apt_btn.label = f"Mises à jour : {self.apt_count}" - cve_btn.label = f"CVE : {self.cve_count}" + apt_btn.label = f"Mises à jour : {apt_count}" + cve_btn.label = f"CVE : {cve_count}" err_label.update("") btn.disabled = False - apt_btn.disabled = self.apt_count == 0 - cve_btn.disabled = self.cve_count == 0 - - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): - self.target_id = target_id - self.target_name = name - self.apt_count = apt_count - self.cve_count = cve_count - self.error_msg = error - self.is_skipped = skipped - self.cache_time = cache_time + apt_btn.disabled = apt_count == 0 + cve_btn.disabled = cve_count == 0 def on_button_pressed(self, event: Button.Pressed): if event.button.id == "btn-reload": self.post_message(self.ReloadPressed()) elif event.button.id == "btn-upgrade": - self.post_message(self.UpgradePressed(self.target_id, self.target_name)) + self.post_message(self.UpgradePressed(self._current_target_id, self._current_target_name)) elif event.button.id == "btn-apt": - self.post_message(self.AptClicked(self.target_id)) + self.post_message(self.AptClicked(self._current_target_id)) elif event.button.id == "btn-cve": - self.post_message(self.CveClicked(self.target_id)) + self.post_message(self.CveClicked(self._current_target_id)) From f4db16327f246aa81f1084bb9ae81f37abed33b0 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:00:48 +0200 Subject: [PATCH 02/17] fix(cache): purge cache only once at startup, not on every write - Add clear_cache() called once in on_mount - ensure_cache_dir() no longer deletes existing files - This fixes the issue where only the last target's cache survived - Add widget.refresh() calls to force UI updates --- full_updater/app.py | 7 +++++-- full_updater/backend/cache.py | 5 ++++- full_updater/ui/summary.py | 7 +++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 0df0f6d..3d8e895 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -6,7 +6,7 @@ from textual.containers import Horizontal, Vertical from textual.reactive import reactive from textual import work -from full_updater.backend.cache import ensure_cache_dir, read_cache, get_cache_timestamp +from full_updater.backend.cache import clear_cache, ensure_cache_dir, read_cache, get_cache_timestamp from full_updater.backend.scanner import ( Target, ScanResult, get_lxc_list, lxc_is_running, ensure_debsecan_installed, scan_apt, scan_cve, write_cache, scan_target @@ -46,6 +46,7 @@ class FullUpdaterApp(App): yield SummaryPanel() def on_mount(self): + clear_cache() ensure_cache_dir() self.targets = [Target(target_id="host", name="hote", is_host=True)] + get_lxc_list() sidebar = self.query_one(Sidebar) @@ -93,6 +94,7 @@ class FullUpdaterApp(App): result.error, result.status == "skipped" ) + sidebar.refresh() def _finish_scan(self): self.pop_screen() @@ -109,7 +111,7 @@ class FullUpdaterApp(App): ) sidebar.refresh() if self.targets: - self.set_timer(0.1, lambda: self._select_target(self.targets[0].target_id)) + self.set_timer(0.2, lambda: self._select_target(self.targets[0].target_id)) def _select_target(self, target_id: str): self.selected_target = target_id @@ -130,6 +132,7 @@ class FullUpdaterApp(App): skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) ) + summary.refresh() def on_sidebar_target_selected(self, event: Sidebar.TargetSelected): self._select_target(event.target_id) diff --git a/full_updater/backend/cache.py b/full_updater/backend/cache.py index 1edb94d..5172ca9 100644 --- a/full_updater/backend/cache.py +++ b/full_updater/backend/cache.py @@ -7,9 +7,12 @@ from typing import Any CACHE_DIR = "/tmp/full-updater-cache" -def ensure_cache_dir() -> None: +def clear_cache() -> None: if os.path.exists(CACHE_DIR): shutil.rmtree(CACHE_DIR) + + +def ensure_cache_dir() -> None: os.makedirs(CACHE_DIR, exist_ok=True) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index fb93ca0..46dc560 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -104,6 +104,13 @@ class SummaryPanel(Vertical): apt_btn.disabled = apt_count == 0 cve_btn.disabled = cve_count == 0 + # Forcer le refresh de tous les widgets modifiés + apt_btn.refresh() + cve_btn.refresh() + err_label.refresh() + btn.refresh() + cache_label.refresh() + def on_button_pressed(self, event: Button.Pressed): if event.button.id == "btn-reload": self.post_message(self.ReloadPressed()) From eed84f36e8197806b0dc832e9419ac85e664d221 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:07:25 +0200 Subject: [PATCH 03/17] fix(log_panel): rename self.log to self._log_widget to avoid Textual property conflict --- full_updater/ui/log_panel.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/full_updater/ui/log_panel.py b/full_updater/ui/log_panel.py index 0ccfb15..1022d1c 100644 --- a/full_updater/ui/log_panel.py +++ b/full_updater/ui/log_panel.py @@ -23,21 +23,21 @@ class LogPanel(Vertical): def __init__(self): super().__init__() - self.log = None + self._log_widget = None def compose(self): with Horizontal(id="log-toolbar"): yield Button("⬅ Retour", id="log-back") - self.log = RichLog(id="log-view", highlight=True) - yield self.log + self._log_widget = RichLog(id="log-view", highlight=True) + yield self._log_widget def write(self, line: str): - if self.log: - self.log.write(line) + if self._log_widget: + self._log_widget.write(line) def clear(self): - if self.log: - self.log.clear() + if self._log_widget: + self._log_widget.clear() def on_button_pressed(self, event: Button.Pressed): if event.button.id == "log-back": From af9e061ab586b9f1d5a9907d792ff008cbfebc9e Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:11:08 +0200 Subject: [PATCH 04/17] fix(upgrade): remove call_from_thread in async worker, call log_panel.write directly --- full_updater/app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/full_updater/app.py b/full_updater/app.py index 3d8e895..ebc400b 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -208,7 +208,7 @@ class FullUpdaterApp(App): return executor = UpgradeExecutor( target_id, is_host, - on_line=lambda line: self.call_from_thread(log_panel.write, line) + on_line=lambda line: log_panel.write(line) ) ok = await executor.run() if ok: From e22f416500f220c9a1c6e7de0971aa9ff4488cf2 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:27:22 +0200 Subject: [PATCH 05/17] feat(cve): filter actionable CVEs via Debian Security Tracker API - Add filter_actionable_cves() that queries security-tracker.debian.org - Cache API responses in /tmp/full-updater-cache/cve-api/ - Use ThreadPoolExecutor(max_workers=10) for parallel API calls - cve_count now shows only actionable CVEs (with fixed_version) - cve_total stored for info, shown as 'CVE: X (Y non corrigeables)' --- full_updater/app.py | 4 +- full_updater/backend/scanner.py | 90 +++++++++++++++++++++++++++++++-- full_updater/ui/summary.py | 7 ++- 3 files changed, 95 insertions(+), 6 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index ebc400b..d2540cc 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -128,6 +128,7 @@ class FullUpdaterApp(App): name=name, apt_count=data.get("apt_count", 0), cve_count=data.get("cve_count", 0), + cve_total=data.get("cve_total", 0), error=data.get("error", ""), skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) @@ -158,7 +159,7 @@ class FullUpdaterApp(App): write_cache(target.target_id, { "timestamp": datetime.now().isoformat(), "apt_count": 0, "apt_packages": [], - "cve_count": 0, "cve_list": [], + "cve_count": 0, "cve_total": 0, "cve_list": [], "error": "LXC éteint" }) self._update_sidebar(target.target_id, result) @@ -176,6 +177,7 @@ class FullUpdaterApp(App): "apt_count": result.apt_count, "apt_packages": result.apt_packages, "cve_count": result.cve_count, + "cve_total": result.cve_total, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 4271c74..6180049 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -1,10 +1,83 @@ +import json +import os import re import subprocess +import urllib.request +from concurrent.futures import ThreadPoolExecutor from dataclasses import dataclass, field from datetime import datetime from typing import Callable -from full_updater.backend.cache import write_cache +from full_updater.backend.cache import write_cache, ensure_cache_dir + +CVE_API_CACHE = "/tmp/full-updater-cache/cve-api" + + +def _ensure_cve_api_cache() -> None: + os.makedirs(CVE_API_CACHE, exist_ok=True) + + +def _fetch_cve_status(cve_id: str) -> dict: + """Interroge l'API Debian Security Tracker pour une CVE, avec cache local.""" + _ensure_cve_api_cache() + cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json") + + if os.path.exists(cache_path): + try: + with open(cache_path, "r", encoding="utf-8") as f: + return json.load(f) + except Exception: + pass + + url = f"https://security-tracker.debian.org/tracker/{cve_id}/json" + try: + req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"}) + with urllib.request.urlopen(req, timeout=15) as resp: + data = json.load(resp) + with open(cache_path, "w", encoding="utf-8") as f: + json.dump(data, f) + return data + except Exception: + return {} + + +def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: + """Retourne True si la CVE a un fixed_version pour le suite donné.""" + data = _fetch_cve_status(cve_id) + cve_data = data.get(cve_id, {}) + debian = cve_data.get("debian", {}) + suite_data = debian.get(suite, {}) + return suite_data.get("status") == "resolved" and "fixed_version" in suite_data + + +def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: + """Filtre la liste des CVE pour ne garder que les actionnables. + Retourne (cve_actionnables, cve_total).""" + if not cves: + return [], 0 + + total = len(cves) + + def check(cve: dict) -> dict | None: + try: + if _is_cve_actionable(cve["id"]): + return cve + except Exception: + pass + return None + + actionable = [] + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [executor.submit(check, cve) for cve in cves] + for future in futures: + try: + result = future.result() + if result: + actionable.append(result) + except Exception: + pass + + return actionable, total @dataclass @@ -21,6 +94,7 @@ class ScanResult: cve_ok: bool = False apt_count: int = 0 cve_count: int = 0 + cve_total: int = 0 apt_packages: list[dict[str, str]] = field(default_factory=list) cve_list: list[dict[str, str]] = field(default_factory=list) error: str = "" @@ -139,10 +213,19 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: if debsecan_ok: cve_ok, cve_list, cve_err = scan_cve(target) result.cve_ok = cve_ok - result.cve_count = len(cve_list) - result.cve_list = cve_list if not cve_ok: result.error = cve_err + + # Filtrer les CVE actionnables via l'API Debian + if cve_list: + actionable, total = filter_actionable_cves(cve_list) + result.cve_list = actionable + result.cve_count = len(actionable) + result.cve_total = total + else: + result.cve_list = [] + result.cve_count = 0 + result.cve_total = 0 else: result.cve_ok = False result.error = f"debsecan: {debsecan_err}" @@ -157,6 +240,7 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: "apt_count": result.apt_count, "apt_packages": result.apt_packages, "cve_count": result.cve_count, + "cve_total": result.cve_total, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index 46dc560..e750712 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -65,7 +65,7 @@ class SummaryPanel(Vertical): yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, error: str, skipped: bool, cache_time: str): self._current_target_id = target_id self._current_target_name = name @@ -98,7 +98,10 @@ class SummaryPanel(Vertical): return apt_btn.label = f"Mises à jour : {apt_count}" - cve_btn.label = f"CVE : {cve_count}" + if cve_total > cve_count: + cve_btn.label = f"CVE : {cve_count} ({cve_total - cve_count} non corrigeables)" + else: + cve_btn.label = f"CVE : {cve_count}" err_label.update("") btn.disabled = False apt_btn.disabled = apt_count == 0 From 86eda73eb9ab0b81039e1b5a886a708f6353b316 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:35:15 +0200 Subject: [PATCH 06/17] feat(cve): show all CVEs with fixable indicator in list screen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - filter_actionable_cves now marks all CVEs with 'fixable' boolean - cve_list in cache contains ALL CVEs (not just actionable ones) - CVEListScreen adds 'Corrigeable' column with 🟢/🔴 indicator - Sidebar counter still shows only actionable CVEs (cve_count) --- full_updater/backend/scanner.py | 37 ++++++++++++++++--------------- full_updater/ui/detail_screens.py | 20 +++++++++++++++-- 2 files changed, 37 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 6180049..6fd044a 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -51,33 +51,34 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: - """Filtre la liste des CVE pour ne garder que les actionnables. - Retourne (cve_actionnables, cve_total).""" + """Filtre la liste des CVE pour ajouter un flag 'fixable'. + Retourne (cve_avec_flag, nombre_actionnables).""" if not cves: return [], 0 - total = len(cves) - - def check(cve: dict) -> dict | None: + def check(cve: dict) -> dict: try: - if _is_cve_actionable(cve["id"]): - return cve + is_fixable = _is_cve_actionable(cve["id"]) + cve["fixable"] = is_fixable + return cve except Exception: - pass - return None + cve["fixable"] = False + return cve - actionable = [] + all_cves = [] + actionable_count = 0 with ThreadPoolExecutor(max_workers=10) as executor: futures = [executor.submit(check, cve) for cve in cves] for future in futures: try: - result = future.result() - if result: - actionable.append(result) + cve = future.result() + all_cves.append(cve) + if cve.get("fixable"): + actionable_count += 1 except Exception: pass - return actionable, total + return all_cves, actionable_count @dataclass @@ -218,10 +219,10 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: # Filtrer les CVE actionnables via l'API Debian if cve_list: - actionable, total = filter_actionable_cves(cve_list) - result.cve_list = actionable - result.cve_count = len(actionable) - result.cve_total = total + all_cves, actionable_count = filter_actionable_cves(cve_list) + result.cve_list = all_cves + result.cve_count = actionable_count + result.cve_total = len(all_cves) else: result.cve_list = [] result.cve_count = 0 diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index dc64962..78b31b4 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -9,6 +9,21 @@ except Exception: PYPERCLIP_OK = False +SCREEN_CSS = """ + align: left top; + padding: 1 2; + #toolbar { + height: auto; + dock: top; + margin-bottom: 1; + } + DataTable { + height: 1fr; + border: solid $primary; + } +""" + + class PackageListScreen(Screen): BINDINGS = [("b", "back", "Retour")] DEFAULT_CSS = """ @@ -75,14 +90,15 @@ class CVEListScreen(Screen): with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="cve-back", variant="default") table = DataTable(id="cve-table") - table.add_columns("CVE-ID", "Paquet", "Lien") + table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien") table.cursor_type = "row" for i, cve in enumerate(self.cves): cve_id = cve.get("id", "?") pkg = cve.get("package", "?") url = cve.get("url", "") + fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non" self.urls[i] = url - table.add_row(cve_id, pkg, url) + table.add_row(cve_id, pkg, fixable, url) yield table def on_data_table_row_selected(self, event: DataTable.RowSelected): From 9c4e40505b926dec5dc1cfa25dbbed79f63c682b Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:38:58 +0200 Subject: [PATCH 07/17] fix(summary): enable CVE button when non-fixable CVEs exist - Use cve_total instead of cve_count to determine button disabled state - Allows viewing all CVEs even when none are fixable --- full_updater/ui/summary.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index e750712..dd48ae9 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -105,7 +105,7 @@ class SummaryPanel(Vertical): err_label.update("") btn.disabled = False apt_btn.disabled = apt_count == 0 - cve_btn.disabled = cve_count == 0 + cve_btn.disabled = cve_total == 0 # Forcer le refresh de tous les widgets modifiés apt_btn.refresh() From 3bb213a00dfc466ba931f6c9e52e8216f147c423 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:56:16 +0200 Subject: [PATCH 08/17] fix(cve): parse HTML instead of non-existent JSON API - Debian Security Tracker has no public JSON API for individual CVEs - Now fetches and parses the HTML page directly - Searches for 'bookworm ... fixed' pattern in the vulnerability table - Cache files changed from .json to .html --- full_updater/backend/scanner.py | 34 ++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 6fd044a..c002ce7 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -17,37 +17,41 @@ def _ensure_cve_api_cache() -> None: os.makedirs(CVE_API_CACHE, exist_ok=True) -def _fetch_cve_status(cve_id: str) -> dict: - """Interroge l'API Debian Security Tracker pour une CVE, avec cache local.""" +def _fetch_cve_html(cve_id: str) -> str: + """Récupère le HTML de la page Debian Security Tracker pour une CVE.""" _ensure_cve_api_cache() - cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json") + cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.html") if os.path.exists(cache_path): try: with open(cache_path, "r", encoding="utf-8") as f: - return json.load(f) + return f.read() except Exception: pass - url = f"https://security-tracker.debian.org/tracker/{cve_id}/json" + url = f"https://security-tracker.debian.org/tracker/{cve_id}" try: req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"}) with urllib.request.urlopen(req, timeout=15) as resp: - data = json.load(resp) + html = resp.read().decode("utf-8") with open(cache_path, "w", encoding="utf-8") as f: - json.dump(data, f) - return data + f.write(html) + return html except Exception: - return {} + return "" def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: - """Retourne True si la CVE a un fixed_version pour le suite donné.""" - data = _fetch_cve_status(cve_id) - cve_data = data.get(cve_id, {}) - debian = cve_data.get("debian", {}) - suite_data = debian.get(suite, {}) - return suite_data.get("status") == "resolved" and "fixed_version" in suite_data + """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML.""" + html = _fetch_cve_html(cve_id) + if not html: + return False + + # Chercher dans le tableau des packages vulnérables/fixed + # Pattern: suite (security)? version fixed + # Ex: bookworm 3.0.18-1~deb12u1 fixed + pattern = re.compile(rf"]*>\s*{re.escape(suite)}\s*(?:\(security\))?\s*\s*]*>[^<]+\s*]*>\s*fixed\s*", re.IGNORECASE) + return bool(pattern.search(html)) def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: From 6e707da98d350e41c9da66789320dde960d13226 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:07:28 +0200 Subject: [PATCH 09/17] feat(ui): display OS name and version in SummaryPanel - Add scan_os() to detect OS via lsb_release or /etc/os-release - Store os_info in cache and ScanResult - Display OS info in SummaryPanel below the target name --- full_updater/app.py | 3 +++ full_updater/backend/scanner.py | 28 ++++++++++++++++++++++++++++ full_updater/ui/summary.py | 5 ++++- 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/full_updater/app.py b/full_updater/app.py index d2540cc..0bee8a2 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -129,6 +129,7 @@ class FullUpdaterApp(App): apt_count=data.get("apt_count", 0), cve_count=data.get("cve_count", 0), cve_total=data.get("cve_total", 0), + os_info=data.get("os_info", ""), error=data.get("error", ""), skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) @@ -160,6 +161,7 @@ class FullUpdaterApp(App): "timestamp": datetime.now().isoformat(), "apt_count": 0, "apt_packages": [], "cve_count": 0, "cve_total": 0, "cve_list": [], + "os_info": "LXC éteint", "error": "LXC éteint" }) self._update_sidebar(target.target_id, result) @@ -178,6 +180,7 @@ class FullUpdaterApp(App): "apt_packages": result.apt_packages, "cve_count": result.cve_count, "cve_total": result.cve_total, + "os_info": result.os_info, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index c002ce7..420215e 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -100,6 +100,7 @@ class ScanResult: apt_count: int = 0 cve_count: int = 0 cve_total: int = 0 + os_info: str = "" apt_packages: list[dict[str, str]] = field(default_factory=list) cve_list: list[dict[str, str]] = field(default_factory=list) error: str = "" @@ -135,6 +136,28 @@ def lxc_is_running(vmid: str) -> bool: return ok and "running" in stdout.lower() +def scan_os(target: Target) -> str: + """Récupère le nom et la version de l'OS.""" + if target.is_host: + cmd = ["lsb_release", "-ds"] + else: + cmd = ["pct", "exec", target.target_id, "--", "lsb_release", "-ds"] + ok, stdout, _ = run_cmd(cmd, timeout=30) + if ok: + return stdout.strip() + # Fallback si lsb_release n'est pas installé + if target.is_host: + cmd = ["cat", "/etc/os-release"] + else: + cmd = ["pct", "exec", target.target_id, "--", "cat", "/etc/os-release"] + ok, stdout, _ = run_cmd(cmd, timeout=30) + if ok: + name = re.search(r'PRETTY_NAME="([^"]+)"', stdout) + if name: + return name.group(1) + return "OS inconnu" + + def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: if is_host: ok, _, _ = run_cmd(["which", "debsecan"]) @@ -236,6 +259,10 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: result.error = f"debsecan: {debsecan_err}" progress_cb() + # Scan OS + result.os_info = scan_os(target) + progress_cb() + result.status = "done" if (result.apt_ok and result.cve_ok) else "error" if result.error: result.status = "error" @@ -246,6 +273,7 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: "apt_packages": result.apt_packages, "cve_count": result.cve_count, "cve_total": result.cve_total, + "os_info": result.os_info, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index dd48ae9..4b9fe7d 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -60,16 +60,18 @@ class SummaryPanel(Vertical): with Vertical(id="summary-body"): yield Static("Sélectionnez une cible", id="summary-title") + yield Static("", id="summary-os", classes="summary-row") yield Button("Mises à jour : -", id="btn-apt", classes="summary-row", variant="default") yield Button("CVE : -", id="btn-cve", classes="summary-row", variant="default") yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, error: str, skipped: bool, cache_time: str): + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, os_info: str, error: str, skipped: bool, cache_time: str): self._current_target_id = target_id self._current_target_name = name title = self.query_one("#summary-title", Static) + os_label = self.query_one("#summary-os", Static) apt_btn = self.query_one("#btn-apt", Button) cve_btn = self.query_one("#btn-cve", Button) err_label = self.query_one("#summary-error", Static) @@ -77,6 +79,7 @@ class SummaryPanel(Vertical): cache_label = self.query_one("#summary-cache", Static) title.update(name if name else "Sélectionnez une cible") + os_label.update(os_info if os_info else "") cache_label.update(f"Cache : {cache_time}" if cache_time else "") if skipped: From 2d339cc397957451ce260272058c078e3eb375bf Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:52:10 +0200 Subject: [PATCH 10/17] feat(os): show full version number from /etc/debian_version - Use lsb_release -is/-cs for name and codename - Use /etc/debian_version for full version (e.g. 12.9) - Display format: 'Debian GNU/Linux 12.9 (bookworm)' --- full_updater/backend/scanner.py | 52 +++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 420215e..a721c21 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -137,25 +137,39 @@ def lxc_is_running(vmid: str) -> bool: def scan_os(target: Target) -> str: - """Récupère le nom et la version de l'OS.""" - if target.is_host: - cmd = ["lsb_release", "-ds"] - else: - cmd = ["pct", "exec", target.target_id, "--", "lsb_release", "-ds"] - ok, stdout, _ = run_cmd(cmd, timeout=30) - if ok: - return stdout.strip() - # Fallback si lsb_release n'est pas installé - if target.is_host: - cmd = ["cat", "/etc/os-release"] - else: - cmd = ["pct", "exec", target.target_id, "--", "cat", "/etc/os-release"] - ok, stdout, _ = run_cmd(cmd, timeout=30) - if ok: - name = re.search(r'PRETTY_NAME="([^"]+)"', stdout) - if name: - return name.group(1) - return "OS inconnu" + """Récupère le nom, la version complète et le codename de l'OS.""" + prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] + + # 1. Récupérer le nom (Debian, Ubuntu...) + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" + + # 2. Récupérer le codename (bookworm, trixie...) + ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) + codename = code_out.strip() if ok else "" + + # 3. Récupérer la version complète depuis /etc/debian_version (ex: 12.9) + ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) + version = ver_out.strip() if ok else "" + + # 4. Fallback sur lsb_release -rs si /etc/debian_version vide + if not version: + ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) + version = ver_out.strip() if ok else "" + + # 5. Fallback sur /etc/os-release si tout le reste échoue + if not os_name or not version: + ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) + if ok: + pretty = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) + if pretty: + return pretty.group(1) + return "OS inconnu" + + # Construire le libellé final + if codename: + return f"{os_name} GNU/Linux {version} ({codename})" + return f"{os_name} GNU/Linux {version}" def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From d90f74dd8f0f1c8126cc0b70812c6269db430dc4 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:59:47 +0200 Subject: [PATCH 11/17] fix(os): use VERSION_ID from /etc/os-release for full version number in LXC --- full_updater/backend/scanner.py | 49 +++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index a721c21..27aee27 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,36 +140,45 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Récupérer le nom (Debian, Ubuntu...) - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + # 1. Lire /etc/os-release pour VERSION_ID (ex: 12.9) et PRETTY_NAME + ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) + version_id = "" + pretty_name = "" + if ok: + ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1) + pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) + if pretty_match: + pretty_name = pretty_match.group(1) - # 2. Récupérer le codename (bookworm, trixie...) + # 2. Récupérer le codename via lsb_release ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) codename = code_out.strip() if ok else "" - # 3. Récupérer la version complète depuis /etc/debian_version (ex: 12.9) - ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) - version = ver_out.strip() if ok else "" + # 3. Fallback sur /etc/debian_version si VERSION_ID vide + if not version_id: + ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) + version_id = ver_out.strip() if ok else "" - # 4. Fallback sur lsb_release -rs si /etc/debian_version vide - if not version: + # 4. Fallback sur lsb_release -rs + if not version_id: ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) - version = ver_out.strip() if ok else "" + version_id = ver_out.strip() if ok else "" - # 5. Fallback sur /etc/os-release si tout le reste échoue - if not os_name or not version: - ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) - if ok: - pretty = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) - if pretty: - return pretty.group(1) - return "OS inconnu" + # 5. Récupérer le nom via lsb_release + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" + + if not os_name and pretty_name: + return pretty_name + if not os_name or not version_id: + return pretty_name if pretty_name else "OS inconnu" # Construire le libellé final if codename: - return f"{os_name} GNU/Linux {version} ({codename})" - return f"{os_name} GNU/Linux {version}" + return f"{os_name} GNU/Linux {version_id} ({codename})" + return f"{os_name} GNU/Linux {version_id}" def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From f0f59f04682c395a669864b9c6c58a61a9ea4a8d Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:05:45 +0200 Subject: [PATCH 12/17] fix(os): read DEBIAN_VERSION_FULL from /etc/os-release first - Check DEBIAN_VERSION_FULL (ex: 13.4) as primary source - Fallback to VERSION, then VERSION_ID, then /etc/debian_version --- full_updater/backend/scanner.py | 40 ++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 27aee27..486b9fe 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,33 +140,41 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Lire /etc/os-release pour VERSION_ID (ex: 12.9) et PRETTY_NAME + # 1. Lire /etc/os-release ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) version_id = "" pretty_name = "" + codename = "" if ok: - ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1) + # Priorité 1 : DEBIAN_VERSION_FULL (ex: 13.4) + ver_full_match = re.search(r'DEBIAN_VERSION_FULL="?([^"\n]+)"?', osrel_out) + if ver_full_match: + version_id = ver_full_match.group(1).strip() + # Priorité 2 : VERSION (ex: "13 (trixie)") + if not version_id: + ver_match = re.search(r'VERSION="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1).strip() + # Priorité 3 : VERSION_ID (ex: "13") + if not version_id: + ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1).strip() + # Nom affichable pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) if pretty_match: - pretty_name = pretty_match.group(1) + pretty_name = pretty_match.group(1).strip() + # Codename + code_match = re.search(r'VERSION_CODENAME="?([^"\n]+)"?', osrel_out) + if code_match: + codename = code_match.group(1).strip() - # 2. Récupérer le codename via lsb_release - ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) - codename = code_out.strip() if ok else "" - - # 3. Fallback sur /etc/debian_version si VERSION_ID vide + # 2. Fallback sur /etc/debian_version si tout vide if not version_id: ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) version_id = ver_out.strip() if ok else "" - # 4. Fallback sur lsb_release -rs - if not version_id: - ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) - version_id = ver_out.strip() if ok else "" - - # 5. Récupérer le nom via lsb_release + # 3. Récupérer le nom via lsb_release ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) os_name = name_out.strip() if ok else "" From c1f462d2093e16ee495164865a79f57afb8350be Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:10:01 +0200 Subject: [PATCH 13/17] fix(os): parse /etc/os-release line-by-line instead of regex - pct exec returns stdout differently than local cat - Line-by-line parsing is more robust across LXC boundaries - Handles quotes correctly --- full_updater/backend/scanner.py | 55 +++++++++++++++------------------ 1 file changed, 25 insertions(+), 30 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 486b9fe..818a35c 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,43 +140,38 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Lire /etc/os-release + # 1. Lire /etc/os-release et parser ligne par ligne ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) - version_id = "" - pretty_name = "" - codename = "" + os_data = {} if ok: - # Priorité 1 : DEBIAN_VERSION_FULL (ex: 13.4) - ver_full_match = re.search(r'DEBIAN_VERSION_FULL="?([^"\n]+)"?', osrel_out) - if ver_full_match: - version_id = ver_full_match.group(1).strip() - # Priorité 2 : VERSION (ex: "13 (trixie)") - if not version_id: - ver_match = re.search(r'VERSION="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1).strip() - # Priorité 3 : VERSION_ID (ex: "13") - if not version_id: - ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1).strip() - # Nom affichable - pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) - if pretty_match: - pretty_name = pretty_match.group(1).strip() - # Codename - code_match = re.search(r'VERSION_CODENAME="?([^"\n]+)"?', osrel_out) - if code_match: - codename = code_match.group(1).strip() + for line in osrel_out.splitlines(): + line = line.strip() + if "=" in line: + key, val = line.split("=", 1) + # Supprimer les guillemets + val = val.strip().strip('"').strip("'") + os_data[key] = val - # 2. Fallback sur /etc/debian_version si tout vide + # 2. Extraire les champs + version_id = os_data.get("DEBIAN_VERSION_FULL", "") + if not version_id: + version_id = os_data.get("VERSION", "") + if not version_id: + version_id = os_data.get("VERSION_ID", "") + + codename = os_data.get("VERSION_CODENAME", "") + pretty_name = os_data.get("PRETTY_NAME", "") + os_name = os_data.get("NAME", "") + + # 3. Fallback sur /etc/debian_version si tout vide if not version_id: ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) version_id = ver_out.strip() if ok else "" - # 3. Récupérer le nom via lsb_release - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + # 4. Fallback sur lsb_release pour le nom + if not os_name: + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" if not os_name and pretty_name: return pretty_name From 721e677fa648afc1004f0c000d3e4f0b3e1af57a Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:15:57 +0200 Subject: [PATCH 14/17] fix(os): use NAME directly, avoid double 'GNU/Linux' - NAME already contains 'Debian GNU/Linux', don't append it again - With DEBIAN_VERSION_FULL: NAME + DEBIAN_VERSION_FULL + (codename) - Without: NAME + VERSION_ID + (codename) - Fixes duplication bug --- full_updater/backend/scanner.py | 39 +++++++++++---------------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 818a35c..4d2d768 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -148,40 +148,27 @@ def scan_os(target: Target) -> str: line = line.strip() if "=" in line: key, val = line.split("=", 1) - # Supprimer les guillemets val = val.strip().strip('"').strip("'") os_data[key] = val # 2. Extraire les champs - version_id = os_data.get("DEBIAN_VERSION_FULL", "") - if not version_id: - version_id = os_data.get("VERSION", "") - if not version_id: - version_id = os_data.get("VERSION_ID", "") - + name = os_data.get("NAME", "") codename = os_data.get("VERSION_CODENAME", "") - pretty_name = os_data.get("PRETTY_NAME", "") - os_name = os_data.get("NAME", "") + debian_version_full = os_data.get("DEBIAN_VERSION_FULL", "") + version_id = os_data.get("VERSION_ID", "") - # 3. Fallback sur /etc/debian_version si tout vide - if not version_id: - ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) - version_id = ver_out.strip() if ok else "" + # 3. Construire le libellé final + # Avec DEBIAN_VERSION_FULL : NAME DEBIAN_VERSION_FULL (VERSION_CODENAME) + # Sans : NAME VERSION_ID (VERSION_CODENAME) + version = debian_version_full if debian_version_full else version_id - # 4. Fallback sur lsb_release pour le nom - if not os_name: - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + if name and version and codename: + return f"{name} {version} ({codename})" + if name and version: + return f"{name} {version}" - if not os_name and pretty_name: - return pretty_name - if not os_name or not version_id: - return pretty_name if pretty_name else "OS inconnu" - - # Construire le libellé final - if codename: - return f"{os_name} GNU/Linux {version_id} ({codename})" - return f"{os_name} GNU/Linux {version_id}" + # Fallback : PRETTY_NAME ou "OS inconnu" + return os_data.get("PRETTY_NAME", "OS inconnu") def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From 13d826ecd2322bc78b74719a954f9a1568640d39 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:20:14 +0200 Subject: [PATCH 15/17] feat(cve): add severity and vector columns to CVE list - Parse [remote|local] and [severity] from debsecan output - Display Severity and Vector columns in CVEListScreen - Severity values: unimportant, low, medium, high, critical --- full_updater/backend/scanner.py | 11 +++++++++-- full_updater/ui/detail_screens.py | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 4d2d768..2ae08ad 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -226,9 +226,16 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: cves = [] for line in stdout.splitlines(): - m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) + # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description + m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\[(remote|local)\])?(?:\s+\[(unimportant|low|medium|high|critical)\])?", line) if m: - cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"}) + cves.append({ + "id": m.group(1), + "package": m.group(2), + "vector": m.group(3) or "?", + "severity": m.group(4) or "?", + "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" + }) return True, cves, "" diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index 78b31b4..5e95e10 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -90,15 +90,17 @@ class CVEListScreen(Screen): with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="cve-back", variant="default") table = DataTable(id="cve-table") - table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien") + table.add_columns("CVE-ID", "Paquet", "Severite", "Vecteur", "Corrigeable", "Lien") table.cursor_type = "row" for i, cve in enumerate(self.cves): cve_id = cve.get("id", "?") pkg = cve.get("package", "?") url = cve.get("url", "") + severity = cve.get("severity", "?") + vector = cve.get("vector", "?") fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non" self.urls[i] = url - table.add_row(cve_id, pkg, fixable, url) + table.add_row(cve_id, pkg, severity, vector, fixable, url) yield table def on_data_table_row_selected(self, event: DataTable.RowSelected): From 9107009370de3b4f2827a3d2849f1ed0234c3e34 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:23:45 +0200 Subject: [PATCH 16/17] fix(cve): robust parsing of [remote|local] and [severity] flags - Use re.findall to extract all bracketed flags instead of positional regex - Fixes issue where optional groups were not captured correctly --- full_updater/backend/scanner.py | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 2ae08ad..9e317bb 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -227,13 +227,22 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: cves = [] for line in stdout.splitlines(): # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description - m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\[(remote|local)\])?(?:\s+\[(unimportant|low|medium|high|critical)\])?", line) + m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: + # Extraire tous les flags entre crochets + flags = re.findall(r"\[(\w+)\]", line) + vector = "?" + severity = "?" + for f in flags: + if f in ("remote", "local"): + vector = f + elif f in ("unimportant", "low", "medium", "high", "critical"): + severity = f cves.append({ "id": m.group(1), "package": m.group(2), - "vector": m.group(3) or "?", - "severity": m.group(4) or "?", + "vector": vector, + "severity": severity, "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" }) return True, cves, "" From 11ada690a121c3759b334a66cc692a37dd46de9a Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:33:05 +0200 Subject: [PATCH 17/17] fix(cve): enrich CVEs with severity/vector from Debian Security Tracker HTML - debsecan default format has no [remote|local] or [severity] flags - Now fetches severity and vector from security-tracker.debian.org HTML - scan_cve uses default format (no --format report) - enrich_cves replaces filter_actionable_cves, adds severity+vector --- full_updater/backend/scanner.py | 58 +++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 9e317bb..f00185a 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -41,6 +41,29 @@ def _fetch_cve_html(cve_id: str) -> str: return "" +def _enrich_cve(cve_id: str) -> dict[str, str]: + """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker.""" + html = _fetch_cve_html(cve_id) + if not html: + return {"severity": "?", "vector": "?"} + + result = {"severity": "?", "vector": "?"} + + # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages" + # Recherche du motif: remote ou local + vector_match = re.search(r']*>\s*(remote|local)\s*', html, re.IGNORECASE) + if vector_match: + result["vector"] = vector_match.group(1).lower() + + # Extraction de la sévérité depuis les notes ou le tableau + # Format courant: [low], [medium], [high], [critical] dans les notes + severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE) + if severity_match: + result["severity"] = severity_match.group(1).lower() + + return result + + def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML.""" html = _fetch_cve_html(cve_id) @@ -54,16 +77,20 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: return bool(pattern.search(html)) -def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: - """Filtre la liste des CVE pour ajouter un flag 'fixable'. - Retourne (cve_avec_flag, nombre_actionnables).""" +def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]: + """Enrichit les CVEs avec fixable, severity, vector via l'API Debian. + Retourne (cve_enrichies, nombre_actionnables).""" if not cves: return [], 0 def check(cve: dict) -> dict: try: - is_fixable = _is_cve_actionable(cve["id"]) - cve["fixable"] = is_fixable + # Vérifie si corrigeable + cve["fixable"] = _is_cve_actionable(cve["id"]) + # Enrichit avec severity et vector + enriched = _enrich_cve(cve["id"]) + cve["severity"] = enriched["severity"] + cve["vector"] = enriched["vector"] return cve except Exception: cve["fixable"] = False @@ -219,30 +246,21 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: - cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"] + # Format par défaut (pas de --format) retourne: CVE-ID package + cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"] ok, stdout, stderr = run_cmd(cmd, timeout=120) if not ok: return False, [], stderr or stdout cves = [] for line in stdout.splitlines(): - # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: - # Extraire tous les flags entre crochets - flags = re.findall(r"\[(\w+)\]", line) - vector = "?" - severity = "?" - for f in flags: - if f in ("remote", "local"): - vector = f - elif f in ("unimportant", "low", "medium", "high", "critical"): - severity = f cves.append({ "id": m.group(1), "package": m.group(2), - "vector": vector, - "severity": severity, + "vector": "?", + "severity": "?", "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" }) return True, cves, "" @@ -273,9 +291,9 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: if not cve_ok: result.error = cve_err - # Filtrer les CVE actionnables via l'API Debian + # Enrichir les CVE via l'API Debian (severity, vector, fixable) if cve_list: - all_cves, actionable_count = filter_actionable_cves(cve_list) + all_cves, actionable_count = enrich_cves(cve_list) result.cve_list = all_cves result.cve_count = actionable_count result.cve_total = len(all_cves)