From 978297455a6deb028a5453d15d3b6ac09d79f9de Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:02:23 +0200 Subject: [PATCH 01/24] fix(debian): remove git and pct from Depends, not available on standard Debian --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 034e858..cebb2e7 100644 --- a/debian/control +++ b/debian/control @@ -7,7 +7,7 @@ Standards-Version: 4.6.0 Package: full-updater Architecture: all -Depends: python3, python3-venv, git, pct +Depends: python3, python3-venv Description: TUI for APT/CVE updates on Proxmox host and LXC Full Updater is a terminal user interface (TUI) that visualizes available APT updates and CVEs for the Proxmox host and all LXC From e2e504cefffa3623184e85e37a8bf7d9c143647b Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:06:54 +0200 Subject: [PATCH 02/24] fix(scripts): add PYTHONPATH so venv finds full_updater module --- scripts/fullupdater | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/fullupdater b/scripts/fullupdater index 8eb8655..ebee933 100644 --- a/scripts/fullupdater +++ b/scripts/fullupdater @@ -11,4 +11,5 @@ if [ ! -d "$VENV_DIR" ]; then fi source "$VENV_DIR/bin/activate" +export PYTHONPATH="/opt/full-updater:$PYTHONPATH" python3 -m full_updater "$@" From 8f7cb33a9c56acbb0acc30d5ec01aaa8dc56f36c Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:18:08 +0200 Subject: [PATCH 03/24] fix(ui,backend): parallel scan, fix DataTable init, force refresh - Use ThreadPoolExecutor for parallel scanning of all targets - Fix PackageTable and CVETable crash by initializing columns in compose() - Force widget refresh after scan completion to update counters --- full_updater/app.py | 72 ++++++++--------------------- full_updater/backend/scanner.py | 78 ++++++++++++++++---------------- full_updater/ui/cve_table.py | 7 +-- full_updater/ui/package_table.py | 7 +-- 4 files changed, 60 insertions(+), 104 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 9797244..9a477d4 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -10,7 +10,8 @@ from textual import work from full_updater.backend.cache import ensure_cache_dir, read_cache, get_cache_timestamp from full_updater.backend.scanner import ( Target, ScanResult, get_lxc_list, lxc_is_running, - ensure_debsecan_installed, scan_apt, scan_cve, write_cache + ensure_debsecan_installed, scan_apt, scan_cve, write_cache, + run_full_scan ) from full_updater.backend.executor import UpgradeExecutor from full_updater.ui.loader import LoaderScreen @@ -67,61 +68,19 @@ class FullUpdaterApp(App): pct = min(100.0, (completed / (total * 4)) * 100) self.call_from_thread(self._update_loader, pct) - for idx, target in enumerate(self.targets): - self.call_from_thread(self._update_loader_status, idx, "running") - - if not target.is_host and not lxc_is_running(target.target_id): - self.call_from_thread(self._update_loader_status, idx, "skipped") - result = ScanResult(target=target) - result.status = "skipped" - self.results[target.target_id] = result - for _ in range(4): - progress_cb() - continue - - debsecan_ok, debsecan_err = ensure_debsecan_installed(target.is_host, target.target_id) - progress_cb() - - apt_ok, apt_packages, apt_err = scan_apt(target) - progress_cb() - - cve_ok = False - cve_list = [] - cve_err = "" - if debsecan_ok: - cve_ok, cve_list, cve_err = scan_cve(target) - else: - cve_err = f"debsecan: {debsecan_err}" - progress_cb() - - result = ScanResult( - target=target, - apt_ok=apt_ok, - cve_ok=cve_ok, - apt_count=len(apt_packages), - cve_count=len(cve_list), - apt_packages=apt_packages, - cve_list=cve_list, - error=apt_err or cve_err, - status="done" if (apt_ok and (cve_ok or not debsecan_ok)) else "error" - ) - if result.error: - result.status = "error" - self.results[target.target_id] = result - - cache_id = "host" if target.is_host else target.target_id - write_cache(cache_id, { - "timestamp": datetime.now().isoformat(), - "apt_count": result.apt_count, - "apt_packages": result.apt_packages, - "cve_count": result.cve_count, - "cve_list": result.cve_list, - "error": result.error - }) - + def on_result(result: ScanResult): + self.results[result.target.target_id] = result + idx = 0 + for i, t in enumerate(self.targets): + if t.target_id == result.target.target_id: + idx = i + break self.call_from_thread(self._update_loader_status, idx, result.status) - self.call_from_thread(self._update_sidebar, target.target_id, result) + self.call_from_thread(self._update_sidebar, result.target.target_id, result) + results = run_full_scan(progress_cb) + for r in results: + on_result(r) self.call_from_thread(self._finish_scan) def _update_loader(self, pct: float): @@ -157,8 +116,12 @@ class FullUpdaterApp(App): res.error, res.status == "skipped" ) + # Forcer le rafraichissement de l'interface + sidebar.refresh() if self.targets: self._select_target(self.targets[0].target_id) + summary = self.query_one(SummaryPanel) + summary.refresh() def _select_target(self, target_id: str): self.selected_target = target_id @@ -179,6 +142,7 @@ class FullUpdaterApp(App): skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) ) + summary.refresh() def on_sidebar_target_selected(self, event: Sidebar.TargetSelected): self._select_target(event.target_id) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 2f738fe..9462621 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -1,7 +1,5 @@ -import asyncio -import json +import concurrent.futures import re -import shutil import subprocess from dataclasses import dataclass, field from typing import Any @@ -65,7 +63,6 @@ def lxc_is_running(vmid: str) -> bool: def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: """Retourne (ok, error_msg)""" if is_host: - # Vérifier si debsecan est installé sur l'hôte ok, _, _ = run_cmd(["which", "debsecan"]) if ok: return True, "" @@ -77,7 +74,6 @@ def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str] return False, f"apt-get install debsecan failed: {err}" return True, "" else: - # Vérifier dans le LXC ok, _, _ = run_cmd(["pct", "exec", vmid, "--", "which", "debsecan"]) if ok: return True, "" @@ -108,12 +104,10 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: if len(parts) < 2: continue name = parts[0].strip() - rest = parts[1] - # Format: apt list --upgradable -> name/arch version suite [upgradable from: oldver] + # Essayer d'extraire la nouvelle version et l'ancienne m = re.search(r"\[upgradable from:\s+([^\]]+)\]", line) if m: old_ver = m.group(1).strip() - # Essayer d'extraire la nouvelle version (avant le [upgradable from:]) prefix = line.split("[upgradable from:")[0].strip() ver_m = re.search(r"/\S+\s+(\S+)\s+\S+", prefix) new_ver = ver_m.group(1) if ver_m else "?" @@ -124,7 +118,6 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: "size": "-" }) else: - # fallback simple packages.append({ "name": name, "current": "?", @@ -146,7 +139,6 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: cves = [] for line in stdout.splitlines(): - # Format debsecan: CVE-XXXX-XXXX package [remote] [low] - description m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: cve_id = m.group(1) @@ -159,38 +151,25 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: return True, cves, "" -async def scan_target(target: Target, result: ScanResult, progress_cb: Any) -> None: - """Scanne une cible (APT puis CVE) et écrit le cache.""" +def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: + """Scanne une cible (APT + CVE) et retourne le résultat.""" + result = ScanResult(target=target) result.status = "running" - await progress_cb() + progress_cb() - # Vérifier si LXC est allumé if not target.is_host and not lxc_is_running(target.target_id): result.status = "skipped" - result.apt_ok = False - result.cve_ok = False - write_cache(target.target_id, { - "timestamp": "", - "apt_count": 0, - "apt_packages": [], - "cve_count": 0, - "cve_list": [], - "error": "LXC éteint" - }) - await progress_cb() - return + return result - # Auto-install debsecan debsecan_ok, debsecan_err = ensure_debsecan_installed(target.is_host, target.target_id) + progress_cb() - # Scan APT apt_ok, apt_packages, apt_err = scan_apt(target) result.apt_ok = apt_ok result.apt_count = len(apt_packages) result.apt_packages = apt_packages - await progress_cb() + progress_cb() - # Scan CVE if debsecan_ok: cve_ok, cve_list, cve_err = scan_cve(target) result.cve_ok = cve_ok @@ -200,29 +179,48 @@ async def scan_target(target: Target, result: ScanResult, progress_cb: Any) -> N result.error = cve_err else: result.cve_ok = False - result.cve_count = 0 - result.cve_list = [] result.error = f"debsecan: {debsecan_err}" - await progress_cb() + progress_cb() result.status = "done" if (result.apt_ok and result.cve_ok) else "error" if result.error: result.status = "error" - write_cache(target.target_id if not target.is_host else "host", { - "timestamp": "", # sera rempli par l'appelant + cache_id = "host" if target.is_host else target.target_id + from datetime import datetime + write_cache(cache_id, { + "timestamp": datetime.now().isoformat(), "apt_count": result.apt_count, "apt_packages": result.apt_packages, "cve_count": result.cve_count, "cve_list": result.cve_list, "error": result.error }) - await progress_cb() + progress_cb() + return result -async def run_full_scan(progress_cb: Any) -> list[ScanResult]: +def run_full_scan(progress_cb: Any) -> list[ScanResult]: targets = [Target(target_id="host", name="hote", is_host=True)] + get_lxc_list() - results = [ScanResult(target=t) for t in targets] - tasks = [scan_target(r.target, r, progress_cb) for r in results] - await asyncio.gather(*tasks) + results = [] + completed = 0 + total = len(targets) + + def _progress(): + nonlocal completed + completed += 1 + pct = min(100.0, (completed / (total * 4)) * 100) + progress_cb(pct) + + with concurrent.futures.ThreadPoolExecutor(max_workers=8) as executor: + futures = {executor.submit(scan_single_target, t, _progress): t for t in targets} + for future in concurrent.futures.as_completed(futures): + try: + result = future.result() + results.append(result) + except Exception as e: + target = futures[future] + result = ScanResult(target=target, status="error", error=str(e)) + results.append(result) + return results diff --git a/full_updater/ui/cve_table.py b/full_updater/ui/cve_table.py index ae4a144..c12d1d4 100644 --- a/full_updater/ui/cve_table.py +++ b/full_updater/ui/cve_table.py @@ -28,18 +28,15 @@ class CVETable(Vertical): def __init__(self): super().__init__() - self.table = None + self.table = DataTable(id="cve-table") self.urls = {} def compose(self): with Horizontal(id="cve-toolbar"): yield Button("⬅ Retour", id="cve-back") - self.table = DataTable(id="cve-table") - yield self.table - - def on_mount(self): self.table.add_columns("CVE-ID", "Paquet", "Lien") self.table.cursor_type = "row" + yield self.table def load_data(self, cves: list[dict]): self.table.clear() diff --git a/full_updater/ui/package_table.py b/full_updater/ui/package_table.py index 25f4fcd..274f94c 100644 --- a/full_updater/ui/package_table.py +++ b/full_updater/ui/package_table.py @@ -22,16 +22,13 @@ class PackageTable(Vertical): def __init__(self): super().__init__() - self.table = None + self.table = DataTable(id="pkg-table") def compose(self): with Horizontal(id="pkg-toolbar"): yield Button("⬅ Retour", id="pkg-back") - self.table = DataTable(id="pkg-table") - yield self.table - - def on_mount(self): self.table.add_columns("Nom", "Version actuelle", "Nouvelle version", "Taille") + yield self.table def load_data(self, packages: list[dict]): self.table.clear() From 2237d83ddd2f6dca39b0ce6961427d4d75c3e2d0 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:26:18 +0200 Subject: [PATCH 04/24] fix(ui,backend): async scan with asyncio.gather, fix CVE back button focus - Replace ThreadPoolExecutor with asyncio.gather + asyncio.to_thread - Use @work async worker for proper Textual integration - Add table.focus() after mount to ensure button events are received - Remove all call_from_thread calls (now in main thread) --- full_updater/app.py | 20 ++++---- full_updater/backend/scanner.py | 89 ++++++++++++++++++++++++--------- 2 files changed, 75 insertions(+), 34 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 9a477d4..76a0f6c 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -11,7 +11,7 @@ from full_updater.backend.cache import ensure_cache_dir, read_cache, get_cache_t from full_updater.backend.scanner import ( Target, ScanResult, get_lxc_list, lxc_is_running, ensure_debsecan_installed, scan_apt, scan_cve, write_cache, - run_full_scan + run_full_scan_async ) from full_updater.backend.executor import UpgradeExecutor from full_updater.ui.loader import LoaderScreen @@ -57,16 +57,16 @@ class FullUpdaterApp(App): self.push_screen(self.loader_screen) self.run_scan_all() - @work(thread=True) - def run_scan_all(self): + @work + async def run_scan_all(self): total = len(self.targets) completed = 0 - def progress_cb(): + async def progress_cb(): nonlocal completed completed += 1 pct = min(100.0, (completed / (total * 4)) * 100) - self.call_from_thread(self._update_loader, pct) + self._update_loader(pct) def on_result(result: ScanResult): self.results[result.target.target_id] = result @@ -75,13 +75,13 @@ class FullUpdaterApp(App): if t.target_id == result.target.target_id: idx = i break - self.call_from_thread(self._update_loader_status, idx, result.status) - self.call_from_thread(self._update_sidebar, result.target.target_id, result) + self._update_loader_status(idx, result.status) + self._update_sidebar(result.target.target_id, result) - results = run_full_scan(progress_cb) + results = await run_full_scan_async(progress_cb) for r in results: on_result(r) - self.call_from_thread(self._finish_scan) + self._finish_scan() def _update_loader(self, pct: float): if self.loader_screen: @@ -257,6 +257,7 @@ class FullUpdaterApp(App): self.mount(table) self.query_one("#main-layout").display = False table.load_data(pkgs) + table.focus() def on_summary_panel_cve_clicked(self, event: SummaryPanel.CveClicked): cache_id = "host" if event.target_id == "host" else event.target_id @@ -268,6 +269,7 @@ class FullUpdaterApp(App): self.mount(table) self.query_one("#main-layout").display = False table.load_data(cves) + table.focus() def on_package_table_back_pressed(self, event: PackageTable.BackPressed): self.query_one("#main-layout").display = True diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 9462621..1933c3b 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -1,10 +1,11 @@ -import concurrent.futures +import asyncio import re import subprocess from dataclasses import dataclass, field from typing import Any from full_updater.backend.cache import write_cache +from datetime import datetime @dataclass @@ -187,7 +188,6 @@ def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: result.status = "error" cache_id = "host" if target.is_host else target.target_id - from datetime import datetime write_cache(cache_id, { "timestamp": datetime.now().isoformat(), "apt_count": result.apt_count, @@ -200,27 +200,66 @@ def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: return result -def run_full_scan(progress_cb: Any) -> list[ScanResult]: +async def scan_single_target_async(target: Target, progress_cb: Any) -> ScanResult: + """Version async de scan_single_target (pour asyncio.gather).""" + result = ScanResult(target=target) + result.status = "running" + await progress_cb() + + if not target.is_host and not lxc_is_running(target.target_id): + result.status = "skipped" + await progress_cb() + await progress_cb() + await progress_cb() + await progress_cb() + return result + + debsecan_ok, debsecan_err = await asyncio.to_thread(ensure_debsecan_installed, target.is_host, target.target_id) + await progress_cb() + + apt_ok, apt_packages, apt_err = await asyncio.to_thread(scan_apt, target) + result.apt_ok = apt_ok + result.apt_count = len(apt_packages) + result.apt_packages = apt_packages + await progress_cb() + + if debsecan_ok: + cve_ok, cve_list, cve_err = await asyncio.to_thread(scan_cve, target) + result.cve_ok = cve_ok + result.cve_count = len(cve_list) + result.cve_list = cve_list + if not cve_ok: + result.error = cve_err + else: + result.cve_ok = False + result.error = f"debsecan: {debsecan_err}" + await progress_cb() + + result.status = "done" if (result.apt_ok and result.cve_ok) else "error" + if result.error: + result.status = "error" + + cache_id = "host" if target.is_host else target.target_id + write_cache(cache_id, { + "timestamp": datetime.now().isoformat(), + "apt_count": result.apt_count, + "apt_packages": result.apt_packages, + "cve_count": result.cve_count, + "cve_list": result.cve_list, + "error": result.error + }) + await progress_cb() + return result + + +async def run_full_scan_async(progress_cb: Any) -> list[ScanResult]: targets = [Target(target_id="host", name="hote", is_host=True)] + get_lxc_list() - results = [] - completed = 0 - total = len(targets) - - def _progress(): - nonlocal completed - completed += 1 - pct = min(100.0, (completed / (total * 4)) * 100) - progress_cb(pct) - - with concurrent.futures.ThreadPoolExecutor(max_workers=8) as executor: - futures = {executor.submit(scan_single_target, t, _progress): t for t in targets} - for future in concurrent.futures.as_completed(futures): - try: - result = future.result() - results.append(result) - except Exception as e: - target = futures[future] - result = ScanResult(target=target, status="error", error=str(e)) - results.append(result) - - return results + coros = [scan_single_target_async(t, progress_cb) for t in targets] + results = await asyncio.gather(*coros, return_exceptions=True) + out = [] + for r in results: + if isinstance(r, Exception): + out.append(ScanResult(target=Target(target_id="unknown", name="unknown", is_host=False), status="error", error=str(r))) + else: + out.append(r) + return out From 76eb75d4a6370aaf0dede479b66ebbe16f80aa90 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:36:45 +0200 Subject: [PATCH 05/24] refactor: sequential scan, screens for details, new sidebar layout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Scan sequential with asyncio.to_thread for proper Textual integration - Use push_screen/pop_screen for package/CVE lists (no more mount/remove) - Sidebar now shows 'APT X CVE X' with right-aligned indicators - Loader uses black circles (⚫) for pending tasks - Removed unused package_table.py and cve_table.py --- full_updater/app.py | 88 +++++------------- full_updater/backend/scanner.py | 145 +++++------------------------- full_updater/ui/cve_table.py | 69 -------------- full_updater/ui/detail_screens.py | 80 +++++++++++++++++ full_updater/ui/loader.py | 16 ++-- full_updater/ui/package_table.py | 45 ---------- full_updater/ui/sidebar.py | 26 ++++-- 7 files changed, 150 insertions(+), 319 deletions(-) delete mode 100644 full_updater/ui/cve_table.py create mode 100644 full_updater/ui/detail_screens.py delete mode 100644 full_updater/ui/package_table.py diff --git a/full_updater/app.py b/full_updater/app.py index 76a0f6c..969a526 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -4,21 +4,18 @@ from datetime import datetime from textual.app import App, ComposeResult from textual.containers import Horizontal, Vertical from textual.reactive import reactive -from textual.worker import get_current_worker from textual import work from full_updater.backend.cache import ensure_cache_dir, read_cache, get_cache_timestamp from full_updater.backend.scanner import ( Target, ScanResult, get_lxc_list, lxc_is_running, - ensure_debsecan_installed, scan_apt, scan_cve, write_cache, - run_full_scan_async + ensure_debsecan_installed, scan_apt, scan_cve, write_cache, scan_target ) from full_updater.backend.executor import UpgradeExecutor from full_updater.ui.loader import LoaderScreen from full_updater.ui.sidebar import Sidebar from full_updater.ui.summary import SummaryPanel -from full_updater.ui.package_table import PackageTable -from full_updater.ui.cve_table import CVETable +from full_updater.ui.detail_screens import PackageListScreen, CVEListScreen from full_updater.ui.log_panel import LogPanel from full_updater.ui.confirm_modal import ConfirmModal @@ -27,7 +24,7 @@ class FullUpdaterApp(App): CSS = """ Screen { align: center middle; } #main-layout { layout: horizontal; height: 100%; } - Sidebar { width: 30; } + Sidebar { width: 42; } #content { width: 1fr; } """ @@ -62,25 +59,19 @@ class FullUpdaterApp(App): total = len(self.targets) completed = 0 - async def progress_cb(): + def progress_cb(): nonlocal completed completed += 1 pct = min(100.0, (completed / (total * 4)) * 100) self._update_loader(pct) - def on_result(result: ScanResult): - self.results[result.target.target_id] = result - idx = 0 - for i, t in enumerate(self.targets): - if t.target_id == result.target.target_id: - idx = i - break + for idx, target in enumerate(self.targets): + self._update_loader_status(idx, "running") + result = await asyncio.to_thread(scan_target, target, progress_cb) + self.results[target.target_id] = result self._update_loader_status(idx, result.status) - self._update_sidebar(result.target.target_id, result) + self._update_sidebar(target.target_id, result) - results = await run_full_scan_async(progress_cb) - for r in results: - on_result(r) self._finish_scan() def _update_loader(self, pct: float): @@ -116,12 +107,9 @@ class FullUpdaterApp(App): res.error, res.status == "skipped" ) - # Forcer le rafraichissement de l'interface sidebar.refresh() if self.targets: self._select_target(self.targets[0].target_id) - summary = self.query_one(SummaryPanel) - summary.refresh() def _select_target(self, target_id: str): self.selected_target = target_id @@ -151,8 +139,8 @@ class FullUpdaterApp(App): if self.selected_target: self._reload_target(self.selected_target) - @work(thread=True) - def _reload_target(self, target_id: str): + @work + async def _reload_target(self, target_id: str): target = None for t in self.targets: if t.target_id == target_id: @@ -167,32 +155,18 @@ class FullUpdaterApp(App): self.results[target.target_id] = result write_cache(target.target_id, { "timestamp": datetime.now().isoformat(), - "apt_count": 0, - "apt_packages": [], - "cve_count": 0, - "cve_list": [], + "apt_count": 0, "apt_packages": [], + "cve_count": 0, "cve_list": [], "error": "LXC éteint" }) - self.call_from_thread(self._update_sidebar, target.target_id, result) - self.call_from_thread(self._select_target, target.target_id) + self._update_sidebar(target.target_id, result) + self._select_target(target.target_id) return - ensure_debsecan_installed(target.is_host, target.target_id) - apt_ok, apt_packages, apt_err = scan_apt(target) - cve_ok, cve_list, cve_err = scan_cve(target) - error = apt_err or cve_err + def dummy_progress(): + pass - result = ScanResult( - target=target, - apt_ok=apt_ok, - cve_ok=cve_ok, - apt_count=len(apt_packages), - cve_count=len(cve_list), - apt_packages=apt_packages, - cve_list=cve_list, - error=error, - status="done" if (apt_ok and cve_ok) else "error" - ) + result = await asyncio.to_thread(scan_target, target, dummy_progress) self.results[target.target_id] = result cache_id = "host" if target.is_host else target.target_id write_cache(cache_id, { @@ -203,8 +177,8 @@ class FullUpdaterApp(App): "cve_list": result.cve_list, "error": result.error }) - self.call_from_thread(self._update_sidebar, target.target_id, result) - self.call_from_thread(self._select_target, target.target_id) + self._update_sidebar(target.target_id, result) + self._select_target(target.target_id) def on_summary_panel_upgrade_pressed(self, event: SummaryPanel.UpgradePressed): self.push_screen( @@ -253,11 +227,7 @@ class FullUpdaterApp(App): pkgs = data.get("apt_packages", []) if not pkgs: return - table = PackageTable() - self.mount(table) - self.query_one("#main-layout").display = False - table.load_data(pkgs) - table.focus() + self.push_screen(PackageListScreen(pkgs)) def on_summary_panel_cve_clicked(self, event: SummaryPanel.CveClicked): cache_id = "host" if event.target_id == "host" else event.target_id @@ -265,18 +235,4 @@ class FullUpdaterApp(App): cves = data.get("cve_list", []) if not cves: return - table = CVETable() - self.mount(table) - self.query_one("#main-layout").display = False - table.load_data(cves) - table.focus() - - def on_package_table_back_pressed(self, event: PackageTable.BackPressed): - self.query_one("#main-layout").display = True - for widget in self.query(PackageTable): - widget.remove() - - def on_cve_table_back_pressed(self, event: CVETable.BackPressed): - self.query_one("#main-layout").display = True - for widget in self.query(CVETable): - widget.remove() + self.push_screen(CVEListScreen(cves)) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 1933c3b..4271c74 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -1,17 +1,16 @@ -import asyncio import re import subprocess from dataclasses import dataclass, field -from typing import Any +from datetime import datetime +from typing import Callable from full_updater.backend.cache import write_cache -from datetime import datetime @dataclass class Target: - target_id: str # 'host' ou '100' - name: str # 'hote' ou '100 traefik' + target_id: str + name: str is_host: bool @@ -25,14 +24,12 @@ class ScanResult: apt_packages: list[dict[str, str]] = field(default_factory=list) cve_list: list[dict[str, str]] = field(default_factory=list) error: str = "" - status: str = "pending" # pending | running | done | error | skipped + status: str = "pending" def run_cmd(cmd: list[str], timeout: int = 120) -> tuple[bool, str, str]: try: - proc = subprocess.run( - cmd, capture_output=True, text=True, timeout=timeout, check=False - ) + proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=False) return proc.returncode == 0, proc.stdout, proc.stderr except subprocess.TimeoutExpired: return False, "", "Command timed out" @@ -41,7 +38,7 @@ def run_cmd(cmd: list[str], timeout: int = 120) -> tuple[bool, str, str]: def get_lxc_list() -> list[Target]: - ok, stdout, stderr = run_cmd(["pct", "list"]) + ok, stdout, _ = run_cmd(["pct", "list"]) if not ok: return [] targets = [] @@ -56,43 +53,32 @@ def get_lxc_list() -> list[Target]: def lxc_is_running(vmid: str) -> bool: ok, stdout, _ = run_cmd(["pct", "status", vmid]) - if ok and "running" in stdout.lower(): - return True - return False + return ok and "running" in stdout.lower() def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: - """Retourne (ok, error_msg)""" if is_host: ok, _, _ = run_cmd(["which", "debsecan"]) if ok: return True, "" - ok, out, err = run_cmd(["apt-get", "update"], timeout=60) + ok, _, err = run_cmd(["apt-get", "update"], timeout=60) if not ok: return False, f"apt-get update failed: {err}" - ok, out, err = run_cmd(["apt-get", "install", "-y", "debsecan"], timeout=120) - if not ok: - return False, f"apt-get install debsecan failed: {err}" - return True, "" + ok, _, err = run_cmd(["apt-get", "install", "-y", "debsecan"], timeout=120) + return (True, "") if ok else (False, f"apt-get install debsecan failed: {err}") else: ok, _, _ = run_cmd(["pct", "exec", vmid, "--", "which", "debsecan"]) if ok: return True, "" - ok, out, err = run_cmd(["pct", "exec", vmid, "--", "apt-get", "update"], timeout=60) + ok, _, err = run_cmd(["pct", "exec", vmid, "--", "apt-get", "update"], timeout=60) if not ok: return False, f"apt-get update failed in {vmid}: {err}" - ok, out, err = run_cmd(["pct", "exec", vmid, "--", "apt-get", "install", "-y", "debsecan"], timeout=120) - if not ok: - return False, f"apt-get install debsecan failed in {vmid}: {err}" - return True, "" + ok, _, err = run_cmd(["pct", "exec", vmid, "--", "apt-get", "install", "-y", "debsecan"], timeout=120) + return (True, "") if ok else (False, f"apt-get install debsecan failed in {vmid}: {err}") def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: - if target.is_host: - cmd = ["apt", "list", "--upgradable"] - else: - cmd = ["pct", "exec", target.target_id, "--", "apt", "list", "--upgradable"] - + cmd = ["apt", "list", "--upgradable"] if target.is_host else ["pct", "exec", target.target_id, "--", "apt", "list", "--upgradable"] ok, stdout, stderr = run_cmd(cmd, timeout=120) if not ok: return False, [], stderr or stdout @@ -105,35 +91,20 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: if len(parts) < 2: continue name = parts[0].strip() - # Essayer d'extraire la nouvelle version et l'ancienne m = re.search(r"\[upgradable from:\s+([^\]]+)\]", line) if m: old_ver = m.group(1).strip() prefix = line.split("[upgradable from:")[0].strip() ver_m = re.search(r"/\S+\s+(\S+)\s+\S+", prefix) new_ver = ver_m.group(1) if ver_m else "?" - packages.append({ - "name": name, - "current": old_ver, - "new": new_ver, - "size": "-" - }) + packages.append({"name": name, "current": old_ver, "new": new_ver, "size": "-"}) else: - packages.append({ - "name": name, - "current": "?", - "new": "?", - "size": "-" - }) + packages.append({"name": name, "current": "?", "new": "?", "size": "-"}) return True, packages, "" def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: - if target.is_host: - cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] - else: - cmd = ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"] - + cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"] ok, stdout, stderr = run_cmd(cmd, timeout=120) if not ok: return False, [], stderr or stdout @@ -142,24 +113,18 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: for line in stdout.splitlines(): m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: - cve_id = m.group(1) - pkg = m.group(2) - cves.append({ - "id": cve_id, - "package": pkg, - "url": f"https://security-tracker.debian.org/tracker/{cve_id}" - }) + cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"}) return True, cves, "" -def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: - """Scanne une cible (APT + CVE) et retourne le résultat.""" +def scan_target(target: Target, progress_cb: Callable) -> ScanResult: result = ScanResult(target=target) result.status = "running" progress_cb() if not target.is_host and not lxc_is_running(target.target_id): result.status = "skipped" + progress_cb(); progress_cb(); progress_cb(); progress_cb() return result debsecan_ok, debsecan_err = ensure_debsecan_installed(target.is_host, target.target_id) @@ -187,8 +152,7 @@ def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: if result.error: result.status = "error" - cache_id = "host" if target.is_host else target.target_id - write_cache(cache_id, { + write_cache("host" if target.is_host else target.target_id, { "timestamp": datetime.now().isoformat(), "apt_count": result.apt_count, "apt_packages": result.apt_packages, @@ -198,68 +162,3 @@ def scan_single_target(target: Target, progress_cb: Any) -> ScanResult: }) progress_cb() return result - - -async def scan_single_target_async(target: Target, progress_cb: Any) -> ScanResult: - """Version async de scan_single_target (pour asyncio.gather).""" - result = ScanResult(target=target) - result.status = "running" - await progress_cb() - - if not target.is_host and not lxc_is_running(target.target_id): - result.status = "skipped" - await progress_cb() - await progress_cb() - await progress_cb() - await progress_cb() - return result - - debsecan_ok, debsecan_err = await asyncio.to_thread(ensure_debsecan_installed, target.is_host, target.target_id) - await progress_cb() - - apt_ok, apt_packages, apt_err = await asyncio.to_thread(scan_apt, target) - result.apt_ok = apt_ok - result.apt_count = len(apt_packages) - result.apt_packages = apt_packages - await progress_cb() - - if debsecan_ok: - cve_ok, cve_list, cve_err = await asyncio.to_thread(scan_cve, target) - result.cve_ok = cve_ok - result.cve_count = len(cve_list) - result.cve_list = cve_list - if not cve_ok: - result.error = cve_err - else: - result.cve_ok = False - result.error = f"debsecan: {debsecan_err}" - await progress_cb() - - result.status = "done" if (result.apt_ok and result.cve_ok) else "error" - if result.error: - result.status = "error" - - cache_id = "host" if target.is_host else target.target_id - write_cache(cache_id, { - "timestamp": datetime.now().isoformat(), - "apt_count": result.apt_count, - "apt_packages": result.apt_packages, - "cve_count": result.cve_count, - "cve_list": result.cve_list, - "error": result.error - }) - await progress_cb() - return result - - -async def run_full_scan_async(progress_cb: Any) -> list[ScanResult]: - targets = [Target(target_id="host", name="hote", is_host=True)] + get_lxc_list() - coros = [scan_single_target_async(t, progress_cb) for t in targets] - results = await asyncio.gather(*coros, return_exceptions=True) - out = [] - for r in results: - if isinstance(r, Exception): - out.append(ScanResult(target=Target(target_id="unknown", name="unknown", is_host=False), status="error", error=str(r))) - else: - out.append(r) - return out diff --git a/full_updater/ui/cve_table.py b/full_updater/ui/cve_table.py deleted file mode 100644 index c12d1d4..0000000 --- a/full_updater/ui/cve_table.py +++ /dev/null @@ -1,69 +0,0 @@ -from textual.widgets import DataTable, Button -from textual.containers import Vertical, Horizontal -from textual.message import Message - -try: - import pyperclip - PYPERCLIP_OK = True -except Exception: - PYPERCLIP_OK = False - - -class CVETable(Vertical): - DEFAULT_CSS = """ - CVETable { - padding: 1 2; - } - #cve-toolbar { - height: auto; - margin-bottom: 1; - } - DataTable { - height: 1fr; - } - """ - - class BackPressed(Message): - pass - - def __init__(self): - super().__init__() - self.table = DataTable(id="cve-table") - self.urls = {} - - def compose(self): - with Horizontal(id="cve-toolbar"): - yield Button("⬅ Retour", id="cve-back") - self.table.add_columns("CVE-ID", "Paquet", "Lien") - self.table.cursor_type = "row" - yield self.table - - def load_data(self, cves: list[dict]): - self.table.clear() - self.urls = {} - for i, cve in enumerate(cves): - cve_id = cve.get("id", "?") - pkg = cve.get("package", "?") - url = cve.get("url", "") - self.urls[i] = url - self.table.add_row(cve_id, pkg, url) - - def on_data_table_row_selected(self, event: DataTable.RowSelected): - row_key = event.row_key - row_index = list(self.table.rows.keys()).index(row_key) - url = self.urls.get(row_index, "") - if not url: - return - if PYPERCLIP_OK: - try: - pyperclip.copy(url) - self.notify(f"Lien copié : {url}", severity="information") - return - except Exception: - pass - # Fallback : afficher le lien dans une notification - self.notify(f"Lien (copie manuelle) : {url}", severity="warning") - - def on_button_pressed(self, event: Button.Pressed): - if event.button.id == "cve-back": - self.post_message(self.BackPressed()) diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py new file mode 100644 index 0000000..31723fb --- /dev/null +++ b/full_updater/ui/detail_screens.py @@ -0,0 +1,80 @@ +from textual.screen import Screen +from textual.widgets import DataTable, Button, Static +from textual.containers import Vertical, Horizontal + +try: + import pyperclip + PYPERCLIP_OK = True +except Exception: + PYPERCLIP_OK = False + + +class PackageListScreen(Screen): + BINDINGS = [("b", "back", "Retour")] + + def __init__(self, packages: list[dict]): + super().__init__() + self.packages = packages + + def compose(self): + with Vertical(): + with Horizontal(id="pkg-toolbar"): + yield Button("⬅ Retour", id="pkg-back", variant="default") + table = DataTable(id="pkg-table") + table.add_columns("Nom", "Version actuelle", "Nouvelle version", "Taille") + for pkg in self.packages: + table.add_row(pkg.get("name", "?"), pkg.get("current", "?"), pkg.get("new", "?"), pkg.get("size", "-")) + yield table + + def on_button_pressed(self, event: Button.Pressed): + if event.button.id == "pkg-back": + self.app.pop_screen() + + def action_back(self): + self.app.pop_screen() + + +class CVEListScreen(Screen): + BINDINGS = [("b", "back", "Retour")] + + def __init__(self, cves: list[dict]): + super().__init__() + self.cves = cves + self.urls = {} + + def compose(self): + with Vertical(): + with Horizontal(id="cve-toolbar"): + yield Button("⬅ Retour", id="cve-back", variant="default") + table = DataTable(id="cve-table") + table.add_columns("CVE-ID", "Paquet", "Lien") + table.cursor_type = "row" + for i, cve in enumerate(self.cves): + cve_id = cve.get("id", "?") + pkg = cve.get("package", "?") + url = cve.get("url", "") + self.urls[i] = url + table.add_row(cve_id, pkg, url) + yield table + + def on_data_table_row_selected(self, event: DataTable.RowSelected): + row_key = event.row_key + row_index = list(self.query_one("#cve-table").rows.keys()).index(row_key) + url = self.urls.get(row_index, "") + if not url: + return + if PYPERCLIP_OK: + try: + pyperclip.copy(url) + self.notify(f"Lien copié : {url}", severity="information") + return + except Exception: + pass + self.notify(f"Lien (copie manuelle) : {url}", severity="warning") + + def on_button_pressed(self, event: Button.Pressed): + if event.button.id == "cve-back": + self.app.pop_screen() + + def action_back(self): + self.app.pop_screen() diff --git a/full_updater/ui/loader.py b/full_updater/ui/loader.py index 2fc36c2..3943cf0 100644 --- a/full_updater/ui/loader.py +++ b/full_updater/ui/loader.py @@ -16,7 +16,7 @@ class LoaderScreen(Screen): self.status_lines = [self._fmt_line(t) for t in targets] def _fmt_line(self, target) -> str: - return f"{target.name}: 🟠 🟠" + return f"{target.name:20} ⚫ ⚫" def compose(self): with Container(id="loader-container"): @@ -29,10 +29,8 @@ class LoaderScreen(Screen): def watch_progress(self, value: float): try: - bar = self.query_one("#loader-bar", ProgressBar) - bar.progress = value - pct = self.query_one("#loader-percent", Static) - pct.update(f"{value:.0f} %") + self.query_one("#loader-bar", ProgressBar).progress = value + self.query_one("#loader-percent", Static).update(f"{value:.0f} %") except Exception: pass @@ -51,11 +49,11 @@ class LoaderScreen(Screen): lines = list(self.status_lines) t = self._targets[idx] if status == "done": - lines[idx] = f"{t.name}: 🟢 🟢" + lines[idx] = f"{t.name:20} 🟢 🟢" elif status == "error": - lines[idx] = f"{t.name}: 🔴 🔴" + lines[idx] = f"{t.name:20} 🔴 🔴" elif status == "skipped": - lines[idx] = f"{t.name}: ⚪ ⚪" + lines[idx] = f"{t.name:20} ⚪ ⚪" else: - lines[idx] = f"{t.name}: 🟠 🟠" + lines[idx] = f"{t.name:20} 🟠 🟠" self.status_lines = lines diff --git a/full_updater/ui/package_table.py b/full_updater/ui/package_table.py deleted file mode 100644 index 274f94c..0000000 --- a/full_updater/ui/package_table.py +++ /dev/null @@ -1,45 +0,0 @@ -from textual.widgets import DataTable, Button -from textual.containers import Vertical, Horizontal -from textual.message import Message - - -class PackageTable(Vertical): - DEFAULT_CSS = """ - PackageTable { - padding: 1 2; - } - #pkg-toolbar { - height: auto; - margin-bottom: 1; - } - DataTable { - height: 1fr; - } - """ - - class BackPressed(Message): - pass - - def __init__(self): - super().__init__() - self.table = DataTable(id="pkg-table") - - def compose(self): - with Horizontal(id="pkg-toolbar"): - yield Button("⬅ Retour", id="pkg-back") - self.table.add_columns("Nom", "Version actuelle", "Nouvelle version", "Taille") - yield self.table - - def load_data(self, packages: list[dict]): - self.table.clear() - for pkg in packages: - self.table.add_row( - pkg.get("name", "?"), - pkg.get("current", "?"), - pkg.get("new", "?"), - pkg.get("size", "-") - ) - - def on_button_pressed(self, event: Button.Pressed): - if event.button.id == "pkg-back": - self.post_message(self.BackPressed()) diff --git a/full_updater/ui/sidebar.py b/full_updater/ui/sidebar.py index 88f0c22..892d76b 100644 --- a/full_updater/ui/sidebar.py +++ b/full_updater/ui/sidebar.py @@ -6,7 +6,7 @@ from textual.message import Message class Sidebar(Vertical): DEFAULT_CSS = """ Sidebar { - width: 28; + width: 40; border-right: solid $primary-lighten-2; padding: 0 1; } @@ -42,7 +42,8 @@ class Sidebar(Vertical): lv.clear() self._items = [] for t in targets: - label = f"{t.name} 🟠 🟠" + # Format: "100 traefik APT ⚫ CVE ⚫" + label = f"{t.name:20} APT ⚫ CVE ⚫" item = ListItem(Label(label), id=f"target-{t.target_id}") lv.append(item) self._items.append((t.target_id, t.name, item)) @@ -51,13 +52,24 @@ class Sidebar(Vertical): for tid, name, item in self._items: if tid == target_id: if skipped: - label = f"{name} ⚪ ⚪" + apt_color = "⚪" + cve_color = "⚪" elif error: - label = f"{name} 🔴 🔴" - elif apt_count > 0 or cve_count > 0: - label = f"{name} {'🔴' if apt_count > 0 else '🟢'} {'🔴' if cve_count > 0 else '🟢'}" + apt_color = "🔴" + cve_color = "🔴" + elif apt_count > 0: + apt_color = "🔴" else: - label = f"{name} 🟢 🟢" + apt_color = "🟢" + + if error and cve_count == 0: + cve_color = "🔴" + elif cve_count > 0: + cve_color = "🔴" + else: + cve_color = "🟢" + + label = f"{name:20} APT {apt_color} CVE {cve_color}" item.children[0].update(label) break From 1715a6cf0136c9509a284f82fafffa2fcd5693af Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:44:28 +0200 Subject: [PATCH 06/24] fix(ui): add proper CSS layout for detail screens - Add dock: top and fixed height for toolbar buttons - DataTable now fills remaining space with height: 1fr - Add borders and padding for better visual separation --- full_updater/ui/detail_screens.py | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index 31723fb..7299705 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -1,5 +1,5 @@ from textual.screen import Screen -from textual.widgets import DataTable, Button, Static +from textual.widgets import DataTable, Button from textual.containers import Vertical, Horizontal try: @@ -9,8 +9,24 @@ except Exception: PYPERCLIP_OK = False +SCREEN_CSS = """ + align: left top; + padding: 1 2; + #toolbar { + height: auto; + dock: top; + margin-bottom: 1; + } + DataTable { + height: 1fr; + border: solid $primary; + } +""" + + class PackageListScreen(Screen): BINDINGS = [("b", "back", "Retour")] + CSS = SCREEN_CSS def __init__(self, packages: list[dict]): super().__init__() @@ -18,7 +34,7 @@ class PackageListScreen(Screen): def compose(self): with Vertical(): - with Horizontal(id="pkg-toolbar"): + with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="pkg-back", variant="default") table = DataTable(id="pkg-table") table.add_columns("Nom", "Version actuelle", "Nouvelle version", "Taille") @@ -36,6 +52,7 @@ class PackageListScreen(Screen): class CVEListScreen(Screen): BINDINGS = [("b", "back", "Retour")] + CSS = SCREEN_CSS def __init__(self, cves: list[dict]): super().__init__() @@ -44,7 +61,7 @@ class CVEListScreen(Screen): def compose(self): with Vertical(): - with Horizontal(id="cve-toolbar"): + with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="cve-back", variant="default") table = DataTable(id="cve-table") table.add_columns("CVE-ID", "Paquet", "Lien") From 07e84ae69f78b6be588382149504adbebb2f1d36 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:48:00 +0200 Subject: [PATCH 07/24] fix(ui): use DEFAULT_CSS with selectors in detail screens - Replace inline CSS string with DEFAULT_CSS class attribute - Add proper Textual CSS selectors (ScreenName, #toolbar, DataTable) - Remove invalid align at root level --- full_updater/ui/detail_screens.py | 37 ++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index 7299705..dc64962 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -9,24 +9,22 @@ except Exception: PYPERCLIP_OK = False -SCREEN_CSS = """ - align: left top; - padding: 1 2; - #toolbar { +class PackageListScreen(Screen): + BINDINGS = [("b", "back", "Retour")] + DEFAULT_CSS = """ + PackageListScreen { + align: left top; + padding: 1 2; + } + PackageListScreen #toolbar { height: auto; - dock: top; margin-bottom: 1; } - DataTable { + PackageListScreen DataTable { height: 1fr; border: solid $primary; } -""" - - -class PackageListScreen(Screen): - BINDINGS = [("b", "back", "Retour")] - CSS = SCREEN_CSS + """ def __init__(self, packages: list[dict]): super().__init__() @@ -52,7 +50,20 @@ class PackageListScreen(Screen): class CVEListScreen(Screen): BINDINGS = [("b", "back", "Retour")] - CSS = SCREEN_CSS + DEFAULT_CSS = """ + CVEListScreen { + align: left top; + padding: 1 2; + } + CVEListScreen #toolbar { + height: auto; + margin-bottom: 1; + } + CVEListScreen DataTable { + height: 1fr; + border: solid $primary; + } + """ def __init__(self, cves: list[dict]): super().__init__() From 8f623e1df693513cdc7218951d54568cb5dc5848 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 01:54:57 +0200 Subject: [PATCH 08/24] fix(ui): remove reactive vars in SummaryPanel, use direct widget update - Replace reactive attributes with direct widget updates in set_target - Delay _select_target by 0.1s after pop_screen to ensure DOM is stable - Remove summary.refresh() calls that interfere with direct updates --- full_updater/app.py | 3 +- full_updater/ui/summary.py | 73 ++++++++++++-------------------------- 2 files changed, 23 insertions(+), 53 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 969a526..0df0f6d 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -109,7 +109,7 @@ class FullUpdaterApp(App): ) sidebar.refresh() if self.targets: - self._select_target(self.targets[0].target_id) + self.set_timer(0.1, lambda: self._select_target(self.targets[0].target_id)) def _select_target(self, target_id: str): self.selected_target = target_id @@ -130,7 +130,6 @@ class FullUpdaterApp(App): skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) ) - summary.refresh() def on_sidebar_target_selected(self, event: Sidebar.TargetSelected): self._select_target(event.target_id) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index b012b9f..fb93ca0 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -1,6 +1,5 @@ from textual.widgets import Static, Button from textual.containers import Vertical, Horizontal -from textual.reactive import reactive from textual.message import Message @@ -26,10 +25,6 @@ class SummaryPanel(Vertical): height: auto; margin: 1 0; } - .summary-count { - color: $primary; - text-style: bold; - } .summary-error { color: $error; text-style: bold; @@ -55,13 +50,8 @@ class SummaryPanel(Vertical): self.target_id = target_id super().__init__() - cache_time = reactive("") - apt_count = reactive(0) - cve_count = reactive(0) - target_id = reactive("") - target_name = reactive("") - error_msg = reactive("") - is_skipped = reactive(False) + _current_target_id: str = "" + _current_target_name: str = "" def compose(self): with Horizontal(id="summary-header"): @@ -75,31 +65,21 @@ class SummaryPanel(Vertical): yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def watch_cache_time(self, value: str): - self.query_one("#summary-cache", Static).update(f"Cache : {value}" if value else "") + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): + self._current_target_id = target_id + self._current_target_name = name - def watch_apt_count(self, value: int): - self._update_display() - - def watch_cve_count(self, value: int): - self._update_display() - - def watch_error_msg(self, value: str): - self._update_display() - - def watch_is_skipped(self, value: bool): - self._update_display() - - def watch_target_name(self, value: str): - self.query_one("#summary-title", Static).update(value if value else "Sélectionnez une cible") - - def _update_display(self): + title = self.query_one("#summary-title", Static) apt_btn = self.query_one("#btn-apt", Button) cve_btn = self.query_one("#btn-cve", Button) err_label = self.query_one("#summary-error", Static) btn = self.query_one("#btn-upgrade", Button) + cache_label = self.query_one("#summary-cache", Static) - if self.is_skipped: + title.update(name if name else "Sélectionnez une cible") + cache_label.update(f"Cache : {cache_time}" if cache_time else "") + + if skipped: apt_btn.label = "Mises à jour : LXC éteint" cve_btn.label = "CVE : LXC éteint" err_label.update("") @@ -108,37 +88,28 @@ class SummaryPanel(Vertical): cve_btn.disabled = True return - if self.error_msg: - apt_btn.label = f"Mises à jour : {self.apt_count}" + if error: + apt_btn.label = f"Mises à jour : {apt_count}" cve_btn.label = "CVE : ERREUR" - err_label.update(self.error_msg) + err_label.update(error) btn.disabled = False - apt_btn.disabled = self.apt_count == 0 + apt_btn.disabled = apt_count == 0 cve_btn.disabled = True return - apt_btn.label = f"Mises à jour : {self.apt_count}" - cve_btn.label = f"CVE : {self.cve_count}" + apt_btn.label = f"Mises à jour : {apt_count}" + cve_btn.label = f"CVE : {cve_count}" err_label.update("") btn.disabled = False - apt_btn.disabled = self.apt_count == 0 - cve_btn.disabled = self.cve_count == 0 - - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): - self.target_id = target_id - self.target_name = name - self.apt_count = apt_count - self.cve_count = cve_count - self.error_msg = error - self.is_skipped = skipped - self.cache_time = cache_time + apt_btn.disabled = apt_count == 0 + cve_btn.disabled = cve_count == 0 def on_button_pressed(self, event: Button.Pressed): if event.button.id == "btn-reload": self.post_message(self.ReloadPressed()) elif event.button.id == "btn-upgrade": - self.post_message(self.UpgradePressed(self.target_id, self.target_name)) + self.post_message(self.UpgradePressed(self._current_target_id, self._current_target_name)) elif event.button.id == "btn-apt": - self.post_message(self.AptClicked(self.target_id)) + self.post_message(self.AptClicked(self._current_target_id)) elif event.button.id == "btn-cve": - self.post_message(self.CveClicked(self.target_id)) + self.post_message(self.CveClicked(self._current_target_id)) From f4db16327f246aa81f1084bb9ae81f37abed33b0 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:00:48 +0200 Subject: [PATCH 09/24] fix(cache): purge cache only once at startup, not on every write - Add clear_cache() called once in on_mount - ensure_cache_dir() no longer deletes existing files - This fixes the issue where only the last target's cache survived - Add widget.refresh() calls to force UI updates --- full_updater/app.py | 7 +++++-- full_updater/backend/cache.py | 5 ++++- full_updater/ui/summary.py | 7 +++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index 0df0f6d..3d8e895 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -6,7 +6,7 @@ from textual.containers import Horizontal, Vertical from textual.reactive import reactive from textual import work -from full_updater.backend.cache import ensure_cache_dir, read_cache, get_cache_timestamp +from full_updater.backend.cache import clear_cache, ensure_cache_dir, read_cache, get_cache_timestamp from full_updater.backend.scanner import ( Target, ScanResult, get_lxc_list, lxc_is_running, ensure_debsecan_installed, scan_apt, scan_cve, write_cache, scan_target @@ -46,6 +46,7 @@ class FullUpdaterApp(App): yield SummaryPanel() def on_mount(self): + clear_cache() ensure_cache_dir() self.targets = [Target(target_id="host", name="hote", is_host=True)] + get_lxc_list() sidebar = self.query_one(Sidebar) @@ -93,6 +94,7 @@ class FullUpdaterApp(App): result.error, result.status == "skipped" ) + sidebar.refresh() def _finish_scan(self): self.pop_screen() @@ -109,7 +111,7 @@ class FullUpdaterApp(App): ) sidebar.refresh() if self.targets: - self.set_timer(0.1, lambda: self._select_target(self.targets[0].target_id)) + self.set_timer(0.2, lambda: self._select_target(self.targets[0].target_id)) def _select_target(self, target_id: str): self.selected_target = target_id @@ -130,6 +132,7 @@ class FullUpdaterApp(App): skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) ) + summary.refresh() def on_sidebar_target_selected(self, event: Sidebar.TargetSelected): self._select_target(event.target_id) diff --git a/full_updater/backend/cache.py b/full_updater/backend/cache.py index 1edb94d..5172ca9 100644 --- a/full_updater/backend/cache.py +++ b/full_updater/backend/cache.py @@ -7,9 +7,12 @@ from typing import Any CACHE_DIR = "/tmp/full-updater-cache" -def ensure_cache_dir() -> None: +def clear_cache() -> None: if os.path.exists(CACHE_DIR): shutil.rmtree(CACHE_DIR) + + +def ensure_cache_dir() -> None: os.makedirs(CACHE_DIR, exist_ok=True) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index fb93ca0..46dc560 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -104,6 +104,13 @@ class SummaryPanel(Vertical): apt_btn.disabled = apt_count == 0 cve_btn.disabled = cve_count == 0 + # Forcer le refresh de tous les widgets modifiés + apt_btn.refresh() + cve_btn.refresh() + err_label.refresh() + btn.refresh() + cache_label.refresh() + def on_button_pressed(self, event: Button.Pressed): if event.button.id == "btn-reload": self.post_message(self.ReloadPressed()) From eed84f36e8197806b0dc832e9419ac85e664d221 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:07:25 +0200 Subject: [PATCH 10/24] fix(log_panel): rename self.log to self._log_widget to avoid Textual property conflict --- full_updater/ui/log_panel.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/full_updater/ui/log_panel.py b/full_updater/ui/log_panel.py index 0ccfb15..1022d1c 100644 --- a/full_updater/ui/log_panel.py +++ b/full_updater/ui/log_panel.py @@ -23,21 +23,21 @@ class LogPanel(Vertical): def __init__(self): super().__init__() - self.log = None + self._log_widget = None def compose(self): with Horizontal(id="log-toolbar"): yield Button("⬅ Retour", id="log-back") - self.log = RichLog(id="log-view", highlight=True) - yield self.log + self._log_widget = RichLog(id="log-view", highlight=True) + yield self._log_widget def write(self, line: str): - if self.log: - self.log.write(line) + if self._log_widget: + self._log_widget.write(line) def clear(self): - if self.log: - self.log.clear() + if self._log_widget: + self._log_widget.clear() def on_button_pressed(self, event: Button.Pressed): if event.button.id == "log-back": From af9e061ab586b9f1d5a9907d792ff008cbfebc9e Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:11:08 +0200 Subject: [PATCH 11/24] fix(upgrade): remove call_from_thread in async worker, call log_panel.write directly --- full_updater/app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/full_updater/app.py b/full_updater/app.py index 3d8e895..ebc400b 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -208,7 +208,7 @@ class FullUpdaterApp(App): return executor = UpgradeExecutor( target_id, is_host, - on_line=lambda line: self.call_from_thread(log_panel.write, line) + on_line=lambda line: log_panel.write(line) ) ok = await executor.run() if ok: From e22f416500f220c9a1c6e7de0971aa9ff4488cf2 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:27:22 +0200 Subject: [PATCH 12/24] feat(cve): filter actionable CVEs via Debian Security Tracker API - Add filter_actionable_cves() that queries security-tracker.debian.org - Cache API responses in /tmp/full-updater-cache/cve-api/ - Use ThreadPoolExecutor(max_workers=10) for parallel API calls - cve_count now shows only actionable CVEs (with fixed_version) - cve_total stored for info, shown as 'CVE: X (Y non corrigeables)' --- full_updater/app.py | 4 +- full_updater/backend/scanner.py | 90 +++++++++++++++++++++++++++++++-- full_updater/ui/summary.py | 7 ++- 3 files changed, 95 insertions(+), 6 deletions(-) diff --git a/full_updater/app.py b/full_updater/app.py index ebc400b..d2540cc 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -128,6 +128,7 @@ class FullUpdaterApp(App): name=name, apt_count=data.get("apt_count", 0), cve_count=data.get("cve_count", 0), + cve_total=data.get("cve_total", 0), error=data.get("error", ""), skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) @@ -158,7 +159,7 @@ class FullUpdaterApp(App): write_cache(target.target_id, { "timestamp": datetime.now().isoformat(), "apt_count": 0, "apt_packages": [], - "cve_count": 0, "cve_list": [], + "cve_count": 0, "cve_total": 0, "cve_list": [], "error": "LXC éteint" }) self._update_sidebar(target.target_id, result) @@ -176,6 +177,7 @@ class FullUpdaterApp(App): "apt_count": result.apt_count, "apt_packages": result.apt_packages, "cve_count": result.cve_count, + "cve_total": result.cve_total, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 4271c74..6180049 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -1,10 +1,83 @@ +import json +import os import re import subprocess +import urllib.request +from concurrent.futures import ThreadPoolExecutor from dataclasses import dataclass, field from datetime import datetime from typing import Callable -from full_updater.backend.cache import write_cache +from full_updater.backend.cache import write_cache, ensure_cache_dir + +CVE_API_CACHE = "/tmp/full-updater-cache/cve-api" + + +def _ensure_cve_api_cache() -> None: + os.makedirs(CVE_API_CACHE, exist_ok=True) + + +def _fetch_cve_status(cve_id: str) -> dict: + """Interroge l'API Debian Security Tracker pour une CVE, avec cache local.""" + _ensure_cve_api_cache() + cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json") + + if os.path.exists(cache_path): + try: + with open(cache_path, "r", encoding="utf-8") as f: + return json.load(f) + except Exception: + pass + + url = f"https://security-tracker.debian.org/tracker/{cve_id}/json" + try: + req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"}) + with urllib.request.urlopen(req, timeout=15) as resp: + data = json.load(resp) + with open(cache_path, "w", encoding="utf-8") as f: + json.dump(data, f) + return data + except Exception: + return {} + + +def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: + """Retourne True si la CVE a un fixed_version pour le suite donné.""" + data = _fetch_cve_status(cve_id) + cve_data = data.get(cve_id, {}) + debian = cve_data.get("debian", {}) + suite_data = debian.get(suite, {}) + return suite_data.get("status") == "resolved" and "fixed_version" in suite_data + + +def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: + """Filtre la liste des CVE pour ne garder que les actionnables. + Retourne (cve_actionnables, cve_total).""" + if not cves: + return [], 0 + + total = len(cves) + + def check(cve: dict) -> dict | None: + try: + if _is_cve_actionable(cve["id"]): + return cve + except Exception: + pass + return None + + actionable = [] + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [executor.submit(check, cve) for cve in cves] + for future in futures: + try: + result = future.result() + if result: + actionable.append(result) + except Exception: + pass + + return actionable, total @dataclass @@ -21,6 +94,7 @@ class ScanResult: cve_ok: bool = False apt_count: int = 0 cve_count: int = 0 + cve_total: int = 0 apt_packages: list[dict[str, str]] = field(default_factory=list) cve_list: list[dict[str, str]] = field(default_factory=list) error: str = "" @@ -139,10 +213,19 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: if debsecan_ok: cve_ok, cve_list, cve_err = scan_cve(target) result.cve_ok = cve_ok - result.cve_count = len(cve_list) - result.cve_list = cve_list if not cve_ok: result.error = cve_err + + # Filtrer les CVE actionnables via l'API Debian + if cve_list: + actionable, total = filter_actionable_cves(cve_list) + result.cve_list = actionable + result.cve_count = len(actionable) + result.cve_total = total + else: + result.cve_list = [] + result.cve_count = 0 + result.cve_total = 0 else: result.cve_ok = False result.error = f"debsecan: {debsecan_err}" @@ -157,6 +240,7 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: "apt_count": result.apt_count, "apt_packages": result.apt_packages, "cve_count": result.cve_count, + "cve_total": result.cve_total, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index 46dc560..e750712 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -65,7 +65,7 @@ class SummaryPanel(Vertical): yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, error: str, skipped: bool, cache_time: str): + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, error: str, skipped: bool, cache_time: str): self._current_target_id = target_id self._current_target_name = name @@ -98,7 +98,10 @@ class SummaryPanel(Vertical): return apt_btn.label = f"Mises à jour : {apt_count}" - cve_btn.label = f"CVE : {cve_count}" + if cve_total > cve_count: + cve_btn.label = f"CVE : {cve_count} ({cve_total - cve_count} non corrigeables)" + else: + cve_btn.label = f"CVE : {cve_count}" err_label.update("") btn.disabled = False apt_btn.disabled = apt_count == 0 From 86eda73eb9ab0b81039e1b5a886a708f6353b316 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:35:15 +0200 Subject: [PATCH 13/24] feat(cve): show all CVEs with fixable indicator in list screen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - filter_actionable_cves now marks all CVEs with 'fixable' boolean - cve_list in cache contains ALL CVEs (not just actionable ones) - CVEListScreen adds 'Corrigeable' column with 🟢/🔴 indicator - Sidebar counter still shows only actionable CVEs (cve_count) --- full_updater/backend/scanner.py | 37 ++++++++++++++++--------------- full_updater/ui/detail_screens.py | 20 +++++++++++++++-- 2 files changed, 37 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 6180049..6fd044a 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -51,33 +51,34 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: - """Filtre la liste des CVE pour ne garder que les actionnables. - Retourne (cve_actionnables, cve_total).""" + """Filtre la liste des CVE pour ajouter un flag 'fixable'. + Retourne (cve_avec_flag, nombre_actionnables).""" if not cves: return [], 0 - total = len(cves) - - def check(cve: dict) -> dict | None: + def check(cve: dict) -> dict: try: - if _is_cve_actionable(cve["id"]): - return cve + is_fixable = _is_cve_actionable(cve["id"]) + cve["fixable"] = is_fixable + return cve except Exception: - pass - return None + cve["fixable"] = False + return cve - actionable = [] + all_cves = [] + actionable_count = 0 with ThreadPoolExecutor(max_workers=10) as executor: futures = [executor.submit(check, cve) for cve in cves] for future in futures: try: - result = future.result() - if result: - actionable.append(result) + cve = future.result() + all_cves.append(cve) + if cve.get("fixable"): + actionable_count += 1 except Exception: pass - return actionable, total + return all_cves, actionable_count @dataclass @@ -218,10 +219,10 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: # Filtrer les CVE actionnables via l'API Debian if cve_list: - actionable, total = filter_actionable_cves(cve_list) - result.cve_list = actionable - result.cve_count = len(actionable) - result.cve_total = total + all_cves, actionable_count = filter_actionable_cves(cve_list) + result.cve_list = all_cves + result.cve_count = actionable_count + result.cve_total = len(all_cves) else: result.cve_list = [] result.cve_count = 0 diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index dc64962..78b31b4 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -9,6 +9,21 @@ except Exception: PYPERCLIP_OK = False +SCREEN_CSS = """ + align: left top; + padding: 1 2; + #toolbar { + height: auto; + dock: top; + margin-bottom: 1; + } + DataTable { + height: 1fr; + border: solid $primary; + } +""" + + class PackageListScreen(Screen): BINDINGS = [("b", "back", "Retour")] DEFAULT_CSS = """ @@ -75,14 +90,15 @@ class CVEListScreen(Screen): with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="cve-back", variant="default") table = DataTable(id="cve-table") - table.add_columns("CVE-ID", "Paquet", "Lien") + table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien") table.cursor_type = "row" for i, cve in enumerate(self.cves): cve_id = cve.get("id", "?") pkg = cve.get("package", "?") url = cve.get("url", "") + fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non" self.urls[i] = url - table.add_row(cve_id, pkg, url) + table.add_row(cve_id, pkg, fixable, url) yield table def on_data_table_row_selected(self, event: DataTable.RowSelected): From 9c4e40505b926dec5dc1cfa25dbbed79f63c682b Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:38:58 +0200 Subject: [PATCH 14/24] fix(summary): enable CVE button when non-fixable CVEs exist - Use cve_total instead of cve_count to determine button disabled state - Allows viewing all CVEs even when none are fixable --- full_updater/ui/summary.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index e750712..dd48ae9 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -105,7 +105,7 @@ class SummaryPanel(Vertical): err_label.update("") btn.disabled = False apt_btn.disabled = apt_count == 0 - cve_btn.disabled = cve_count == 0 + cve_btn.disabled = cve_total == 0 # Forcer le refresh de tous les widgets modifiés apt_btn.refresh() From 3bb213a00dfc466ba931f6c9e52e8216f147c423 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 02:56:16 +0200 Subject: [PATCH 15/24] fix(cve): parse HTML instead of non-existent JSON API - Debian Security Tracker has no public JSON API for individual CVEs - Now fetches and parses the HTML page directly - Searches for 'bookworm ... fixed' pattern in the vulnerability table - Cache files changed from .json to .html --- full_updater/backend/scanner.py | 34 ++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 6fd044a..c002ce7 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -17,37 +17,41 @@ def _ensure_cve_api_cache() -> None: os.makedirs(CVE_API_CACHE, exist_ok=True) -def _fetch_cve_status(cve_id: str) -> dict: - """Interroge l'API Debian Security Tracker pour une CVE, avec cache local.""" +def _fetch_cve_html(cve_id: str) -> str: + """Récupère le HTML de la page Debian Security Tracker pour une CVE.""" _ensure_cve_api_cache() - cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json") + cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.html") if os.path.exists(cache_path): try: with open(cache_path, "r", encoding="utf-8") as f: - return json.load(f) + return f.read() except Exception: pass - url = f"https://security-tracker.debian.org/tracker/{cve_id}/json" + url = f"https://security-tracker.debian.org/tracker/{cve_id}" try: req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"}) with urllib.request.urlopen(req, timeout=15) as resp: - data = json.load(resp) + html = resp.read().decode("utf-8") with open(cache_path, "w", encoding="utf-8") as f: - json.dump(data, f) - return data + f.write(html) + return html except Exception: - return {} + return "" def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: - """Retourne True si la CVE a un fixed_version pour le suite donné.""" - data = _fetch_cve_status(cve_id) - cve_data = data.get(cve_id, {}) - debian = cve_data.get("debian", {}) - suite_data = debian.get(suite, {}) - return suite_data.get("status") == "resolved" and "fixed_version" in suite_data + """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML.""" + html = _fetch_cve_html(cve_id) + if not html: + return False + + # Chercher dans le tableau des packages vulnérables/fixed + # Pattern: suite (security)? version fixed + # Ex: bookworm 3.0.18-1~deb12u1 fixed + pattern = re.compile(rf"]*>\s*{re.escape(suite)}\s*(?:\(security\))?\s*\s*]*>[^<]+\s*]*>\s*fixed\s*", re.IGNORECASE) + return bool(pattern.search(html)) def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: From 6e707da98d350e41c9da66789320dde960d13226 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:07:28 +0200 Subject: [PATCH 16/24] feat(ui): display OS name and version in SummaryPanel - Add scan_os() to detect OS via lsb_release or /etc/os-release - Store os_info in cache and ScanResult - Display OS info in SummaryPanel below the target name --- full_updater/app.py | 3 +++ full_updater/backend/scanner.py | 28 ++++++++++++++++++++++++++++ full_updater/ui/summary.py | 5 ++++- 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/full_updater/app.py b/full_updater/app.py index d2540cc..0bee8a2 100644 --- a/full_updater/app.py +++ b/full_updater/app.py @@ -129,6 +129,7 @@ class FullUpdaterApp(App): apt_count=data.get("apt_count", 0), cve_count=data.get("cve_count", 0), cve_total=data.get("cve_total", 0), + os_info=data.get("os_info", ""), error=data.get("error", ""), skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets), cache_time=get_cache_timestamp(cache_id) @@ -160,6 +161,7 @@ class FullUpdaterApp(App): "timestamp": datetime.now().isoformat(), "apt_count": 0, "apt_packages": [], "cve_count": 0, "cve_total": 0, "cve_list": [], + "os_info": "LXC éteint", "error": "LXC éteint" }) self._update_sidebar(target.target_id, result) @@ -178,6 +180,7 @@ class FullUpdaterApp(App): "apt_packages": result.apt_packages, "cve_count": result.cve_count, "cve_total": result.cve_total, + "os_info": result.os_info, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index c002ce7..420215e 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -100,6 +100,7 @@ class ScanResult: apt_count: int = 0 cve_count: int = 0 cve_total: int = 0 + os_info: str = "" apt_packages: list[dict[str, str]] = field(default_factory=list) cve_list: list[dict[str, str]] = field(default_factory=list) error: str = "" @@ -135,6 +136,28 @@ def lxc_is_running(vmid: str) -> bool: return ok and "running" in stdout.lower() +def scan_os(target: Target) -> str: + """Récupère le nom et la version de l'OS.""" + if target.is_host: + cmd = ["lsb_release", "-ds"] + else: + cmd = ["pct", "exec", target.target_id, "--", "lsb_release", "-ds"] + ok, stdout, _ = run_cmd(cmd, timeout=30) + if ok: + return stdout.strip() + # Fallback si lsb_release n'est pas installé + if target.is_host: + cmd = ["cat", "/etc/os-release"] + else: + cmd = ["pct", "exec", target.target_id, "--", "cat", "/etc/os-release"] + ok, stdout, _ = run_cmd(cmd, timeout=30) + if ok: + name = re.search(r'PRETTY_NAME="([^"]+)"', stdout) + if name: + return name.group(1) + return "OS inconnu" + + def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: if is_host: ok, _, _ = run_cmd(["which", "debsecan"]) @@ -236,6 +259,10 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: result.error = f"debsecan: {debsecan_err}" progress_cb() + # Scan OS + result.os_info = scan_os(target) + progress_cb() + result.status = "done" if (result.apt_ok and result.cve_ok) else "error" if result.error: result.status = "error" @@ -246,6 +273,7 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: "apt_packages": result.apt_packages, "cve_count": result.cve_count, "cve_total": result.cve_total, + "os_info": result.os_info, "cve_list": result.cve_list, "error": result.error }) diff --git a/full_updater/ui/summary.py b/full_updater/ui/summary.py index dd48ae9..4b9fe7d 100644 --- a/full_updater/ui/summary.py +++ b/full_updater/ui/summary.py @@ -60,16 +60,18 @@ class SummaryPanel(Vertical): with Vertical(id="summary-body"): yield Static("Sélectionnez une cible", id="summary-title") + yield Static("", id="summary-os", classes="summary-row") yield Button("Mises à jour : -", id="btn-apt", classes="summary-row", variant="default") yield Button("CVE : -", id="btn-cve", classes="summary-row", variant="default") yield Static("", id="summary-error", classes="summary-row summary-error") yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary") - def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, error: str, skipped: bool, cache_time: str): + def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, os_info: str, error: str, skipped: bool, cache_time: str): self._current_target_id = target_id self._current_target_name = name title = self.query_one("#summary-title", Static) + os_label = self.query_one("#summary-os", Static) apt_btn = self.query_one("#btn-apt", Button) cve_btn = self.query_one("#btn-cve", Button) err_label = self.query_one("#summary-error", Static) @@ -77,6 +79,7 @@ class SummaryPanel(Vertical): cache_label = self.query_one("#summary-cache", Static) title.update(name if name else "Sélectionnez une cible") + os_label.update(os_info if os_info else "") cache_label.update(f"Cache : {cache_time}" if cache_time else "") if skipped: From 2d339cc397957451ce260272058c078e3eb375bf Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:52:10 +0200 Subject: [PATCH 17/24] feat(os): show full version number from /etc/debian_version - Use lsb_release -is/-cs for name and codename - Use /etc/debian_version for full version (e.g. 12.9) - Display format: 'Debian GNU/Linux 12.9 (bookworm)' --- full_updater/backend/scanner.py | 52 +++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 420215e..a721c21 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -137,25 +137,39 @@ def lxc_is_running(vmid: str) -> bool: def scan_os(target: Target) -> str: - """Récupère le nom et la version de l'OS.""" - if target.is_host: - cmd = ["lsb_release", "-ds"] - else: - cmd = ["pct", "exec", target.target_id, "--", "lsb_release", "-ds"] - ok, stdout, _ = run_cmd(cmd, timeout=30) - if ok: - return stdout.strip() - # Fallback si lsb_release n'est pas installé - if target.is_host: - cmd = ["cat", "/etc/os-release"] - else: - cmd = ["pct", "exec", target.target_id, "--", "cat", "/etc/os-release"] - ok, stdout, _ = run_cmd(cmd, timeout=30) - if ok: - name = re.search(r'PRETTY_NAME="([^"]+)"', stdout) - if name: - return name.group(1) - return "OS inconnu" + """Récupère le nom, la version complète et le codename de l'OS.""" + prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] + + # 1. Récupérer le nom (Debian, Ubuntu...) + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" + + # 2. Récupérer le codename (bookworm, trixie...) + ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) + codename = code_out.strip() if ok else "" + + # 3. Récupérer la version complète depuis /etc/debian_version (ex: 12.9) + ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) + version = ver_out.strip() if ok else "" + + # 4. Fallback sur lsb_release -rs si /etc/debian_version vide + if not version: + ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) + version = ver_out.strip() if ok else "" + + # 5. Fallback sur /etc/os-release si tout le reste échoue + if not os_name or not version: + ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) + if ok: + pretty = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) + if pretty: + return pretty.group(1) + return "OS inconnu" + + # Construire le libellé final + if codename: + return f"{os_name} GNU/Linux {version} ({codename})" + return f"{os_name} GNU/Linux {version}" def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From d90f74dd8f0f1c8126cc0b70812c6269db430dc4 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 03:59:47 +0200 Subject: [PATCH 18/24] fix(os): use VERSION_ID from /etc/os-release for full version number in LXC --- full_updater/backend/scanner.py | 49 +++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index a721c21..27aee27 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,36 +140,45 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Récupérer le nom (Debian, Ubuntu...) - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + # 1. Lire /etc/os-release pour VERSION_ID (ex: 12.9) et PRETTY_NAME + ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) + version_id = "" + pretty_name = "" + if ok: + ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1) + pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) + if pretty_match: + pretty_name = pretty_match.group(1) - # 2. Récupérer le codename (bookworm, trixie...) + # 2. Récupérer le codename via lsb_release ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) codename = code_out.strip() if ok else "" - # 3. Récupérer la version complète depuis /etc/debian_version (ex: 12.9) - ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) - version = ver_out.strip() if ok else "" + # 3. Fallback sur /etc/debian_version si VERSION_ID vide + if not version_id: + ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) + version_id = ver_out.strip() if ok else "" - # 4. Fallback sur lsb_release -rs si /etc/debian_version vide - if not version: + # 4. Fallback sur lsb_release -rs + if not version_id: ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) - version = ver_out.strip() if ok else "" + version_id = ver_out.strip() if ok else "" - # 5. Fallback sur /etc/os-release si tout le reste échoue - if not os_name or not version: - ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) - if ok: - pretty = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) - if pretty: - return pretty.group(1) - return "OS inconnu" + # 5. Récupérer le nom via lsb_release + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" + + if not os_name and pretty_name: + return pretty_name + if not os_name or not version_id: + return pretty_name if pretty_name else "OS inconnu" # Construire le libellé final if codename: - return f"{os_name} GNU/Linux {version} ({codename})" - return f"{os_name} GNU/Linux {version}" + return f"{os_name} GNU/Linux {version_id} ({codename})" + return f"{os_name} GNU/Linux {version_id}" def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From f0f59f04682c395a669864b9c6c58a61a9ea4a8d Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:05:45 +0200 Subject: [PATCH 19/24] fix(os): read DEBIAN_VERSION_FULL from /etc/os-release first - Check DEBIAN_VERSION_FULL (ex: 13.4) as primary source - Fallback to VERSION, then VERSION_ID, then /etc/debian_version --- full_updater/backend/scanner.py | 40 ++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 27aee27..486b9fe 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,33 +140,41 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Lire /etc/os-release pour VERSION_ID (ex: 12.9) et PRETTY_NAME + # 1. Lire /etc/os-release ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) version_id = "" pretty_name = "" + codename = "" if ok: - ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1) + # Priorité 1 : DEBIAN_VERSION_FULL (ex: 13.4) + ver_full_match = re.search(r'DEBIAN_VERSION_FULL="?([^"\n]+)"?', osrel_out) + if ver_full_match: + version_id = ver_full_match.group(1).strip() + # Priorité 2 : VERSION (ex: "13 (trixie)") + if not version_id: + ver_match = re.search(r'VERSION="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1).strip() + # Priorité 3 : VERSION_ID (ex: "13") + if not version_id: + ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) + if ver_match: + version_id = ver_match.group(1).strip() + # Nom affichable pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) if pretty_match: - pretty_name = pretty_match.group(1) + pretty_name = pretty_match.group(1).strip() + # Codename + code_match = re.search(r'VERSION_CODENAME="?([^"\n]+)"?', osrel_out) + if code_match: + codename = code_match.group(1).strip() - # 2. Récupérer le codename via lsb_release - ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30) - codename = code_out.strip() if ok else "" - - # 3. Fallback sur /etc/debian_version si VERSION_ID vide + # 2. Fallback sur /etc/debian_version si tout vide if not version_id: ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) version_id = ver_out.strip() if ok else "" - # 4. Fallback sur lsb_release -rs - if not version_id: - ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30) - version_id = ver_out.strip() if ok else "" - - # 5. Récupérer le nom via lsb_release + # 3. Récupérer le nom via lsb_release ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) os_name = name_out.strip() if ok else "" From c1f462d2093e16ee495164865a79f57afb8350be Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:10:01 +0200 Subject: [PATCH 20/24] fix(os): parse /etc/os-release line-by-line instead of regex - pct exec returns stdout differently than local cat - Line-by-line parsing is more robust across LXC boundaries - Handles quotes correctly --- full_updater/backend/scanner.py | 55 +++++++++++++++------------------ 1 file changed, 25 insertions(+), 30 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 486b9fe..818a35c 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -140,43 +140,38 @@ def scan_os(target: Target) -> str: """Récupère le nom, la version complète et le codename de l'OS.""" prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"] - # 1. Lire /etc/os-release + # 1. Lire /etc/os-release et parser ligne par ligne ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30) - version_id = "" - pretty_name = "" - codename = "" + os_data = {} if ok: - # Priorité 1 : DEBIAN_VERSION_FULL (ex: 13.4) - ver_full_match = re.search(r'DEBIAN_VERSION_FULL="?([^"\n]+)"?', osrel_out) - if ver_full_match: - version_id = ver_full_match.group(1).strip() - # Priorité 2 : VERSION (ex: "13 (trixie)") - if not version_id: - ver_match = re.search(r'VERSION="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1).strip() - # Priorité 3 : VERSION_ID (ex: "13") - if not version_id: - ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out) - if ver_match: - version_id = ver_match.group(1).strip() - # Nom affichable - pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out) - if pretty_match: - pretty_name = pretty_match.group(1).strip() - # Codename - code_match = re.search(r'VERSION_CODENAME="?([^"\n]+)"?', osrel_out) - if code_match: - codename = code_match.group(1).strip() + for line in osrel_out.splitlines(): + line = line.strip() + if "=" in line: + key, val = line.split("=", 1) + # Supprimer les guillemets + val = val.strip().strip('"').strip("'") + os_data[key] = val - # 2. Fallback sur /etc/debian_version si tout vide + # 2. Extraire les champs + version_id = os_data.get("DEBIAN_VERSION_FULL", "") + if not version_id: + version_id = os_data.get("VERSION", "") + if not version_id: + version_id = os_data.get("VERSION_ID", "") + + codename = os_data.get("VERSION_CODENAME", "") + pretty_name = os_data.get("PRETTY_NAME", "") + os_name = os_data.get("NAME", "") + + # 3. Fallback sur /etc/debian_version si tout vide if not version_id: ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) version_id = ver_out.strip() if ok else "" - # 3. Récupérer le nom via lsb_release - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + # 4. Fallback sur lsb_release pour le nom + if not os_name: + ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) + os_name = name_out.strip() if ok else "" if not os_name and pretty_name: return pretty_name From 721e677fa648afc1004f0c000d3e4f0b3e1af57a Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:15:57 +0200 Subject: [PATCH 21/24] fix(os): use NAME directly, avoid double 'GNU/Linux' - NAME already contains 'Debian GNU/Linux', don't append it again - With DEBIAN_VERSION_FULL: NAME + DEBIAN_VERSION_FULL + (codename) - Without: NAME + VERSION_ID + (codename) - Fixes duplication bug --- full_updater/backend/scanner.py | 39 +++++++++++---------------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 818a35c..4d2d768 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -148,40 +148,27 @@ def scan_os(target: Target) -> str: line = line.strip() if "=" in line: key, val = line.split("=", 1) - # Supprimer les guillemets val = val.strip().strip('"').strip("'") os_data[key] = val # 2. Extraire les champs - version_id = os_data.get("DEBIAN_VERSION_FULL", "") - if not version_id: - version_id = os_data.get("VERSION", "") - if not version_id: - version_id = os_data.get("VERSION_ID", "") - + name = os_data.get("NAME", "") codename = os_data.get("VERSION_CODENAME", "") - pretty_name = os_data.get("PRETTY_NAME", "") - os_name = os_data.get("NAME", "") + debian_version_full = os_data.get("DEBIAN_VERSION_FULL", "") + version_id = os_data.get("VERSION_ID", "") - # 3. Fallback sur /etc/debian_version si tout vide - if not version_id: - ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30) - version_id = ver_out.strip() if ok else "" + # 3. Construire le libellé final + # Avec DEBIAN_VERSION_FULL : NAME DEBIAN_VERSION_FULL (VERSION_CODENAME) + # Sans : NAME VERSION_ID (VERSION_CODENAME) + version = debian_version_full if debian_version_full else version_id - # 4. Fallback sur lsb_release pour le nom - if not os_name: - ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30) - os_name = name_out.strip() if ok else "" + if name and version and codename: + return f"{name} {version} ({codename})" + if name and version: + return f"{name} {version}" - if not os_name and pretty_name: - return pretty_name - if not os_name or not version_id: - return pretty_name if pretty_name else "OS inconnu" - - # Construire le libellé final - if codename: - return f"{os_name} GNU/Linux {version_id} ({codename})" - return f"{os_name} GNU/Linux {version_id}" + # Fallback : PRETTY_NAME ou "OS inconnu" + return os_data.get("PRETTY_NAME", "OS inconnu") def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]: From 13d826ecd2322bc78b74719a954f9a1568640d39 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:20:14 +0200 Subject: [PATCH 22/24] feat(cve): add severity and vector columns to CVE list - Parse [remote|local] and [severity] from debsecan output - Display Severity and Vector columns in CVEListScreen - Severity values: unimportant, low, medium, high, critical --- full_updater/backend/scanner.py | 11 +++++++++-- full_updater/ui/detail_screens.py | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 4d2d768..2ae08ad 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -226,9 +226,16 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: cves = [] for line in stdout.splitlines(): - m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) + # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description + m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\[(remote|local)\])?(?:\s+\[(unimportant|low|medium|high|critical)\])?", line) if m: - cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"}) + cves.append({ + "id": m.group(1), + "package": m.group(2), + "vector": m.group(3) or "?", + "severity": m.group(4) or "?", + "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" + }) return True, cves, "" diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py index 78b31b4..5e95e10 100644 --- a/full_updater/ui/detail_screens.py +++ b/full_updater/ui/detail_screens.py @@ -90,15 +90,17 @@ class CVEListScreen(Screen): with Horizontal(id="toolbar"): yield Button("⬅ Retour", id="cve-back", variant="default") table = DataTable(id="cve-table") - table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien") + table.add_columns("CVE-ID", "Paquet", "Severite", "Vecteur", "Corrigeable", "Lien") table.cursor_type = "row" for i, cve in enumerate(self.cves): cve_id = cve.get("id", "?") pkg = cve.get("package", "?") url = cve.get("url", "") + severity = cve.get("severity", "?") + vector = cve.get("vector", "?") fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non" self.urls[i] = url - table.add_row(cve_id, pkg, fixable, url) + table.add_row(cve_id, pkg, severity, vector, fixable, url) yield table def on_data_table_row_selected(self, event: DataTable.RowSelected): From 9107009370de3b4f2827a3d2849f1ed0234c3e34 Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:23:45 +0200 Subject: [PATCH 23/24] fix(cve): robust parsing of [remote|local] and [severity] flags - Use re.findall to extract all bracketed flags instead of positional regex - Fixes issue where optional groups were not captured correctly --- full_updater/backend/scanner.py | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 2ae08ad..9e317bb 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -227,13 +227,22 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: cves = [] for line in stdout.splitlines(): # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description - m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\[(remote|local)\])?(?:\s+\[(unimportant|low|medium|high|critical)\])?", line) + m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: + # Extraire tous les flags entre crochets + flags = re.findall(r"\[(\w+)\]", line) + vector = "?" + severity = "?" + for f in flags: + if f in ("remote", "local"): + vector = f + elif f in ("unimportant", "low", "medium", "high", "critical"): + severity = f cves.append({ "id": m.group(1), "package": m.group(2), - "vector": m.group(3) or "?", - "severity": m.group(4) or "?", + "vector": vector, + "severity": severity, "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" }) return True, cves, "" From 11ada690a121c3759b334a66cc692a37dd46de9a Mon Sep 17 00:00:00 2001 From: enzo Date: Wed, 13 May 2026 04:33:05 +0200 Subject: [PATCH 24/24] fix(cve): enrich CVEs with severity/vector from Debian Security Tracker HTML - debsecan default format has no [remote|local] or [severity] flags - Now fetches severity and vector from security-tracker.debian.org HTML - scan_cve uses default format (no --format report) - enrich_cves replaces filter_actionable_cves, adds severity+vector --- full_updater/backend/scanner.py | 58 +++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 20 deletions(-) diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py index 9e317bb..f00185a 100644 --- a/full_updater/backend/scanner.py +++ b/full_updater/backend/scanner.py @@ -41,6 +41,29 @@ def _fetch_cve_html(cve_id: str) -> str: return "" +def _enrich_cve(cve_id: str) -> dict[str, str]: + """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker.""" + html = _fetch_cve_html(cve_id) + if not html: + return {"severity": "?", "vector": "?"} + + result = {"severity": "?", "vector": "?"} + + # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages" + # Recherche du motif: remote ou local + vector_match = re.search(r']*>\s*(remote|local)\s*', html, re.IGNORECASE) + if vector_match: + result["vector"] = vector_match.group(1).lower() + + # Extraction de la sévérité depuis les notes ou le tableau + # Format courant: [low], [medium], [high], [critical] dans les notes + severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE) + if severity_match: + result["severity"] = severity_match.group(1).lower() + + return result + + def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML.""" html = _fetch_cve_html(cve_id) @@ -54,16 +77,20 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool: return bool(pattern.search(html)) -def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]: - """Filtre la liste des CVE pour ajouter un flag 'fixable'. - Retourne (cve_avec_flag, nombre_actionnables).""" +def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]: + """Enrichit les CVEs avec fixable, severity, vector via l'API Debian. + Retourne (cve_enrichies, nombre_actionnables).""" if not cves: return [], 0 def check(cve: dict) -> dict: try: - is_fixable = _is_cve_actionable(cve["id"]) - cve["fixable"] = is_fixable + # Vérifie si corrigeable + cve["fixable"] = _is_cve_actionable(cve["id"]) + # Enrichit avec severity et vector + enriched = _enrich_cve(cve["id"]) + cve["severity"] = enriched["severity"] + cve["vector"] = enriched["vector"] return cve except Exception: cve["fixable"] = False @@ -219,30 +246,21 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]: def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]: - cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"] + # Format par défaut (pas de --format) retourne: CVE-ID package + cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"] ok, stdout, stderr = run_cmd(cmd, timeout=120) if not ok: return False, [], stderr or stdout cves = [] for line in stdout.splitlines(): - # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line) if m: - # Extraire tous les flags entre crochets - flags = re.findall(r"\[(\w+)\]", line) - vector = "?" - severity = "?" - for f in flags: - if f in ("remote", "local"): - vector = f - elif f in ("unimportant", "low", "medium", "high", "critical"): - severity = f cves.append({ "id": m.group(1), "package": m.group(2), - "vector": vector, - "severity": severity, + "vector": "?", + "severity": "?", "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}" }) return True, cves, "" @@ -273,9 +291,9 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult: if not cve_ok: result.error = cve_err - # Filtrer les CVE actionnables via l'API Debian + # Enrichir les CVE via l'API Debian (severity, vector, fixable) if cve_list: - all_cves, actionable_count = filter_actionable_cves(cve_list) + all_cves, actionable_count = enrich_cves(cve_list) result.cve_list = all_cves result.cve_count = actionable_count result.cve_total = len(all_cves)