diff --git a/full_updater/backend/scanner.py b/full_updater/backend/scanner.py
index f00185a..27aee27 100644
--- a/full_updater/backend/scanner.py
+++ b/full_updater/backend/scanner.py
@@ -41,29 +41,6 @@ def _fetch_cve_html(cve_id: str) -> str:
return ""
-def _enrich_cve(cve_id: str) -> dict[str, str]:
- """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker."""
- html = _fetch_cve_html(cve_id)
- if not html:
- return {"severity": "?", "vector": "?"}
-
- result = {"severity": "?", "vector": "?"}
-
- # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages"
- # Recherche du motif: | remote | ou local |
- vector_match = re.search(r']*>\s*(remote|local)\s*', html, re.IGNORECASE)
- if vector_match:
- result["vector"] = vector_match.group(1).lower()
-
- # Extraction de la sévérité depuis les notes ou le tableau
- # Format courant: [low], [medium], [high], [critical] dans les notes
- severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE)
- if severity_match:
- result["severity"] = severity_match.group(1).lower()
-
- return result
-
-
def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
"""Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML."""
html = _fetch_cve_html(cve_id)
@@ -77,20 +54,16 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
return bool(pattern.search(html))
-def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]:
- """Enrichit les CVEs avec fixable, severity, vector via l'API Debian.
- Retourne (cve_enrichies, nombre_actionnables)."""
+def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]:
+ """Filtre la liste des CVE pour ajouter un flag 'fixable'.
+ Retourne (cve_avec_flag, nombre_actionnables)."""
if not cves:
return [], 0
def check(cve: dict) -> dict:
try:
- # Vérifie si corrigeable
- cve["fixable"] = _is_cve_actionable(cve["id"])
- # Enrichit avec severity et vector
- enriched = _enrich_cve(cve["id"])
- cve["severity"] = enriched["severity"]
- cve["vector"] = enriched["vector"]
+ is_fixable = _is_cve_actionable(cve["id"])
+ cve["fixable"] = is_fixable
return cve
except Exception:
cve["fixable"] = False
@@ -167,35 +140,45 @@ def scan_os(target: Target) -> str:
"""Récupère le nom, la version complète et le codename de l'OS."""
prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"]
- # 1. Lire /etc/os-release et parser ligne par ligne
+ # 1. Lire /etc/os-release pour VERSION_ID (ex: 12.9) et PRETTY_NAME
ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30)
- os_data = {}
+ version_id = ""
+ pretty_name = ""
if ok:
- for line in osrel_out.splitlines():
- line = line.strip()
- if "=" in line:
- key, val = line.split("=", 1)
- val = val.strip().strip('"').strip("'")
- os_data[key] = val
+ ver_match = re.search(r'VERSION_ID="([^"]+)"', osrel_out)
+ if ver_match:
+ version_id = ver_match.group(1)
+ pretty_match = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out)
+ if pretty_match:
+ pretty_name = pretty_match.group(1)
- # 2. Extraire les champs
- name = os_data.get("NAME", "")
- codename = os_data.get("VERSION_CODENAME", "")
- debian_version_full = os_data.get("DEBIAN_VERSION_FULL", "")
- version_id = os_data.get("VERSION_ID", "")
+ # 2. Récupérer le codename via lsb_release
+ ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30)
+ codename = code_out.strip() if ok else ""
- # 3. Construire le libellé final
- # Avec DEBIAN_VERSION_FULL : NAME DEBIAN_VERSION_FULL (VERSION_CODENAME)
- # Sans : NAME VERSION_ID (VERSION_CODENAME)
- version = debian_version_full if debian_version_full else version_id
+ # 3. Fallback sur /etc/debian_version si VERSION_ID vide
+ if not version_id:
+ ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30)
+ version_id = ver_out.strip() if ok else ""
- if name and version and codename:
- return f"{name} {version} ({codename})"
- if name and version:
- return f"{name} {version}"
+ # 4. Fallback sur lsb_release -rs
+ if not version_id:
+ ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30)
+ version_id = ver_out.strip() if ok else ""
- # Fallback : PRETTY_NAME ou "OS inconnu"
- return os_data.get("PRETTY_NAME", "OS inconnu")
+ # 5. Récupérer le nom via lsb_release
+ ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30)
+ os_name = name_out.strip() if ok else ""
+
+ if not os_name and pretty_name:
+ return pretty_name
+ if not os_name or not version_id:
+ return pretty_name if pretty_name else "OS inconnu"
+
+ # Construire le libellé final
+ if codename:
+ return f"{os_name} GNU/Linux {version_id} ({codename})"
+ return f"{os_name} GNU/Linux {version_id}"
def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]:
@@ -246,8 +229,7 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]:
def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
- # Format par défaut (pas de --format) retourne: CVE-ID package
- cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"]
+ cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"]
ok, stdout, stderr = run_cmd(cmd, timeout=120)
if not ok:
return False, [], stderr or stdout
@@ -256,13 +238,7 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
for line in stdout.splitlines():
m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line)
if m:
- cves.append({
- "id": m.group(1),
- "package": m.group(2),
- "vector": "?",
- "severity": "?",
- "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"
- })
+ cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"})
return True, cves, ""
@@ -291,9 +267,9 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
if not cve_ok:
result.error = cve_err
- # Enrichir les CVE via l'API Debian (severity, vector, fixable)
+ # Filtrer les CVE actionnables via l'API Debian
if cve_list:
- all_cves, actionable_count = enrich_cves(cve_list)
+ all_cves, actionable_count = filter_actionable_cves(cve_list)
result.cve_list = all_cves
result.cve_count = actionable_count
result.cve_total = len(all_cves)
diff --git a/full_updater/ui/detail_screens.py b/full_updater/ui/detail_screens.py
index 5e95e10..78b31b4 100644
--- a/full_updater/ui/detail_screens.py
+++ b/full_updater/ui/detail_screens.py
@@ -90,17 +90,15 @@ class CVEListScreen(Screen):
with Horizontal(id="toolbar"):
yield Button("⬅ Retour", id="cve-back", variant="default")
table = DataTable(id="cve-table")
- table.add_columns("CVE-ID", "Paquet", "Severite", "Vecteur", "Corrigeable", "Lien")
+ table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien")
table.cursor_type = "row"
for i, cve in enumerate(self.cves):
cve_id = cve.get("id", "?")
pkg = cve.get("package", "?")
url = cve.get("url", "")
- severity = cve.get("severity", "?")
- vector = cve.get("vector", "?")
fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non"
self.urls[i] = url
- table.add_row(cve_id, pkg, severity, vector, fixable, url)
+ table.add_row(cve_id, pkg, fixable, url)
yield table
def on_data_table_row_selected(self, event: DataTable.RowSelected):