full_updater/backend/scanner.py

@@ -41,29 +41,6 @@ def _fetch_cve_html(cve_id: str) -> str:
         return ""
 
 
-def _enrich_cve(cve_id: str) -> dict[str, str]:
-    """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker."""
-    html = _fetch_cve_html(cve_id)
-    if not html:
-        return {"severity": "?", "vector": "?"}
-
-    result = {"severity": "?", "vector": "?"}
-
-    # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages"
-    # Recherche du motif: <td>remote</td> ou <td>local</td>
-    vector_match = re.search(r'<td[^>]*>\s*(remote|local)\s*</td>', html, re.IGNORECASE)
-    if vector_match:
-        result["vector"] = vector_match.group(1).lower()
-
-    # Extraction de la sévérité depuis les notes ou le tableau
-    # Format courant: [low], [medium], [high], [critical] dans les notes
-    severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE)
-    if severity_match:
-        result["severity"] = severity_match.group(1).lower()
-
-    return result
-
-
 def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
     """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML."""
     html = _fetch_cve_html(cve_id)
@@ -77,20 +54,16 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
     return bool(pattern.search(html))
 
 
-def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]:
-    """Enrichit les CVEs avec fixable, severity, vector via l'API Debian.
-    Retourne (cve_enrichies, nombre_actionnables)."""
+def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]:
+    """Filtre la liste des CVE pour ajouter un flag 'fixable'.
+    Retourne (cve_avec_flag, nombre_actionnables)."""
     if not cves:
         return [], 0
 
     def check(cve: dict) -> dict:
         try:
-            # Vérifie si corrigeable
-            cve["fixable"] = _is_cve_actionable(cve["id"])
-            # Enrichit avec severity et vector
-            enriched = _enrich_cve(cve["id"])
-            cve["severity"] = enriched["severity"]
-            cve["vector"] = enriched["vector"]
+            is_fixable = _is_cve_actionable(cve["id"])
+            cve["fixable"] = is_fixable
             return cve
         except Exception:
             cve["fixable"] = False
@@ -167,35 +140,36 @@ def scan_os(target: Target) -> str:
     """Récupère le nom, la version complète et le codename de l'OS."""
     prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"]
 
-    # 1. Lire /etc/os-release et parser ligne par ligne
+    # 1. Récupérer le nom (Debian, Ubuntu...)
+    ok, name_out, _ = run_cmd(prefix + ["lsb_release", "-is"], timeout=30)
+    os_name = name_out.strip() if ok else ""
+
+    # 2. Récupérer le codename (bookworm, trixie...)
+    ok, code_out, _ = run_cmd(prefix + ["lsb_release", "-cs"], timeout=30)
+    codename = code_out.strip() if ok else ""
+
+    # 3. Récupérer la version complète depuis /etc/debian_version (ex: 12.9)
+    ok, ver_out, _ = run_cmd(prefix + ["cat", "/etc/debian_version"], timeout=30)
+    version = ver_out.strip() if ok else ""
+
+    # 4. Fallback sur lsb_release -rs si /etc/debian_version vide
+    if not version:
+        ok, ver_out, _ = run_cmd(prefix + ["lsb_release", "-rs"], timeout=30)
+        version = ver_out.strip() if ok else ""
+
+    # 5. Fallback sur /etc/os-release si tout le reste échoue
+    if not os_name or not version:
         ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30)
-    os_data = {}
         if ok:
-        for line in osrel_out.splitlines():
-            line = line.strip()
-            if "=" in line:
-                key, val = line.split("=", 1)
-                val = val.strip().strip('"').strip("'")
-                os_data[key] = val
+            pretty = re.search(r'PRETTY_NAME="([^"]+)"', osrel_out)
+            if pretty:
+                return pretty.group(1)
+        return "OS inconnu"
 
-    # 2. Extraire les champs
-    name = os_data.get("NAME", "")
-    codename = os_data.get("VERSION_CODENAME", "")
-    debian_version_full = os_data.get("DEBIAN_VERSION_FULL", "")
-    version_id = os_data.get("VERSION_ID", "")
-
-    # 3. Construire le libellé final
-    # Avec DEBIAN_VERSION_FULL : NAME DEBIAN_VERSION_FULL (VERSION_CODENAME)
-    # Sans : NAME VERSION_ID (VERSION_CODENAME)
-    version = debian_version_full if debian_version_full else version_id
-
-    if name and version and codename:
-        return f"{name} {version} ({codename})"
-    if name and version:
-        return f"{name} {version}"
-
-    # Fallback : PRETTY_NAME ou "OS inconnu"
-    return os_data.get("PRETTY_NAME", "OS inconnu")
+    # Construire le libellé final
+    if codename:
+        return f"{os_name} GNU/Linux {version} ({codename})"
+    return f"{os_name} GNU/Linux {version}"
 
 
 def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]:
@@ -246,8 +220,7 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]:
 
 
 def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
-    # Format par défaut (pas de --format) retourne: CVE-ID package
-    cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"]
+    cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"]
     ok, stdout, stderr = run_cmd(cmd, timeout=120)
     if not ok:
         return False, [], stderr or stdout
@@ -256,13 +229,7 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
     for line in stdout.splitlines():
         m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line)
         if m:
-            cves.append({
-                "id": m.group(1),
-                "package": m.group(2),
-                "vector": "?",
-                "severity": "?",
-                "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"
-            })
+            cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"})
     return True, cves, ""
 
 
@@ -291,9 +258,9 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
         if not cve_ok:
             result.error = cve_err
 
-        # Enrichir les CVE via l'API Debian (severity, vector, fixable)
+        # Filtrer les CVE actionnables via l'API Debian
         if cve_list:
-            all_cves, actionable_count = enrich_cves(cve_list)
+            all_cves, actionable_count = filter_actionable_cves(cve_list)
             result.cve_list = all_cves
             result.cve_count = actionable_count
             result.cve_total = len(all_cves)

full_updater/ui/detail_screens.py

@@ -90,17 +90,15 @@ class CVEListScreen(Screen):
             with Horizontal(id="toolbar"):
                 yield Button("⬅ Retour", id="cve-back", variant="default")
             table = DataTable(id="cve-table")
-            table.add_columns("CVE-ID", "Paquet", "Severite", "Vecteur", "Corrigeable", "Lien")
+            table.add_columns("CVE-ID", "Paquet", "Corrigeable", "Lien")
             table.cursor_type = "row"
             for i, cve in enumerate(self.cves):
                 cve_id = cve.get("id", "?")
                 pkg = cve.get("package", "?")
                 url = cve.get("url", "")
-                severity = cve.get("severity", "?")
-                vector = cve.get("vector", "?")
                 fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non"
                 self.urls[i] = url
-                table.add_row(cve_id, pkg, severity, vector, fixable, url)
+                table.add_row(cve_id, pkg, fixable, url)
             yield table
 
     def on_data_table_row_selected(self, event: DataTable.RowSelected):