fix(cve): enrich CVEs with severity/vector from Debian Security Tracker HTML

- debsecan default format has no [remote|local] or [severity] flags - Now fetches severity and vector from security-tracker.debian.org HTML - scan_cve uses default format (no --format report) - enrich_cves replaces filter_actionable_cves, adds severity+vector
fix(cve): robust parsing of [remote|local] and [severity] flags
2026-05-13 04:33:05 +02:00 · 2026-05-13 04:23:45 +02:00
1 changed files with 39 additions and 12 deletions
--- a/full_updater/backend/scanner.py
+++ b/full_updater/backend/scanner.py
@ -41,6 +41,29 @@ def _fetch_cve_html(cve_id: str) -> str:
        return ""
 def _enrich_cve(cve_id: str) -> dict[str, str]:
    """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker."""
    html = _fetch_cve_html(cve_id)
    if not html:
        return {"severity": "?", "vector": "?"}
    result = {"severity": "?", "vector": "?"}
    # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages"
    # Recherche du motif: <td>remote</td> ou <td>local</td>
    vector_match = re.search(r'<td[^>]*>\s*(remote|local)\s*</td>', html, re.IGNORECASE)
    if vector_match:
        result["vector"] = vector_match.group(1).lower()
    # Extraction de la sévérité depuis les notes ou le tableau
    # Format courant: [low], [medium], [high], [critical] dans les notes
    severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE)
    if severity_match:
        result["severity"] = severity_match.group(1).lower()
    return result
 def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
    """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML."""
    html = _fetch_cve_html(cve_id)
@ -54,16 +77,20 @@ def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
    return bool(pattern.search(html))
-def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]:
+def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]:
-    """Filtre la liste des CVE pour ajouter un flag 'fixable'.
+    """Enrichit les CVEs avec fixable, severity, vector via l'API Debian.
-    Retourne (cve_avec_flag, nombre_actionnables)."""
+    Retourne (cve_enrichies, nombre_actionnables)."""
    if not cves:
        return [], 0
    def check(cve: dict) -> dict:
        try:
-            is_fixable = _is_cve_actionable(cve["id"])
+            # Vérifie si corrigeable
-            cve["fixable"] = is_fixable
+            cve["fixable"] = _is_cve_actionable(cve["id"])
            # Enrichit avec severity et vector
            enriched = _enrich_cve(cve["id"])
            cve["severity"] = enriched["severity"]
            cve["vector"] = enriched["vector"]
            return cve
        except Exception:
            cve["fixable"] = False
@ -219,21 +246,21 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]:
 def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
-    cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"]
+    # Format par défaut (pas de --format) retourne: CVE-ID package
    cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"]
    ok, stdout, stderr = run_cmd(cmd, timeout=120)
    if not ok:
        return False, [], stderr or stdout
    cves = []
    for line in stdout.splitlines():
-        # Format: CVE-XXXX-XXXX package [remote|local] [severity] - description
+        m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line)
        m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\[(remote|local)\])?(?:\s+\[(unimportant|low|medium|high|critical)\])?", line)
        if m:
            cves.append({
                "id": m.group(1),
                "package": m.group(2),
-                "vector": m.group(3) or "?",
+                "vector": "?",
-                "severity": m.group(4) or "?",
+                "severity": "?",
                "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"
            })
    return True, cves, ""
@ -264,9 +291,9 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
        if not cve_ok:
            result.error = cve_err
-        # Filtrer les CVE actionnables via l'API Debian
+        # Enrichir les CVE via l'API Debian (severity, vector, fixable)
        if cve_list:
-            all_cves, actionable_count = filter_actionable_cves(cve_list)
+            all_cves, actionable_count = enrich_cves(cve_list)
            result.cve_list = all_cves
            result.cve_count = actionable_count
            result.cve_total = len(all_cves)
Author	SHA1	Message	Date
enzo	11ada690a1	fix(cve): enrich CVEs with severity/vector from Debian Security Tracker HTML All checks were successful Build and Release .deb / build-deb (push) Successful in 21s Details - debsecan default format has no [remote\|local] or [severity] flags - Now fetches severity and vector from security-tracker.debian.org HTML - scan_cve uses default format (no --format report) - enrich_cves replaces filter_actionable_cves, adds severity+vector	2026-05-13 04:33:05 +02:00
enzo	9107009370	fix(cve): robust parsing of [remote\|local] and [severity] flags All checks were successful Build and Release .deb / build-deb (push) Successful in 22s Details - Use re.findall to extract all bracketed flags instead of positional regex - Fixes issue where optional groups were not captured correctly	2026-05-13 04:23:45 +02:00