fix(cve): enrich CVEs with severity/vector from Debian Security Tracker HTML

- debsecan default format has no [remote|local] or [severity] flags
- Now fetches severity and vector from security-tracker.debian.org HTML
- scan_cve uses default format (no --format report)
- enrich_cves replaces filter_actionable_cves, adds severity+vector

full_updater/app.py

@@ -129,6 +129,7 @@ class FullUpdaterApp(App):
             apt_count=data.get("apt_count", 0),
             cve_count=data.get("cve_count", 0),
             cve_total=data.get("cve_total", 0),
+            os_info=data.get("os_info", ""),
             error=data.get("error", ""),
             skipped=not data and any(t.target_id == target_id and not t.is_host and not lxc_is_running(t.target_id) for t in self.targets),
             cache_time=get_cache_timestamp(cache_id)
@@ -160,6 +161,7 @@ class FullUpdaterApp(App):
                 "timestamp": datetime.now().isoformat(),
                 "apt_count": 0, "apt_packages": [],
                 "cve_count": 0, "cve_total": 0, "cve_list": [],
+                "os_info": "LXC éteint",
                 "error": "LXC éteint"
             })
             self._update_sidebar(target.target_id, result)
@@ -178,6 +180,7 @@ class FullUpdaterApp(App):
             "apt_packages": result.apt_packages,
             "cve_count": result.cve_count,
             "cve_total": result.cve_total,
+            "os_info": result.os_info,
             "cve_list": result.cve_list,
             "error": result.error
         })

full_updater/backend/scanner.py

@@ -17,67 +17,99 @@ def _ensure_cve_api_cache() -> None:
     os.makedirs(CVE_API_CACHE, exist_ok=True)
 
 
-def _fetch_cve_status(cve_id: str) -> dict:
-    """Interroge l'API Debian Security Tracker pour une CVE, avec cache local."""
+def _fetch_cve_html(cve_id: str) -> str:
+    """Récupère le HTML de la page Debian Security Tracker pour une CVE."""
     _ensure_cve_api_cache()
-    cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.json")
+    cache_path = os.path.join(CVE_API_CACHE, f"{cve_id}.html")
 
     if os.path.exists(cache_path):
         try:
             with open(cache_path, "r", encoding="utf-8") as f:
-                return json.load(f)
+                return f.read()
         except Exception:
             pass
 
-    url = f"https://security-tracker.debian.org/tracker/{cve_id}/json"
+    url = f"https://security-tracker.debian.org/tracker/{cve_id}"
     try:
         req = urllib.request.Request(url, headers={"User-Agent": "full-updater/1.0"})
         with urllib.request.urlopen(req, timeout=15) as resp:
-            data = json.load(resp)
+            html = resp.read().decode("utf-8")
             with open(cache_path, "w", encoding="utf-8") as f:
-                json.dump(data, f)
-            return data
+                f.write(html)
+            return html
     except Exception:
-        return {}
+        return ""
+
+
+def _enrich_cve(cve_id: str) -> dict[str, str]:
+    """Récupère la sévérité et le vecteur d'attaque depuis le HTML Debian Security Tracker."""
+    html = _fetch_cve_html(cve_id)
+    if not html:
+        return {"severity": "?", "vector": "?"}
+
+    result = {"severity": "?", "vector": "?"}
+
+    # Extraction de la sévérité depuis le bloc "Vulnerable and fixed packages"
+    # Recherche du motif: <td>remote</td> ou <td>local</td>
+    vector_match = re.search(r'<td[^>]*>\s*(remote|local)\s*</td>', html, re.IGNORECASE)
+    if vector_match:
+        result["vector"] = vector_match.group(1).lower()
+
+    # Extraction de la sévérité depuis les notes ou le tableau
+    # Format courant: [low], [medium], [high], [critical] dans les notes
+    severity_match = re.search(r'\b(unimportant|low|medium|high|critical)\b', html, re.IGNORECASE)
+    if severity_match:
+        result["severity"] = severity_match.group(1).lower()
+
+    return result
 
 
 def _is_cve_actionable(cve_id: str, suite: str = "bookworm") -> bool:
-    """Retourne True si la CVE a un fixed_version pour le suite donné."""
-    data = _fetch_cve_status(cve_id)
-    cve_data = data.get(cve_id, {})
-    debian = cve_data.get("debian", {})
-    suite_data = debian.get(suite, {})
-    return suite_data.get("status") == "resolved" and "fixed_version" in suite_data
+    """Retourne True si la CVE est marquée 'fixed' pour le suite donné dans le HTML."""
+    html = _fetch_cve_html(cve_id)
+    if not html:
+        return False
+
+    # Chercher dans le tableau des packages vulnérables/fixed
+    # Pattern: suite (security)? version fixed
+    # Ex: bookworm 3.0.18-1~deb12u1 fixed
+    pattern = re.compile(rf"<td[^>]*>\s*{re.escape(suite)}\s*(?:\(security\))?\s*</td>\s*<td[^>]*>[^<]+</td>\s*<td[^>]*>\s*fixed\s*</td>", re.IGNORECASE)
+    return bool(pattern.search(html))
 
 
-def filter_actionable_cves(cves: list[dict]) -> tuple[list[dict], int]:
-    """Filtre la liste des CVE pour ne garder que les actionnables.
-    Retourne (cve_actionnables, cve_total)."""
+def enrich_cves(cves: list[dict]) -> tuple[list[dict], int]:
+    """Enrichit les CVEs avec fixable, severity, vector via l'API Debian.
+    Retourne (cve_enrichies, nombre_actionnables)."""
     if not cves:
         return [], 0
 
-    total = len(cves)
-
-    def check(cve: dict) -> dict | None:
+    def check(cve: dict) -> dict:
         try:
-            if _is_cve_actionable(cve["id"]):
+            # Vérifie si corrigeable
+            cve["fixable"] = _is_cve_actionable(cve["id"])
+            # Enrichit avec severity et vector
+            enriched = _enrich_cve(cve["id"])
+            cve["severity"] = enriched["severity"]
+            cve["vector"] = enriched["vector"]
             return cve
         except Exception:
-            pass
-        return None
+            cve["fixable"] = False
+            return cve
 
-    actionable = []
+    all_cves = []
+    actionable_count = 0
     with ThreadPoolExecutor(max_workers=10) as executor:
         futures = [executor.submit(check, cve) for cve in cves]
         for future in futures:
             try:
-                result = future.result()
-                if result:
-                    actionable.append(result)
+                cve = future.result()
+                all_cves.append(cve)
+                if cve.get("fixable"):
+                    actionable_count += 1
             except Exception:
                 pass
 
-    return actionable, total
+    return all_cves, actionable_count
 
 
 @dataclass
@@ -95,6 +127,7 @@ class ScanResult:
     apt_count: int = 0
     cve_count: int = 0
     cve_total: int = 0
+    os_info: str = ""
     apt_packages: list[dict[str, str]] = field(default_factory=list)
     cve_list: list[dict[str, str]] = field(default_factory=list)
     error: str = ""
@@ -130,6 +163,41 @@ def lxc_is_running(vmid: str) -> bool:
     return ok and "running" in stdout.lower()
 
 
+def scan_os(target: Target) -> str:
+    """Récupère le nom, la version complète et le codename de l'OS."""
+    prefix = [] if target.is_host else ["pct", "exec", target.target_id, "--"]
+
+    # 1. Lire /etc/os-release et parser ligne par ligne
+    ok, osrel_out, _ = run_cmd(prefix + ["cat", "/etc/os-release"], timeout=30)
+    os_data = {}
+    if ok:
+        for line in osrel_out.splitlines():
+            line = line.strip()
+            if "=" in line:
+                key, val = line.split("=", 1)
+                val = val.strip().strip('"').strip("'")
+                os_data[key] = val
+
+    # 2. Extraire les champs
+    name = os_data.get("NAME", "")
+    codename = os_data.get("VERSION_CODENAME", "")
+    debian_version_full = os_data.get("DEBIAN_VERSION_FULL", "")
+    version_id = os_data.get("VERSION_ID", "")
+
+    # 3. Construire le libellé final
+    # Avec DEBIAN_VERSION_FULL : NAME DEBIAN_VERSION_FULL (VERSION_CODENAME)
+    # Sans : NAME VERSION_ID (VERSION_CODENAME)
+    version = debian_version_full if debian_version_full else version_id
+
+    if name and version and codename:
+        return f"{name} {version} ({codename})"
+    if name and version:
+        return f"{name} {version}"
+
+    # Fallback : PRETTY_NAME ou "OS inconnu"
+    return os_data.get("PRETTY_NAME", "OS inconnu")
+
+
 def ensure_debsecan_installed(is_host: bool, vmid: str = "") -> tuple[bool, str]:
     if is_host:
         ok, _, _ = run_cmd(["which", "debsecan"])
@@ -178,7 +246,8 @@ def scan_apt(target: Target) -> tuple[bool, list[dict[str, str]], str]:
 
 
 def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
-    cmd = ["debsecan", "--format", "report", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--format", "report", "--suite", "bookworm"]
+    # Format par défaut (pas de --format) retourne: CVE-ID package
+    cmd = ["debsecan", "--suite", "bookworm"] if target.is_host else ["pct", "exec", target.target_id, "--", "debsecan", "--suite", "bookworm"]
     ok, stdout, stderr = run_cmd(cmd, timeout=120)
     if not ok:
         return False, [], stderr or stdout
@@ -187,7 +256,13 @@ def scan_cve(target: Target) -> tuple[bool, list[dict[str, str]], str]:
     for line in stdout.splitlines():
         m = re.match(r"(CVE-\d{4}-\d+)\s+(\S+)", line)
         if m:
-            cves.append({"id": m.group(1), "package": m.group(2), "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"})
+            cves.append({
+                "id": m.group(1),
+                "package": m.group(2),
+                "vector": "?",
+                "severity": "?",
+                "url": f"https://security-tracker.debian.org/tracker/{m.group(1)}"
+            })
     return True, cves, ""
 
 
@@ -216,12 +291,12 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
         if not cve_ok:
             result.error = cve_err
 
-        # Filtrer les CVE actionnables via l'API Debian
+        # Enrichir les CVE via l'API Debian (severity, vector, fixable)
         if cve_list:
-            actionable, total = filter_actionable_cves(cve_list)
-            result.cve_list = actionable
-            result.cve_count = len(actionable)
-            result.cve_total = total
+            all_cves, actionable_count = enrich_cves(cve_list)
+            result.cve_list = all_cves
+            result.cve_count = actionable_count
+            result.cve_total = len(all_cves)
         else:
             result.cve_list = []
             result.cve_count = 0
@@ -231,6 +306,10 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
         result.error = f"debsecan: {debsecan_err}"
     progress_cb()
 
+    # Scan OS
+    result.os_info = scan_os(target)
+    progress_cb()
+
     result.status = "done" if (result.apt_ok and result.cve_ok) else "error"
     if result.error:
         result.status = "error"
@@ -241,6 +320,7 @@ def scan_target(target: Target, progress_cb: Callable) -> ScanResult:
         "apt_packages": result.apt_packages,
         "cve_count": result.cve_count,
         "cve_total": result.cve_total,
+        "os_info": result.os_info,
         "cve_list": result.cve_list,
         "error": result.error
     })

full_updater/ui/detail_screens.py

@@ -9,6 +9,21 @@ except Exception:
     PYPERCLIP_OK = False
 
 
+SCREEN_CSS = """
+    align: left top;
+    padding: 1 2;
+    #toolbar {
+        height: auto;
+        dock: top;
+        margin-bottom: 1;
+    }
+    DataTable {
+        height: 1fr;
+        border: solid $primary;
+    }
+"""
+
+
 class PackageListScreen(Screen):
     BINDINGS = [("b", "back", "Retour")]
     DEFAULT_CSS = """
@@ -75,14 +90,17 @@ class CVEListScreen(Screen):
             with Horizontal(id="toolbar"):
                 yield Button("⬅ Retour", id="cve-back", variant="default")
             table = DataTable(id="cve-table")
-            table.add_columns("CVE-ID", "Paquet", "Lien")
+            table.add_columns("CVE-ID", "Paquet", "Severite", "Vecteur", "Corrigeable", "Lien")
             table.cursor_type = "row"
             for i, cve in enumerate(self.cves):
                 cve_id = cve.get("id", "?")
                 pkg = cve.get("package", "?")
                 url = cve.get("url", "")
+                severity = cve.get("severity", "?")
+                vector = cve.get("vector", "?")
+                fixable = "🟢 Oui" if cve.get("fixable") else "🔴 Non"
                 self.urls[i] = url
-                table.add_row(cve_id, pkg, url)
+                table.add_row(cve_id, pkg, severity, vector, fixable, url)
             yield table
 
     def on_data_table_row_selected(self, event: DataTable.RowSelected):

full_updater/ui/summary.py

@@ -60,16 +60,18 @@ class SummaryPanel(Vertical):
 
         with Vertical(id="summary-body"):
             yield Static("Sélectionnez une cible", id="summary-title")
+            yield Static("", id="summary-os", classes="summary-row")
             yield Button("Mises à jour : -", id="btn-apt", classes="summary-row", variant="default")
             yield Button("CVE : -", id="btn-cve", classes="summary-row", variant="default")
             yield Static("", id="summary-error", classes="summary-row summary-error")
             yield Button("📦 Mettre à jour", id="btn-upgrade", variant="primary")
 
-    def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, error: str, skipped: bool, cache_time: str):
+    def set_target(self, target_id: str, name: str, apt_count: int, cve_count: int, cve_total: int, os_info: str, error: str, skipped: bool, cache_time: str):
         self._current_target_id = target_id
         self._current_target_name = name
 
         title = self.query_one("#summary-title", Static)
+        os_label = self.query_one("#summary-os", Static)
         apt_btn = self.query_one("#btn-apt", Button)
         cve_btn = self.query_one("#btn-cve", Button)
         err_label = self.query_one("#summary-error", Static)
@@ -77,6 +79,7 @@ class SummaryPanel(Vertical):
         cache_label = self.query_one("#summary-cache", Static)
 
         title.update(name if name else "Sélectionnez une cible")
+        os_label.update(os_info if os_info else "")
         cache_label.update(f"Cache : {cache_time}" if cache_time else "")
 
         if skipped:
@@ -105,7 +108,7 @@ class SummaryPanel(Vertical):
         err_label.update("")
         btn.disabled = False
         apt_btn.disabled = apt_count == 0
-        cve_btn.disabled = cve_count == 0
+        cve_btn.disabled = cve_total == 0
 
         # Forcer le refresh de tous les widgets modifiés
         apt_btn.refresh()