# Interpreter used to run most of the bin/ helper scripts in the recipes below.
PYTHON = python
# Every Python module under lib/python; the syntax-check stamps list these as
# prerequisites, so editing a module re-runs the checks.
PYTHON_MODULES = $(wildcard lib/python/*.py)
# The following variables need to be kept up-to-date and can be adjusted
OLDOLDSTABLE = wheezy
OLDSTABLE = jessie
STABLE = stretch
TESTING = buster
# NOTE(review): both mirrors are plain http://. The update-<release> recipes
# hand URLs built from <name>_MIRROR to bin/apt-update-file; presumably the
# included release definitions derive <name>_MIRROR from these two values.
# Whether bin/apt-update-file authenticates what it downloads (for example
# against a signed Release file) cannot be seen from this file -- confirm,
# because unauthenticated package indexes fetched over http can be altered in
# transit and would then feed wrong data into the tracker.
MIRROR = http://debian.csail.mit.edu/debian
SECURITY_MIRROR = http://security.debian.org/debian-security
# Architectures per suite; the update-<release> recipes fetch one Packages
# index for each architecture listed in the release's <name>_ARCHS.
wheezy_ARCHS = amd64 armel armhf i386
jessie_ARCHS = amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x
stretch_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
buster_ARCHS = amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x
sid_ARCHS = amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips mips64el mipsel powerpc ppc64el s390x
# The rest of the file should not need to be edited
# Include the definitions of the releases to be fetched
# Every file matching this glob is parsed as makefile text, so anything that
# can write a *-releases.mk file into lib/ controls what this build runs.
include lib/*-releases.mk
# There's a "RELEASES" variable defining the name of all releases to
# process. Then for each release, there are 5 associated variables:
# <name>_MIRROR: the base URL of the mirror hosting the repository
# <name>_DIST: the sub-directory in $MIRROR/dists so that
# $MIRROR/dists/$DIST/Release is a valid URL
# <name>_ARCHS: the list of architectures supported in this release
# <name>_RELEASE: the release name for the security tracker
# <name>_SUBRELEASE: the sub-release identifier for the security tracker
# Recipe echo control: Q is put in front of the update-<release> recipes.
# With V unset or empty it is "@" (make does not echo the command);
# "make V=1" empties it so the full command is printed.
ifeq ($(V),)
Q = @
else
Q =
endif
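# Run bin/update-db on data/security.db.  This is the first rule in this
# file, so it is the default goal unless one of the included
# lib/*-releases.mk files defines a target before it.
# Declared phony so that a stray file named "all" cannot suppress the run.
.PHONY: all
all:
	$(PYTHON) bin/update-db data/security.db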
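# Remove the generated databases and every stamp file whose name contains a
# hyphen (the *-syntax stamps written by the check rules).
# Declared phony so that a stray file named "clean" cannot turn this into a
# no-op.  The leading "-" keeps the second rm running even if the first fails.
.PHONY: clean
clean:
	-rm -f data/security.db lib/python/test_security.db
	-rm -f stamps/*-*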
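# Syntax checks for the advisory lists.  Each stamp file records the last
# successful run of bin/check-syntax on one list, so a list is re-checked only
# after the list, the checker or one of the Python modules has changed.
syntax_kinds := CVE DSA DTSA DLA
syntax_stamps := $(syntax_kinds:%=stamps/%-syntax)

# "test" is an alias for "check"; none of these names is a file, so all three
# are phony ("test" was missing from the declaration before).
.PHONY: test check check-syntax
test check: check-syntax

check-syntax: $(syntax_stamps)

# One static pattern rule replaces four copies of the same rule.
# $* is the list kind (CVE, DSA, DTSA, DLA) and $< is data/<kind>/list.
# touch only runs when the checker exits 0, so a failed check leaves the
# stamp out of date and the next run checks the list again.
$(syntax_stamps): stamps/%-syntax: data/%/list bin/check-syntax $(PYTHON_MODULES)
	$(PYTHON) bin/check-syntax $* $<
	touch $@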
# Run the test web server script; the command itself is not echoed.
# NOTE(review): which address and port the server listens on is decided in
# bin/test-web-server, not here -- confirm it binds to loopback only before
# running this on a shared or exposed host.
.PHONY: serve
serve:
	@bash bin/test-web-server
# Umbrella target: refresh the package indexes of every release in RELEASES.
.PHONY: update-packages
update-packages: $(addprefix update-,$(RELEASES))

# Template for one "update-<release>" rule; $(1) is the release name.
#
# Escaping: the text is expanded once by $(call ...) and the result is parsed
# by $(eval ...), and the recipe is expanded once more when it runs.  So
#   $$(VAR)  becomes a make variable looked up when the recipe runs, and
#   $$$$var  becomes $var, a variable of the shell that runs the recipe.
#
# "define name =" needs GNU Make 3.82 or newer.
#
# The recipe fetches, for main, contrib and non-free, the Sources index and
# one Packages index per architecture into data/packages/.  "set -e" makes
# the whole recipe fail as soon as one bin/apt-update-file call fails, so a
# partial refresh is reported as an error rather than passing silently.
#
# The mirror, dist and architecture values are placed into the shell command
# unquoted.  They come from the release definitions in this repository; keep
# them free of whitespace and shell metacharacters.
# NOTE(review): whether bin/apt-update-file authenticates the files it
# downloads is not visible here -- confirm, especially for http:// mirrors.
define add_update_rule =
.PHONY: update-$(1)
update-$(1):
	$$(Q)set -e; \
	prefix="$$($(1)_RELEASE)_$$($(1)_SUBRELEASE)"; \
	dist="$$($(1)_DIST)"; \
	mirror="$$($(1)_MIRROR)"; \
	for section in main contrib non-free ; do \
	  echo "Fetching $$$$mirror/dists/$$$$dist/$$$$section/source/Sources"; \
	  $$(PYTHON) bin/apt-update-file \
	    $$$$mirror/dists/$$$$dist/$$$$section/source/Sources \
	    data/packages/$$$${prefix}_$$$${section}_Sources ; \
	  for arch in $$($(1)_ARCHS) ; do \
	    echo "Fetching $$$$mirror/dists/$$$$dist/$$$$section/binary-$$$$arch/Packages"; \
	    $$(PYTHON) bin/apt-update-file \
	      $$$$mirror/dists/$$$$dist/$$$$section/binary-$$$$arch/Packages \
	      data/packages/$$$${prefix}_$$$${section}_$$$${arch}_Packages ; \
	  done; \
	done
endef

# Instantiate the template once per release.
$(foreach release,$(RELEASES),$(eval $(call add_update_rule,$(release))))
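# Replace the working-tree copy of data/ with the version on origin/master.
# "checkout -f ... -- data" overwrites uncommitted local edits under data/
# without asking; commit or stash them first.
# NOTE(review): whatever the "origin" remote serves is taken as-is; no commit
# or tag signature is checked here, so the integrity of data/ rests on the
# transport and on the trustworthiness of that remote.
# Declared phony so that a stray file named "update-lists" cannot suppress it.
.PHONY: update-lists
update-lists:
	git fetch -q origin && git checkout -f origin/master -- data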
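# Since October 16, 2015 the XML data feeds are no longer available for
# download in an uncompressed format.
#
# Download the per-year NVD feeds (2002 up to the current year), unpack them
# into data/nvd and import them with bin/update-nvd.
#
# Downloading stays best-effort: one missing year does not abort the run.
# A failure is now reported on stderr instead of being hidden by "|| true",
# because after a failed download the import below still reads the
# nvdcve-<year>.xml left by an earlier run, i.e. stale data.  A partial .gz
# from a failed download is removed.
# The import uses $(PYTHON), like the other rules, instead of a hard-coded
# "python".
.PHONY: update-nvd
update-nvd:
	mkdir -p data/nvd
	for x in $$(seq 2002 $$(date +%Y)) ; do \
	  name=nvdcve-$$x.xml.gz; \
	  if wget -q -O "data/nvd/$$name" "https://nvd.nist.gov/download/$$name"; then \
	    gzip -f -d "data/nvd/$$name" || \
	      echo "warning: could not unpack data/nvd/$$name" >&2; \
	  else \
	    echo "warning: download of $$name failed; data for $$x may be stale or missing" >&2; \
	    rm -f "data/nvd/$$name"; \
	  fi; \
	done
	$(PYTHON) bin/update-nvd data/nvd/nvdcve-*.xml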
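# Experimental code to compare the Debian and NVD CVE databases using
# CPE values as common key.
#
# Download the per-year NVD 2.0 XML feeds into data/nvd2, unpack them and run
# bin/compare-nvd-cve; its stderr goes to compare-nvd-cve.log.
#
# Downloading stays best-effort, but a failed download or unpack is reported
# on stderr instead of being hidden by "|| true": otherwise the comparison
# would silently run against feeds left over from an earlier run.  A partial
# .gz from a failed download is removed.
.PHONY: update-compare-nvd
update-compare-nvd:
	mkdir -p data/nvd2
	for x in $$(seq 2002 $$(date +%Y)) ; do \
	  name=nvdcve-2.0-$$x.xml.gz; \
	  if wget -q -O "data/nvd2/$$name" "https://static.nvd.nist.gov/feeds/xml/cve/$$name"; then \
	    gzip -f -d "data/nvd2/$$name" || \
	      echo "warning: could not unpack data/nvd2/$$name" >&2; \
	  else \
	    echo "warning: download of $$name failed; data for $$x may be stale or missing" >&2; \
	    rm -f "data/nvd2/$$name"; \
	  fi; \
	done
	bin/compare-nvd-cve 2> compare-nvd-cve.log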
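# Full refresh: NVD feeds, advisory lists, package indexes, then "all"
# (bin/update-db).  "all" is listed last so that it runs after the updates in
# a serial make.  Under "make -j" the prerequisites may run concurrently and
# bin/update-db could then read half-updated data, so run this target
# without -j.
# Declared phony so that a stray file named "update-all" cannot suppress it.
.PHONY: update-all
update-all: update-nvd update-lists update-packages all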