This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

Send list of installed packages to API #22

Closed
vpetersson opened this issue Mar 12, 2019 · 2 comments · Fixed by #210

Comments

@vpetersson
Contributor

In order to assess the security state of the installed packages, we need to submit the list upstream. This is of course a rather complicated task, so we need to make some assumptions to limit the scope. In the initial version, let's only worry about Debian/Raspbian.

For instance, we can extract all the installed packages, along with their versions from Raspbian by running:

$ sudo dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                                                                  Version                                         Architecture                                    Description
+++-=====================================================================================-===============================================-===============================================-===============================================================================================================================================================================
ii  adduser                                                                               3.115                                           all                                             add and remove users and groups
ii  alsa-utils                                                                            1.1.3-1                                         armhf                                           Utilities for configuring and using ALSA
ii  apparmor                                                                              2.11.0-3+deb9u2                                 armhf                                           user-space parser utility for AppArmor
ii  apt                                                                                   1.4.9                                           armhf                                           commandline package manager
ii  apt-listchanges                                                                       3.10                                            all                                             package change history notification tool
[...]

This is of course not very easily parseable, but serves the purpose of the kind of data we want to send upstream.

@vpetersson
Contributor Author

Let's take a shortcut here for now by doing the following:

We include debsecan into our package. There's no need for the debian package, as we can just include the Python file as follows:

$ wget  http://git.enyo.de/fw/debian/debsecan.git/debsecan.py
$ python debsecan.py --suite $(lsb_release -sc) --only-fixed
[...]
CVE-2018-1999014 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-1999015 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-6392 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-6621 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-6912 libavcodec57 (fixed, remotely exploitable, low urgency)
CVE-2018-7557 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-7751 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-9841 libavcodec57 (fixed, remotely exploitable, low urgency)
CVE-2019-1000016 libavcodec57 (fixed, remotely exploitable, low urgency)
[...]

Since we don't want to call on this directly, we might need to modify the script slightly.

We then submit this data upstream to our backend so that it is accessible in the dashboard.

As a side-note, we should link each CVE to the following URL for more info:
https://nvd.nist.gov/vuln/detail/{CVE}
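
An added example, not part of the original comment or the project's code: one way to turn debsecan's text output into records that could be submitted upstream, with each CVE linked to the NVD URL given above. The function name and the record field names are assumptions, and the sample input is constructed from the output quoted above plus one made-up non-CVE line.

```python
import json
import re

# Constructed sample: lines copied from the debsecan output quoted above,
# plus one made-up line with a non-CVE identifier.
SAMPLE_OUTPUT = """\
[...]
CVE-2018-1999014 libavcodec57 (fixed, remotely exploitable, medium urgency)
CVE-2018-6912 libavcodec57 (fixed, remotely exploitable, low urgency)
TEMP-0000000-ABCDEF examplepkg (low urgency)
"""

NVD_URL = "https://nvd.nist.gov/vuln/detail/{}"
# "<id> <package>", optionally followed by "(flag, flag, ...)".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+\(([^)]*)\))?$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
URGENCY_SUFFIX = " urgency"


def parse_debsecan(text):
    """Return (findings, skipped) for debsecan's plain-text output."""
    findings, skipped = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped.append(line)  # e.g. banners or truncation markers
            continue
        vuln_id, package, flag_text = match.groups()
        flags = [f.strip() for f in (flag_text or "").split(",") if f.strip()]
        urgency = next((f[:-len(URGENCY_SUFFIX)] for f in flags
                        if f.endswith(URGENCY_SUFFIX)), None)
        findings.append({
            "id": vuln_id,
            "package": package,
            "fixed": "fixed" in flags,
            "remote": "remotely exploitable" in flags,
            "urgency": urgency,
            # Only real CVE ids have an NVD detail page.
            "url": NVD_URL.format(vuln_id) if CVE_RE.match(vuln_id) else None,
        })
    return findings, skipped


if __name__ == "__main__":
    found, ignored = parse_debsecan(SAMPLE_OUTPUT)
    print(json.dumps({"vulnerabilities": found, "unparsed": ignored}, indent=2))
```

Lines that do not match the expected shape are returned separately rather than dropped, so a change in debsecan's output format shows up in the submitted data instead of silently shrinking the vulnerability list.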

@a-martynovich
Contributor

A list of installed packages can be retrieved by

import apt
cache = apt.Cache()
for p in cache:
    if p.is_installed:
        print('{} {}'.format(p.installed.package.name, p.installed.version))
