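#!/bin/bash
# Download the Ubuntu OVAL CVE definitions for the running release, evaluate
# them with oscap, and open the resulting HTML report in the default browser.
#
# Intended to run inside a snap: $SNAP_NAME and $SNAP_USER_COMMON are the
# snapd-provided environment. Outside a snap they may be unset, which is why
# both are expanded with defaults below.
#
# pipefail matters here: without it a failed wget in the download pipeline is
# masked by the trailing sed (which exits 0 on empty input) and an empty or
# truncated OVAL file would be handed to oscap.
set -euo pipefail

# shellcheck source=/dev/null
source /etc/lsb-release
if [ "${DISTRIB_ID:-}" != "Ubuntu" ]; then
  echo "${SNAP_NAME:-${0##*/}} is only supported on Ubuntu." >&2
  exit 1
fi

# the OVAL definition contains a test that the target machine is running
# $DISTRIB_CODENAME - and this is done via opendir(/etc) and then finding
# the lsb-release file - but snaps can't open /etc (although they can read
# /etc/lsb-release directly) so we copy /etc/lsb-release to
# $SNAP_USER_COMMON such that oscap can then opendir() within
# $SNAP_USER_COMMON as it has full r/w access there
SNAP_USER_COMMON="${SNAP_USER_COMMON:-}"
if [ -n "$SNAP_USER_COMMON" ]; then
  mkdir -p -- "$SNAP_USER_COMMON/etc"
  cp -f -- /etc/lsb-release "$SNAP_USER_COMMON/etc"
  cd -- "$SNAP_USER_COMMON"
fi

OVAL_XML="com.ubuntu.${DISTRIB_CODENAME:?missing from /etc/lsb-release}.cve.oval.xml"
echo "Downloading OVAL data for release ${DISTRIB_DESCRIPTION:-$DISTRIB_CODENAME}..."
# The definitions are fetched over TLS and nothing else verifies them (no
# checksum or signature check happens here), so transport security is the only
# integrity guarantee for what oscap evaluates below.
# wget's -c (resume) has no effect when writing to stdout, so it is not used.
# NOTE(review): the sed replacement assumes $SNAP_USER_COMMON contains no '|',
# '&' or '\' (snapd-provided path) - confirm if this ever runs outside a snap.
wget -q "https://people.canonical.com/~ubuntu-security/oval/$OVAL_XML.bz2" -O - \
  | bunzip2 \
  | sed "s|<ind-def:path>/etc</ind-def:path>|<ind-def:path>$SNAP_USER_COMMON/etc</ind-def:path>|" \
  > "$OVAL_XML"

# One timestamp for both files so a run straddling midnight yields a matching
# results/report pair.
STAMP="$(date -I)"
REPORT_XML="ubuntu-cve-status-$STAMP.xml"
REPORT_HTML="ubuntu-cve-status-$STAMP.html"
echo "Running oscap analysis and generating report $REPORT_HTML..."
oscap oval eval --results "$REPORT_XML" --report "$REPORT_HTML" --verbose ERROR "$OVAL_XML"

# update links to point to our CVE tracker in the report; use https, the same
# scheme the download above already uses for this host, so the report does not
# send the user over plaintext.
sed -i 's|https://cve.mitre.org/cgi-bin/cvename.cgi?name=|https://people.canonical.com/~ubuntu-security/cve/|g' "$REPORT_HTML"
echo "Launching browser to view report $PWD/$REPORT_HTML..."
# $PWD is absolute, so "file://" + "$PWD" forms a well-formed file URL
# (the former "file:///" prefix produced four leading slashes).
xdg-open "file://$PWD/$REPORT_HTML"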