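 def metadata(self) -> dict:
     """Return the core extension metadata merged with the contrib metadata.

     Both YAML documents are loaded with ``utils.from_yaml``; contrib entries
     are merged over the core entries, so a contrib key with the same name
     replaces the core one.

     Returns:
         The merged metadata mapping.

     Raises:
         ExtensionsConfigurationError: if either document does not parse to a
             mapping.
     """
     result = utils.from_yaml(METADATA_PATH)
     contrib = utils.from_yaml(CONTRIB_METADATA_PATH)
     # Validate *before* merging: calling ``dict.update`` on a non-dict result
     # would raise AttributeError before a post-merge check could run, and the
     # contrib document was previously never checked at all.
     if not isinstance(result, dict) or not isinstance(contrib, dict):
         raise ExtensionsConfigurationError(
             f"Unable to parse metadata: {METADATA_PATH} {CONTRIB_METADATA_PATH}")
     result.update(contrib)
     return result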
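def main():
    """Generate per-security-posture RST listings and bundle them in a tar.

    Command-line arguments (``sys.argv``):
        1. path to the core extensions metadata YAML
        2. path to the contrib extensions metadata YAML
        3. output tar path; the RST files are written next to it under
           ``intro/arch_overview/security`` and that directory is archived

    Raises:
        SystemExit: if fewer than three arguments are supplied.
        KeyError: if an extension entry has no ``security_posture`` key.
    """
    if len(sys.argv) < 4:
        raise SystemExit(
            f"usage: {sys.argv[0]} METADATA_YAML CONTRIB_METADATA_YAML OUTPUT_TAR")
    metadata_filepath, contrib_metadata_filepath, output_filename = sys.argv[1:4]
    generated_rst_dir = os.path.dirname(output_filename)
    security_rst_root = os.path.join(generated_rst_dir,
                                     "intro/arch_overview/security")

    extension_db = utils.from_yaml(metadata_filepath)
    contrib_extension_db = utils.from_yaml(contrib_metadata_filepath)
    # Tag contrib entries so the rendered item can tell them apart; a contrib
    # entry with the same name as a core extension replaces the core entry.
    for contrib_metadata in contrib_extension_db.values():
        contrib_metadata['contrib'] = True
    extension_db.update(contrib_extension_db)

    pathlib.Path(security_rst_root).mkdir(parents=True, exist_ok=True)

    # Group extension names by their declared security posture.
    security_postures = defaultdict(list)
    for extension, metadata in extension_db.items():
        security_postures[metadata['security_posture']].append(extension)

    for posture, extensions in security_postures.items():
        output_path = pathlib.Path(security_rst_root, f'secpos_{posture}.rst')
        # Work-in-progress extensions are deliberately left out of the listing.
        content = '\n'.join(
            format_item(extension, extension_db[extension])
            for extension in sorted(extensions)
            if extension_db[extension].get('status') != 'wip')
        # Explicit encoding: the default for write_text is locale-dependent.
        output_path.write_text(content, encoding='utf-8')

    # The output tar lives inside generated_rst_dir; TarFile.add skips the
    # archive file it is currently writing, so it does not include itself.
    with tarfile.open(output_filename, "w") as tar:
        tar.add(generated_rst_dir, arcname=".")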
 def __init__(self):
     """Load the protodoc manifest and validate it against its proto schema.

     The YAML document is round-tripped through JSON so that
     ``json_format.Parse`` type-checks every field against
     ``manifest_pb2.Manifest``; the typed message is kept on
     ``self.protodoc_manifest``.
     """
     manifest_path = r.Rlocation('envoy/docs/protodoc_manifest.yaml')
     untyped_manifest = utils.from_yaml(manifest_path)
     # Assign first so the attribute exists, then populate it in place.
     self.protodoc_manifest = manifest_pb2.Manifest()
     as_json = json.dumps(untyped_manifest)
     json_format.Parse(as_json, self.protodoc_manifest)
    'alpha':
        'This extension is functional but has not had substantial production burn time, use only with this caveat.',
    'wip':
        'This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.',
}

# RST banner prepended to docs for work-in-progress API features. Such
# features are explicitly outside the threat model and unsupported by the
# security team, so this text must stay in sync with the threat-model section
# it links to.
WIP_WARNING = (
    '.. warning::\n'
    '   This API feature is currently work-in-progress. API features marked as '
    'work-in-progress are not considered stable, are not covered by the '
    ':ref:`threat model <arch_overview_threat_model>`, are not supported by the '
    'security team, and are subject to breaking changes. Do not use this feature '
    'without understanding each of the previous points.\n\n')

# Bazel runfiles resolver; the labels passed to Rlocation below are
# workspace-relative runfile paths, not plain filesystem paths.
r = runfiles.Create()

# Core and contrib extension metadata, keyed by extension name (see
# build_categories, which iterates these as name -> metadata pairs).
# NOTE(review): assumes utils.from_yaml uses a safe YAML loader — confirm.
EXTENSION_DB = utils.from_yaml(r.Rlocation("envoy/source/extensions/extensions_metadata.yaml"))
CONTRIB_EXTENSION_DB = utils.from_yaml(r.Rlocation("envoy/contrib/extensions_metadata.yaml"))


def build_categories(extensions_db):
    """Invert the extension DB into a category -> [extension name] index.

    Args:
        extensions_db: mapping of extension name to its metadata dict; each
            metadata dict must carry a ``categories`` list.

    Returns:
        A dict mapping each category to the extension names that declare it,
        in the order they were encountered.

    Raises:
        KeyError: if a metadata entry has no ``categories`` key.
    """
    by_category = {}
    for name, info in extensions_db.items():
        for category in info['categories']:
            if category not in by_category:
                by_category[category] = []
            by_category[category].append(name)
    return by_category


# Category -> [extension name] indexes for the core and contrib DBs, built
# once at import time.
EXTENSION_CATEGORIES = build_categories(EXTENSION_DB)
CONTRIB_EXTENSION_CATEGORIES = build_categories(CONTRIB_EXTENSION_DB)
        if cpe == 'N/A':
            continue
        candidate_cve_ids = cpe_revmap.get(
            str(Cpe.from_string(cpe).vendor_normalized()), [])
        for cve_id in candidate_cve_ids:
            cve = cves[cve_id]
            if cve.id in cve_allowlist:
                continue
            if cve_match(cve, metadata):
                possible_cves[cve_id] = cve
                cve_deps[cve_id].append(dep)
    return possible_cves, cve_deps


if __name__ == '__main__':
    cve_config = utils.from_yaml(sys.argv[1])

    # Allow local overrides for NIST CVE database URLs via args.
    urls = sys.argv[2:]
    if not urls:
        current_year = dt.datetime.now().year
        scan_years = range(cve_config["start_year"], current_year + 1)
        urls = [
            cve_config["ndist_url"].format(year=year) for year in scan_years
        ]
    cves, cpe_revmap = download_cve_data(urls)

    possible_cves, cve_deps = cve_scan(cves, cpe_revmap, cve_config["ignore"],
                                       dep_utils.repository_locations())
    if possible_cves:
        print(