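def metadata(self) -> dict:
    """Return the merged extension metadata from the core and contrib YAML files.

    Both files must parse to a mapping. Entries loaded from
    CONTRIB_METADATA_PATH replace same-named entries from METADATA_PATH.

    Raises:
        ExtensionsConfigurationError: if either file does not parse to a mapping.
    """
    result = utils.from_yaml(METADATA_PATH)
    contrib = utils.from_yaml(CONTRIB_METADATA_PATH)
    # Validate both documents before merging: calling .update() on a non-dict
    # would surface as a bare AttributeError instead of the configuration
    # error callers expect, and the contrib document was never checked at all.
    if not isinstance(result, dict) or not isinstance(contrib, dict):
        raise ExtensionsConfigurationError(
            f"Unable to parse metadata: {METADATA_PATH} {CONTRIB_METADATA_PATH}")
    result.update(contrib)
    return result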
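def main():
    """Generate per-security-posture extension RST pages and bundle them into a tarball.

    Positional arguments (sys.argv):
      1: core extension metadata YAML
      2: contrib extension metadata YAML
      3: output tarball path; the RST tree is generated next to it and archived
    """
    if len(sys.argv) < 4:
        raise SystemExit(
            f"usage: {sys.argv[0]} METADATA_YAML CONTRIB_METADATA_YAML OUTPUT_TAR")
    metadata_filepath, contrib_metadata_filepath, output_filename = sys.argv[1:4]
    generated_rst_dir = os.path.dirname(output_filename)
    security_rst_root = os.path.join(generated_rst_dir, "intro/arch_overview/security")

    extension_db = utils.from_yaml(metadata_filepath)
    contrib_extension_db = utils.from_yaml(contrib_metadata_filepath)
    # Tag contrib entries so the formatter can tell them apart. Note that a contrib
    # extension with the same name as a core one replaces the core entry outright.
    for contrib_metadata in contrib_extension_db.values():
        contrib_metadata['contrib'] = True
    extension_db.update(contrib_extension_db)

    pathlib.Path(security_rst_root).mkdir(parents=True, exist_ok=True)

    # Group extension names by their declared security posture. A missing posture
    # is a metadata error; name the offending extension instead of a bare KeyError.
    security_postures = defaultdict(list)
    for extension, metadata in extension_db.items():
        try:
            posture = metadata['security_posture']
        except KeyError:
            raise KeyError(
                f"extension {extension!r} has no 'security_posture' in its metadata") from None
        security_postures[posture].append(extension)

    # One page per posture; work-in-progress extensions are deliberately omitted.
    for sp, extensions in security_postures.items():
        output_path = pathlib.Path(security_rst_root, f"secpos_{sp}.rst")
        content = '\n'.join(
            format_item(extension, extension_db[extension])
            for extension in sorted(extensions)
            if extension_db[extension].get('status') != 'wip')
        output_path.write_text(content, encoding="utf-8")

    # The tarball is written inside the directory being archived, so skip the
    # (partially written) archive itself when walking that directory.
    output_rel = os.path.normpath(os.path.relpath(output_filename, generated_rst_dir))

    def _skip_self(tarinfo):
        if os.path.normpath(tarinfo.name) == output_rel:
            return None
        return tarinfo

    with tarfile.open(output_filename, "w") as tar:
        tar.add(generated_rst_dir, arcname=".", filter=_skip_self)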
def __init__(self):
    """Load the protodoc manifest into a typed Manifest proto.

    The YAML is read untyped, re-emitted as JSON and then parsed into the
    protobuf message so that the proto parser performs the type checking.
    """
    manifest_path = r.Rlocation('envoy/docs/protodoc_manifest.yaml')
    untyped_manifest = utils.from_yaml(manifest_path)
    self.protodoc_manifest = manifest_pb2.Manifest()
    as_json = json.dumps(untyped_manifest)
    json_format.Parse(as_json, self.protodoc_manifest)
'alpha': 'This extension is functional but has not had substantial production burn time, use only with this caveat.',
'wip': 'This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.',
}

# Admonition emitted for API features that are still work-in-progress.
WIP_WARNING = (
    '.. warning::\n This API feature is currently work-in-progress. API features marked as '
    'work-in-progress are not considered stable, are not covered by the :ref:`threat model '
    '<arch_overview_threat_model>`, are not supported by the security team, and are subject to '
    'breaking changes. Do not use this feature without understanding each of the previous '
    'points.\n\n')

r = runfiles.Create()
EXTENSION_DB = utils.from_yaml(r.Rlocation("envoy/source/extensions/extensions_metadata.yaml"))
CONTRIB_EXTENSION_DB = utils.from_yaml(r.Rlocation("envoy/contrib/extensions_metadata.yaml"))


def build_categories(extensions_db):
    """Invert an extension db into a mapping of category -> list of extension names.

    Every extension is listed under each entry of its 'categories' list, in
    db iteration order, so the same name may appear under several categories.
    """
    by_category = {}
    for name, meta in extensions_db.items():
        for category in meta['categories']:
            members = by_category.get(category)
            if members is None:
                members = by_category[category] = []
            members.append(name)
    return by_category


EXTENSION_CATEGORIES = build_categories(EXTENSION_DB)
CONTRIB_EXTENSION_CATEGORIES = build_categories(CONTRIB_EXTENSION_DB)
if cpe == 'N/A': continue candidate_cve_ids = cpe_revmap.get( str(Cpe.from_string(cpe).vendor_normalized()), []) for cve_id in candidate_cve_ids: cve = cves[cve_id] if cve.id in cve_allowlist: continue if cve_match(cve, metadata): possible_cves[cve_id] = cve cve_deps[cve_id].append(dep) return possible_cves, cve_deps if __name__ == '__main__': cve_config = utils.from_yaml(sys.argv[1]) # Allow local overrides for NIST CVE database URLs via args. urls = sys.argv[2:] if not urls: current_year = dt.datetime.now().year scan_years = range(cve_config["start_year"], current_year + 1) urls = [ cve_config["ndist_url"].format(year=year) for year in scan_years ] cves, cpe_revmap = download_cve_data(urls) possible_cves, cve_deps = cve_scan(cves, cpe_revmap, cve_config["ignore"], dep_utils.repository_locations()) if possible_cves: print(