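#!/bin/sh
# Takes a list of identifiers as arguments and prints OVAL definitions from the specified OVAL XML.
# The "p" flag allows for specifying a substring of a package name to return objects naming it from the Vulnerability.
#
# Usage: check-oval [-f] [-p package_name] -u URL ID...
#   -f  re-fetch the document even if a cached copy already exists
#   -p  substring of a package name; definitions with a criterion naming it are printed too
#   -u  URL of the OVAL XML document
#
# The fetched document is pretty-printed and kept zstd-compressed under
# $OVAL_WORKDIR (default /tmp/OVAL) so repeated queries do not re-download it.
set -e

# needcmd: exit 99 if any of the named commands is not available on PATH.
needcmd() {
  for cmd in "$@"; do
    if ! command -v "$cmd" 1>/dev/null 2>&1; then
      printf 'need command: %s\n' "$cmd" >&2
      exit 99
    fi
  done
}
needcmd wget xmllint zstd mktemp

# usage: print the synopsis to stderr and exit 2.
usage() {
  printf "Usage: %s: [-f] [-p package_name] -u URL ID...\n" "$0" >&2
  exit 2
}

# needliteral NAME VALUE: VALUE is spliced into an XPath string literal that is
# delimited by single quotes, so a quote inside it would end the literal and
# rewrite the query. Reject it instead of handing xmllint a malformed or
# altered expression.
needliteral() {
  case $2 in
    *\'*)
      printf '%s must not contain a single quote: %s\n' "$1" "$2" >&2
      exit 2;;
  esac
}

pkgname=''
dofetch=0
url=''
while getopts fp:u: flag; do
  case $flag in
    f) dofetch=1;;
    p) pkgname="$OPTARG";;
    u) url="$OPTARG";;
    ?) usage;;
  esac
done
shift $((OPTIND - 1))
if [ "$#" -eq 0 ] || [ -z "$url" ]; then
  usage
fi
# No-ops: they make the effective values visible in an `sh -x` trace.
: "$url"
: "$@"

for id in "$@"; do
  needliteral 'ID' "$id"
done
needliteral 'package_name' "$pkgname"

# Cache directory. /tmp is shared with other users, so allow an override and,
# when we are the one creating the directory, keep it private to this user.
# An already-existing directory is used as-is.
workdir="${OVAL_WORKDIR:-/tmp/OVAL}"
test -d "$workdir" || mkdir -p -m 0700 "$workdir"
infile="${workdir}/$(basename "$url").zst"

if test "$dofetch" -eq 1 || ! test -f "$infile"; then
  printf '# fetching %s\n' "$(basename "$url")" >&2
  # pipefail is not portable under /bin/sh, so in a wget|xmllint|zstd pipeline
  # a failing wget or xmllint would be invisible to 'set -e' and its partial
  # output would be cached as "$infile" and served on every later run. Run the
  # steps one at a time on temporaries and only move the result into place
  # once all of them have succeeded.
  raw=$(mktemp "${workdir}/fetch.XXXXXX")
  fmt="${raw}.xml"
  tmp="${raw}.zst"
  trap 'rm -f -- "$raw" "$fmt" "$tmp"' EXIT
  wget -q -O "$raw" "$url"
  xmllint --format "$raw" > "$fmt"
  zstd < "$fmt" > "$tmp"
  mv -f -- "$tmp" "$infile"
  printf '# OK\n' >&2
fi

# OVAL documents use namespaces, which xmllint has poor support for from the command line.
# The query needs to end up looking something like:
#
# xmllint --xpath '//*[local-name()="definition"][.//*[local-name()="criterion" and contains(@comment, "pkg")]]/

# Build one "(reference matches ID)" term per argument, joined with "or".
q=''
for id in "$@"; do
  q="${q}${q:+ or }(local-name()='reference' and @ref_id='${id}')"
done
# Select every definition that has a descendant matching any of those terms
# (or, when -p was given, a criterion whose @name contains the substring).
q="//*[local-name()='definition'][.//*[(${q})"
if test -n "$pkgname"; then
  q="${q} or (local-name()='criterion' and contains(@name, '${pkgname}'))"
fi
q="${q}]]"
# No-op; shows the final XPath in an `sh -x` trace.
: "$q"

zstdcat "$infile" |
  xmllint --xpath "$q" -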