#!/usr/bin/perl
# NOTE:
#
# This accesses the web site git repo to find the 'vuln.pm' file with the
# proper meta-data!
#
# Shows the number of days each CVE was present in a curl release before
# fixed.
#
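use File::Spec;

# Root of the curl-www checkout: first command-line argument, else a sibling
# directory. The path is made absolute because require() only skips the @INC
# search for names that start with "/", "./" or "../"; a bare relative
# argument such as "curl-www" would otherwise be looked up along @INC, where
# it either is not found or resolves to a different file than intended.
my $webroot = File::Spec->rel2abs($ARGV[0] || "../curl-www");

# NOTE: require compiles and runs vuln.pm as Perl code with this script's
# privileges, so only point this script at a checkout you trust.
require "$webroot/docs/vuln.pm";

# Path of the release table; read by relinfo().
$csv = "$webroot/docs/releases.csv";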
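# Load the release table named by the global $csv.
#
# Each line is a ';'-separated record; field 1 is the version and field 3 the
# release date. Fills the globals %release (version => date) and @inorder
# (versions in file order), and leaves the date of the final line in $p.
# Dies if the file cannot be opened, since every later calculation depends
# on this table.
sub relinfo {
    # Three-argument open with a lexical handle: the file name is never
    # parsed for a mode or trimmed, and a failure is reported instead of
    # silently leaving %release empty.
    open(my $fh, "<", $csv)
        or die "cve-age: cannot open $csv: $!\n";
    while(my $line = <$fh>) {
        chomp $line;
        my ($version, $date) = (split(';', $line))[1, 3];
        $release{$version} = $date;
        push @inorder, $version;
        $p = $date; # remember the last date, which is the earliest
    }
    close($fh);
}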
# Load the release table before the CVE records below look up release dates
# in %release.
relinfo();
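# Number of whole days from $prev to $date.
#
# Both arguments are date strings in any form date(1) -d accepts. The dates
# are evaluated in UTC so that a daylight-saving shift between the two local
# midnights cannot make the difference fall one hour short of a whole day
# and be truncated to the previous day count.
sub deltadays {
    my ($prev, $date) = @_;
    my $psecs = _epoch_secs($prev);
    my $secs = _epoch_secs($date);
    return int(($secs-$psecs)/86400);
}

# Epoch seconds for one date string, or 0 when date(1) produces no number.
sub _epoch_secs {
    my ($when) = @_;
    $when = "" unless defined $when;

    # List-form pipe open: the string reaches date as a single argv entry
    # and is never parsed by a shell, so quotes, '$' or backticks in a CSV
    # or vuln.pm field cannot turn into a command.
    my $pid = open(my $out, "-|", "date", "-u", "+%s", "-d", $when);
    if(!$pid) {
        warn "cve-age: cannot run date: $!\n";
        return 0;
    }
    my $line = <$out>;
    close($out);
    return (defined $line && $line =~ /^(-?\d+)/) ? $1 : 0;
}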
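# Arithmetic mean of the arguments.
#
# Returns 0 for an empty list instead of dying on a division by zero; the
# median() in this file also evaluates to 0 when given nothing.
sub average {
    my @p = @_;
    return 0 if(!@p);
    my $sum = 0;
    $sum += $_ for @p;
    return $sum / scalar(@p);
}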
# Median of the arguments: the middle value of the numerically sorted list,
# or the mean of the two middle values when the count is even.
sub median {
    my @sorted = sort { $a <=> $b } @_;
    my $count = scalar(@sorted);
    my $mid = int($count / 2);

    # odd count: a single middle element
    return $sorted[$mid] if($count % 2);

    # even count: average the two elements around the middle
    return ($sorted[$mid - 1] + $sorted[$mid]) / 2;
}
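# Emit one ';'-separated line per CVE, oldest first, with the running
# statistics up to and including that CVE.

# Start of the time axis and initial "previous CVE" date (presumably the
# date of the first release -- confirm against releases.csv).
my $prevdate = "1998-03-20";
my $flaws; # running count of CVEs printed so far
my @pp;    # deltas of the CVEs reported within the trailing 365 days
my @da;    # report dates belonging to @pp, index for index

for(reverse @vuln) {
    # One '|'-separated record per vulnerability. Only $start, $cve, $date,
    # $cissue and $severity are used below; the other names document the
    # record layout.
    my ($id, $start, $stop, $desc, $cve, $date, $rdate, $cwe, $award,
        $area, $cissue, $where, $severity, $issue)=split('\|');

    if($date =~ /^(\d\d\d\d)(\d\d)(\d\d)/) {
        # YYYYMMDD -> YYYY-MM-DD
        my ($y, $m, $d)=(0+$1, 0+$2, 0+$3);
        $date = sprintf("%04d-%02d-%02d", $y, $m, $d);
    }
    else {
        # The value is still handed on unchanged, as before; say so instead
        # of silently computing with a date in an unexpected form.
        warn "cve-age: unexpected date '" . (defined $date ? $date : "") .
            "' in record for " . (defined $cve ? $cve : "?") . "\n";
    }

    if(!defined $start || !defined $release{$start}) {
        # Without a release date deltadays() gets an empty string and the
        # age of this CVE is meaningless; the row is still printed so the
        # output keeps its shape, but the problem is reported.
        warn "cve-age: no release date for first affected version '" .
            (defined $start ? $start : "") . "' (" .
            (defined $cve ? $cve : "?") . ")\n";
    }

    # days the flaw existed in releases before it was reported
    my $delta = deltadays($release{$start}, $date);
    push @da, $date;
    push @pp, $delta;
    push @ppall, $delta;

    if($cissue ne "-") {
        # only C flaws
        push @call, $delta;
    }
    else {
        # only non-C flaws
        push @ncall, $delta;
    }

    if(($severity eq "high") || ($severity eq "critical")) {
        # only high/critical
        push @highall, $delta;
    }
    else {
        push @nhighall, $delta;
    }

    # drop entries older than 365 days from the sliding window
    while(deltadays($da[0], $date) > 365) {
        shift @pp;
        shift @da;
    }

    my $av = average(@pp);
    my $avall = average(@ppall);
    my $med = median(@pp);
    my $medall = median(@ppall);
    my $medc = median(@call);
    my $medhigh = median(@highall);
    my $mednc = median(@ncall);
    my $mednhigh = median(@nhighall);

    # NOTE(review): "%1.f" prints the two medians with zero decimals; if one
    # decimal was intended it would be "%.1f". Left as is because consumers
    # parse this output -- confirm before changing.
    printf "%s;%s;%d;%d;%d;%d;%.1f;%.1f;%1.f;%1.f;%u;%u;%u;%u\n", $cve, $date,
        $delta,
        deltadays("1998-03-20", $date),
        deltadays($prevdate, $date),
        ++$flaws,
        $av, $avall, $med, $medall, $medc, $medhigh, $mednc, $mednhigh;
    $prevdate = $date;
}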