summaryrefslogtreecommitdiffstats
path: root/Makefile
blob: d58e9b0e7e57a834f32da67ec0bcb17550baccfb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
PYTHON_MODULES = $(wildcard lib/python/*.py)

MIRROR = http://debian.csail.mit.edu/debian
SECURITY_MIRROR = http://security.debian.org/debian-security

# Include the definitions of the releases to be fetched
include lib/*-releases.mk

# There's a "RELEASES" variable defining the name of all releases to
# process. Then for each release, there are 5 associated variables:
# <name>_MIRROR: the base URL of the mirror hosting the repository
# <name>_DIST: the sub-directory in $MIRROR/dists so that
#              $MIRROR/dists/$DIST/Release is a valid URL
# <name>_ARCHS: the list of architectures supported in this release
# <name>_RELEASE: the release name for the security tracker
# <name>_SUBRELEASE: the sub-release identifier for the security tracker

all:
	bin/update-db data/security.db

clean:
	-rm -f data/security.db lib/python/test_security.db
	-rm -f stamps/*-*

.PHONY: check check-syntax

test check: check-syntax

SYNTAX_STAMPS = $(patsubst %,stamps/%-syntax,$(shell bin/check-syntax --get))
check-syntax: $(SYNTAX_STAMPS)
stamps/%-syntax: data/%/list bin/check-syntax $(PYTHON_MODULES)
	bin/check-syntax $* data/$*/list
	touch $@

.PHONY: serve
serve:
	@bash bin/test-web-server

.PHONY: update-packages
update-packages: $(foreach release,$(RELEASES),update-$(release))

# This rule is a bit complicated as we need to escape $ for the shell twice,
# once for the eval and once for the usual make processing
define add_update_rule =
.PHONY: update-$(1)
update-$(1):
	set -e; \
	prefix="$$($(1)_RELEASE)_$$($(1)_SUBRELEASE)"; \
	dist="$$($(1)_DIST)"; \
	mirror="$$($(1)_MIRROR)"; \
	for section in main contrib non-free ; do \
		bin/apt-update-file \
		    $$$$mirror/dists/$$$$dist/$$$$section/source/Sources \
		    data/packages/$$$${prefix}_$$$${section}_Sources ; \
	        for arch in $$($(1)_ARCHS) ; do \
			bin/apt-update-file \
				$$$$mirror/dists/$$$$dist/$$$$section/binary-$$$$arch/Packages \
				data/packages/$$$${prefix}_$$$${section}_$$$${arch}_Packages ; \
		done; \
	done

endef
$(foreach release,$(RELEASES),$(eval $(call add_update_rule,$(release))))

# Define some common aliases
.PHONY: update-main update-security update-backports
update-main: $(foreach release,$(MAIN_RELEASES),update-$(release))
update-security: $(foreach release,$(SECURITY_RELEASES),update-$(release)_security)
update-backports: $(foreach release,$(BACKPORT_RELEASES),update-$(release)_backports)

supported-update-targets:
	@echo -n "main security backports "
	@echo -n "$(RELEASES) "
	@echo -n "packages lists nvd"

# Other custom update rules
update-lists:
	git fetch -q origin && git checkout -f origin/master -- data

# Since October 16, 2015 the XML data feeds are no longer available for
# download in an uncompressed format.
# As per October 16, 2019, the XML data feeds were discontinued and NVD
# only provides JSON feeds. Cf. https://bugs.debian.org/942670
update-nvd:
	mkdir -p data/nvd
	for x in $$(seq 2002 $$(date +%Y)) ; do \
	  name=nvdcve-1.1-$$x.json.gz; \
	  wget -q -Odata/nvd/$$name https://nvd.nist.gov/feeds/json/cve/1.1/$$name || true; \
	  gzip -f -d data/nvd/$$name || true; \
	done
	bin/update-nvd data/nvd/nvdcve-*.json

# Experimental code to compare the Debian and NVD CVE databases using
# CPE values as common key.
update-compare-nvd:
	mkdir -p data/nvd2
	for x in $$(seq 2002 $$(date +%Y)) ; do \
	  name=nvdcve-2.0-$$x.xml.gz; \
	  wget -q -Odata/nvd2/$$name https://static.nvd.nist.gov/feeds/xml/cve/$$name || true ; \
	  gzip -f -d data/nvd2/$$name || true; \
	done
	bin/compare-nvd-cve 2> compare-nvd-cve.log

update-all: update-nvd update-lists update-packages all

© 2014-2022 Faster IT GmbH | imprint | privacy policy