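#!/usr/bin/perl -w
#

use Cwd qw(getcwd);
use File::Basename qw(dirname);

# Locate the directory this script lives in and append it to @INC so that
# the helper modules shipped next to it can be loaded with require.
# The path is computed in-process: the previous `dirname $0` / `pwd`
# backticks handed $0 to a shell unquoted, so a script path containing
# spaces or shell metacharacters was split or interpreted by the shell.
my $dn = dirname($0);
my $pwd = getcwd();
if ($dn !~ m{^/}) { $dn = $pwd . "/" . $dn; }	# make a relative path absolute
push @INC,$dn;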

require CanDBReader;
require SMASHData;

use strict;

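# osc command line, pointed at the api.suse.de API endpoint.
my $osc = "osc -A https://api.suse.de/";
# The same command as an argument vector, so the pipes below can be opened
# without a shell in between.
my @osc_cmd = split ' ', $osc;

my %cves = ();		# { CVE -> { PKG -> 1 } }  CVEs mentioned in a Carwos .changes file
my %unfixedcves = ();	# { CVE -> { PKG -> 1 } }  filled by the SMASH pass further down
my %pkgs = ();		# { PKG -> 1 }            packages listed in SUSE:Carwos:1

my %cve2cvss = ();	# CVE -> integer part of the NVD base score (set further down)
my %cve2state = ();	# CVE -> package state (set further down)

# List every package of SUSE:Carwos:1 and scan its changelog for CVE ids.
# Both osc calls use the list form of a pipe open: package names come back
# from the build service and are passed on as single arguments, never
# re-parsed by a shell.
# NOTE(review): a name starting with "-" would still be read by osc as an
# option; confirm the server-side naming rules exclude that.
open(my $car, '-|', @osc_cmd, 'ls', 'SUSE:Carwos:1')
	or die "could not osc ls SUSE:Carwos:1:$!";
while (my $pkg = <$car>) {
	chomp $pkg;

	next unless (length $pkg);		# nothing to query for an empty line
	next if ($pkg =~ /kernel-obs-build/);	# forked, internal, not updated

	$pkgs{$pkg} = 1;
	open(my $changes, '-|', @osc_cmd, 'cat', 'SUSE:Carwos:1', $pkg, "$pkg.changes")
		or die "$osc cat SUSE:Carwos:1 $pkg $pkg.changes:$!";
	while (my $line = <$changes>) {
		# record every CVE id on the line, not just the first one
		while ($line =~ /(CVE-\d{4}-\d{4,})/g) {
			$cves{$1}{$pkg} = 1;
		}
	}
	# A failing osc only shows up when the pipe is closed. Without its
	# changelog the fixes in this package are unknown, so say so instead
	# of silently continuing with incomplete data.
	close($changes)
		or warn "$osc cat SUSE:Carwos:1 $pkg $pkg.changes failed (status $?): fixed CVEs of $pkg may be missing\n";
}
# If the listing itself failed, %pkgs is empty or truncated and the report
# would wrongly show few or no unfixed CVEs; stop rather than print that.
close($car)
	or die "$osc ls SUSE:Carwos:1 failed (status $?): $!";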

#print "Fixed car cves: " . join(",",sort keys %cves) . "\n";

#open(CVSS,">allreports.txt");
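# Second pass: every CVE known to the CVE database (the keys of
# %CanDBReader::bugzillas) that no Carwos changelog mentions is looked up in
# SMASH. If a 15-SP2 product lists a package that Carwos ships in a state
# other than "Not affected" or "Ignore", the CVE is recorded as unfixed.
foreach my $cve (sort keys %CanDBReader::bugzillas) {
	next if ($cves{$cve}); # already fixed

	read_smash_issue($cve);

	# Stays 0 unless the assignment in the package loop below is re-enabled.
	my $refetchsmash = 0;

	# No package state in SMASH: the CVE is skipped and never appears in
	# the report.
	next unless (defined($SMASHData::pkgstate{$cve}));

	# { PROD -> { PKG -> STATE } }
	my %prods = %{$SMASHData::pkgstate{$cve}};

	# Only the NVD base score is used below; it stays "unknown" when SMASH
	# has no NVD entry or the entry carries no base_score.
	my $nvdbasescore = "unknown";
	if (defined($SMASHData::cvssv3{$cve})) {
		my $nvd = $SMASHData::cvssv3{$cve}{'National Vulnerability Database'};
		if (defined($nvd) && defined($nvd->{'base_score'})) {
			$nvdbasescore = $nvd->{'base_score'};
		}
	}

	foreach my $prod (keys %prods) {

		next if ($prod !~ /15-SP2/);	# carwos based on 15-sp2

		my %pkgstates = %{$prods{$prod}};

		foreach my $pkg (sort keys %pkgstates) {
			#$pkg = "kernel-source-rt" if ($pkg eq "kernel-source");
			next unless ($pkgs{$pkg}); # not in car os

			my $state = $pkgstates{$pkg};

			next if ($state eq "Not affected");
			next if ($state eq "Ignore");

			$unfixedcves{$cve}{$pkg} = 1;
			#$refetchsmash = 1;

			# One state per CVE: with several matching packages or
			# products the last one visited wins, and the product
			# order (keys %prods) is not fixed.
			$cve2state{$cve} = $state;
		}
	}

	# Integer part of the NVD base score. \d+ instead of the former \d*:
	# \d* also matched the empty string, so "unknown" produced "" and the
	# fallback value 42 could never be used.
	my $basenum = 42;
	if ($nvdbasescore =~ /^(\d+)/) {
		$basenum = $1;
	}
	$cve2cvss{$cve} = $basenum;

	read_smash_issue($cve,1) if ($refetchsmash);

}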

# Print the report on STDOUT: a heading, a commented column header, then one
# comma-separated line per unfixed CVE, and finally a provenance line.
# Fields are joined as-is, without quoting or escaping.
print "Following CVEs are unfixed for Carwos:\n";
print "# CVE,state,pkgs,bug\n";
for my $id (sort keys %unfixedcves) {
	# The bug entry is a comma-separated string; only the entry that comes
	# first in string sort order is reported.
	my ($firstbug) = sort(split(/,/, $CanDBReader::bugzillas{$id}));

	# Affected packages, sorted and joined with ";" to stay inside one field.
	my $pkglist = join(";", sort keys %{$unfixedcves{$id}});

	print "$id,$cve2state{$id},$pkglist,$firstbug\n";
}

print "This report was generated by $0 from https://gitlab.suse.de/security/cve-database.git at meissner\@maintenance.suse.de\n";
