#!/usr/bin/perl
# NOTE:
#
# This accesses the web site git repo to find the 'vuln.pm' file with the
# proper meta-data!
#
# Shows the number of days each CVE was present in a curl release before
# fixed.
#
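# Root of the curl-www checkout: first command-line argument, else the
# sibling directory.
my $webroot = $ARGV[0] || "../curl-www";

# vuln.pm is loaded with require, which runs the file as Perl code inside
# this process: point $webroot only at a checkout you trust.
my $vulnpm = "$webroot/docs/vuln.pm";

# require searches @INC unless the path is absolute or starts with "./" or
# "../", and "." is no longer in @INC since Perl 5.26. Anchor plain relative
# paths (e.g. "curl-www") to the current directory so they keep loading.
$vulnpm = "./$vulnpm" unless $vulnpm =~ m{\A(?:/|\.\.?/)};
require $vulnpm;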
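# Return the number of whole days from $prev to $date (negative when $date
# is the earlier of the two).
#
# Both arguments are calendar dates written as YYYY-MM-DD or YYYYMMDD.
# Returns -1 when either argument is missing, malformed, or not a real
# calendar date.
#
# The arithmetic is done in-process and in UTC instead of shelling out to
# date(1) for two reasons:
#  - the date strings come from the vuln.pm data file, and interpolating
#    them into a shell command line would let shell metacharacters in that
#    data run as commands;
#  - local-time midnights are not always 86400 seconds apart (DST), which
#    makes the truncating division lose a day for some ranges.
sub deltadays {
    my ($prev, $date) = @_;

    # Core module; loaded here so the block does not depend on a file-level
    # import.
    require Time::Local;

    my @epoch;
    for my $when ($prev, $date) {
        # Strict, fully anchored match: nothing but digits and the two
        # optional dashes is accepted. The year must have four significant
        # digits so timegm() never applies its two-digit-year heuristics.
        return -1 unless defined $when
            && $when =~ /\A([1-9][0-9]{3})-?([0-9]{2})-?([0-9]{2})\z/;
        my ($y, $m, $d) = ($1, $2, $3);

        # timegm() croaks on impossible dates (month 13, Feb 30, ...).
        my $secs = eval { Time::Local::timegm(0, 0, 0, $d, $m - 1, $y) };
        return -1 unless defined $secs;
        push @epoch, $secs;
    }

    # Both values are UTC midnights, so the division is exact.
    return int(($epoch[1] - $epoch[0]) / 86400);
}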
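# Return the arithmetic mean of the numbers passed in.
#
# An empty argument list yields 0 instead of dying with "Illegal division
# by zero"; the caller's rolling window can be empty when the entry being
# processed falls outside its own 365-day window.
sub average {
    my @p = @_;
    return 0 unless @p;

    my $sum = 0;
    $sum += $_ for @p;
    return $sum / scalar(@p);
}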
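# Rolling window: fix times (days) and the matching report dates of the
# entries reported within 365 days of the fix date currently processed.
my @pp;
my @da;
# Fix times of every accepted entry so far, and the running entry count.
my @ppall;
my $flaw = 0;

# @vuln is expected to be provided by the vuln.pm file loaded above; each
# element is one '|'-separated record. Records are walked in reverse order.
for my $entry (reverse @vuln) {
    my ($id, $start, $stop, $desc, $cve, $date, $report) =
        split(/\|/, $entry);

    # Rewrite a leading YYYYMMDD as YYYY-MM-DD; anything else is passed on
    # unchanged and left for deltadays() to deal with.
    for my $when ($date, $report) {
        if(defined $when && $when =~ /^(\d\d\d\d)(\d\d)(\d\d)/) {
            $when = sprintf("%04d-%02d-%02d", $1, $2, $3);
        }
    }

    my $delta = deltadays($report, $date);
    if($delta < 0) {
        # ignore invalid date ranges
        next;
    }
    push @da, $report;
    push @pp, $delta;
    push @ppall, $delta;

    # Drop entries reported more than 365 days before this fix date. The
    # @da check stops the loop once the window is empty; without it an
    # entry that took over a year to fix empties the window and an
    # undefined date is handed to deltadays().
    while(@da && deltadays($da[0], $date) > 365) {
        shift @pp;
        shift @da;
    }

    # The window can be empty here (see above); report 0 for it rather
    # than asking average() to divide by zero.
    my $av = @pp ? average(@pp) : 0;
    my $avall = average(@ppall);

    # CVE; report date; fix time in days; 12-month average; running entry
    # count; average over all entries so far
    ++$flaw;
    printf "%s;%s;%d;%.1f;%d;%.1f;\n",
        $cve, $report, $delta, $av, $flaw, $avall;
}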