#!/usr/bin/perl
# NOTE:
#
# This accesses the web site git repo to find the 'vuln.pm' file with the
# proper meta-data!
#
# Shows the number of days each CVE was present in a curl release before
# fixed.
#
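# Root of the curl-www checkout: the first command-line argument, or the
# sibling directory "../curl-www" when none is given.
my $webroot = $ARGV[0] || "../curl-www";

# require() searches @INC for any path that is neither absolute nor starts
# with "./" or "../". A bare relative root such as "curl-www" would then not
# be found, or could resolve to a different file somewhere in @INC.
# Anchoring the root to an absolute path makes the load unambiguous.
require File::Spec;
$webroot = File::Spec->rel2abs($webroot);

# vuln.pm is executed as Perl code inside this process, so $webroot must
# point at a checkout you trust. It presumably defines @vuln, which this
# script reads but never assigns -- confirm against vuln.pm.
require "$webroot/docs/vuln.pm";

# Release table read by relinfo(); kept as a package global because
# relinfo() refers to it by that name.
$csv = "$webroot/docs/releases.csv";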
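# Read the release table named by $csv and record each release's date.
#
# Fills these package globals:
#   %release - version string => date (second and fourth field of a row)
#   @inorder - version strings in file order
#   $p       - date of the last row read
#
# Takes no arguments. Dies if the table cannot be opened.
sub relinfo {
    # Three-argument open with a lexical handle: the file name is never
    # parsed for mode characters, and a missing or unreadable table stops
    # the run instead of silently producing statistics from no data.
    open(my $fh, '<', $csv)
        or die "cannot open release table '$csv': $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        # Fields are ';'-separated; only the version and date are used.
        my ($version, $date) = (split(';', $line))[1, 3];
        $release{$version} = $date;
        push @inorder, $version;
        $p = $date; # remember the last date, which is the earliest
    }
    close($fh);
}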
# Populate %release before the main loop looks up each flaw's first
# affected version in it.
relinfo();
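# Convert a date string to epoch seconds using the external date(1) command
# (relies on its -d option). The command is started from an argument list,
# so the date text is passed as a single argument and no shell parses it.
# Returns 0, with a warning, when date(1) prints no number; 0 is also what
# an empty result would have become in the subtraction below.
sub _epoch_of {
    my ($when) = @_;
    $when = '' unless defined $when;
    my $out = '';
    # -u: read date-only strings as UTC so that two dates are always a whole
    # number of days apart, whatever the local daylight saving rules are.
    if (open(my $pipe, '-|', 'date', '-u', '+%s', '-d', $when)) {
        my $first = <$pipe>;
        $out = $first if defined $first;
        close($pipe);
    }
    chomp $out;
    if ($out !~ /\A-?\d+\z/) {
        warn "deltadays: cannot parse date '$when'\n";
        return 0;
    }
    return $out;
}

# Number of whole days from $prev to $date; negative when $date is earlier.
#
#   $prev, $date - date strings understood by date(1) -d
#
# The result is truncated toward zero by int().
sub deltadays {
    my ($prev, $date) = @_;
    my $psecs = _epoch_of($prev);
    my $secs  = _epoch_of($date);
    return int(($secs - $psecs) / 86400);
}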
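# Arithmetic mean of the numbers passed in.
#
# Returns 0 for an empty argument list instead of dying with a division by
# zero; median() in this file also evaluates to 0 when given no values.
sub average {
    my @values = @_;
    return 0 unless @values;
    my $sum = 0;
    $sum += $_ for @values;
    return $sum / scalar(@values);
}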
# Median of the numbers passed in: the middle value of the numerically
# sorted list, or the mean of the two middle values when the count is even.
sub median {
    my @sorted = sort { $a <=> $b } @_;
    my $count  = scalar @sorted;
    my $mid    = int($count / 2);

    # Odd count: one element sits exactly in the middle.
    return $sorted[$mid] if $count % 2;

    # Even count: average the two elements around the middle.
    return ($sorted[$mid - 1] + $sorted[$mid]) / 2;
}
my $amount = 0; # not referenced again in this file
my $prevdate = "1998-03-20"; # overwritten with each row's date at the end of the main loop; never read back
my $flaws; # running count of rows printed; pre-incremented inside the main loop's printf
my @pp; # not referenced again in this file
my @da; # not referenced again in this file
# Convert a number of days into years, counting 365.25 days per year.
sub conv {
    my $days = shift;
    my $days_per_year = 365.25;
    return $days / $days_per_year;
}
# Format a number of days as years with two decimals, e.g. for a CSV cell.
# The day-to-year conversion is delegated to conv().
sub since {
    my $days = shift;
    my $years = conv($days);
    return sprintf("%.2f", $years);
}
# Seed row for the 1998-03-20 starting date, printed verbatim.
printf "-;1998-03-20;;0;;;;;;;;;\n";

# Reference dates for the six "years since" columns, each annotated with
# the release it is labelled with.
my @since_dates = (
    "2002-10-01", # 7.10
    "2006-10-30", # 7.16.0
    "2010-06-16", # 7.21.0
    "2014-09-10", # 7.38.0
    "2018-07-11", # 7.61.0
    "2022-08-31", # 7.85.0
);

# One output row per @vuln entry, walked in reverse order. Each entry is a
# '|'-separated record; only $start, $cve, $date and $severity are used.
for my $entry (reverse @vuln) {
    my ($id, $start, $stop, $desc, $cve, $date, $rdate, $cwe, $award,
        $area, $cissue, $where, $severity, $issue) = split('\|', $entry);

    # A date beginning with eight digits (YYYYMMDD) is rewritten as
    # YYYY-MM-DD; any other value is passed on unchanged.
    if (my @ymd = $date =~ /^(\d\d\d\d)(\d\d)(\d\d)/) {
        ($y, $m, $d) = map { 0 + $_ } @ymd;
        $date = sprintf("%04d-%02d-%02d", $y, $m, $d);
    }

    # $release{$start} and $date are handed to deltadays(), which feeds
    # them to the external date command, so the records have to come from
    # the trusted website checkout.
    my $age_days = deltadays($release{$start}, $date);
    push @ppall, $age_days;
    my $mean_days   = average(@ppall);
    my $median_days = median(@ppall);

    # Only the column matching this flaw's severity gets a value; the other
    # two stay undefined and print as empty cells. Any other severity
    # leaves all three empty.
    my %years_at = (medium => undef, high => undef, critical => undef);
    if (exists $years_at{$severity}) {
        $years_at{$severity} = sprintf("%.2f", conv($age_days));
    }

    printf "%s;%s;%.2f;%.2f;%u;%.2f;%.2f;%s;%s;%s;%s;%s;%s;%s;%s;%s\n",
        $cve, $date,
        conv($age_days),
        conv(deltadays("1998-03-20", $date)),
        ++$flaws,
        conv($mean_days), conv($median_days),
        (map { since(deltadays($_, $date)) } @since_dates),
        @years_at{qw(medium high critical)};

    $prevdate = $date;
}