security-stuff/security-diff.sh at main · ppanigra/security-stuff · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
#!/usr/bin/env bash
if [ -z "$3" ] ; then
  echo "Usage: $0 <image> <tag1> <tag2>"
  echo "Example: $0 redis/redis-stack-server 7.0.6 7.2.3"
  exit 1
fi

IMAGE="$1"
TAG1="$2"
TAG2="$3"

# Function to get CVEs for a specific severity
get_cves() {
  local image_tag="$1"
  local severity="$2"
  grype "$image_tag" -o json 2>/dev/null | jq -r ".matches[] | select(.vulnerability.severity == \"$severity\") | .vulnerability.id" | sort -u
}

# Function to analyze CVEs and store results
analyze_cves() {
  local severity="$1"
  local tag1_cves_file="/tmp/tag1_${severity,,}_cves.txt"
  local tag2_cves_file="/tmp/tag2_${severity,,}_cves.txt"

  echo "Scanning ${IMAGE}:${TAG1} for ${severity} CVEs..."
  get_cves "${IMAGE}:${TAG1}" "$severity" > "$tag1_cves_file"

  echo "Scanning ${IMAGE}:${TAG2} for ${severity} CVEs..."
  get_cves "${IMAGE}:${TAG2}" "$severity" > "$tag2_cves_file"

  # Calculate differences and store in global variables
  eval "${severity,,}_addressed=\$(comm -23 \"$tag1_cves_file\" \"$tag2_cves_file\" | wc -l)"
  eval "${severity,,}_not_addressed=\$(comm -12 \"$tag1_cves_file\" \"$tag2_cves_file\" | wc -l)"
  eval "${severity,,}_newly_added=\$(comm -13 \"$tag1_cves_file\" \"$tag2_cves_file\" | wc -l)"
  eval "${severity,,}_total_tag1=\$(wc -l < \"$tag1_cves_file\")"
  eval "${severity,,}_total_tag2=\$(wc -l < \"$tag2_cves_file\")"

  # Calculate percentage changes
  local tag1_count=$(wc -l < "$tag1_cves_file")
  local tag2_count=$(wc -l < "$tag2_cves_file")

  if [ "$tag1_count" -gt 0 ]; then
    # Calculate percentage reduction (positive means improvement)
    if command -v bc >/dev/null 2>&1; then
      local reduction_pct=$(echo "scale=1; (($tag1_count - $tag2_count) * 100.0 / $tag1_count)" | bc)
    else
      # Fallback calculation using awk if bc is not available
      local reduction_pct=$(awk "BEGIN {printf \"%.1f\", (($tag1_count - $tag2_count) * 100.0 / $tag1_count)}")
    fi
    eval "${severity,,}_reduction_pct=\"$reduction_pct\""
  else
    eval "${severity,,}_reduction_pct=\"0.0\""
  fi

  # Store file paths for later detailed output
  eval "${severity,,}_tag1_file=\"$tag1_cves_file\""
  eval "${severity,,}_tag2_file=\"$tag2_cves_file\""
}

# Function to print detailed CVE lists grouped by status then severity
print_detailed_lists() {
  echo ""
  echo "Detailed CVE Analysis:"
  echo "========================================"

  # CVEs Addressed
  if [ "$critical_addressed" -gt 0 ] || [ "$high_addressed" -gt 0 ]; then
    echo ""
    echo "📈 CVEs Addressed in ${TAG2} (Total: $((critical_addressed + high_addressed)))"
    echo "----------------------------------------"

    if [ "$critical_addressed" -gt 0 ]; then
      echo ""
      echo "Critical (${critical_addressed}):"
      comm -23 "$critical_tag1_file" "$critical_tag2_file" | sed 's/^/  - /'
    fi

    if [ "$high_addressed" -gt 0 ]; then
      echo ""
      echo "High (${high_addressed}):"
      comm -23 "$high_tag1_file" "$high_tag2_file" | sed 's/^/  - /'
    fi
  fi

  # CVEs Not Addressed
  if [ "$critical_not_addressed" -gt 0 ] || [ "$high_not_addressed" -gt 0 ]; then
    echo ""
    echo "⚠️  CVEs Not Addressed (Total: $((critical_not_addressed + high_not_addressed)))"
    echo "----------------------------------------"

    if [ "$critical_not_addressed" -gt 0 ]; then
      echo ""
      echo "Critical (${critical_not_addressed}):"
      comm -12 "$critical_tag1_file" "$critical_tag2_file" | sed 's/^/  - /'
    fi

    if [ "$high_not_addressed" -gt 0 ]; then
      echo ""
      echo "High (${high_not_addressed}):"
      comm -12 "$high_tag1_file" "$high_tag2_file" | sed 's/^/  - /'
    fi
  fi

  # Newly Added CVEs
  if [ "$critical_newly_added" -gt 0 ] || [ "$high_newly_added" -gt 0 ]; then
    echo ""
    echo "🔴 Newly Added CVEs in ${TAG2} (Total: $((critical_newly_added + high_newly_added)))"
    echo "----------------------------------------"

    if [ "$critical_newly_added" -gt 0 ]; then
      echo ""
      echo "Critical (${critical_newly_added}):"
      comm -13 "$critical_tag1_file" "$critical_tag2_file" | sed 's/^/  - /'
    fi

    if [ "$high_newly_added" -gt 0 ]; then
      echo ""
      echo "High (${high_newly_added}):"
      comm -13 "$high_tag1_file" "$high_tag2_file" | sed 's/^/  - /'
    fi
  fi

  echo ""
  echo "========================================"
}

echo "Comparing security vulnerabilities between ${IMAGE}:${TAG1} and ${IMAGE}:${TAG2}"
echo ""

# Analyze both severities
analyze_cves "Critical"
analyze_cves "High"

# Calculate totals
total_tag1=$((critical_total_tag1 + high_total_tag1))
total_tag2=$((critical_total_tag2 + high_total_tag2))
total_addressed=$((critical_addressed + high_addressed))
total_not_addressed=$((critical_not_addressed + high_not_addressed))
total_newly_added=$((critical_newly_added + high_newly_added))

# Calculate overall security improvement percentage
if [ "$total_tag1" -gt 0 ]; then
  if command -v bc >/dev/null 2>&1; then
    total_reduction_pct=$(echo "scale=1; (($total_tag1 - $total_tag2) * 100.0 / $total_tag1)" | bc)
  else
    total_reduction_pct=$(awk "BEGIN {printf \"%.1f\", (($total_tag1 - $total_tag2) * 100.0 / $total_tag1)}")
  fi
else
  total_reduction_pct="0.0"
fi

# Print consolidated overview table
echo ""
echo "CVE Overview: ${IMAGE}"
echo "=============================================="
printf "%-20s | %-10s | %-10s | %-10s\n" "Severity" "${TAG1}" "${TAG2}" "Change %"
echo "----------------------------------------------"
printf "%-20s | %-10s | %-10s | %-10s\n" "Critical CVEs" "$critical_total_tag1" "$critical_total_tag2" "${critical_reduction_pct}%"
printf "%-20s | %-10s | %-10s | %-10s\n" "High CVEs" "$high_total_tag1" "$high_total_tag2" "${high_reduction_pct}%"
echo "----------------------------------------------"
printf "%-20s | %-10s | %-10s | %-10s\n" "Total CVEs" "$total_tag1" "$total_tag2" "${total_reduction_pct}%"
echo "=============================================="

# Print consolidated comparison summary
echo ""
echo "Overall Comparison Summary (${TAG1} → ${TAG2}):"
echo "================================================"
printf "%-25s | %-10s | %-10s | %-10s\n" "Metric" "Critical" "High" "Total"
echo "------------------------------------------------"
printf "%-25s | %-10s | %-10s | %-10s\n" "CVEs Addressed" "$critical_addressed" "$high_addressed" "$total_addressed"
printf "%-25s | %-10s | %-10s | %-10s\n" "CVEs Not Addressed" "$critical_not_addressed" "$high_not_addressed" "$total_not_addressed"
printf "%-25s | %-10s | %-10s | %-10s\n" "Newly Added CVEs" "$critical_newly_added" "$high_newly_added" "$total_newly_added"
echo "================================================"

# Print security improvement summary
echo ""
echo "Security Improvement Analysis:"
echo "================================================"
total_reduction_int=$(echo "$total_reduction_pct" | cut -d'.' -f1)
if [ "$total_reduction_int" -gt 0 ]; then
  echo "✅ Overall Security Improvement: ${total_reduction_pct}% reduction in CVEs"
elif [ "$total_reduction_int" -lt 0 ]; then
  echo "❌ Security Regression: ${total_reduction_pct#-}% increase in CVEs"
else
  echo "➖ No Change: Same number of total CVEs"
fi

critical_reduction_int=$(echo "$critical_reduction_pct" | cut -d'.' -f1)
if [ "$critical_reduction_int" -gt 0 ]; then
  echo "🔥 Critical CVEs: ${critical_reduction_pct}% reduction"
elif [ "$critical_reduction_int" -lt 0 ]; then
  echo "🚨 Critical CVEs: ${critical_reduction_pct#-}% increase"
else
  echo "⚪ Critical CVEs: No change"
fi

high_reduction_int=$(echo "$high_reduction_pct" | cut -d'.' -f1)
if [ "$high_reduction_int" -gt 0 ]; then
  echo "🟡 High CVEs: ${high_reduction_pct}% reduction"
elif [ "$high_reduction_int" -lt 0 ]; then
  echo "🟠 High CVEs: ${high_reduction_pct#-}% increase"
else
  echo "⚪ High CVEs: No change"
fi
echo "================================================"

# Print detailed lists for both severities
print_detailed_lists

# Cleanup temp files
rm -f /tmp/tag1_critical_cves.txt /tmp/tag2_critical_cves.txt
rm -f /tmp/tag1_high_cves.txt /tmp/tag2_high_cves.txt