Merge ~alexmurray/ubuntu-cve-tracker:active-edit-fix-cvss-handling-for-lp2058614 into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: edea51680121a1f2be1107bec4bcf2b4add47600
Proposed branch: ~alexmurray/ubuntu-cve-tracker:active-edit-fix-cvss-handling-for-lp2058614
Merge into: ubuntu-cve-tracker:master
Diff against target: 56 lines (+23/-2)
1 file modified
scripts/active_edit (+23/-2)
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Steve Beattie Pending
Review via email: mp+462908@code.launchpad.net

Description of the change

scripts/active_edit: fix CVSS handling (LP: #2058614)

When specifying a CVSS rating, the source now needs to be given as well as the
CVSS vector string, separated by a comma - and we also add the base score and
severity to the CVE file.

Signed-off-by: Alex Murray <email address hidden>

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Didn't try it, but LGTM.

review: Approve

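--- a/scripts/active_edit
+++ b/scripts/active_edit
@@ -34,7 +34,7 @@ parser.add_option("-y", "--yes", dest="autoconfirm", help="Do not ask for confir
 parser.add_option("-P", "--public", dest="public_date", help="Record date the CVE went public (default to today in UTC)", metavar="YYYY-MM-DD")
 parser.add_option("--priority", help="Record a priority for the CVE", default=None)
 parser.add_option("-R", "--priority-reason", help="Record a priority reason for the CVE", default=None)
-parser.add_option("-C", "--cvss", help="CVSS3.1 rating", metavar="CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_")
+parser.add_option("-C", "--cvss", help="Assigner and CVSS3.1 rating, separated by a comma", metavar="assigner,CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_", action="append")
 parser.add_option("-d", "--description", help="Description", default=None)
 (options, args) = parser.parse_args()
 
@@ -259,7 +259,11 @@ def create_or_update_cve(cve, packages, priority=None, bug_urls=None,
 print('CVSS:', file=fp)
 for entry in (cvss if cvss else []):
 src, cvss = entry
- print(' %s: %s' % (src, cvss), file=fp)
+ print(' %s: %s [%.1f %s]' %
+ (src,
+ cvss["baseMetricV3"]["cvssV3"]["vectorString"],
+ cvss["baseMetricV3"]["cvssV3"]["baseScore"],
+ cvss["baseMetricV3"]["cvssV3"]["baseSeverity"]), file=fp)
 
 for p in pkgs:
 add_pkg(p, fp, fixed, None, embargoed, break_fixes)
@@ -277,6 +281,16 @@ def update_file_metadata(metadata, value, cve_fp):
 cve_fp.seek(0)
 cve_fp.writelines(cve_content)
 
+def parse_cvss_options(cvsses):
+ parsed = []
+ for cvss in cvsses:
+ parts = cvss.split(",")
+ if len(parts) != 2:
+ raise ValueError("specified CVSS '%s' does not contain a source" % cvss)
+ source = parts[0]
+ vector = parts[1]
+ parsed.append((source, cve_lib.parse_cvss(vector)))
+ return parsed
 
 pkg_db = cve_lib.load_package_db()
 
@@ -304,5 +318,12 @@ if not pat.search(cve):
 print("Bad CVE entry. Should be CVE-XXXX-XXXX\n", file=sys.stderr)
 sys.exit(1)
 
+if options.cvss:
+ try:
+ options.cvss = parse_cvss_options(options.cvss)
+ except Exception as e:
+ print("Error parsing CVSS option: %s" % str(e), file=sys.stderr)
+ sys.exit(1)
+
 create_or_update_cve(cve, pkgs, priority=options.priority, bug_urls=options.bug_urls, ref_urls=options.ref_urls, public_date=options.public_date, desc=options.description, cvss=options.cvss, embargoed=options.embargoed, breakfix=options.breakfix, priority_reason=options.priority_reason)
 sys.exit(0)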
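Review bot: parse_cvss_options (third hunk) only checks that the value splits into two parts, so an empty source (`,CVSS:3.1/...`) passes with `source == ""` and a padded one (`nvd, CVSS:3.1/...`) hands a leading space to cve_lib.parse_cvss, and whatever survives is written verbatim into the CVE file's CVSS block by create_or_update_cve. Strip both halves and reject an empty one, e.g. `source, vector = (p.strip() for p in parts)` followed by `if not source or not vector: raise ValueError("specified CVSS '%s' must be 'source,vector'" % cvss)`; the current message "does not contain a source" is also misleading when the value holds more than one comma. The function has no docstring; a one-liner such as `"""Split each 'source,vector' --cvss value into (source, parsed CVSS)."""` would document the expected format. In the second hunk the new print indexes `cvss["baseMetricV3"]["cvssV3"][...]` with no guard, so if parse_cvss ever returns a mapping without those keys (its return shape is not visible here) the KeyError is raised inside create_or_update_cve, outside the `except Exception` that wraps only parse_cvss_options; create_or_update_cve starts outside the hunk.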
