Merge ~alexmurray/ubuntu-cve-tracker:active-edit-fix-cvss-handling-for-lp2058614 into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: edea51680121a1f2be1107bec4bcf2b4add47600
Proposed branch: ~alexmurray/ubuntu-cve-tracker:active-edit-fix-cvss-handling-for-lp2058614
Merge into: ubuntu-cve-tracker:master
Diff against target: 56 lines (+23/-2)
1 file modified
scripts/active_edit (+23/-2)
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Steve Beattie Pending
Review via email: mp+462908@code.launchpad.net

Description of the change

scripts/active_edit: fix CVSS handling (LP: #2058614)

When specifying CVSS, the source must be given as well as the CVSS vector
string, separated by a comma; then also ensure we add the base score and
severity to the CVE file as well.

Signed-off-by: Alex Murray <email address hidden>

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Didn't try it, but LGTM.

review: Approve

diff --git a/scripts/active_edit b/scripts/active_edit
index cb4beb4..84bdb23 100755
--- a/scripts/active_edit
+++ b/scripts/active_edit
@@ -34,7 +34,7 @@ parser.add_option("-y", "--yes", dest="autoconfirm", help="Do not ask for confir
34parser.add_option("-P", "--public", dest="public_date", help="Record date the CVE went public (default to today in UTC)", metavar="YYYY-MM-DD")34parser.add_option("-P", "--public", dest="public_date", help="Record date the CVE went public (default to today in UTC)", metavar="YYYY-MM-DD")
35parser.add_option("--priority", help="Record a priority for the CVE", default=None)35parser.add_option("--priority", help="Record a priority for the CVE", default=None)
36parser.add_option("-R", "--priority-reason", help="Record a priority reason for the CVE", default=None)36parser.add_option("-R", "--priority-reason", help="Record a priority reason for the CVE", default=None)
37parser.add_option("-C", "--cvss", help="CVSS3.1 rating", metavar="CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_")37parser.add_option("-C", "--cvss", help="Assigner and CVSS3.1 rating, separated by a comma", metavar="assigner,CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_", action="append")
38parser.add_option("-d", "--description", help="Description", default=None)38parser.add_option("-d", "--description", help="Description", default=None)
39(options, args) = parser.parse_args()39(options, args) = parser.parse_args()
4040
@@ -259,7 +259,11 @@ def create_or_update_cve(cve, packages, priority=None, bug_urls=None,
259 print('CVSS:', file=fp)259 print('CVSS:', file=fp)
260 for entry in (cvss if cvss else []):260 for entry in (cvss if cvss else []):
261 src, cvss = entry261 src, cvss = entry
262 print(' %s: %s' % (src, cvss), file=fp)262 print(' %s: %s [%.1f %s]' %
263 (src,
264 cvss["baseMetricV3"]["cvssV3"]["vectorString"],
265 cvss["baseMetricV3"]["cvssV3"]["baseScore"],
266 cvss["baseMetricV3"]["cvssV3"]["baseSeverity"]), file=fp)
263267
264 for p in pkgs:268 for p in pkgs:
265 add_pkg(p, fp, fixed, None, embargoed, break_fixes)269 add_pkg(p, fp, fixed, None, embargoed, break_fixes)
@@ -277,6 +281,16 @@ def update_file_metadata(metadata, value, cve_fp):
277 cve_fp.seek(0)281 cve_fp.seek(0)
278 cve_fp.writelines(cve_content)282 cve_fp.writelines(cve_content)
279283
284def parse_cvss_options(cvsses):
285 parsed = []
286 for cvss in cvsses:
287 parts = cvss.split(",")
288 if len(parts) != 2:
289 raise ValueError("specified CVSS '%s' does not contain a source" % cvss)
290 source = parts[0]
291 vector = parts[1]
292 parsed.append((source, cve_lib.parse_cvss(vector)))
293 return parsed
280294
281pkg_db = cve_lib.load_package_db()295pkg_db = cve_lib.load_package_db()
282296
@@ -304,5 +318,12 @@ if not pat.search(cve):
304 print("Bad CVE entry. Should be CVE-XXXX-XXXX\n", file=sys.stderr)318 print("Bad CVE entry. Should be CVE-XXXX-XXXX\n", file=sys.stderr)
305 sys.exit(1)319 sys.exit(1)
306320
321if options.cvss:
322 try:
323 options.cvss = parse_cvss_options(options.cvss)
324 except Exception as e:
325 print("Error parsing CVSS option: %s" % str(e), file=sys.stderr)
326 sys.exit(1)
327
307create_or_update_cve(cve, pkgs, priority=options.priority, bug_urls=options.bug_urls, ref_urls=options.ref_urls, public_date=options.public_date, desc=options.description, cvss=options.cvss, embargoed=options.embargoed, breakfix=options.breakfix, priority_reason=options.priority_reason)328create_or_update_cve(cve, pkgs, priority=options.priority, bug_urls=options.bug_urls, ref_urls=options.ref_urls, public_date=options.public_date, desc=options.description, cvss=options.cvss, embargoed=options.embargoed, breakfix=options.breakfix, priority_reason=options.priority_reason)
308sys.exit(0)329sys.exit(0)
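Review bot: parse_cvss_options (new lines 284-293) checks only that the option splits into two comma-separated parts, while create_or_update_cve (new lines 262-266) then indexes `cvss["baseMetricV3"]["cvssV3"][...]` on whatever cve_lib.parse_cvss returned, and that lookup runs while the CVE file is already open for writing. If parse_cvss yields None or a structure without those keys for a malformed vector, the resulting TypeError/KeyError is not covered by the try/except around the option parsing (new lines 321-326) and can leave a partially written CVE file. An empty source or vector (`,CVSS:3.1/...`) also passes the length check and would be written as-is. Validating non-empty parts and the parsed structure inside parse_cvss_options moves the failure to before the file is touched; the body of create_or_update_cve starts and ends outside the hunk.
```python
def parse_cvss_options(cvsses):
    parsed = []
    for cvss in cvsses:
        parts = cvss.split(",")
        if len(parts) != 2 or not all(parts):
            raise ValueError("specified CVSS '%s' must be of the form 'source,vector'" % cvss)
        source, vector = parts
        metrics = cve_lib.parse_cvss(vector)
        try:
            # Fail here, before the CVE file is opened, rather than inside
            # create_or_update_cve where the same keys are read while writing.
            metrics["baseMetricV3"]["cvssV3"]["baseScore"]
        except (KeyError, TypeError):
            raise ValueError("specified CVSS vector '%s' did not parse as CVSS3" % vector)
        parsed.append((source, metrics))
    return parsed
```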
