Merge ~alexmurray/ubuntu-cve-tracker:check-cves-ignore-based-on-urlref-regex into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: d33673a1b33549c7012f7933de00c414c3327f73
Proposed branch: ~alexmurray/ubuntu-cve-tracker:check-cves-ignore-based-on-urlref-regex
Merge into: ubuntu-cve-tracker:master
Diff against target: 49 lines (+19/-2)
1 file modified
scripts/check-cves (+19/-2)
Reviewer: Marc Deslauriers (Approve)
Review via email: mp+466119@code.launchpad.net

Commit message

scripts/check-cves: add support for ignoring CVEs based on ref URLs

Wordpress Plugin CVEs seem to be reported by the same CNA so support matching
their URL prefix to ignore these common CVEs.

I have tested this during CVE triage today and it seems to work well and is a
great time saver.

Signed-off-by: Alex Murray <email address hidden>

Revision history for this message
Alex Murray (alexmurray) wrote :

Anyone want to take a look at this? The change is small so should be easy to review - I've been using it during CVE triage this week and it has been really useful FWIW.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

LGTM, ack, thanks!

review: Approve
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Does this 'feel' slow while using it? It looks a bit like it recompiles every regex on every CVE, and I'm wondering if it would make sense to explicitly compile these first, or write one complex regex that matches all of these and compile that one, to skip repeated executions. (At least, I didn't quickly spot a Python version of https://docs.rs/regex/latest/regex/struct.RegexSet.html that could do this easily for you.)

Revision history for this message
Alex Murray (alexmurray) wrote :

@seth-arnold - I didn't notice any performance impact but I agree that we should ideally be pre-compiling these. Also they should probably be stored in a separate "configuration" file to allow easily adding new ones during the CVE triage process.

Preview Diff

diff --git a/scripts/check-cves b/scripts/check-cves
index c49011c..2cc026d 100755
--- a/scripts/check-cves
+++ b/scripts/check-cves
@@ -118,6 +118,14 @@ IGNORE_STRINGS = [
118 "Oracle Enterprise Manager", "F5 BIG-IP", "Adobe Acrobat and Reader"118 "Oracle Enterprise Manager", "F5 BIG-IP", "Adobe Acrobat and Reader"
119]119]
120120
121IGNORE_URLS = {
122 "https://patchstack.com/database/vulnerability/.*/wordpress.*": "WordPress Plugin",
123 "https://www.wordfence.com/threat-intel/vulnerabilities/id/.*?source=cve": "WordPress Plugin",
124 "https://wpscan.com/vulnerability/.*": "WordPress Plugin",
125 "https://www.zyxel.com/global/en/support/security-advisories/.*": "Zyxel",
126 "https://www.manageengine.com/.*": "Zoho ManageEngine",
127 "https://www.qnap.com/en/security-advisory/.*": "QNAP",
128}
121129
122def merge_list(list1, list2, intersection=None):130def merge_list(list1, list2, intersection=None):
123 """Write the union of list and list2 into list. If intersection is not131 """Write the union of list and list2 into list. If intersection is not
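Review bot: the IGNORE_URLS keys are consumed as regular expressions (re.search in the next hunk) but are written as literal URLs, so every unescaped `.` in the hostnames and paths matches any character, and the `?` in `"https://www.wordfence.com/threat-intel/vulnerabilities/id/.*?source=cve"` is parsed as a lazy quantifier on `.*` rather than as the literal `?` that starts the query string; the patterns still match the intended advisory URLs, but they accept more than intended, and because none carries a `^` anchor a match anywhere inside a reference URL is enough. Consider storing the literal prefixes and building the patterns from them, e.g. `re.compile("^" + re.escape("https://www.qnap.com/en/security-advisory/"))`, compiled once at module load alongside this dict, which also covers the precompilation point raised in review.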
@@ -980,10 +988,19 @@ class CVEHandler(xml.sax.handler.ContentHandler):
980 words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])988 words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])
981 if action == 'skip':989 if action == 'skip':
982 # try and hint if any of the references use a URL that is within990 # try and hint if any of the references use a URL that is within
983 # a known packages Homepage from HOMEPAGES_MAP991 # a known packages Homepage from HOMEPAGES_MAP or within
992 # IGNORE_URLS
984 if 'refs' in self.cve_data[cve]:993 if 'refs' in self.cve_data[cve]:
985 for ref in self.cve_data[cve]['refs']:994 for ref in self.cve_data[cve]['refs']:
986 url = ref[2]995 url = ref[2]
996 for url_re in IGNORE_URLS:
997 if re.search(url_re, url):
998 print(f"Detected URL: {url} matches {url_re}")
999 action = 'ignore'
1000 reason = IGNORE_URLS[url_re]
1001 break
1002 if action == 'ignore':
1003 break
987 for srcpkg in HOMEPAGES_MAP:1004 for srcpkg in HOMEPAGES_MAP:
988 for homepage in HOMEPAGES_MAP[srcpkg]:1005 for homepage in HOMEPAGES_MAP[srcpkg]:
989 # TODO: do smarter matching than this1006 # TODO: do smarter matching than this
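Review bot: `re.search(url_re, url)` is evaluated for every pattern, for every reference, for every CVE, and relies on the re module's internal cache rather than explicit compilation; compiling IGNORE_URLS once, e.g. `IGNORE_URLS_RE = [(re.compile(k), v) for k, v in IGNORE_URLS.items()]`, and iterating that list here would be cheaper and clearer. Separately, a single matching reference sets `action = 'ignore'` and then the HOMEPAGES_MAP loop that follows still runs for the remaining references, and the hunk does not show whether a homepage match can override the ignore decision; the precedence between an IGNORE_URLS hit and a known-package homepage hit should be made explicit (and stated in the comment updated at the top of this hunk), since a CVE whose references include both would otherwise be handled differently depending on loop order. Also confirm that the `reason` assigned from `IGNORE_URLS[url_re]` is consumed downstream; nothing in this hunk reads it.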
@@ -997,7 +1014,7 @@ class CVEHandler(xml.sax.handler.ContentHandler):
997 # otherwise it will likely confuse the human doing CVE triage to1014 # otherwise it will likely confuse the human doing CVE triage to
998 # suggest a package name that doesn't actually exist1015 # suggest a package name that doesn't actually exist
999 hints = words & allsrcs1016 hints = words & allsrcs
1000 if len(hints) > 0:1017 if len(hints) > 0 and action != "ignore":
1001 packages = []1018 packages = []
1002 for hint in hints:1019 for hint in hints:
1003 # use preferred name of package instead of the one that matched1020 # use preferred name of package instead of the one that matched
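Review bot: the new guard `action != "ignore"` uses double quotes while the same code path compares `action` against 'skip' and 'ignore' in single quotes a few lines above; pick one style, and consider naming the action values as module-level constants so the two call sites cannot drift. The condition itself is correct for its purpose of not suggesting a package for a CVE that is about to be ignored.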
