Launchpad itself

Merge lp:~cprov/launchpad/cve-2014 into lp:launchpad

cve-2014
Merge into devel

Proposed by Celso Providelo on 2014-03-03

Status:

Merged

Merged at revision:

16954

Proposed branch:

lp:~cprov/launchpad/cve-2014

Merge into:

lp:launchpad

Diff against target:

167 lines (+75/-11)

6 files modified

database/schema/patch-2209-55-0.sql (+17/-0)
doc/bug-export.rnc (+1/-1)
lib/lp/app/validators/cve.py (+29/-2)
lib/lp/app/validators/tests/test_validators.py (+2/-1)
lib/lp/bugs/doc/cve.txt (+21/-0)
lib/lp/bugs/model/cve.py (+5/-7)

To merge this branch:

bzr merge lp:~cprov/launchpad/cve-2014

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
William Grant	code	2014-03-03	Approve on 2014-03-04
Review via email: mp+209126@code.launchpad.net

Description of the change

Supporting 2014-format CVE references (sequence identifier longer than 4-digits).

Revision history for this message

William Grant (wgrant) wrote on 2014-03-04:

There's also a cvename regex defined in doc/bug-export.rnc that you might want to fix.

Did you check that update-cve.py will correctly import the extended format?

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === added file 'database/schema/patch-2209-55-0.sql'
 --- database/schema/patch-2209-55-0.sql	1970-01-01 00:00:00 +0000
 +++ database/schema/patch-2209-55-0.sql	2014-03-05 02:19:53 +0000
@@ -0,0 +1,17 @@
++-- Copyright 2014 Canonical Ltd.  This software is licensed under the
++-- GNU Affero General Public License version 3 (see the file LICENSE).
++
++SET client_min_messages=ERROR;
++
++CREATE OR REPLACE FUNCTION valid_cve(text) RETURNS boolean
++    LANGUAGE plpythonu IMMUTABLE STRICT
++    AS $_$
++    import re
++    name = args[0]
++    pat = r"^(19|20)\d{2}-\d{4,}$"
++    if re.match(pat, name):
++        return 1
++    return 0
++$_$;
++
++INSERT INTO LaunchpadDatabaseRevision VALUES (2209, 55, 0);
 === modified file 'doc/bug-export.rnc'
 --- doc/bug-export.rnc	2012-07-07 15:49:23 +0000
 +++ doc/bug-export.rnc	2014-03-05 02:19:53 +0000
@@ -7,7 +7,7 @@
  boolean = "True" | "False"
  lpname = xsd:string { pattern = "[a-z0-9][a-z0-9\+\.\-]*" }
  lpbugname = xsd:string { pattern = "[a-z][a-z0-9\+\.\-]*" }
--cvename = xsd:string { pattern = "(19|20)[0-9][0-9]-[0-9][0-9][0-9][0-9]" }
++cvename = xsd:string { pattern = "(19|20)[0-9]{2}-[0-9]{4,}" }
  non_empty_text = xsd:string { minLength = "1" }
  # XXX: jamesh 2006-04-11 bug=105401:
 === modified file 'lib/lp/app/validators/cve.py'
 --- lib/lp/app/validators/cve.py	2009-06-25 05:30:52 +0000
 +++ lib/lp/app/validators/cve.py	2014-03-05 02:19:53 +0000
@@ -6,9 +6,36 @@
  import re
++cveseq_regexp = r'(19|20)\d{2}\-\d{4,}'
++CVEREF_PATTERN = re.compile(r'(CVE|CAN)-(%s)' % cveseq_regexp)
++
++
  def valid_cve(name):
--    pat = r"^(19|20)\d\d-\d{4}$"
++    """Validate CVE identification.
++
++    Until 2014 CVE sequence had to be smaller 4 digits (<= 9999):
++
++    >>> valid_cve('1999-1234')
++    True
++    >>> valid_cve('2014-9999')
++    True
++
++    And leading zeros were required for sequence in [1-999]:
++
++    >>> valid_cve('2014-999')
++    False
++    >>> valid_cve('2014-0999')
++    True
++
++    From 2014 and on, sequence can be any sequence of digits greater or
++    equal to 4 digits:
++
++    >>> valid_cve('2014-19999')
++    True
++    >>> valid_cve('2014-99999999')
++    True
++    """
++    pat = r"^%s" % cveseq_regexp
      if re.match(pat, name):
          return True
      return False
--
 === modified file 'lib/lp/app/validators/tests/test_validators.py'
 --- lib/lp/app/validators/tests/test_validators.py	2011-12-28 17:03:06 +0000
 +++ lib/lp/app/validators/tests/test_validators.py	2014-03-05 02:19:53 +0000
@@ -27,7 +27,8 @@
      suite.addTest(
          DocTestSuite(validators, optionflags=ELLIPSIS | NORMALIZE_WHITESPACE))
--    from lp.app.validators import email, name, url, version
++    from lp.app.validators import cve, email, name, url, version
++    suite.addTest(suitefor(cve))
      suite.addTest(suitefor(email))
      suite.addTest(suitefor(name))
      suite.addTest(suitefor(url))
 === modified file 'lib/lp/bugs/doc/cve.txt'
 --- lib/lp/bugs/doc/cve.txt	2012-08-07 02:31:56 +0000
 +++ lib/lp/bugs/doc/cve.txt	2014-03-05 02:19:53 +0000
@@ -99,6 +99,27 @@
      True
      >>> b.unlinkCVE(cve, user=no_priv)
++== 2014 CVE identification format changes =
++
++Since 2014, CVEs can have an identifier (sequence) longer than 4-digits.
++
++CVEs creation accepts 2014 format:
++
++    >>> cve_2014 = cveset.new(sequence="2014-999999",
++    ...     description="A new-style CVE sequence", status=CveStatus.ENTRY,
++    ...     )
++    >>> cve_2014.displayname
++    u'CVE-2014-999999'
++
++Text references to CVEs using 2014 format can be found:
++
++    >>> b.findCvesInText('''
++    ...     This bug is related to CVE-2014-999999
++    ... ''', user=no_priv)
++    >>> cve_2014 in b.cves
++    True
++    >>> b.unlinkCVE(cve_2014, user=no_priv)
++
  == CVE Reports ==
  Launchpad offers distributions, distribution releases and products with
 === modified file 'lib/lp/bugs/model/cve.py'
 --- lib/lp/bugs/model/cve.py	2013-07-11 06:12:20 +0000
 +++ lib/lp/bugs/model/cve.py	2014-03-05 02:19:53 +0000
@@ -8,8 +8,6 @@
      'CveSet',
+     ]
--import re
--
  # SQL imports
  from sqlobject import (
      SQLMultipleJoin,
@@ -22,7 +20,10 @@
  # Zope
  from zope.interface import implements
--from lp.app.validators.cve import valid_cve
++from lp.app.validators.cve import (
++    CVEREF_PATTERN,
++    valid_cve,
++    )
  from lp.bugs.interfaces.buglink import IBugLinkTarget
  from lp.bugs.interfaces.cve import (
      CveStatus,
@@ -41,9 +42,6 @@
  from lp.services.database.stormexpr import fti_search
--cverefpat = re.compile(r'(CVE|CAN)-((19|20)\d{2}\-\d{4})')
--
--
  class Cve(SQLBase, BugLinkTargetMixin):
      """A CVE database record."""
@@ -147,7 +145,7 @@
          """See ICveSet."""
          # let's look for matching entries
          cves = set()
--        for match in cverefpat.finditer(text):
++        for match in CVEREF_PATTERN.finditer(text):
              # let's get the core CVE data
              sequence = match.group(2)
              # see if there is already a matching CVE ref in the db, and if

Launchpad itself

Merge lp:~cprov/launchpad/cve-2014 into lp:launchpad

Commit message

Description of the change

Preview Diff

Subscribers