Ubuntu CVE Tracker

Merge ~emitorino/ubuntu-cve-tracker:sec_586_extend_subprojects into ubuntu-cve-tracker:master

Proposed by Emilia Torino on 2022-04-14

Status:	Merged
Merged at revision:	0871352e9c7385fa781393a17224d059c40300bf
Proposed branch:	~emitorino/ubuntu-cve-tracker:sec_586_extend_subprojects
Merge into:	ubuntu-cve-tracker:master
Diff against target:	230 lines (+102/-31) 2 files modified scripts/active_edit (+9/-3) scripts/check-cves (+93/-28)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Ubuntu Security Team	2022-04-21	Pending
Alex Murray	2022-04-14	Pending
Review via email: mp+419425@code.launchpad.net

Commit message

SEC-586: Help detect external software during cve triage

Description of the change

Since the loading of external subprojects is already supported in $UCT, this MP is suggesting if one or more packages present in the corresponding supported.txt files of the external subprojects could be affected by a CVE being processed.

Revision history for this message

Spyros Seimenis (sespiros) wrote on 2022-04-18:

Nice feature! Overall it makes the output clearer and organized. I tested the features locally and I have some first functionality related comments:
- changes in the embargoed repo don't seem to get reported similarly to the subprojects case (detect_updates_to_external_subprojects). I just "touched" a new file in both the embargoed and subprojects repos to test this, only the one in subprojects was reported.
- The subprojects section that reports potential subprojects suffers from the same issues that the normal process does, struggling to match packages to descriptions. The normal process though performs an extra step "hints = words & allsrcs" which 1) filters the hints list using known package names and 2) filters out some common words such as "the" "and" etc. Maybe try and apply a similar filtering process to the subprojects section. In my test run I had subprojects incorrectly matching CVEs to project that had just the word "the" in common.

Also I have a couple of other opinionated cosmetic changes/ideas:
- section banners (===) could be shorter (compared to the *** sections) so that it is easier to parse output between multiple CVEs
- section banners could have spaces in titles like "=== Something ===" instead of "===something==="
- content inside sections (under the === lines) could be idented by 1 space like the rest of the text
- ===cve details=== -> === CVE details ===
- "subproject summary" => "Potentially affected sub-projects" (and maybe the extra line is not needed)
- Affected subprojects section could be under the debian section since the debian one probably is more important and potentially provides more info that are useful to take an action on the CVE
- "triage summary" could use a larger banner to make it easier to parse when viewing all of the scrollback (instead of having the same banner like the per-CVE sections)
- the "please choose one option" section is a bit confusing since unlike the other sections this is a section that requires an action. I am thinking the output would look good even without it.
- the "subproject summary" section itself is fine but the extra message "please remember to push" could also be shown at the very end of the output (when running process_cves) similar to the "IMPORTANT" message that you get for example if you had check-syntax failures.

Revision history for this message

Emilia Torino (emitorino) wrote on 2022-04-19 (last edit on 2022-04-19):

Download full text (3.6 KiB)

Hey Spyros, thanks a lot for your feedback! Please find some comments/questions above.

> Nice feature! Overall it makes the output clearer and organized. I tested the
> features locally and I have some first functionality related comments:
> - changes in the embargoed repo don't seem to get reported similarly to the
> subprojects case (detect_updates_to_external_subprojects). I just "touched" a
> new file in both the embargoed and subprojects repos to test this, only the
> one in subprojects was reported.

Ah right, we could add emargoed cves were created. Thanks!

> - The subprojects section that reports potential subprojects suffers from the
> same issues that the normal process does, struggling to match packages to
> descriptions. The normal process though performs an extra step "hints = words
> & allsrcs" which 1) filters the hints list using known package names and 2)
> filters out some common words such as "the" "and" etc. Maybe try and apply a
> similar filtering process to the subprojects section. In my test run I had
> subprojects incorrectly matching CVEs to project that had just the word "the"
> in common.

So I refactored out the logic to get hints from the cve description, in get_software_hints_from_cve_description to apply the same logic, the issue is that not only universe packages can have those names but also pypi ones:

https://launchpad.net/ubuntu/+source/the
https://launchpad.net/ubuntu/+source/and
https://pypi.org/project/with/

We need to decide if we prefer to filter those out while confirming the pkgs affected, or we prefer to ignored those at all. The issue with ignoring those is the high probability of missing affected cves. The counterpart is the high volume of false positives.

>
> Also I have a couple of other opinionated cosmetic changes/ideas:
> - section banners (===) could be shorter (compared to the *** sections) so
> that it is easier to parse output between multiple CVEs

Sure

> - section banners could have spaces in titles like "=== Something ===" instead
> of "===something==="
> - content inside sections (under the === lines) could be idented by 1 space
> like the rest of the text
> - ===cve details=== -> === CVE details ===
> - "subproject summary" => "Potentially affected sub-projects" (and maybe the
> extra line is not needed)

I tried to be consistent with the current format used. If you see there are other occurrences like "print('==========================details from embargo entry==========================')
" in https://git.launchpad.net/~emitorino/ubuntu-cve-tracker/tree/scripts/check-cves?h=sec_586_extend_subprojects#n1004. I don't have a preference and I am happy to update it if preferred.

> - Affected subprojects section could be under the debian section since the
> debian one probably is more important and potentially provides more info that
> are useful to take an action on the CVE

The point here is that a CVE could not affect debian at all so it will be incorrect to keep it there. Correct?

> - "triage summary" could use a larger banner to make it easier to parse when
> viewing all of the scrollback (instead of having the same banner like the per-
> CVE sections)

Sure

> - the "ple...

Hey Spyros, thanks a lot for your feedback! Please find some comments/questions above.

Ah right, we could add emargoed cves were created. Thanks!

https://launchpad.net/ubuntu/+source/the
https://launchpad.net/ubuntu/+source/and
https://pypi.org/project/with/

> 
> Also I have a couple of other opinionated cosmetic changes/ideas:
> - section banners (===) could be shorter (compared to the *** sections) so
> that it is easier to parse output between multiple CVEs

Sure

> - Affected subprojects section could be under the debian section since the
> debian one probably is more important and potentially provides more info that
> are useful to take an action on the CVE

The point here is that a CVE could not affect debian at all so it will be incorrect to keep it there. Correct?

> - "triage summary" could use a larger banner to make it easier to parse when
> viewing all of the scrollback (instead of having the same banner like the per-
> CVE sections)

Sure

> - the "please choose one option" section is a bit confusing since unlike the
> other sections this is a section that requires an action. I am thinking the
> output would look good even without it.

Sure

> - the "subproject summary" section itself is fine but the extra message
> "please remember to push" could also be shown at the very end of the output
> (when running process_cves) similar to the "IMPORTANT" message that you get
> for example if you had check-syntax failures.

Sure! Thanks!

Revision history for this message

Emilia Torino (emitorino) wrote on 2022-04-21:

Download full text (4.2 KiB)

> Hey Spyros, thanks a lot for your feedback! Please find some
> comments/questions above.
>
> > Nice feature! Overall it makes the output clearer and organized. I tested
> the
> > features locally and I have some first functionality related comments:
> > - changes in the embargoed repo don't seem to get reported similarly to the
> > subprojects case (detect_updates_to_external_subprojects). I just "touched"
> a
> > new file in both the embargoed and subprojects repos to test this, only the
> > one in subprojects was reported.
>
> Ah right, we could add emargoed cves were created. Thanks!
>
> > - The subprojects section that reports potential subprojects suffers from
> the
> > same issues that the normal process does, struggling to match packages to
> > descriptions. The normal process though performs an extra step "hints =
> words
> > & allsrcs" which 1) filters the hints list using known package names and 2)
> > filters out some common words such as "the" "and" etc. Maybe try and apply a
> > similar filtering process to the subprojects section. In my test run I had
> > subprojects incorrectly matching CVEs to project that had just the word
> "the"
> > in common.
>
> So I refactored out the logic to get hints from the cve description, in
> get_software_hints_from_cve_description to apply the same logic, the issue is
> that not only universe packages can have those names but also pypi ones:
>
> https://launchpad.net/ubuntu/+source/the
> https://launchpad.net/ubuntu/+source/and
> https://pypi.org/project/with/
>
> We need to decide if we prefer to filter those out while confirming the pkgs
> affected, or we prefer to ignored those at all. The issue with ignoring those
> is the high probability of missing affected cves. The counterpart is the high
> volume of false positives.
>

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

> >
> > Also I have a couple of other opinionated cosmetic changes/ideas:
> > - section banners (===) could be shorter (compared to the *** sections) so
> > that it is easier to parse output between multiple CVEs
>
> Sure

Done

>
> > - section banners could have spaces in titles like "=== Something ==="
> instead
> > of "===something==="
> > - content inside sections (under the === lines) could be idented by 1 space
> > like the rest of the text
> > - ===cve details=== -> === CVE details ===
> > - "subproject summary" => "Potentially affected sub-projects" (and maybe the
> > extra line is not needed)
>
> I tried to be consistent with the current format used. If you see there are
> other occurrences like "print('==========================details from embargo
> entry==========================')
> " in https://git.launchpad.net/~emitorino/ubuntu-cve-
> tracker/tree/scripts/check-cves?h=sec_586_extend_subprojects#n1004. I don't
> have a preference and I am happy to update it if preferred.

Done

>
> > - Affected subprojects section could be under the debian section since the
> > debian one probably is more important and potentially provides more info
> that
> > are useful to take a...

> Hey Spyros, thanks a lot for your feedback! Please find some
> comments/questions above.
> 
> > Nice feature! Overall it makes the output clearer and organized. I tested
> the
> > features locally and I have some first functionality related comments:
> > - changes in the embargoed repo don't seem to get reported similarly to the
> > subprojects case (detect_updates_to_external_subprojects). I just "touched"
> a
> > new file in both the embargoed and subprojects repos to test this, only the
> > one in subprojects was reported.
> 
> Ah right, we could add emargoed cves were created. Thanks!
> 
> > - The subprojects section that reports potential subprojects suffers from
> the
> > same issues that the normal process does, struggling to match packages to
> > descriptions. The normal process though performs an extra step "hints =
> words
> > & allsrcs" which 1) filters the hints list using known package names and 2)
> > filters out some common words such as "the" "and" etc. Maybe try and apply a
> > similar filtering process to the subprojects section. In my test run I had
> > subprojects incorrectly matching CVEs to project that had just the word
> "the"
> > in common.
> 
> So I refactored out the logic to get hints from the cve description, in
> get_software_hints_from_cve_description to apply the same logic, the issue is
> that not only universe packages can have those names but also pypi ones:
> 
> https://launchpad.net/ubuntu/+source/the
> https://launchpad.net/ubuntu/+source/and
> https://pypi.org/project/with/
> 
> We need to decide if we prefer to filter those out while confirming the pkgs
> affected, or we prefer to ignored those at all. The issue with ignoring those
> is the high probability of missing affected cves. The counterpart is the high
> volume of false positives.
>

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

Done

> 
> > - section banners could have spaces in titles like "=== Something ==="
> instead
> > of "===something==="
> > - content inside sections (under the === lines) could be idented by 1 space
> > like the rest of the text
> > - ===cve details=== -> === CVE details ===
> > - "subproject summary" => "Potentially affected sub-projects" (and maybe the
> > extra line is not needed)
> 
> I tried to be consistent with the current format used. If you see there are
> other occurrences like "print('==========================details from embargo
> entry==========================')
> " in https://git.launchpad.net/~emitorino/ubuntu-cve-
> tracker/tree/scripts/check-cves?h=sec_586_extend_subprojects#n1004. I don't
> have a preference and I am happy to update it if preferred.

Done

> 
> > - Affected subprojects section could be under the debian section since the
> > debian one probably is more important and potentially provides more info
> that
> > are useful to take an action on the CVE
> 
> The point here is that a CVE could not affect debian at all so it will be
> incorrect to keep it there. Correct?

I misunderstood this suggestions when I first read it. I assumed you were asking to put this inside the Debian section (but you said below! I have added this suggestion as well)

> 
> > - "triage summary" could use a larger banner to make it easier to parse when
> > viewing all of the scrollback (instead of having the same banner like the
> per-
> > CVE sections)
> 
> Sure

Done

> 
> > - the "please choose one option" section is a bit confusing since unlike the
> > other sections this is a section that requires an action. I am thinking the
> > output would look good even without it.
> 
> Sure

Done

> 
> > - the "subproject summary" section itself is fine but the extra message
> > "please remember to push" could also be shown at the very end of the output
> > (when running process_cves) similar to the "IMPORTANT" message that you get
> > for example if you had check-syntax failures.
> 
> Sure! Thanks!

Revision history for this message

Emilia Torino (emitorino) wrote on 2022-04-21:

Download full text (4.2 KiB)

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

Done

>
> > - Affected subprojects section could be under the debian section since the
> > debian one probably is more important and potentially provides more info
> that
> > are useful to take a...

> Hey Spyros, thanks a lot for your feedback! Please find some
> comments/questions above.
> 
> > Nice feature! Overall it makes the output clearer and organized. I tested
> the
> > features locally and I have some first functionality related comments:
> > - changes in the embargoed repo don't seem to get reported similarly to the
> > subprojects case (detect_updates_to_external_subprojects). I just "touched"
> a
> > new file in both the embargoed and subprojects repos to test this, only the
> > one in subprojects was reported.
> 
> Ah right, we could add emargoed cves were created. Thanks!
> 
> > - The subprojects section that reports potential subprojects suffers from
> the
> > same issues that the normal process does, struggling to match packages to
> > descriptions. The normal process though performs an extra step "hints =
> words
> > & allsrcs" which 1) filters the hints list using known package names and 2)
> > filters out some common words such as "the" "and" etc. Maybe try and apply a
> > similar filtering process to the subprojects section. In my test run I had
> > subprojects incorrectly matching CVEs to project that had just the word
> "the"
> > in common.
> 
> So I refactored out the logic to get hints from the cve description, in
> get_software_hints_from_cve_description to apply the same logic, the issue is
> that not only universe packages can have those names but also pypi ones:
> 
> https://launchpad.net/ubuntu/+source/the
> https://launchpad.net/ubuntu/+source/and
> https://pypi.org/project/with/
> 
> We need to decide if we prefer to filter those out while confirming the pkgs
> affected, or we prefer to ignored those at all. The issue with ignoring those
> is the high probability of missing affected cves. The counterpart is the high
> volume of false positives.
>

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

Done

> 
> > - section banners could have spaces in titles like "=== Something ==="
> instead
> > of "===something==="
> > - content inside sections (under the === lines) could be idented by 1 space
> > like the rest of the text
> > - ===cve details=== -> === CVE details ===
> > - "subproject summary" => "Potentially affected sub-projects" (and maybe the
> > extra line is not needed)
> 
> I tried to be consistent with the current format used. If you see there are
> other occurrences like "print('==========================details from embargo
> entry==========================')
> " in https://git.launchpad.net/~emitorino/ubuntu-cve-
> tracker/tree/scripts/check-cves?h=sec_586_extend_subprojects#n1004. I don't
> have a preference and I am happy to update it if preferred.

Done

I misunderstood this suggestions when I first read it. I assumed you were asking to put this inside the Debian section (but you said below! I have added this suggestion as well)

> 
> > - "triage summary" could use a larger banner to make it easier to parse when
> > viewing all of the scrollback (instead of having the same banner like the
> per-
> > CVE sections)
> 
> Sure

Done

Revision history for this message

Emilia Torino (emitorino) wrote on 2022-04-21:

Download full text (4.2 KiB)

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

Done

>
> > - Affected subprojects section could be under the debian section since the
> > debian one probably is more important and potentially provides more info
> that
> > are useful to take a...

> Hey Spyros, thanks a lot for your feedback! Please find some
> comments/questions above.
> 
> > Nice feature! Overall it makes the output clearer and organized. I tested
> the
> > features locally and I have some first functionality related comments:
> > - changes in the embargoed repo don't seem to get reported similarly to the
> > subprojects case (detect_updates_to_external_subprojects). I just "touched"
> a
> > new file in both the embargoed and subprojects repos to test this, only the
> > one in subprojects was reported.
> 
> Ah right, we could add emargoed cves were created. Thanks!
> 
> > - The subprojects section that reports potential subprojects suffers from
> the
> > same issues that the normal process does, struggling to match packages to
> > descriptions. The normal process though performs an extra step "hints =
> words
> > & allsrcs" which 1) filters the hints list using known package names and 2)
> > filters out some common words such as "the" "and" etc. Maybe try and apply a
> > similar filtering process to the subprojects section. In my test run I had
> > subprojects incorrectly matching CVEs to project that had just the word
> "the"
> > in common.
> 
> So I refactored out the logic to get hints from the cve description, in
> get_software_hints_from_cve_description to apply the same logic, the issue is
> that not only universe packages can have those names but also pypi ones:
> 
> https://launchpad.net/ubuntu/+source/the
> https://launchpad.net/ubuntu/+source/and
> https://pypi.org/project/with/
> 
> We need to decide if we prefer to filter those out while confirming the pkgs
> affected, or we prefer to ignored those at all. The issue with ignoring those
> is the high probability of missing affected cves. The counterpart is the high
> volume of false positives.
>

I have also removed the "common words" from the suggestion. Thanks! I though that we could miss the CVE but you can manually add the package when you are reading the CVE description.

Done

> 
> > - section banners could have spaces in titles like "=== Something ==="
> instead
> > of "===something==="
> > - content inside sections (under the === lines) could be idented by 1 space
> > like the rest of the text
> > - ===cve details=== -> === CVE details ===
> > - "subproject summary" => "Potentially affected sub-projects" (and maybe the
> > extra line is not needed)
> 
> I tried to be consistent with the current format used. If you see there are
> other occurrences like "print('==========================details from embargo
> entry==========================')
> " in https://git.launchpad.net/~emitorino/ubuntu-cve-
> tracker/tree/scripts/check-cves?h=sec_586_extend_subprojects#n1004. I don't
> have a preference and I am happy to update it if preferred.

Done

I misunderstood this suggestions when I first read it. I assumed you were asking to put this inside the Debian section (but you said below! I have added this suggestion as well)

> 
> > - "triage summary" could use a larger banner to make it easier to parse when
> > viewing all of the scrollback (instead of having the same banner like the
> per-
> > CVE sections)
> 
> Sure

Done

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Emilia Torino

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/active_edit b/scripts/active_edit
 index af98ce6..3371340 100755
 --- a/scripts/active_edit
 +++ b/scripts/active_edit
@@ -75,12 +75,18 @@ def create_or_update_external_subproject_cves(cve, pkgname):
          print("\n")
      if options.autoconfirm or ans.startswith("y"):
++        if affected_releases:
++            print('\n================= External subproject update ==================')
++            print(" %s - %s: " % (cve, pkgname))
++
          for release in affected_releases:
              with open(os.path.join(cve_lib.get_external_subproject_cve_dir(release), cve), "a") as f:
                  state = "needs-triage"
                  entry = "%s_%s: %s\n" % (release, pkgname, state)
                  f.write(entry)
                  f.close()
++                print("    %s" % release)
++
      else:
          print("Aborted\n")
@@ -146,10 +152,10 @@ def update_cve(cve, pkgname, fixed_in=None, fixed_in_release=None, fixed_in_rele
                    and (not cve_lib.is_active_esm_release(r) or r == 'precise'):
                  continue
              state = "needs-triage"
--            if cve_lib.is_active_esm_release(r):
--                state = "ignored (out of standard support)"
--            elif not pkg_in_rel(pkgname, release):
++            if not pkg_in_rel(pkgname, release):
                  continue
++            elif cve_lib.is_active_esm_release(r):
++                state = "ignored (out of standard support)"
              elif r == 'upstream' and fixed_in is not None:
                  state = "released (%s)" % fixed_in
              elif fixed_in_release_version and r == fixed_in_release:
 diff --git a/scripts/check-cves b/scripts/check-cves
 index a08a998..6c3d820 100755
 --- a/scripts/check-cves
 +++ b/scripts/check-cves
@@ -72,7 +72,8 @@ for release in list(source.keys()):
  # remove common words which also happen to be names
  # of source packages since our ignore suggestion is
  # likely to sometimes contain these
--allsrcs.difference_update(set(['an', 'and', 'context', 'file', 'modules', 'the', 'when']))
++common_words = ['an', 'and', 'context', 'file', 'modules', 'the', 'when']
++allsrcs.difference_update(set(common_words))
  # add boilerplate names too so we can get mysql or postgresql
  # etc even if they don't exist as source package names
  allsrcs.update(set(cve_lib.load_boilerplates().keys()))
@@ -711,11 +712,40 @@ class CVEHandler(xml.sax.handler.ContentHandler):
                  (timestamp, self.num_added, self.num_ignored, self.num_skipped, self.num_added + self.num_ignored, [os.path.basename(x) for x in args]))
      def printReport(self):
++        print('\n============================ Triage summary =============================')
          print("\n %4d CVEs added" % self.num_added)
          print(" %4d CVEs ignored" % self.num_ignored)
          print(" %4d CVEs skipped" % self.num_skipped)
          print("---------------------------")
          print("%5d total CVEs triaged" % (self.num_added + self.num_ignored))
++        updates_detected, updates_details = self.detect_updates_to_external_repositories()
++        if updates_detected:
++            print('\n====================== External updates detected ========================')
++            print(updates_details)
++            print("\n Please remember to push the above changes if appropriate")
++
++    def detect_updates_to_external_repositories(self):
++        external_repositories = [cve_lib.subprojects_dir, cve_lib.embargoed_dir]
++        updates_detected = False
++        updates_details = ""
++        for repository_dir in external_repositories:
++            cmd = ['git', '-C', repository_dir, 'status', '--porcelain']
++            try:
++                process = subprocess.run(
++                    cmd,
++                    stdout=subprocess.PIPE,
++                    stderr=subprocess.PIPE,
++                    universal_newlines=True,
++                    check=True,
++                )
++                if process.returncode == 0 and process.stdout:
++                    if process.stdout:
++                        updates_detected = True
++                        updates_details += "\n %s \n %s" % (repository_dir, process.stdout)
++            except subprocess.CalledProcessError as exception:
++                print(exception)
++                updates_detected = False
++        return updates_detected, updates_details
      def parse_json(self, fp):
          template_nvd = {"CVE_data_type": "CVE",
@@ -940,6 +970,15 @@ class CVEHandler(xml.sax.handler.ContentHandler):
          f.write('%s  <CVE> skip\n\n' % (line_prefix))
          f.flush()
++    def find_hint_in_external_subprojects(self, software_hints_from_cve_description):
++        external_subprojects = {}
++        for subproject in cve_lib.external_releases:
++            if subproject in source:
++                for hint in software_hints_from_cve_description:
++                    if hint in source[subproject] and hint not in common_words:
++                        external_subprojects.setdefault(subproject, set()).add(hint)
++        return external_subprojects
++
      def display_cve(self, cve, file=sys.stdout, line_prefix=None, wrap_desc=False):
          class CVEOutput:
              def __init__(self, file, line_prefix=None):
@@ -984,11 +1023,14 @@ class CVEHandler(xml.sax.handler.ContentHandler):
          if wrap_desc:
              print('%s' % _wrap_desc(self.cve_data[cve]['desc']))
          else:
--            print('%s' % (self.cve_data[cve]['desc']))
++            print('\n======================== CVE details ==========================')
++            print(' %s' % cve)
++            print(' %s' % (self.cve_data[cve]['desc']))
          for cvss in self.cve_data[cve]['cvss']:
              print(' CVSS (%s): %s [%.1f]' % (cvss['source'], cvss['vector'], cvss['baseScore']))
          if self.debian and cve in self.debian:
--            print('Debian CVE Tracker: %s' % (self.debian[cve]['state']))
++            print('\n======================= Debian details ========================')
++            print(' Debian CVE Tracker: %s' % (self.debian[cve]['state']))
              if len(self.debian[cve]['note']):
                  print("\t" + "\n\t".join(self.debian[cve]['note']))
              for pkg in self.debian[cve]['pkgs']:
@@ -1013,6 +1055,16 @@ class CVEHandler(xml.sax.handler.ContentHandler):
          else:
              proposed_ignore = self.get_ignore_suggestion(self.cve_data[cve]['desc'])
              print('%s ignore %s' % (cve, proposed_ignore))
++
++        software_hints_from_cve_desc = self.get_software_hints_from_cve_description(self.cve_data[cve]["desc"])
++        if software_hints_from_cve_desc:
++            software_hints_per_external_releases = self.find_hint_in_external_subprojects(software_hints_from_cve_desc)
++            if software_hints_per_external_releases:
++                print('\n==================== Subprojects details ======================')
++                print(' External subprojects possibly affected: ')
++                for affected_subproject in software_hints_per_external_releases:
++                    print("    - " + affected_subproject + ": " + " - ".join(
++                        software_hints_per_external_releases[affected_subproject]))
          # once again, announce formerly embargoed status
          if cve in EmbargoList:
              print('**!!**            no longer embargoed             **!!**')
@@ -1035,30 +1087,37 @@ class CVEHandler(xml.sax.handler.ContentHandler):
          if cve in EmbargoList:
              action = 'unembargo'
              reason = ""
--        # Default to Debian state, if available
--        elif self.debian and cve in self.debian and self.debian[cve]['state']:
--            if self.debian[cve]['state'].startswith('NOT-FOR-US:'):
--                action = 'ignore'
--                reason = self.debian[cve]['state'].split(':', 1)[1].lstrip()
--            if self.debian[cve]['state'] == 'FOUND':
--                action = 'add'
--                packages = list(self.debian[cve]['pkgs'].keys())
--                if len(self.debian[cve]['pkgs']) == 1:
--                    pkg = packages[0]
--                    if self.debian[cve]['pkgs'][pkg]['state'] == '<itp>':
--                        # software has not been admitted into debian
--                        action = 'ignore'
--                        reason = '%s: <itp> (dbug %s)' % (pkg, self.debian[cve]['pkgs'][pkg]['bug'])
--
          else:
--            # try and hint if the detected product name contains any known
--            # package names
--            desc = self.get_ignore_suggestion(self.cve_data[cve]['desc'])
--            words = set(desc.lower().split(" "))
--            hints = words & allsrcs
--            if len(hints) > 0:
--                packages = list(hints)
--                action = 'add'
++            words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])
++            # Default to Debian state, if available
++            if self.debian and cve in self.debian and self.debian[cve]['state']:
++                if self.debian[cve]['state'].startswith('NOT-FOR-US:'):
++                    action = 'ignore'
++                    reason = self.debian[cve]['state'].split(':', 1)[1].lstrip()
++                if self.debian[cve]['state'] == 'FOUND':
++                    action = 'add'
++                    packages = list(self.debian[cve]['pkgs'].keys())
++                    if len(self.debian[cve]['pkgs']) == 1:
++                        pkg = packages[0]
++                        if self.debian[cve]['pkgs'][pkg]['state'] == '<itp>':
++                            # software has not been admitted into debian
++                            action = 'ignore'
++                            reason = '%s: <itp> (dbug %s)' % (pkg, self.debian[cve]['pkgs'][pkg]['bug'])
++
++            else:
++                # try and hint if the detected product name contains any known
++                # package names
++                hints = words & allsrcs
++                if len(hints) > 0:
++                    packages = list(hints)
++                    action = 'add'
++
++            # Regardless of Ubuntu software, try and hint if the detected product
++            # name contains any external software name
++            external_software_hints = self.find_hint_in_external_subprojects(words)
++            if external_software_hints:
++                for software in external_software_hints.values():
++                    packages.extend(list(software))
          # remove any duplicates
          uniq = []
@@ -1071,10 +1130,15 @@ class CVEHandler(xml.sax.handler.ContentHandler):
          return (action, reason, packages)
++    def get_software_hints_from_cve_description(self, cve_description):
++        desc = self.get_ignore_suggestion(cve_description)
++        words = set(desc.lower().split(" "))
++        return words
++
      def human_process_cve(self, cve, action='skip', reason='', package=''):
          info = ''
          while info == "" or not info[0] in ['i', 'a', 's', 'q', 'r']:
--            prompt_user('A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [%s] ' % (action))
++            prompt_user('\nA]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [%s] ' % (action))
              info = sys.stdin.readline().strip().lower()
              if info == "":
                  info = action
@@ -1107,7 +1171,8 @@ class CVEHandler(xml.sax.handler.ContentHandler):
              _spawn_editor(dst)
              self.saved_cve = cve
--            print('Detecting packages built using: %s...' % info, end='')
++            print('\n===================== Dependant packages ======================')
++            print(' Detecting packages built using: %s...' % info, end='')
              sys.stdout.flush()
              built_using = ""
              try: