Code review comment for ~emitorino/ubuntu-cve-tracker:detect_priority_mismatch

Steve Beattie (sbeattie) wrote :

Hey Emi, I gave this a try and this is a good direction for the workflow. I appreciated the addition of the number of CVEs that need a priority explanation; I tweaked it a bit to report that out of the total number of CVEs examined within the given time period, with the following diff:

--- a/scripts/detect_priorities_mismatches.py
+++ b/scripts/detect_priorities_mismatches.py
@@ -59,7 +59,7 @@ if __name__ == "__main__":

     if cves_with_mismatches:
         total_cves_to_process = len(cves_with_mismatches)
- print(f"\n==== Listing {total_cves_to_process} CVEs with Ubuntu Priority different than CVSS base severity ====")
+ print(f"\n==== Listing {total_cves_to_process} CVEs (out of {len(full_cves_information)}) with Ubuntu Priority different than CVSS base severity
 ====")
         for index, cve in enumerate(cves_with_mismatches):
             print(f"\n=========== {index + 1}/{total_cves_to_process}: {cve} ===========")
             print(cves_with_mismatches[cve]['Description'])
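Review bot: the added `print` on the `+` line has its f-string literal split across two lines before the closing `====")`, which would not parse as written; keep the literal on one line, or break it with implicit string concatenation inside the parentheses. Also `full_cves_information` is not visible in this hunk's context lines, so confirm it is bound in the `__main__` block before this point (e.g. that it is the full table returned by the loader rather than the filtered `cves_with_mismatches`), otherwise the "(out of N)" count will be wrong or raise a `NameError`.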

which results in output like so since the beginning of 2024 based on current UCT as of now:

==== Listing 246 CVEs (out of 477) with Ubuntu Priority different than CVSS base severity ====

In examining the CVEs that popped up, I found that I ended up opening up the CVE file to examine the reference links and bug reports to dig into more details about each CVE.

Something you might consider is how check-cves reports the options available to the user at https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/check-cves#n1101 ; I don't think it needs to be as verbose, but the ways of indicating which key to press and what the default is if one simply presses enter may be useful.

I would like a way to generate a non-interactive report of CVEs that need action.

One thing that might be nice is, instead of having the published_since argument to load_table(), to take a criteria function as an argument, where the function expects to be passed a CVE and returns True or False to include it, allowing use of different criteria besides being published after a given date as options to load_table(). You could then have a load_table_published_since() that detect_priorities_mismatch.py calls, which under the hood invokes load_table() with a criteria function that looks for published dates after the passed date.
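The criteria-function design suggested above, as an added example (not code from the ubuntu-cve-tracker project, and not the reviewer's own): the table, field names and the `load_table()` / `load_table_published_since()` signatures here are assumptions, and the CVE records are constructed sample data. It goes slightly beyond the comment by showing that once filtering is a predicate, the "published since" and "priority differs from CVSS severity" checks compose with a plain `all_of()` helper instead of growing more keyword arguments.

```python
from datetime import date
from typing import Callable, Dict

# A CVE record is a plain dict; Criteria decides whether a record is included.
CveRecord = Dict[str, str]
Criteria = Callable[[str, CveRecord], bool]

# Constructed sample table (hypothetical IDs and values, not real UCT data).
SAMPLE_CVES: Dict[str, CveRecord] = {
    "CVE-2024-0001": {"PublicDate": "2024-01-15", "Priority": "medium", "CVSS-Severity": "HIGH"},
    "CVE-2023-0002": {"PublicDate": "2023-11-02", "Priority": "high", "CVSS-Severity": "HIGH"},
    "CVE-2024-0003": {"PublicDate": "2024-03-20", "Priority": "low", "CVSS-Severity": "LOW"},
    "CVE-2024-0004": {"PublicDate": "2024-02-01", "Priority": "high", "CVSS-Severity": "CRITICAL"},
}


def load_table(cves: Dict[str, CveRecord], criteria: Criteria) -> Dict[str, CveRecord]:
    """Return the subset of the table for which criteria(cve_id, record) is True.

    Assumed replacement for a load_table(published_since=...) style signature:
    the caller supplies the selection logic, so new filters need no new parameters.
    """
    return {cve_id: rec for cve_id, rec in cves.items() if criteria(cve_id, rec)}


def published_since(since: date) -> Criteria:
    """Build a criteria function selecting CVEs whose PublicDate is on or after `since`."""
    def criteria(cve_id: str, rec: CveRecord) -> bool:
        public = rec.get("PublicDate")
        if not public:
            return False  # undated entries cannot satisfy a date window
        return date.fromisoformat(public) >= since
    return criteria


def priority_differs_from_cvss() -> Criteria:
    """Build a criteria function selecting CVEs whose Ubuntu priority differs
    from the CVSS base severity (compared case-insensitively)."""
    def criteria(cve_id: str, rec: CveRecord) -> bool:
        priority = rec.get("Priority", "").lower()
        severity = rec.get("CVSS-Severity", "").lower()
        return bool(priority and severity) and priority != severity
    return criteria


def all_of(*parts: Criteria) -> Criteria:
    """Compose criteria functions: a record is kept only if every part accepts it."""
    def criteria(cve_id: str, rec: CveRecord) -> bool:
        return all(part(cve_id, rec) for part in parts)
    return criteria


def load_table_published_since(cves: Dict[str, CveRecord], since: date) -> Dict[str, CveRecord]:
    """Convenience wrapper keeping the old date-based call site; delegates to load_table()."""
    return load_table(cves, published_since(since))


def mismatches_since(cves: Dict[str, CveRecord], since: date) -> Dict[str, CveRecord]:
    """The report the script wants: recent CVEs whose priority needs an explanation."""
    return load_table(cves, all_of(published_since(since), priority_differs_from_cvss()))


if __name__ == "__main__":
    since = date(2024, 1, 1)
    examined = load_table_published_since(SAMPLE_CVES, since)
    flagged = mismatches_since(SAMPLE_CVES, since)
    print(f"==== Listing {len(flagged)} CVEs (out of {len(examined)}) "
          "with Ubuntu Priority different than CVSS base severity ====")
    for index, cve_id in enumerate(sorted(flagged)):
        rec = flagged[cve_id]
        print(f"{index + 1}/{len(flagged)}: {cve_id} priority={rec['Priority']} cvss={rec['CVSS-Severity']}")
```

Because the date filter and the mismatch filter are separate criteria, the non-interactive "CVEs that need action" report mentioned above is just `mismatches_since()` printed without prompting, and the "(out of N)" denominator comes from the same loader with only the date criteria applied.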
