Hey Emi, I gave this a try and this is a good direction for the workflow. I appreciated the addition of the number of CVEs that need a priority explanation; I tweaked it a bit to report that out of the total number of CVEs examined within the given time period, with the following diff:
if cves_with_mismatches: total_cves_to_process = len(cves_with_mismatches)
- print(f"\n==== Listing {total_cves_to_process} CVEs with Ubuntu Priority different than CVSS base severity ====")
+ print(f"\n==== Listing {total_cves_to_process} CVEs (out of {len(full_cves_information)}) with Ubuntu Priority different than CVSS base severity
====")
for index, cve in enumerate(cves_with_mismatches): print(f"\n=========== {index + 1}/{total_cves_to_process}: {cve} ===========") print(cves_with_mismatches[cve]['Description'])
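Review bot: the `+` line's closing `====")` sits on a separate line from the rest of the f-string; if that is really a line break inside the literal rather than just wrapping, the script will not parse, so confirm the print is a single line (or split the string into two adjacent literals inside the parentheses). Two smaller points on the same hunk: the new `(out of {len(full_cves_information)})` reads as the total of all CVEs, while the description above says it is the total examined within the given time period, so wording it as "out of N examined since <date>" would be clearer; and because the whole block is under `if cves_with_mismatches:`, a run with no mismatches prints nothing at all, which matters once this is used as a non-interactive report, so an `else:` branch printing "0 CVEs (out of N)" would help.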
which results in output like so since the beginning of 2024, based on the current UCT as of now:
==== Listing 246 CVEs (out of 477) with Ubuntu Priority different than CVSS base severity ====
In examining the CVEs that popped up, I found that I ended up opening up the CVE file to examine the reference links and bug reports to dig into more details about each CVE.
Something you might consider is how check-cves reports the options available to the user at https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/check-cves#n1101; I don't think it needs to be as verbose, but the ways of indicating which key to press and what the default is if one simply presses enter may be useful.
I would like a way to generate a non-interactive report of CVEs that need action.
One thing that might be nice is, instead of having the published_since argument to load_table(), to take a criteria function as an argument, where the function expects to be passed a CVE and returns True or False to include it, allowing use of different criteria besides being published after a given date as options to load_table(). You could then have a load_table_published_since() that detect_priorities_mismatch.py calls, which under the hood invokes load_table() with a criteria function that looks for published dates after the passed date.
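The criteria-function idea above, sketched as an added example (this is not code from ubuntu-cve-tracker or from the merge request under discussion). It assumes CVE records are plain dicts with a `PublicDate` string whose first ten characters are an ISO date, an Ubuntu `Priority` string and a CVSS `baseSeverity` string; the sample records, the severity-to-priority mapping and every function name here are constructed for illustration. It also goes slightly beyond the text by showing how two criteria compose with `all_of()` and by emitting the kind of non-interactive summary report mentioned earlier.

```python
"""Added example: load_table() driven by a criteria callable, with
load_table_published_since() as a thin wrapper over it.

Not ubuntu-cve-tracker code. Record layout, sample data, the
SEVERITY_TO_PRIORITY mapping and all names are assumptions.
"""
from datetime import date
from typing import Any, Callable, Dict

CVERecord = Dict[str, Any]
Criteria = Callable[[CVERecord], bool]

# Constructed sample data standing in for parsed UCT CVE files (assumption).
SAMPLE_CVES: Dict[str, CVERecord] = {
    "CVE-2023-90001": {"PublicDate": "2023-11-02 14:00:00 UTC", "Priority": "medium",
                       "baseSeverity": "MEDIUM", "Description": "older, matching"},
    "CVE-2024-90001": {"PublicDate": "2024-01-15 09:30:00 UTC", "Priority": "medium",
                       "baseSeverity": "HIGH", "Description": "newer, mismatched"},
    "CVE-2024-90002": {"PublicDate": "2024-03-01 00:00:00 UTC", "Priority": "high",
                       "baseSeverity": "HIGH", "Description": "newer, matching"},
    "CVE-2024-90003": {"PublicDate": "2024-04-20 00:00:00 UTC", "Priority": "untriaged",
                       "baseSeverity": "CRITICAL", "Description": "newer, untriaged"},
    "CVE-2024-90004": {"Priority": "low", "baseSeverity": "LOW",
                       "Description": "no PublicDate at all"},
}

# Simplified CVSS base severity -> Ubuntu priority mapping (assumption).
SEVERITY_TO_PRIORITY = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high", "CRITICAL": "critical"}


def load_table(cves: Dict[str, CVERecord],
               criteria: Criteria = lambda rec: True) -> Dict[str, CVERecord]:
    """Return the subset of records for which criteria(record) is true.
    With the default criteria every record is kept."""
    return {cve_id: rec for cve_id, rec in cves.items() if criteria(rec)}


def published_since(since: date) -> Criteria:
    """Build a criteria function selecting records published on or after `since`.
    Records with a missing or unparseable PublicDate are excluded, not crashed on."""
    def criteria(rec: CVERecord) -> bool:
        raw = rec.get("PublicDate")
        if not raw:
            return False
        try:
            return date.fromisoformat(str(raw)[:10]) >= since
        except ValueError:
            return False
    return criteria


def all_of(*criteria: Criteria) -> Criteria:
    """Combine several criteria functions with logical AND."""
    return lambda rec: all(c(rec) for c in criteria)


def load_table_published_since(cves: Dict[str, CVERecord], since: date) -> Dict[str, CVERecord]:
    """Convenience wrapper: the call a detect_priorities_mismatches-style script would make."""
    return load_table(cves, published_since(since))


def priority_mismatches(table: Dict[str, CVERecord]) -> Dict[str, CVERecord]:
    """Records whose Ubuntu Priority differs from the priority implied by CVSS base severity.
    Records with an unknown/absent baseSeverity are skipped rather than flagged."""
    out: Dict[str, CVERecord] = {}
    for cve_id, rec in table.items():
        expected = SEVERITY_TO_PRIORITY.get(str(rec.get("baseSeverity", "")).upper())
        if expected is not None and rec.get("Priority") != expected:
            out[cve_id] = rec
    return out


def report(table: Dict[str, CVERecord], mismatches: Dict[str, CVERecord]) -> str:
    """Non-interactive text report; the header is printed even when nothing mismatches."""
    lines = [f"==== Listing {len(mismatches)} CVEs (out of {len(table)}) "
             "with Ubuntu Priority different than CVSS base severity ===="]
    for index, cve_id in enumerate(sorted(mismatches), start=1):
        rec = mismatches[cve_id]
        lines.append(f"{index}/{len(mismatches)}: {cve_id} "
                     f"(Priority={rec.get('Priority')}, CVSS={rec.get('baseSeverity')})")
        lines.append(f"    {rec.get('Description', '')}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = load_table_published_since(SAMPLE_CVES, date(2024, 1, 1))
    print(report(table, priority_mismatches(table)))
    # A different selection needs no new loader, only a different criteria function.
    untriaged = load_table(SAMPLE_CVES, all_of(published_since(date(2024, 1, 1)),
                                               lambda rec: rec.get("Priority") == "untriaged"))
    print(sorted(untriaged))
```

The point of returning the criteria from `published_since()` rather than passing a date into `load_table()` is that the loader never has to grow a new keyword argument for each new filter; `all_of()` shows one way to stack filters without touching the loader at all.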