Merge ~eslerm/ubuntu-cve-tracker:sync-nvd into ubuntu-cve-tracker:master

Proposed by Mark Esler
Status: Merged
Merged at revision: 0db4522a18680f98dd7cb990e0d3cf0869b9ed59
Proposed branch: ~eslerm/ubuntu-cve-tracker:sync-nvd
Merge into: ubuntu-cve-tracker:master
Diff against target: 28 lines (+5/-2)
1 file modified
scripts/process_cves (+5/-2)
Reviewer: Alex Murray (Status: Approve)
Review via email: mp+455828@code.launchpad.net

Description of the change

update_files() code to download NVD 2.0 API data

Archive mode is added to rsync for recursion. Doesn't alter other, non-recursive downloads.

Eventually, nvd2_loc will replace nvd_loc and 1.0 data and tooling can be discarded.

If approved, I'll update ~/.ubuntu-cve-tracker.conf documentation before merging.

Alex Murray (alexmurray) wrote :

nvd2_loc should have a default value please.

review: Needs Fixing
Mark Esler (eslerm) wrote :

Alex, nvd2_loc is defined in ~/.ubuntu-cve-tracker.conf as:

nvd2_loc="people.canonical.com:/home/ubuntu-security/nvd-database"

Before merging, I'd update https://wiki.ubuntu.com/SecurityTeam/UbuntuCVETracker

Alex Murray (alexmurray) wrote :

Updating documentation is not sufficient IMO - the code should be robust and define a sensible default, since not everyone will have updated their local configuration before using this new code. FWIW, I found this since I tried testing this and it failed, as I do not have an nvd2_loc defined in my ~/.ubuntu-cve-tracker.conf.

Mark Esler (eslerm) wrote :

I'm happy to set a new convention. Existing code (for `mitre_loc` and `nvd_loc`) is not defined this way, but has URL alternatives (which will not work for NVD 2.0).

For a sensible default, I could hardcode the location to people, which could be overridden by a definition in ~/.ubuntu-cve-tracker.conf

Does that sound good to you?

Alex Murray (alexmurray) wrote :

Yes, I think hard-coding people is the best option here - thanks.

Mark Esler (eslerm) wrote :

Done.

Tested without defining variable, setting variable correctly, and setting to the pre-existing `deleteme.txt` path on people.

Alex Murray (alexmurray) wrote :

LGTM.

review: Approve

Preview Diff

1diff --git a/scripts/process_cves b/scripts/process_cves
2index d42c160..06bdb20 100755
3--- a/scripts/process_cves
4+++ b/scripts/process_cves
5@@ -38,8 +38,8 @@ download() {
6 wget -N "$url" ||:
7 gunzip -f "$file"
8 else
9- echo "rsync -vz --progress \"$url\" ."
10- rsync -vz --progress "$url" .
11+ echo "rsync -avz --progress \"$url\" ."
12+ rsync -avz --progress "$url" .
13 fi
14 echo "---"
15 }
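Review bot: `-a` does more than add recursion: it expands to `-rlptgoD`, so besides `-r` it preserves symlinks, permissions and modification times (and ownership and device nodes when run as root). That is a reasonable change (the `-t` part in particular lets later runs skip unchanged files instead of re-transferring everything), but the description's "archive mode is added for recursion" undersells it, and the new flags apply to every rsync source that reaches this `else` branch, including existing single-file ones, whose permissions and mtimes will now be preserved too. Note also that `rsync -avz "$url" .` with no trailing slash on `$url` creates the remote directory itself under the current directory rather than syncing its contents into it, so callers must expect that layout; consider whether `--delete` is wanted so files removed upstream do not linger locally.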
16@@ -97,9 +97,12 @@ update_debian() {
17 }
18
19 update_files() {
20+ # deprecate NVD 1.0 data in 2024
21 download "${mitre_loc:-https://cve.mitre.org/data/downloads}/allitems.xml"
22 download_yearly_files
23 download "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json"
24+ # NVD 2.0 API will replace and become nvd_loc in December 2023
25+ download "${nvd2_loc:-people.canonical.com:/home/ubuntu-security/nvd-database}"
26 }
27
28 full_refresh() {
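Review bot: the new `nvd2_loc` default is an rsync-over-SSH path (`people.canonical.com:/home/ubuntu-security/nvd-database`), whereas the `mitre_loc` default a few lines above is a plain HTTPS URL that works anonymously; anyone without an account on that host gets a failed download with no hint why. A short comment above the new `download` line saying that access to people.canonical.com is required and that `nvd2_loc` in `~/.ubuntu-cve-tracker.conf` overrides the default would save readers a trip to the wiki. The two added comments are also dated ("in 2024", "in December 2023") and the second reads awkwardly; something like `# NVD 2.0 API data; will replace nvd_loc once the 1.0 feeds are retired` keeps the intent without a date that goes stale.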
