Merge ~eslerm/ubuntu-cve-tracker:website-fix-tag into ubuntu-cve-tracker:master

I think this will do the job. It's probably worth trying by-hand on both an entry with a tag and an entry without a tag before checking it in, but I've got good feelings about this.

Once it works we should do a big run over all affected CVEs.

Thanks

Thanks Seth

tags are not standardized, and there are some tags with spaces in the

so, I need to make a new patch :)

> Thanks Seth
>
> tags are not standardized, and there are some tags with spaces in the
>
> so, I need to make a new patch :)

If we know that the first separator will always be a space, `maxsplit=1` should ensure two components.

is this still under development?

This is ready now. I tested against all active/ ignored/ and retired/ cves.

retested with two lines of deadcode removed

Would it be better to update cve_lib so that it can and does parse the tags and returns these as a tuple along with the patch URL that way we can encapsulate that parsing in a more logical location?

I can move this to cve_lib if preferred. I've been hesitant to move the kludge there.

To remove all kludges, our deb822 UCT file format should change to properly track tags. i.e., tags shouldn't exist as part of the url string. (To do this, tags would first need to be sanitized to remove whitespace. And what to do in the case of no tags would need to be worked out.)

e.g.,

```
diff --git a/active/CVE-2023-2953 b/active/CVE-2023-2953
index 453ef36a951..3f5664ce223 100644
--- a/active/CVE-2023-2953
+++ b/active/CVE-2023-2953
@@ -20,12 +20,16 @@ CVSS:
  nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

 Patches_openldap:
- upstream: https://git.openldap.org/openldap/openldap/-/commit/ea8dd2d279c5aeaf9d4672a4e95bebd99babcce1 (master)
- upstream: https://git.openldap.org/openldap/openldap/-/commit/3f2abd0b2eeec8522e50d5c4ea4992e70e8f9915 (master)
- upstream: https://git.openldap.org/openldap/openldap/-/commit/c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f (2_6_4)
- upstream: https://git.openldap.org/openldap/openldap/-/commit/840944e26f734bb03d925f26c4ef11a6cedcbb9c (2_6_4)
- upstream: https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce (2_5_14)
- upstream: https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b (2_5_14)
+ upstream:
+ master:
+ https://git.openldap.org/openldap/openldap/-/commit/ea8dd2d279c5aeaf9d4672a4e95bebd99babcce1
+ https://git.openldap.org/openldap/openldap/-/commit/3f2abd0b2eeec8522e50d5c4ea4992e70e8f9915
+ 2_6_4:
+ https://git.openldap.org/openldap/openldap/-/commit/c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f
+ https://git.openldap.org/openldap/openldap/-/commit/840944e26f734bb03d925f26c4ef11a6cedcbb9c
+ 2_5_14:
+ https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce
+ https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b
 upstream_openldap: released (2.6.4)
 trusty_openldap: ignored (end of standard support)
 trusty/esm_openldap: released (2.4.31-1+nmu2ubuntu8.5+esm6)
```

edit: Launchpad does not show whitespace of the above example well. Please check in an editor.

I don't think we would have to change the CVE file format necessarily - although I do like the idea of making this more structured - so let's not bikeshed on that or let it get in the way of this MR - we can always do that work as a separate MR in the future, so +1 from me on this current MR as is.

Alex, would you still like this moved to cve_lib? I don't mind doing so. I can merge this now and remove it after.

Assuming I understand you correctly, I think if you move it to cve_lib you'll end up having to fix up all existing users of Patches within cve_lib to then expect a list of tuples, not a list of strings which feels like too much churn - particularly if you want to restructure the CVE files eventually anyway to make this more hierarchical as per your example earlier - so I think we merge this as is then can work on improving things later.

It's not intended to be a tag, it's a comment, and there could be whitespace in it. Trying to use comments as tags only would change the commit sort order. I think that would be a big change to how we use them now, and we'd still need to figure out how to add comments.

Here's an example from CVE-2023-48795:

Patches_paramiko:
 upstream: https://github.com/paramiko/paramiko/commit/be3ffc18cc466e0b0a877d716721353c12561bcc
 upstream: https://github.com/paramiko/paramiko/commit/4c7f0410c533cdf0df2890512237961f934f5ab9 (changelog)
 upstream: https://github.com/paramiko/paramiko/commit/773a174fb1e40e1d18dbe2625e16337ea401119e
 upstream: https://github.com/paramiko/paramiko/commit/c32be441a5ff0dc4914b22d6d1efa392aebe862f (not required)
 upstream: https://github.com/paramiko/paramiko/commit/f4dedacb9040d27d9844f51c81c28e0247d3e4a3
 upstream: https://github.com/paramiko/paramiko/commit/73f079f5a4bbba7f3048dadbe05b24242206745e (changelog)
 upstream: https://github.com/paramiko/paramiko/commit/75e311d3c0845a316b6e7b3fae2488d86ad5a270
 upstream: https://github.com/paramiko/paramiko/commit/fa46de7feeeb8a01dc471581a0258252ce4f2db6
 upstream: https://github.com/paramiko/paramiko/commit/8dcb237f0ee095b1d8b26765c3d41d0ab6963be9 (test suite fix)
 upstream: https://github.com/paramiko/paramiko/commit/58785d29c47570fa700e096d16b9a0d3a6069048 (changelog)
 upstream: https://github.com/paramiko/paramiko/commit/96db1e2be856eac66631761bae41167a1ebd2b4e
 upstream: https://github.com/paramiko/paramiko/commit/33508c920309860c4a775be70f209c2a400e18ec
 upstream: https://github.com/paramiko/paramiko/commit/30b447b911c39460bbef5e7834e339c43a251316 (lint)
 upstream: https://github.com/paramiko/paramiko/commit/3e4bdf998f5b1508322234a527e8fa432220368b (changelog)

Ack, thanks for clarification Marc. This should not be merged.

My conclusion now is that the issue is on the webpage tooling end: https://github.com/canonical/ubuntu.com/issues/13498

Does that sound reasonable to others? If so, I'll update that issue with a comment for the web team.

They should be able to add an anchor link to our output `<source>: <url>` or `<source>: <url> (<note>)`.

Also, what is happening here: https://ubuntu.com/security/CVE-2023-48795 o.o

Getting the web team to adapt to what we send them has been a challenge; I think we'd be better suited to just send them the moral equivalent of foo.split(" ")[0] and leave it at that. Changing the submission format to support both the patch URL and patch description would be nice but that's even more work. We could unbreak all the links with a simple thing that'll throw away a bit of data in the display.

Following Seth's advice, the new patch drops notes.

I added comments to clarify why/how things are done.

I think the regex is too tight, it'll skip entries with spaces in the note.

Right you are. Thanks Seth!

Now:
```
Patches_moodle:
 upstream: http://foo.bar
 upstream: http://foo.bar
 upstream: http://foo.bar (note)
 upstream: http://foo.bar (note note)
```

Results in:
```
{'moodle': ['upstream: http://foo.bar', 'upstream: http://foo.bar', 'upstream: http://foo.bar', 'upstream: http://foo.bar']}
```

Cool, thanks!

You've spent a fair amount of time with this function, and this file; would it be easy to add some tests here? those four examples are a really decent start on test cases. I *think* it wouldn't be too much more to get some tests, but hooking them up to run periodically would be the bigger challenge. (And it might be super-easy once you know the trick, I just don't know it off-hand.)

Thanks

Useless comment to see if I can reproduce an oops.

Updates for tests added.

Tests across UCT are a bit scattered and loosely defined, so I've filed https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2052830

Just stumbled over that bug, patch looks good!