Merge ~eslerm/ubuntu-cve-tracker:check-cves-variables into ubuntu-cve-tracker:master
Status: | Merged |
---|---|
Merged at revision: | fb96f59c1267dc5da2facee5ee39b2e23cd87e65 |
Proposed branch: | ~eslerm/ubuntu-cve-tracker:check-cves-variables |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
523 lines (+110/-112) 1 file modified
scripts/check-cves (+110/-112) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Alex Murray | Approve | ||
Commit message
check-cves: variable clarity updates
Description of the change
This is mostly an update to make variables clearer.
I should have said "constants" not "globals".
I'm not certain all of them should be added. Particularly `BUILT_USING_MAP` which pylint suggested. `UNTRIAGED_JSON` as well, but I don't believe code using this variable is proper (several parameters can override it).
There is more work to clarify `human_process_cve` (the interactive triage prompt); this proposal only renames the locals there.
Mark Esler (eslerm) wrote : | # |
Marc Deslauriers (mdeslaur) wrote : | # |
This script doesn't have a main function, it's just a script. If you really want to run something like pylint over it and want to switch everything it thinks are "global" variables to uppercase, you should probably convert the script to use a main function first.
Mark Esler (eslerm) wrote (last edit ): | # |
The plan is to use a main function. My refactor isn't complete, but had begun to implement this https:/
It's easier to work with the code after it is clearer, which is why I'm suggesting style changes first.
Potentially I _could_ drop all of these variables to lower case if needed.
Preview Diff
1 | diff --git a/scripts/check-cves b/scripts/check-cves | |||
2 | index be0b713..c1239fd 100755 | |||
3 | --- a/scripts/check-cves | |||
4 | +++ b/scripts/check-cves | |||
5 | @@ -79,20 +79,20 @@ for release in list(source.keys()): | |||
6 | 79 | # remove common words which also happen to be names | 79 | # remove common words which also happen to be names |
7 | 80 | # of source packages since our ignore suggestion is | 80 | # of source packages since our ignore suggestion is |
8 | 81 | # likely to sometimes contain these | 81 | # likely to sometimes contain these |
11 | 82 | common_words = ['an', 'and', 'context', 'file', 'modules', 'the', 'when'] | 82 | COMMON_WORDS = ['an', 'and', 'context', 'file', 'modules', 'the', 'when'] |
12 | 83 | allsrcs.difference_update(set(common_words)) | 83 | allsrcs.difference_update(set(COMMON_WORDS)) |
13 | 84 | allsrcs.update(set(cve_lib.package_db.keys())) | 84 | allsrcs.update(set(cve_lib.package_db.keys())) |
14 | 85 | 85 | ||
16 | 86 | built_using_map = None | 86 | BUILT_USING_MAP = None |
17 | 87 | 87 | ||
19 | 88 | destdir = "." | 88 | DEST_DIR = "." |
20 | 89 | 89 | ||
21 | 90 | # Skip stuff older than 2005 | 90 | # Skip stuff older than 2005 |
23 | 91 | cve_limit = 2004 | 91 | CVE_LIMIT = 2004 |
24 | 92 | 92 | ||
26 | 93 | mistriaged_hint = 'Previously triaged as ignored in Ubuntu\n\n' | 93 | MISTRIAGED_HINT = 'Previously triaged as ignored in Ubuntu\n\n' |
27 | 94 | 94 | ||
29 | 95 | ignore_strings = [ | 95 | IGNORE_STRINGS = [ |
30 | 96 | "** REJECT **", "Internet Explorer", "Microsoft Edge", "Windows 98", | 96 | "** REJECT **", "Internet Explorer", "Microsoft Edge", "Windows 98", |
31 | 97 | "Windows 2000", "Windows XP", "Windows Server 2003", "Windows NT", | 97 | "Windows 2000", "Windows XP", "Windows Server 2003", "Windows NT", |
32 | 98 | "Mercury Board", "ZeroBoard", "AntiVirus", "Microsoft", "SGI IRIX", | 98 | "Mercury Board", "ZeroBoard", "AntiVirus", "Microsoft", "SGI IRIX", |
33 | @@ -136,7 +136,6 @@ def _spawn_editor(path): | |||
34 | 136 | subprocess.call([editor, path]) | 136 | subprocess.call([editor, path]) |
35 | 137 | 137 | ||
36 | 138 | def debug(msg): | 138 | def debug(msg): |
37 | 139 | global opt | ||
38 | 140 | if args.debug: | 139 | if args.debug: |
39 | 141 | print(msg, file=sys.stderr) | 140 | print(msg, file=sys.stderr) |
40 | 142 | 141 | ||
41 | @@ -227,7 +226,7 @@ def import_debian(handler): | |||
42 | 227 | cves = dict() | 226 | cves = dict() |
43 | 228 | 227 | ||
44 | 229 | today = datetime_date.today() | 228 | today = datetime_date.today() |
46 | 230 | known = set(CVEKnownList + CVEIgnoreList) | 229 | known = set(cve_known_list + cve_ignore_list) |
47 | 231 | 230 | ||
48 | 232 | def ever_existed(pkg): | 231 | def ever_existed(pkg): |
49 | 233 | for rel in source: | 232 | for rel in source: |
50 | @@ -236,8 +235,8 @@ def import_debian(handler): | |||
51 | 236 | return False | 235 | return False |
52 | 237 | 236 | ||
53 | 238 | def mistriaged(cve): | 237 | def mistriaged(cve): |
56 | 239 | if cve in CVEIgnoreNotForUsSet and \ | 238 | if cve in CVE_IGNORE_NFU_SET and \ |
57 | 240 | cve not in CVEIgnoreMistriagedSet and \ | 239 | cve not in CVE_IGNORE_MISTRIAGED_LIST and \ |
58 | 241 | handler.debian[cve]['state'] == 'FOUND': | 240 | handler.debian[cve]['state'] == 'FOUND': |
59 | 242 | # check that at least one of the assigned packages exist | 241 | # check that at least one of the assigned packages exist |
60 | 243 | # in Ubuntu | 242 | # in Ubuntu |
61 | @@ -259,7 +258,7 @@ def import_debian(handler): | |||
62 | 259 | continue | 258 | continue |
63 | 260 | 259 | ||
64 | 261 | year = int(re.split('-', cve)[1]) | 260 | year = int(re.split('-', cve)[1]) |
66 | 262 | if year < cve_limit: | 261 | if year < CVE_LIMIT: |
67 | 263 | continue | 262 | continue |
68 | 264 | 263 | ||
69 | 265 | # If we already know about the CVE, skip it unless is | 264 | # If we already know about the CVE, skip it unless is |
70 | @@ -267,7 +266,7 @@ def import_debian(handler): | |||
71 | 267 | if cve in known: | 266 | if cve in known: |
72 | 268 | if mistriaged(cve): | 267 | if mistriaged(cve): |
73 | 269 | # add a note about how this was originally classified | 268 | # add a note about how this was originally classified |
75 | 270 | dsas[dsa]['desc'] = mistriaged_hint + dsas[dsa]['desc'] | 269 | dsas[dsa]['desc'] = MISTRIAGED_HINT + dsas[dsa]['desc'] |
76 | 271 | else: | 270 | else: |
77 | 272 | continue | 271 | continue |
78 | 273 | 272 | ||
79 | @@ -294,16 +293,16 @@ def import_debian(handler): | |||
80 | 294 | continue | 293 | continue |
81 | 295 | 294 | ||
82 | 296 | year = int(re.split('-', cve)[1]) | 295 | year = int(re.split('-', cve)[1]) |
84 | 297 | if year < cve_limit: | 296 | if year < CVE_LIMIT: |
85 | 298 | if args.verbose: | 297 | if args.verbose: |
87 | 299 | print(f"Skipping {cve}, year {year} predates {cve_limit}", file=sys.stderr) | 298 | print(f"Skipping {cve}, year {year} predates {CVE_LIMIT}", file=sys.stderr) |
88 | 300 | continue | 299 | continue |
89 | 301 | 300 | ||
90 | 302 | # If we already know about the CVE, skip it unless is mistriaged | 301 | # If we already know about the CVE, skip it unless is mistriaged |
91 | 303 | if cve in known: | 302 | if cve in known: |
92 | 304 | if mistriaged(cve): | 303 | if mistriaged(cve): |
93 | 305 | # add a note about how this was originally classified | 304 | # add a note about how this was originally classified |
95 | 306 | handler.debian[cve]['desc'] = mistriaged_hint + handler.debian[cve]['desc'] | 305 | handler.debian[cve]['desc'] = MISTRIAGED_HINT + handler.debian[cve]['desc'] |
96 | 307 | else: | 306 | else: |
97 | 308 | if args.verbose: | 307 | if args.verbose: |
98 | 309 | print(f"Skipping {cve}, already known", file=sys.stderr) | 308 | print(f"Skipping {cve}, already known", file=sys.stderr) |
99 | @@ -539,14 +538,14 @@ def dpkg_compare_versions(v1, op, v2): | |||
100 | 539 | 538 | ||
101 | 540 | 539 | ||
102 | 541 | def get_built_using(pkgs=[]): | 540 | def get_built_using(pkgs=[]): |
106 | 542 | global built_using_map | 541 | global BUILT_USING_MAP |
107 | 543 | if built_using_map is None: | 542 | if BUILT_USING_MAP is None: |
108 | 544 | built_using_map = source_map.load_built_using_collection( | 543 | BUILT_USING_MAP = source_map.load_built_using_collection( |
109 | 545 | source_map.load(data_type='packages')) | 544 | source_map.load(data_type='packages')) |
110 | 546 | 545 | ||
111 | 547 | out = "" | 546 | out = "" |
112 | 548 | for pkg in pkgs: | 547 | for pkg in pkgs: |
114 | 549 | out += source_map.get_built_using(built_using_map, pkg) | 548 | out += source_map.get_built_using(BUILT_USING_MAP, pkg) |
115 | 550 | 549 | ||
116 | 551 | return out | 550 | return out |
117 | 552 | 551 | ||
118 | @@ -602,7 +601,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
119 | 602 | timestamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime()) | 601 | timestamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime()) |
120 | 603 | 602 | ||
121 | 604 | # Append to timestamp file list | 603 | # Append to timestamp file list |
123 | 605 | with open(f'{destdir}/check-cves.log', 'a') as f: | 604 | with open(f'{DEST_DIR}/check-cves.log', 'a') as f: |
124 | 606 | f.write( | 605 | f.write( |
125 | 607 | f"{timestamp} UTC - " | 606 | f"{timestamp} UTC - " |
126 | 608 | f"{self.num_added} added, " | 607 | f"{self.num_added} added, " |
127 | @@ -780,10 +779,10 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
128 | 780 | if not self.curr_cve or not self.curr_desc: | 779 | if not self.curr_cve or not self.curr_desc: |
129 | 781 | return | 780 | return |
130 | 782 | # Skip CVEs we know about already unless this is a mistriaged CVE | 781 | # Skip CVEs we know about already unless this is a mistriaged CVE |
132 | 783 | if self.curr_cve in self.cve_ignore and mistriaged_hint not in self.curr_desc: | 782 | if self.curr_cve in self.cve_ignore and MISTRIAGED_HINT not in self.curr_desc: |
133 | 784 | return | 783 | return |
134 | 785 | 784 | ||
136 | 786 | limit = cve_limit | 785 | limit = CVE_LIMIT |
137 | 787 | if not args.refresh and not args.score_refresh: | 786 | if not args.refresh and not args.score_refresh: |
138 | 788 | limit = 2005 | 787 | limit = 2005 |
139 | 789 | if int(self.curr_cve.split("-")[1]) < limit: | 788 | if int(self.curr_cve.split("-")[1]) < limit: |
140 | @@ -832,7 +831,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
141 | 832 | if subproject in source: | 831 | if subproject in source: |
142 | 833 | aliases = source_map.get_all_aliases(source, subproject) | 832 | aliases = source_map.get_all_aliases(source, subproject) |
143 | 834 | for hint in software_hints_from_cve_description: | 833 | for hint in software_hints_from_cve_description: |
145 | 835 | if hint in common_words: | 834 | if hint in COMMON_WORDS: |
146 | 836 | continue | 835 | continue |
147 | 837 | 836 | ||
148 | 838 | if hint in source[subproject]: | 837 | if hint in source[subproject]: |
149 | @@ -863,7 +862,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
150 | 863 | sys.stdout = CVEOutput(file, line_prefix) | 862 | sys.stdout = CVEOutput(file, line_prefix) |
151 | 864 | 863 | ||
152 | 865 | # Check if this was once an embargoed issue | 864 | # Check if this was once an embargoed issue |
154 | 866 | if cve in EmbargoList: | 865 | if cve in CVE_EMBARGO_LIST: |
155 | 867 | print('**!!** no longer embargoed **!!**') | 866 | print('**!!** no longer embargoed **!!**') |
156 | 868 | print('==========================details from embargo entry==========================') | 867 | print('==========================details from embargo entry==========================') |
157 | 869 | with open(os.path.join('embargoed', cve)) as f: | 868 | with open(os.path.join('embargoed', cve)) as f: |
158 | @@ -927,7 +926,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
159 | 927 | print(" - " + affected_subproject + ": " + " - ".join( | 926 | print(" - " + affected_subproject + ": " + " - ".join( |
160 | 928 | software_hints_per_external_releases[affected_subproject])) | 927 | software_hints_per_external_releases[affected_subproject])) |
161 | 929 | # once again, announce formerly embargoed status | 928 | # once again, announce formerly embargoed status |
163 | 930 | if cve in EmbargoList: | 929 | if cve in CVE_EMBARGO_LIST: |
164 | 931 | print('**!!** no longer embargoed **!!**') | 930 | print('**!!** no longer embargoed **!!**') |
165 | 932 | print('**!!** ensure this is correct before unembargoing **!!**') | 931 | print('**!!** ensure this is correct before unembargoing **!!**') |
166 | 933 | 932 | ||
167 | @@ -940,12 +939,12 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
168 | 940 | reason = "" | 939 | reason = "" |
169 | 941 | packages = [] | 940 | packages = [] |
170 | 942 | # Skip CVEs that are obviously not about Ubuntu | 941 | # Skip CVEs that are obviously not about Ubuntu |
172 | 943 | for s in ignore_strings: | 942 | for s in IGNORE_STRINGS: |
173 | 944 | if re.search('(^| )%s' % re.escape(s), self.cve_data[cve]['desc'], flags=re.MULTILINE) and self.cve_data[cve]['desc'].find("Linux") < 0: | 943 | if re.search('(^| )%s' % re.escape(s), self.cve_data[cve]['desc'], flags=re.MULTILINE) and self.cve_data[cve]['desc'].find("Linux") < 0: |
174 | 945 | action = 'ignore' | 944 | action = 'ignore' |
175 | 946 | reason = s | 945 | reason = s |
176 | 947 | # if cve is in embargo list (but now public), default to unembargo action | 946 | # if cve is in embargo list (but now public), default to unembargo action |
178 | 948 | if cve in EmbargoList: | 947 | if cve in CVE_EMBARGO_LIST: |
179 | 949 | action = 'unembargo' | 948 | action = 'unembargo' |
180 | 950 | reason = "" | 949 | reason = "" |
181 | 951 | else: | 950 | else: |
182 | @@ -1011,36 +1010,36 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
183 | 1011 | return words | 1010 | return words |
184 | 1012 | 1011 | ||
185 | 1013 | def human_process_cve(self, cve, action='skip', reason='', package=''): | 1012 | def human_process_cve(self, cve, action='skip', reason='', package=''): |
188 | 1014 | info = '' | 1013 | user_input = '' |
189 | 1015 | while info == "" or info[0] not in ['i', 'a', 's', 'q', 'r']: | 1014 | while user_input == "" or user_input[0] not in ['i', 'a', 's', 'q', 'r']: |
190 | 1016 | prompt_user(f'\nA]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [{action}] ') | 1015 | prompt_user(f'\nA]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [{action}] ') |
194 | 1017 | info = sys.stdin.readline().strip().lower() | 1016 | user_input = sys.stdin.readline().strip().lower() |
195 | 1018 | if info == "": | 1017 | if user_input == "": |
196 | 1019 | info = action | 1018 | user_input = action |
197 | 1020 | 1019 | ||
199 | 1021 | if info.startswith('q'): | 1020 | if user_input.startswith('q'): |
200 | 1022 | self.printReport() | 1021 | self.printReport() |
201 | 1023 | self.updateTimestamp() | 1022 | self.updateTimestamp() |
202 | 1024 | sys.exit(0) | 1023 | sys.exit(0) |
204 | 1025 | elif info.startswith('a') or info.startswith('r'): | 1024 | elif user_input.startswith('a') or user_input.startswith('r'): |
205 | 1026 | do_repeat = False | 1025 | do_repeat = False |
208 | 1027 | if info.startswith('r'): | 1026 | if user_input.startswith('r'): |
209 | 1028 | info = self.saved_package | 1027 | user_input = self.saved_package |
210 | 1029 | do_repeat = True | 1028 | do_repeat = True |
211 | 1030 | else: | 1029 | else: |
214 | 1031 | info = "" | 1030 | user_input = "" |
215 | 1032 | while info == "": | 1031 | while user_input == "": |
216 | 1033 | prompt_user('Package(s) affected? ') | 1032 | prompt_user('Package(s) affected? ') |
217 | 1034 | if package == "": | 1033 | if package == "": |
218 | 1035 | package = self.saved_package | 1034 | package = self.saved_package |
219 | 1036 | if package != "": | 1035 | if package != "": |
220 | 1037 | prompt_user(f'[{package}] ') | 1036 | prompt_user(f'[{package}] ') |
225 | 1038 | info = sys.stdin.readline().strip() | 1037 | user_input = sys.stdin.readline().strip() |
226 | 1039 | if info == '': | 1038 | if user_input == '': |
227 | 1040 | info = package | 1039 | user_input = package |
228 | 1041 | self.saved_package = info | 1040 | self.saved_package = user_input |
229 | 1042 | 1041 | ||
231 | 1043 | dst = self.add_cve(cve, info.split(), None) | 1042 | dst = self.add_cve(cve, user_input.split(), None) |
232 | 1044 | 1043 | ||
233 | 1045 | if do_repeat: | 1044 | if do_repeat: |
234 | 1046 | subprocess.call(['./scripts/active_dup', self.saved_cve, cve]) | 1045 | subprocess.call(['./scripts/active_dup', self.saved_cve, cve]) |
235 | @@ -1048,11 +1047,11 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
236 | 1048 | self.saved_cve = cve | 1047 | self.saved_cve = cve |
237 | 1049 | 1048 | ||
238 | 1050 | print('\n===================== Dependant packages ======================') | 1049 | print('\n===================== Dependant packages ======================') |
240 | 1051 | print(f' Detecting packages built using: {info}...', end='') | 1050 | print(f' Detecting packages built using: {user_input}...', end='') |
241 | 1052 | sys.stdout.flush() | 1051 | sys.stdout.flush() |
242 | 1053 | built_using = "" | 1052 | built_using = "" |
243 | 1054 | try: | 1053 | try: |
245 | 1055 | built_using = get_built_using(info) | 1054 | built_using = get_built_using(user_input) |
246 | 1056 | except Exception as e: | 1055 | except Exception as e: |
247 | 1057 | print(f"ERROR: {e}", file=sys.stderr) | 1056 | print(f"ERROR: {e}", file=sys.stderr) |
248 | 1058 | pass # for now just show the error but don't break triage | 1057 | pass # for now just show the error but don't break triage |
249 | @@ -1062,13 +1061,13 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
250 | 1062 | print(source_map.get_built_using_header()) | 1061 | print(source_map.get_built_using_header()) |
251 | 1063 | print(built_using) | 1062 | print(built_using) |
252 | 1064 | print("IMPORTANT: the above packages are candidates for rebuilds when fixes are applied to:") | 1063 | print("IMPORTANT: the above packages are candidates for rebuilds when fixes are applied to:") |
254 | 1065 | print(" %s" % "\n ".join(info)) | 1064 | print(" %s" % "\n ".join(user_input)) |
255 | 1066 | else: | 1065 | else: |
256 | 1067 | print("none detected") | 1066 | print("none detected") |
257 | 1068 | 1067 | ||
261 | 1069 | elif info.startswith('i'): | 1068 | elif user_input.startswith('i'): |
262 | 1070 | info = "" | 1069 | ignored_reason = "" |
263 | 1071 | while info == "": | 1070 | while ignored_reason == "": |
264 | 1072 | print('Reason to be ignored?') | 1071 | print('Reason to be ignored?') |
265 | 1073 | prompts = [] | 1072 | prompts = [] |
266 | 1074 | 1073 | ||
267 | @@ -1085,24 +1084,23 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
268 | 1085 | print(f" {chr(97 + i)}) {prompts[i]}") | 1084 | print(f" {chr(97 + i)}) {prompts[i]}") |
269 | 1086 | prompt_user(' > ') | 1085 | prompt_user(' > ') |
270 | 1087 | 1086 | ||
273 | 1088 | info = sys.stdin.readline().strip() | 1087 | ignored_reason_input = sys.stdin.readline().strip() |
274 | 1089 | if len(info) == 1 and info.isalpha(): | 1088 | # NOTE: user is selecting a choice from prompts |
275 | 1089 | if len(ignored_reason_input) == 1 and ignored_reason_input.isalpha(): | ||
276 | 1090 | try: | 1090 | try: |
277 | 1091 | # ord('a') == 97 | 1091 | # ord('a') == 97 |
279 | 1092 | info = prompts[ord(info) - 97] | 1092 | ignored_reason = prompts[ord(ignored_reason_input) - 97] |
280 | 1093 | except IndexError: | 1093 | except IndexError: |
281 | 1094 | print('\nError: invalid reason.\n') | 1094 | print('\nError: invalid reason.\n') |
287 | 1095 | info = "" | 1095 | # TODO: reassess if < 2 is a better value |
288 | 1096 | # Enter defaults to only suggestion if only one exists | 1096 | # or add a mechanism to catch certain 3 letter words |
289 | 1097 | elif len(info) == 0 and len(prompts) == 1: | 1097 | # e.g., IBM is currently invalid |
290 | 1098 | info = prompts[0] | 1098 | elif len(ignored_reason_input) < 3: # Fat fingers protection |
286 | 1099 | elif len(info) < 3: # Fat fingers protection | ||
291 | 1100 | print('\nError: Reason must be at least 3 characters long!\n') | 1099 | print('\nError: Reason must be at least 3 characters long!\n') |
295 | 1101 | info = "" | 1100 | self.saved_ignore_cache.insert(ignored_reason) |
296 | 1102 | self.saved_ignore_cache.insert(info) | 1101 | self.ignore_cve(cve, ignored_reason) |
294 | 1103 | self.ignore_cve(cve, info) | ||
297 | 1104 | 1102 | ||
299 | 1105 | elif info.startswith('s'): | 1103 | elif user_input.startswith('s'): |
300 | 1106 | self.skip_cve() | 1104 | self.skip_cve() |
301 | 1107 | print('') | 1105 | print('') |
302 | 1108 | 1106 | ||
303 | @@ -1146,7 +1144,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
304 | 1146 | if priority not in cve_lib.priorities and not priority == 'untriaged': | 1144 | if priority not in cve_lib.priorities and not priority == 'untriaged': |
305 | 1147 | raise ValueError(f'Invalid priority on line {line_num}:\n{orig_line}') | 1145 | raise ValueError(f'Invalid priority on line {line_num}:\n{orig_line}') |
306 | 1148 | 1146 | ||
308 | 1149 | if os.path.exists(f'{destdir}/active/{cve}'): | 1147 | if os.path.exists(f'{DEST_DIR}/active/{cve}'): |
309 | 1150 | raise ValueError(f'Updating an existing CVE is not supported (line {line_num}):\n{orig_line}') | 1148 | raise ValueError(f'Updating an existing CVE is not supported (line {line_num}):\n{orig_line}') |
310 | 1151 | 1149 | ||
311 | 1152 | if preprocess: | 1150 | if preprocess: |
312 | @@ -1160,7 +1158,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
313 | 1160 | if action == 'edit': | 1158 | if action == 'edit': |
314 | 1161 | _spawn_editor(cve_path) | 1159 | _spawn_editor(cve_path) |
315 | 1162 | elif action == 'unembargo': | 1160 | elif action == 'unembargo': |
317 | 1163 | if cve not in EmbargoList: | 1161 | if cve not in CVE_EMBARGO_LIST: |
318 | 1164 | raise ValueError(f'CVE {cve} is not in the embargo database (line {line_num}):\n{orig_line}') | 1162 | raise ValueError(f'CVE {cve} is not in the embargo database (line {line_num}):\n{orig_line}') |
319 | 1165 | 1163 | ||
320 | 1166 | if os.path.exists(os.path.join('active', cve)): | 1164 | if os.path.exists(os.path.join('active', cve)): |
321 | @@ -1198,7 +1196,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
322 | 1198 | desc = '' | 1196 | desc = '' |
323 | 1199 | 1197 | ||
324 | 1200 | # Check if this was once an embargoed issue | 1198 | # Check if this was once an embargoed issue |
326 | 1201 | if cve in EmbargoList: | 1199 | if cve in CVE_EMBARGO_LIST: |
327 | 1202 | desc += '# **!!** no longer embargoed **!!**\n' | 1200 | desc += '# **!!** no longer embargoed **!!**\n' |
328 | 1203 | desc += '# ==========================details from embargo entry==========================\n' | 1201 | desc += '# ==========================details from embargo entry==========================\n' |
329 | 1204 | with open(os.path.join('embargoed', cve)) as f: | 1202 | with open(os.path.join('embargoed', cve)) as f: |
330 | @@ -1238,7 +1236,7 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
331 | 1238 | action = 'skip' | 1236 | action = 'skip' |
332 | 1239 | data = "" | 1237 | data = "" |
333 | 1240 | # Skip CVEs that are obviously not about Ubuntu | 1238 | # Skip CVEs that are obviously not about Ubuntu |
335 | 1241 | for s in ignore_strings: | 1239 | for s in IGNORE_STRINGS: |
336 | 1242 | if self.cve_data[cve]['desc'].find(s) >= 0 and self.cve_data[cve]['desc'].find("Linux") < 0: | 1240 | if self.cve_data[cve]['desc'].find(s) >= 0 and self.cve_data[cve]['desc'].find("Linux") < 0: |
337 | 1243 | action = 'ignore' | 1241 | action = 'ignore' |
338 | 1244 | data = s | 1242 | data = s |
339 | @@ -1255,11 +1253,11 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
340 | 1255 | 1253 | ||
341 | 1256 | def add_cve(self, cve, packages, priority=None): | 1254 | def add_cve(self, cve, packages, priority=None): |
342 | 1257 | # remove from not-for-us.txt if adding and ensure we remove any | 1255 | # remove from not-for-us.txt if adding and ensure we remove any |
345 | 1258 | # mistriaged_hint from the description | 1256 | # MISTRIAGED_HINT from the description |
346 | 1259 | if cve in CVEIgnoreNotForUsSet: | 1257 | if cve in CVE_IGNORE_NFU_SET: |
347 | 1260 | cmd = ['sed', '-i', f'/^{cve} #.*$/d', './ignored/not-for-us.txt'] | 1258 | cmd = ['sed', '-i', f'/^{cve} #.*$/d', './ignored/not-for-us.txt'] |
348 | 1261 | subprocess.call(cmd) | 1259 | subprocess.call(cmd) |
350 | 1262 | self.cve_data[cve]['desc'] = self.cve_data[cve]['desc'].replace(mistriaged_hint, '') | 1260 | self.cve_data[cve]['desc'] = self.cve_data[cve]['desc'].replace(MISTRIAGED_HINT, '') |
351 | 1263 | 1261 | ||
352 | 1264 | # Build up list of reference urls | 1262 | # Build up list of reference urls |
353 | 1265 | ref_urls = [] | 1263 | ref_urls = [] |
354 | @@ -1376,10 +1374,10 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
355 | 1376 | self.num_added += 1 | 1374 | self.num_added += 1 |
356 | 1377 | 1375 | ||
357 | 1378 | def ignore_cve(self, cve, reason): | 1376 | def ignore_cve(self, cve, reason): |
359 | 1379 | # Append to ignore list unless is already in CVEIgnoreList and then | 1377 | # Append to ignore list unless is already in cve_ignore_list and then |
360 | 1380 | # append to the ignored/ignore-mistriaged.txt | 1378 | # append to the ignored/ignore-mistriaged.txt |
363 | 1381 | txtfile = 'ignore-mistriaged.txt' if cve in CVEIgnoreNotForUsSet else 'not-for-us.txt' | 1379 | txtfile = 'ignore-mistriaged.txt' if cve in CVE_IGNORE_NFU_SET else 'not-for-us.txt' |
364 | 1382 | with open(f'{destdir}/ignored/{txtfile}', 'a') as f: | 1380 | with open(f'{DEST_DIR}/ignored/{txtfile}', 'a') as f: |
365 | 1383 | f.write(f'{cve} # {reason}\n') | 1381 | f.write(f'{cve} # {reason}\n') |
366 | 1384 | 1382 | ||
367 | 1385 | self.num_ignored += 1 | 1383 | self.num_ignored += 1 |
368 | @@ -1388,74 +1386,74 @@ class CVEHandler(xml.sax.handler.ContentHandler): | |||
369 | 1388 | self.num_skipped += 1 | 1386 | self.num_skipped += 1 |
370 | 1389 | 1387 | ||
371 | 1390 | 1388 | ||
376 | 1391 | ignored_notforus_path = 'ignored/not-for-us.txt' | 1389 | IGNORED_NFU_PATH = 'ignored/not-for-us.txt' |
377 | 1392 | if destdir != './' and destdir != '.': | 1390 | if DEST_DIR != './' and DEST_DIR != '.': |
378 | 1393 | ignored_notforus_path = os.path.join(destdir, ignored_notforus_path) | 1391 | IGNORED_NFU_PATH = os.path.join(DEST_DIR, IGNORED_NFU_PATH) |
379 | 1394 | # CVEIgnoreNotForUsSet is a set of all CVEs that we have previously | 1392 | # CVE_IGNORE_NFU_SET is a set of all CVEs that we have previously |
380 | 1395 | # chosen to ignore since they don't apply to software in Ubuntu | 1393 | # chosen to ignore since they don't apply to software in Ubuntu |
382 | 1396 | CVEIgnoreNotForUsSet = set(cve_lib.parse_CVEs_from_uri(ignored_notforus_path)) | 1394 | CVE_IGNORE_NFU_SET = set(cve_lib.parse_CVEs_from_uri(IGNORED_NFU_PATH)) |
383 | 1397 | 1395 | ||
388 | 1398 | ignored_mistriaged_path = 'ignored/ignore-mistriaged.txt' | 1396 | IGNORED_MISTRIAGED_PATH = 'ignored/ignore-mistriaged.txt' |
389 | 1399 | if destdir != './' and destdir != '.': | 1397 | if DEST_DIR != './' and DEST_DIR != '.': |
390 | 1400 | ignored_mistriaged_path = os.path.join(destdir, ignored_mistriaged_path) | 1398 | IGNORED_MISTRIAGED_PATH = os.path.join(DEST_DIR, IGNORED_MISTRIAGED_PATH) |
391 | 1401 | # CVEIgnoreMistriagedSet is a set of all CVEs that we want to definitely | 1399 | # CVE_IGNORE_MISTRIAGED_LIST is a set of all CVEs that we want to definitely |
392 | 1402 | # ignore when doing mistriaged CVE detection - they should exist in both | 1400 | # ignore when doing mistriaged CVE detection - they should exist in both |
393 | 1403 | # CVEIgnoreNotForUsList and CVEIgnoreMistriagedList | 1401 | # CVEIgnoreNotForUsList and CVEIgnoreMistriagedList |
395 | 1404 | CVEIgnoreMistriagedSet = set(cve_lib.parse_CVEs_from_uri(ignored_mistriaged_path)) | 1402 | CVE_IGNORE_MISTRIAGED_LIST = set(cve_lib.parse_CVEs_from_uri(IGNORED_MISTRIAGED_PATH)) |
396 | 1405 | 1403 | ||
398 | 1406 | # CVEIgnoreList is a list of all CVEs we know about already. These will be | 1404 | # cve_ignore_list is a list of all CVEs we know about already. These will be |
399 | 1407 | # ignored when checking MITRE for new CVEs | 1405 | # ignored when checking MITRE for new CVEs |
401 | 1408 | CVEIgnoreList = list(CVEIgnoreNotForUsSet) | 1406 | cve_ignore_list = list(CVE_IGNORE_NFU_SET) |
402 | 1409 | 1407 | ||
408 | 1410 | CVEKnownList = [] | 1408 | cve_known_list = [] |
409 | 1411 | CVEKnownList += [cve for cve in os.listdir(destdir + "/ignored/") if cve.startswith('CVE-')] | 1409 | cve_known_list += [cve for cve in os.listdir(DEST_DIR + "/ignored/") if cve.startswith('CVE-')] |
410 | 1412 | CVEKnownList += [cve for cve in os.listdir(destdir + "/retired/") if cve.startswith('CVE-')] | 1410 | cve_known_list += [cve for cve in os.listdir(DEST_DIR + "/retired/") if cve.startswith('CVE-')] |
411 | 1413 | (ActiveList, EmbargoList) = cve_lib.get_cve_list() | 1411 | (CVE_ACTIVE_LIST, CVE_EMBARGO_LIST) = cve_lib.get_cve_list() |
412 | 1414 | CVEKnownList += [cve for cve in ActiveList if cve not in EmbargoList] | 1412 | cve_known_list += [cve for cve in CVE_ACTIVE_LIST if cve not in CVE_EMBARGO_LIST] |
413 | 1415 | 1413 | ||
414 | 1416 | if not args.refresh and not args.mistriaged and not args.score_refresh: | 1414 | if not args.refresh and not args.mistriaged and not args.score_refresh: |
416 | 1417 | CVEIgnoreList += CVEKnownList | 1415 | cve_ignore_list += cve_known_list |
417 | 1418 | 1416 | ||
418 | 1419 | if args.known: | 1417 | if args.known: |
420 | 1420 | cvelist = CVEIgnoreList | 1418 | cvelist = cve_ignore_list |
421 | 1421 | if args.skip_nfu: | 1419 | if args.skip_nfu: |
423 | 1422 | cvelist = CVEKnownList | 1420 | cvelist = cve_known_list |
424 | 1423 | for cve in sorted(cvelist): | 1421 | for cve in sorted(cvelist): |
425 | 1424 | print(cve) | 1422 | print(cve) |
426 | 1425 | sys.exit(0) | 1423 | sys.exit(0) |
427 | 1426 | 1424 | ||
428 | 1427 | parser = xml.sax.make_parser() | 1425 | parser = xml.sax.make_parser() |
430 | 1428 | handler = CVEHandler(CVEIgnoreList) | 1426 | handler = CVEHandler(cve_ignore_list) |
431 | 1429 | parser.setContentHandler(handler) | 1427 | parser.setContentHandler(handler) |
432 | 1430 | 1428 | ||
433 | 1431 | # if has specified to triage only specific CVEs, check these are not | 1429 | # if has specified to triage only specific CVEs, check these are not |
434 | 1432 | # ignored | 1430 | # ignored |
436 | 1433 | specific_cves = None | 1431 | SPECIFIC_CVES = None |
437 | 1434 | if args.cve: | 1432 | if args.cve: |
439 | 1435 | specific_cves = set() | 1433 | SPECIFIC_CVES = set() |
440 | 1436 | for cve in args.cve.split(","): | 1434 | for cve in args.cve.split(","): |
441 | 1437 | # ignore empty CVE | 1435 | # ignore empty CVE |
442 | 1438 | if cve.strip() == "": | 1436 | if cve.strip() == "": |
443 | 1439 | continue | 1437 | continue |
444 | 1440 | # error out if is ignored | 1438 | # error out if is ignored |
446 | 1441 | if cve in CVEIgnoreList: | 1439 | if cve in cve_ignore_list: |
447 | 1442 | print(f"{cve} already exists in UCT - please remove it then retriage.") | 1440 | print(f"{cve} already exists in UCT - please remove it then retriage.") |
448 | 1443 | sys.exit(1) | 1441 | sys.exit(1) |
450 | 1444 | specific_cves.add(cve) | 1442 | SPECIFIC_CVES.add(cve) |
451 | 1445 | 1443 | ||
453 | 1446 | untriaged_json = "" | 1444 | UNTRIAGED_JSON = "" |
454 | 1447 | if args.untriaged: | 1445 | if args.untriaged: |
457 | 1448 | untriaged_json = read_locate_cves_output(args.untriaged) | 1446 | UNTRIAGED_JSON = read_locate_cves_output(args.untriaged) |
458 | 1449 | args.uris.append(untriaged_json) | 1447 | args.uris.append(UNTRIAGED_JSON) |
459 | 1450 | 1448 | ||
460 | 1451 | if args.mbox: | 1449 | if args.mbox: |
463 | 1452 | untriaged_json = read_mbox_file(args.mbox) | 1450 | UNTRIAGED_JSON = read_mbox_file(args.mbox) |
464 | 1453 | args.uris.append(untriaged_json) | 1451 | args.uris.append(UNTRIAGED_JSON) |
465 | 1454 | 1452 | ||
466 | 1455 | rhel8oval_import_json = "" | 1453 | rhel8oval_import_json = "" |
467 | 1456 | if args.rhel8oval: | 1454 | if args.rhel8oval: |
470 | 1457 | untriaged_json = read_rhel8oval_file(args.rhel8oval) | 1455 | UNTRIAGED_JSON = read_rhel8oval_file(args.rhel8oval) |
471 | 1458 | args.uris.append(untriaged_json) | 1456 | args.uris.append(UNTRIAGED_JSON) |
472 | 1459 | 1457 | ||
473 | 1460 | debian_import_json = "" | 1458 | debian_import_json = "" |
474 | 1461 | if (args.import_missing_debian or args.mistriaged) and handler.debian is not None: | 1459 | if (args.import_missing_debian or args.mistriaged) and handler.debian is not None: |
475 | @@ -1483,8 +1481,8 @@ for uri in args.uris: | |||
476 | 1483 | print('') | 1481 | print('') |
477 | 1484 | 1482 | ||
478 | 1485 | # Leaving our fake json around is icky | 1483 | # Leaving our fake json around is icky |
481 | 1486 | if os.path.exists(untriaged_json): | 1484 | if os.path.exists(UNTRIAGED_JSON): |
482 | 1487 | os.unlink(untriaged_json) | 1485 | os.unlink(UNTRIAGED_JSON) |
483 | 1488 | if os.path.exists(debian_import_json): | 1486 | if os.path.exists(debian_import_json): |
484 | 1489 | os.unlink(debian_import_json) | 1487 | os.unlink(debian_import_json) |
485 | 1490 | 1488 | ||
486 | @@ -1508,7 +1506,7 @@ def refresh_cves(cve_refresh_list, full_refresh=True): | |||
487 | 1508 | # Find the on-disk CVE file | 1506 | # Find the on-disk CVE file |
488 | 1509 | cvefile = "" | 1507 | cvefile = "" |
489 | 1510 | for status in ['active', 'retired', 'ignored']: | 1508 | for status in ['active', 'retired', 'ignored']: |
491 | 1511 | check = f'{destdir}/{status}/{cve}' | 1509 | check = f'{DEST_DIR}/{status}/{cve}' |
492 | 1512 | if os.path.exists(check): | 1510 | if os.path.exists(check): |
493 | 1513 | cvefile = check | 1511 | cvefile = check |
494 | 1514 | break | 1512 | break |
495 | @@ -1568,10 +1566,10 @@ def refresh_cves(cve_refresh_list, full_refresh=True): | |||
496 | 1568 | 1566 | ||
497 | 1569 | 1567 | ||
498 | 1570 | if args.refresh or args.score_refresh: | 1568 | if args.refresh or args.score_refresh: |
501 | 1571 | if args.cve and specific_cves is not set(): | 1569 | if args.cve and SPECIFIC_CVES is not set(): |
502 | 1572 | cve_refresh_list = specific_cves | 1570 | cve_refresh_list = SPECIFIC_CVES |
503 | 1573 | else: | 1571 | else: |
505 | 1574 | cve_refresh_list = CVEKnownList | 1572 | cve_refresh_list = cve_known_list |
506 | 1575 | 1573 | ||
507 | 1576 | # with OptParse args.refresh and args.score_refresh will each | 1574 | # with OptParse args.refresh and args.score_refresh will each |
508 | 1577 | # either be True or None. We want full_refresh to be False when | 1575 | # either be True or None. We want full_refresh to be False when |
509 | @@ -1590,12 +1588,12 @@ if experimental: | |||
510 | 1590 | handler.display_command_file_usage(fout, '# ') | 1588 | handler.display_command_file_usage(fout, '# ') |
511 | 1591 | 1589 | ||
512 | 1592 | for cve in new_cves: | 1590 | for cve in new_cves: |
514 | 1593 | if args.cve and cve not in specific_cves: | 1591 | if args.cve and cve not in SPECIFIC_CVES: |
515 | 1594 | # ignore this cve | 1592 | # ignore this cve |
516 | 1595 | continue | 1593 | continue |
517 | 1596 | # if this got marked as mistriaged, probablistically choose it for | 1594 | # if this got marked as mistriaged, probablistically choose it for |
518 | 1597 | # processing | 1595 | # processing |
520 | 1598 | if mistriaged_hint in handler.cve_data[cve]['desc']: | 1596 | if MISTRIAGED_HINT in handler.cve_data[cve]['desc']: |
521 | 1599 | if args.mistriaged == 0: | 1597 | if args.mistriaged == 0: |
522 | 1600 | # ignore this one | 1598 | # ignore this one |
523 | 1601 | continue | 1599 | continue |
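Review bot: In the ignore branch of human_process_cve (new lines 1087–1101), a typed free-text reason of three or more characters never assigns `ignored_reason`, so `while ignored_reason == "":` re-prompts forever; on the old side the typed text stayed in `info` and exited the loop, whereas the new side only sets `ignored_reason` from the `prompts[...]` lookup for a single-letter choice. Unless lines 1075–1084, which are outside the hunk, set it, add `else: ignored_reason = ignored_reason_input` after the fat-fingers `elif`, so that a reason that passes the length check is accepted and written to ignored/not-for-us.txt as before. The old `elif len(info) == 0 and len(prompts) == 1: info = prompts[0]` Enter-defaults-to-the-only-suggestion branch is also dropped here without mention in the commit message; if that is intentional, say so in the description, otherwise restore it alongside the else. human_process_cve starts in an earlier hunk, and the lines that build `prompts` are not in view.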
I used pylint to inform some of these changes: https://pylint.readthedocs.io/en/stable/user_guide/messages/convention/invalid-name.html