Merge ~eslerm/ubuntu-cve-tracker:cna-info into ubuntu-cve-tracker:master

Proposed by Mark Esler
Status: Needs review
Proposed branch: ~eslerm/ubuntu-cve-tracker:cna-info
Merge into: ubuntu-cve-tracker:master
Diff against target: 362 lines (+356/-0)
1 file modified
scripts/cna_info.py (+356/-0)
Reviewer: Ubuntu Security Team
Review status: Pending
Review via email: mp+463549@code.launchpad.net

Commit message

cna_info.py: init with all valid CNAs until ~2024-03

Description of the change

this was part of vulnerability_translate.py

breaking into smaller, more maintainable, pieces

Mark Esler (eslerm) wrote :

For context of how this will be used, these dictionary keys are present in the CVE List and NVD's CVE datasets. By having a lookup table, we _could_ use CNA information in UCT.

One example is to identify the CNA during initial CVE Triage and if a CNA has never assigned a CVE in UCT _yet_, it is a heuristic.

Another is to address https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2054762 where we are blanket attributing NVD for (nearly) all CVSS scores which are not generated by Ubuntu. Attributing CNAs properly is not only technically correct, but drives priority* and could become a heuristic for triagers. (*iiuc, only NVD scores drive FedRAMP priority)
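As an added example (not part of this merge proposal or of UCT's own code), here is how the two tables from cna_info.py could drive the per-CNA CVSS attribution and the "never seen this CNA" triage heuristic discussed in the comment above. It uses the field names of NVD API 2.0 CVE records (sourceIdentifier, metrics.cvssMetricV31[].source and .type) together with a constructed subset of the tables; classify_cna and attribute_cvss are hypothetical helper names.

```python
# Constructed subset of the tables cna_info.py adds (same key/value format).
TRACKED_CNAS = {
    "nvd@nist.gov": "nvd",
    "secalert@redhat.com": "redhat",
    "security@ubuntu.com": "ubuntu",
    "416baaa9-dc9f-4396-8d5f-8c081fb06d67": "kernel",
    "larry0@me.com": "",  # common name unset, as in the real table
}
NOT_FOR_US_CNAS = {"psirt@fortinet.com": "fortinet"}


def classify_cna(source_id):
    """Map an NVD sourceIdentifier (or CVE List assigner id) to
    (common name, status). 'unknown' is the triage heuristic from the
    discussion: this CNA has not appeared in either table yet."""
    if source_id in TRACKED_CNAS:
        return TRACKED_CNAS[source_id] or source_id, "tracked"
    if source_id in NOT_FOR_US_CNAS:
        return NOT_FOR_US_CNAS[source_id] or source_id, "not-for-us"
    return source_id, "unknown"


def attribute_cvss(nvd_cve):
    """Attribute each CVSS v3.1 score in an NVD API 2.0 'cve' object to the
    CNA that produced it, rather than crediting NVD for every score."""
    rows = []
    for metric in nvd_cve.get("metrics", {}).get("cvssMetricV31", []):
        name, status = classify_cna(metric["source"])
        rows.append({
            "assigner": name,
            "status": status,
            "primary": metric["type"] == "Primary",
            "score": metric["cvssData"]["baseScore"],
        })
    return rows


# Constructed NVD-style record (placeholder id): the assigning CNA and NVD
# both published a CVSS v3.1 score for it.
SAMPLE_CVE = {
    "id": "CVE-0000-00000",
    "sourceIdentifier": "secalert@redhat.com",
    "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 7.5}},
        {"source": "secalert@redhat.com", "type": "Secondary",
         "cvssData": {"baseScore": 5.9}},
    ]},
}
```

Running attribute_cvss(SAMPLE_CVE) yields one row credited to "nvd" (the Primary score) and one to "redhat", rather than two rows credited to NVD.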

Alex Murray (alexmurray) wrote :

Would it be better to maintain these as YAML files instead to allow for easier editing? Then a simple python script to load them?

Unmerged commits

4d50f43... by Mark Esler

cna_info.py: init with all valid CNAs until ~2024-03

Succeeded
[SUCCEEDED] unit-tests:0 (build)
[SUCCEEDED] check-cves:0 (build)

Preview Diff

1diff --git a/scripts/cna_info.py b/scripts/cna_info.py
2new file mode 100755
3index 0000000..e4f3048
4--- /dev/null
5+++ b/scripts/cna_info.py
6@@ -0,0 +1,356 @@
7+#!/usr/bin/env python3
8+
9+"""
10+cna_info.py maintains CNA information for other UCT scripts
11+
12+TRACKED_CNAS and NOT_FOR_US_CNAS are dictionaries with the same format.
13+
14+Keys are unique IDs that refer to a specific CNA. These keys are present in
15+upstream CVE Program's CVE List V5 [0] and NVD's API 2.0 [1] CVE data.
16+
17+Values are common names for CNAs. An empty value means that the common name
18+is unknown or simply unset. Dictionaries are maintained alphabetically by
19+value. Common names are concatenated to a single lowercase word.
20+
21+TRACKED_CNAS are CNAs which have assigned CVEs tracked in ./active or ./retired.
22+
23+NOT_FOR_US_CNAS are CNAs which have never (yet) assigned a CVE tracked in
24+./active or ./retired.
25+
26+KNOWN_CNAS combines TRACKED_CNAS and NOT_FOR_US_CNAS.
27+
28+[0] https://github.com/CVEProject/cvelistV5
29+[1] https://nvd.nist.gov/general/news/api-20-announcements
30+
31+Copyright 2023-2024, Canonical Ltd.
32+Author: Mark Esler <mark.esler@canonical.com>
33+"""
34+
35+# CNAs which have assigned at least one CVE tracked in UCT's
36+# ./active or ./retired
37+TRACKED_CNAS = {
38+ "psirt@adobe.com": "adobe",
39+ "cve@aliasrobotics.com": "aliasrobotics",
40+ "psirt@amd.com": "amd",
41+ "security@android.com": "android",
42+ "security@apache.org": "apache",
43+ "product-security@apple.com": "apple",
44+ "arm-security@arm.com": "arm",
45+ "security@atlassian.com": "atlassian",
46+ "secure@blackberry.com": "blackberry",
47+ "cret@cert.org": "cert",
48+ "cvd@cert.pl": "certpl",
49+ "security@checkmk.com": "checkmk",
50+ "cve@checkpoint.com": "checkpoint",
51+ "chrome-cve-admin@google.com": "chrome",
52+ "talos-cna@cisco.com": "cisco",
53+ "ykramarz@cisco.com": "cisco",
54+ "cna@cloudflare.com": "cloudflare",
55+ "security@debian.org": "debian",
56+ "security_alert@emc.com": "dell",
57+ "ics-cert@hq.dhs.gov": "dhs",
58+ "security@documentfoundation.org": "documentfoundation",
59+ "mlhess@drupal.org": "drupal",
60+ "security@duo.com": "duo",
61+ "emo@eclipse.org": "eclipse",
62+ "infosec@edk2.groups.io": "edk2",
63+ "bressers@elastic.co": "elastic",
64+ "security@eset.com": "eset",
65+ "PSIRT-CNA@flexerasoftware.com": "flexsoftware",
66+ "cve-notifications-us@f-secure.com": "fsecure",
67+ "f5sirt@f5.com": "f5",
68+ "cve-assign@fb.com": "facebook",
69+ "help@fluidattacks.com": "fluidattack",
70+ "secteam@freebsd.org": "freebsd",
71+ "security-advisories@github.com": "github",
72+ "cve@gitlab.com": "gitlab",
73+ "security@golang.org": "golang",
74+ "cve-coordination@google.com": "google",
75+ "security@grafana.com": "grafana",
76+ "support@hackerone.com": "hackerone",
77+ "security@hashicorp.com": "hashicorp",
78+ "psirt@hcl.com": "hcl",
79+ "psirt@huawei.com": "huawei",
80+ "security@huntr.dev": "huntr",
81+ "psirt@us.ibm.com": "ibm",
82+ "cve-coordination@incibe.es": "incibe",
83+ "secure@intel.com": "intel",
84+ "cve-request@iojs.org": "iojs",
85+ "security-officer@isc.org": "isc",
86+ "cna@cyber.gov.il": "isreal",
87+ "jenkinsci-cert@googlegroups.com": "jenkinsci",
88+ "reefs@jfrog.com": "jfrog",
89+ "jordan@liggitt.net": "jordan",
90+ "josh@bress.net": "josh",
91+ "vultures@jpcert.or.jp": "jpcert",
92+ "sirt@juniper.net": "juniper",
93+ "vulnerability@kaspersky.com": "kaspersky",
94+ "416baaa9-dc9f-4396-8d5f-8c081fb06d67": "kernel",
95+ "mandiant-cve@google.com": "mandiant",
96+ "responsibledisclosure@mattermost.com": "mattermost",
97+ "vulnerabilitylab@mend.io": "mendio",
98+ "secure@microsoft.com": "microsoft",
99+ "cve@mitre.org": "mitre",
100+ "cna@mongodb.com": "mongodb",
101+ "security@mozilla.org": "mozilla",
102+ "sep@nlnetlabs.nl": "nlnetlabs",
103+ "vulnerability@ncsc.ch": "nscs",
104+ "nvd@nist.gov": "nvd",
105+ "psirt@nvidia.com": "nvidia",
106+ "security@odoo.com": "odoo",
107+ "research@onekey.com": "onekey",
108+ "security@open-xchange.com": "ope-xchange",
109+ "security@openanolis.org": "openanolis",
110+ "security@opencloudos.tech": "opencloudos",
111+ "securities@openeuler.org": "openeuler",
112+ "openssl-security@openssl.org": "openssl",
113+ "security@opentext.com": "opentext",
114+ "security@openvpn.net": "openvpn",
115+ "secalert_us@oracle.com": "oracle",
116+ "security@otrs.com": "otrs",
117+ "psirt@paloaltonetworks.com": "paloalto",
118+ "security@pandorafms.com": "pandorafms",
119+ "audit@patchstack.com": "patchstack",
120+ "patrick@puiterwijk.org": "patrick",
121+ "security@php.net": "php",
122+ "security@pivotal.io": "pivotal",
123+ "security@puppet.com": "puppet",
124+ "cna@python.org": "python",
125+ "product-security@qualcomm.com": "qualcomm",
126+ "cve@rapid7.con": "rapid7",
127+ "secalert@redhat.com": "redhat",
128+ "security@sierrawireless.com": "sierrawireless",
129+ "cve_disclosure@tech.gov.sg": "singapore",
130+ "report@snyk.io": "snyk",
131+ "info@starlabs.sg": "starlabs",
132+ "meissner@suse.de": "suse",
133+ "disclosure@synopsys.com": "synopsys",
134+ "cve@takeonme.org": "takeonme",
135+ "security@tcpdump.org": "tcpdump",
136+ "vulnreport@tenable.com": "tenable",
137+ "security@tibco.com": "tibco",
138+ "trellixpsirt@trellix.com": "trellix",
139+ "security@ubuntu.com": "ubuntu",
140+ "vuln@vdoo.com": "vdoo",
141+ "security@vmware.com": "vmware",
142+ "cna@vuldb.com": "vuldb",
143+ "psirt@wdc.com": "wdc",
144+ "facts@wolfssl.com": "wolfssl",
145+ "security@wordfence.com": "wordfence",
146+ "contact@wpscan.com": "wpscan",
147+ "disclosure@vulncheck.com": "wulncheck",
148+ "security@xen.org": "xen",
149+ "xpdf@xpdfreader.com": "xpdf",
150+ "browser-security@yandex-team.ru": "yandex",
151+ "security@zabbix.com": "zabbix",
152+ "zdi-disclosures@trendmicro.com": "zdi",
153+ "vulnerabilities@zephyrproject.org": "zephyr",
154+ "46fe6300-5254-4a98-9594-a9567bec8179": "",
155+ "6b35d637-e00f-4228-858c-b20ad6e1d07b": "",
156+ "bc94ec7e-8909-4cbb-83df-d2fc9330fa88": "",
157+ "larry0@me.com": "",
158+}
159+
160+
161+# CNAs which have never (yet) assigned a CVE tracked in UCT's
162+# ./active or ./retired
163+NOT_FOR_US_CNAS = {
164+ "cert@airbus.com": "airbus",
165+ "psirt@autodesk.com": "autodesk",
166+ "cve-requests@bitdefender.com": "bitdefender",
167+ "psirt@bosch.com": "bosch",
168+ "vuln@ca.com": "broadcom",
169+ "cybersecurity@dahuatech.com": "dahuatechnology",
170+ "CybersecurityCOE@eaton.com": "easton",
171+ "psirt@fortinet.com": "fortinet",
172+ "security-alert@hpe.com": "hpe",
173+ "productsecurity@jci.com": "johnsoncontrols",
174+ "psirt@lenovo.com": "lenovo",
175+ "cve@navercorp.com": "navercorporation",
176+ "security-alert@netapp.com": "netapp",
177+ "cna@sap.com": "sap",
178+ "cybersecurity@se.com": "schneiderelectric",
179+ "productcert@siemens.com": "siemens",
180+ "PSIRT@sonicwall.com": "sonicwall",
181+ "secure@symantec.com": "symantec",
182+ "security@trendmicro.com": "trendmicro",
183+ "twcert@cert.org.tw": "twertcc",
184+ "psirt@zte.com.cn": "zte",
185+ "vulnerability@cspcert.ph": "",
186+ "2499f714-1537-4658-8207-48ae4bb9eae9": "",
187+ "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007": "",
188+ "57dba5dd-1a03-47f6-8b36-e84e47d335d8": "",
189+ "security@search-guard.com": "",
190+ "7bc73191-a2b6-4c63-9918-753964601853": "",
191+ "security@marklogic.com": "",
192+ "a2826606-91e7-4eb6-899e-8484bd4575d5": "",
193+ "0a72a055-908d-47f5-a16a-1f09049c16c6": "",
194+ "15c01472-ff32-4bec-916d-912e60a9fe4c": "",
195+ "22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de": "",
196+ "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe": "",
197+ "3DS.Information-Security@3ds.com": "",
198+ "551230f0-3615-47bd-b7cc-93e92e730bbf": "",
199+ "68630edc-a58c-4cbd-9b01-0e130455c8ae": "",
200+ "7168b535-132a-4efe-a076-338f829b2eb9": "",
201+ "769c9ae7-73c3-4e47-ae19-903170fc3eb8": "",
202+ "8a9629cb-c5e7-4d2a-a894-111e8039b7ea": "",
203+ "9119a7d8-5eab-497f-8521-727c672e3725": "",
204+ "96d4e157-0bf0-48b3-8efd-382c68caf4e0": "",
205+ "a87f365f-9d39-4848-9b3a-58c7cae69cab": "",
206+ "ed10eef1-636d-4fbe-9993-6890dfa878f8": "",
207+ "0fc0942c-577d-436f-ae8e-945763c79b02": "",
208+ "36106deb-8e95-420b-a0a0-e70af5d245df": "",
209+ "3836d913-7555-4dd0-a509-f5667fdf5fe4": "",
210+ "6f8de1f0-f67e-45a6-b68f-98777fdb759c": "",
211+ "df4dee71-de3a-4139-9588-11b62fe6c0ff": "",
212+ "ff5b8ace-8b95-4078-9743-eac1ca5451de": "",
213+ "13061848-ea10-403d-bd75-c83a022c2891": "",
214+ "alibaba-cna@list.alibaba-inc.com": "",
215+ "ART@zuso.ai": "",
216+ "biossecurity@ami.com": "",
217+ "bugreport@qualys.com": "",
218+ "cert@ncsc.nl": "",
219+ "contact@securifera.com": "",
220+ "csirt@divd.nl": "",
221+ "cve@asrg.io": "",
222+ "cve-coordination@logitech.com": "",
223+ "cve-coordination@palantir.com": "",
224+ "cve@forums.swift.org": "",
225+ "cve@jetbrains.com": "",
226+ "cve@profelis.com.tr": "",
227+ "cves@blacklanternsecurity.com": "",
228+ "cve@usom.gov.tr": "",
229+ "cve@zscaler.com": "",
230+ "cybersecurity@bd.com": "",
231+ "cybersecurity@ch.abb.com": "",
232+ "cybersecurity@hitachienergy.com": "",
233+ "cybersecurity@hitachi-powergrids.com": "",
234+ "disclose@cybersecurityworks.com": "",
235+ "disclosures@exodusintel.com": "",
236+ "disclosures@gallagher.com": "",
237+ "disclosures@halborn.com": "",
238+ "dl_cve@linecorp.com": "",
239+ "dsap-vuln-management@google.com": "",
240+ "eb41dac7-0af8-4f84-9f6d-0272772514f4": "",
241+ "f98c90f0-e9bd-4fa7-911b-51993f3571fd": "",
242+ "fc9afe74-3f80-4fb7-a313-e6f036a89882": "",
243+ "GEPowerCVD@ge.com": "",
244+ "hirt@hitachi.co.jp": "",
245+ "hp-security-alert@hp.com": "",
246+ "hsrc@hikvision.com": "",
247+ "iletisim@usom.gov.tr": "",
248+ "incident@nbu.gov.sk": "",
249+ "info@appcheck-ng.com": "",
250+ "info@cert.vde.com": "",
251+ "info@cybellum.com": "",
252+ "info@greenrocketsecurity.com": "",
253+ "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp": "",
254+ "mobile.security@samsung.com": "",
255+ "office@cyberdanube.com": "",
256+ "office@obdev.at": "",
257+ "openbmc-security@lists.ozlabs.org": "",
258+ "ot-cert@dragos.com": "",
259+ "paddle-security@baidu.com": "",
260+ "prodsec@nozominetworks.com": "",
261+ "prodsec@splunk.com": "",
262+ "product-cna@github.com": "",
263+ "product-security@axis.com": "",
264+ "productsecurity@baxter.com": "",
265+ "productsecurity@bbraun.com": "",
266+ "productsecurity@carrier.com": "",
267+ "product-security@gg.jp.panasonic.com": "",
268+ "product.security@lge.com": "",
269+ "product-security@silabs.com": "",
270+ "psirt@arista.com": "",
271+ "psirt@esri.com": "",
272+ "psirt@forcepoint.com": "",
273+ "psirt@forgerock.com": "",
274+ "psirt@honeywell.com": "",
275+ "psirt-info@cyber.jp.nec.com": "",
276+ "psirt@mirantis.com": "",
277+ "psirt@moxa.com": "",
278+ "psirt@netskope.com": "",
279+ "psirt@okta.com": "",
280+ "psirt@purestorage.com": "",
281+ "PSIRT@rockwellautomation.com": "",
282+ "psirt@sailpoint.com": "",
283+ "PSIRT@samsung.com": "",
284+ "psirt@servicenow.com": "",
285+ "psirt@sick.de": "",
286+ "psirt@solarwinds.com": "",
287+ "PSIRT@synaptics.com": "",
288+ "psirt@teamviewer.com": "",
289+ "psirt@thalesgroup.com": "",
290+ "psirt@tigera.io": "",
291+ "responsible-disclosure@pingidentity.com": "",
292+ "scy@openharmony.io": "",
293+ "sec@hillstonenet.com": "",
294+ "secure@citrix.com": "",
295+ "secure@ea.com": "",
296+ "security@1e.com": "",
297+ "security@360.cn": "",
298+ "security@42gears.com": "",
299+ "security@acronis.com": "",
300+ "securityalerts@avaya.com": "",
301+ "security-alert@sophos.com": "",
302+ "security@asustor.com": "",
303+ "security@baicells.com": "",
304+ "security@bluespice.com": "",
305+ "security@craftersoftware.com": "",
306+ "security@deepsurface.com": "",
307+ "security@devolutions.net": "",
308+ "security@docker.com": "",
309+ "security@dotcms.com": "",
310+ "security@fidelissecurity.com": "",
311+ "security@genetec.com": "",
312+ "security@hypr.com": "",
313+ "security@illumio.com": "",
314+ "security@jetbrains.com": "",
315+ "security@joomla.org": "",
316+ "security@knime.com": "",
317+ "security@liferay.com": "",
318+ "security@mautic.org": "",
319+ "security@mediatek.com": "",
320+ "security@medtronic.com": "",
321+ "security@m-files.com": "",
322+ "security@mimsoftware.com": "",
323+ "security@ni.com": "",
324+ "security@nortonlifelock.com": "",
325+ "security@octopus.com": "",
326+ "security@opennms.com": "",
327+ "security@opera.com": "",
328+ "security@oppo.com": "",
329+ "security@pega.com": "",
330+ "security@progress.com": "",
331+ "security@proofpoint.com": "",
332+ "security@qnapsecurity.com.tw": "",
333+ "security@replicated.com": "",
334+ "security-report@netflix.com": "",
335+ "SecurityResponse@netmotionsoftware.com": "",
336+ "security@salesforce.com": "",
337+ "security@selinc.com": "",
338+ "security@snowsoftware.com": "",
339+ "security@synology.com": "",
340+ "security@temporal.io": "",
341+ "security@teradici.com": "",
342+ "security@unisoc.com": "",
343+ "security@vaadin.com": "",
344+ "security@vivo.com": "",
345+ "security.vulnerabilities@algosec.com": "",
346+ "security.vulnerabilities@hitachivantara.com": "",
347+ "security@xiaomi.com": "",
348+ "security@yugabyte.com": "",
349+ "security@zoom.us": "",
350+ "security@zyxel.com.tw": "",
351+ "sirt@brocade.com": "",
352+ "sirt@silver-peak.com": "",
353+ "support@shopbeat.co.za": "",
354+ "vdisclose@cert-in.org.in": "",
355+ "vdp@themissinglink.com.au": "",
356+ "VulnerabilityReporting@secomea.com": "",
357+ "vuln@krcert.or.kr": "",
358+ "zowe-security@lists.openmainframeproject.org": "",
359+}
360+
361+
362+KNOWN_CNAS = TRACKED_CNAS | NOT_FOR_US_CNAS
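Review bot: the key in `"cve@rapid7.con": "rapid7"` has a typo in the domain (.con instead of .com), so a lookup on the real Rapid7 assigner id would miss and the CNA would be treated as unknown; please correct it before this lands. Several values are misspelled or break the docstring's rule that common names are a single lowercase word: `"cna@cyber.gov.il": "isreal"` (israel), `"security@open-xchange.com": "ope-xchange"`, "wulncheck" for vulncheck.com, "nscs" for ncsc.ch, "easton" for eaton.com and "twertcc" for cert.org.tw. The docstring also says the dictionaries are maintained alphabetically by value, but the empty-value entries at the end of NOT_FOR_US_CNAS are in no order; either sort those by key or state the rule for unset names. Finally, `KNOWN_CNAS = TRACKED_CNAS | NOT_FOR_US_CNAS` requires Python 3.9+ and silently lets the right-hand operand win on a duplicate key, so a CNA accidentally listed in both tables would be demoted to not-for-us; an assertion such as `assert not TRACKED_CNAS.keys() & NOT_FOR_US_CNAS.keys()` would catch that at import time.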
