Merge ~eslerm/ubuntu-cve-tracker:cna-info into ubuntu-cve-tracker:master
Proposed by
Mark Esler
| Status: | Needs review |
|---|---|
| Proposed branch: | ~eslerm/ubuntu-cve-tracker:cna-info |
| Merge into: | ubuntu-cve-tracker:master |
| Diff against target: | 362 lines (+356/-0), 1 file modified: scripts/cna_info.py (+356/-0) |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Ubuntu Security Team | | | Pending |

Review via email: mp+463549@code.launchpad.net
Commit message
cna_info.py: init with all valid CNAs until ~2024-03
Description of the change
this was part of vulnerability_
breaking into smaller, more maintainable pieces
Unmerged commits
- 4d50f43... by Mark Esler
  unit-tests:0 (build) check-cves:0 (build)
For context of how this will be used, these dictionary keys are present in the CVE List and NVD's CVE datasets. By having a lookup table, we _could_ use CNA information in UCT.
One example is to identify the CNA during initial CVE Triage, and if a CNA has never assigned a CVE in UCT _yet_, that is a heuristic.
Another is to address https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2054762 where we are blanket attributing NVD for (nearly) all CVSS scores which are not generated by Ubuntu. Attributing CNAs properly is not only technically correct, but drives priority* and could become a heuristic for triagers. (*iiuc, only NVD scores drive FedRAMP priority)
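The following is an added example of the two uses sketched in the comment above: identifying the assigning CNA from a CVE record and attributing each CVSS score to the party that actually produced it instead of defaulting to NVD. It is not the `scripts/cna_info.py` from this merge proposal and does not reuse its table; the `CNA_INFO` dictionary, its orgIds and contact addresses, and both sample records are constructed placeholders. The record layouts follow the CVE List (CVE JSON 5.x: `cveMetadata.assignerShortName`, `containers.cna.metrics`, `containers.adp[].providerMetadata`) and the NVD API 2.0 `cve` object (`sourceIdentifier`, `metrics.cvssMetricV31[].source`).

```python
"""Attribute CVSS scores to the assigning CNA rather than blanket-crediting NVD.

Added example, not the merge proposal's cna_info.py. All sample data is constructed.
"""
from __future__ import annotations

from typing import Any

# Hypothetical CNA lookup table keyed by the CVE List `assignerShortName`.
# The orgIds and contacts are constructed placeholders, not real CNA data.
CNA_INFO: dict[str, dict[str, str]] = {
    "mitre": {"orgId": "00000000-0000-4000-8000-000000000001", "contact": "cve@example.org"},
    "redhat": {"orgId": "00000000-0000-4000-8000-000000000002", "contact": "secalert@example.org"},
    "Example-CNA": {"orgId": "00000000-0000-4000-8000-000000000003", "contact": "security@example.com"},
}

NVD_SOURCE = "nvd@nist.gov"  # NVD tags its own analyst scores with this source string


def identify_cna(record: dict[str, Any]) -> tuple[str, bool]:
    """Return (assigner short name, known) for a CVE List 5.x record.

    `known` is False when the assigner is missing from the lookup table or its
    orgId does not match the table, which is the kind of triage heuristic the
    comment describes (a CNA the tracker has not seen before).
    """
    meta = record.get("cveMetadata", {})
    short = meta.get("assignerShortName", "")
    entry = CNA_INFO.get(short)
    known = entry is not None and entry["orgId"] == meta.get("assignerOrgId")
    return short, known


def _cvss_from_metrics(metrics: list[dict[str, Any]]) -> list[tuple[str, float, str]]:
    """Extract (cvss version key, baseScore, vectorString) from a 5.x `metrics` list."""
    found = []
    for m in metrics:
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in m:
                found.append((key, float(m[key]["baseScore"]), m[key]["vectorString"]))
    return found


def attribute_scores(record: dict[str, Any]) -> list[dict[str, Any]]:
    """List every CVSS score in a CVE List record together with who produced it.

    Scores in the `cna` container are credited to the assigning CNA; scores in
    each `adp` container to that provider's shortName. Nothing is labelled NVD
    unless NVD is the provider.
    """
    cna_name, known = identify_cna(record)
    containers = record.get("containers", {})
    rows = []
    for ver, score, vec in _cvss_from_metrics(containers.get("cna", {}).get("metrics", [])):
        rows.append({"source": cna_name, "role": "cna", "known_cna": known,
                     "version": ver, "baseScore": score, "vector": vec})
    for adp in containers.get("adp", []):
        provider = adp.get("providerMetadata", {}).get("shortName", "unknown-adp")
        for ver, score, vec in _cvss_from_metrics(adp.get("metrics", [])):
            rows.append({"source": provider, "role": "adp", "known_cna": provider in CNA_INFO,
                         "version": ver, "baseScore": score, "vector": vec})
    return rows


def nvd_score_sources(nvd_cve: dict[str, Any]) -> list[tuple[str, float]]:
    """Map each CVSS v3.1 score in an NVD API 2.0 `cve` object to its producer.

    NVD's own scores carry source nvd@nist.gov; any other source is a CNA score
    that NVD mirrored, resolved here through the table's contact address.
    """
    by_contact = {v["contact"]: name for name, v in CNA_INFO.items()}
    out = []
    for m in nvd_cve.get("metrics", {}).get("cvssMetricV31", []):
        src = m["source"]
        who = "NVD" if src == NVD_SOURCE else by_contact.get(src, f"unknown:{src}")
        out.append((who, float(m["cvssData"]["baseScore"])))
    return out


# Constructed CVE List 5.x record: the CNA scored it 7.5, an ADP later added 9.8.
SAMPLE_CVE5: dict[str, Any] = {
    "cveMetadata": {"cveId": "CVE-0000-0001",
                    "assignerOrgId": "00000000-0000-4000-8000-000000000003",
                    "assignerShortName": "Example-CNA"},
    "containers": {
        "cna": {"metrics": [{"cvssV3_1": {"baseScore": 7.5,
                                           "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
        "adp": [{"providerMetadata": {"shortName": "Example-ADP"},
                 "metrics": [{"cvssV3_1": {"baseScore": 9.8,
                                           "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}],
    },
}

# Constructed NVD API 2.0 `cve` object for the same CVE: NVD's score plus the mirrored CNA score.
SAMPLE_NVD: dict[str, Any] = {
    "id": "CVE-0000-0001",
    "sourceIdentifier": "security@example.com",
    "metrics": {"cvssMetricV31": [
        {"source": NVD_SOURCE, "type": "Primary",
         "cvssData": {"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
        {"source": "security@example.com", "type": "Secondary",
         "cvssData": {"baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
    ]},
}

if __name__ == "__main__":
    print(identify_cna(SAMPLE_CVE5))
    for row in attribute_scores(SAMPLE_CVE5):
        print(row)
    print(nvd_score_sources(SAMPLE_NVD))
```

Two design points: `identify_cna` cross-checks `assignerOrgId` against the table rather than trusting the free-text shortName alone, so a renamed or mistyped CNA shows up as unknown instead of silently matching, and `nvd_score_sources` never credits NVD for a score whose `source` is not NVD's own, which is exactly the blanket attribution the bug linked above complains about.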