Merge ~eslerm/ubuntu-cve-tracker:cna-info into ubuntu-cve-tracker:master

Proposed by Mark Esler
Status: Needs review
Proposed branch: ~eslerm/ubuntu-cve-tracker:cna-info
Merge into: ubuntu-cve-tracker:master
Diff against target: 362 lines (+356/-0)
1 file modified
scripts/cna_info.py (+356/-0)
Reviewer: Ubuntu Security Team (review type: unspecified, status: Pending)
Review via email: mp+463549@code.launchpad.net

Commit message

cna_info.py: init with all valid CNAs until ~2024-03

Description of the change

This was part of vulnerability_translate.py.

Breaking it into smaller, more maintainable pieces.

Mark Esler (eslerm) wrote :

For context on how this will be used: these dictionary keys are present in the CVE List and NVD's CVE datasets. By having a lookup table, we _could_ use CNA information in UCT.

One example is to identify the CNA during initial CVE triage; if a CNA has never assigned a CVE in UCT _yet_, that is a heuristic.

Another is to address https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2054762, where we are blanket-attributing NVD for (nearly) all CVSS scores which are not generated by Ubuntu. Attributing CNAs properly is not only technically correct, but drives priority* and could become a heuristic for triagers. (*iiuc, only NVD scores drive FedRAMP priority)
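The two uses described in this comment (a triage heuristic for assigners that have never appeared in UCT, and per-score CVSS attribution instead of a blanket "nvd"), as an added example that is not part of this merge proposal or of UCT. It assumes the lookup tables have the shape `cna_info.py` documents (assigner identifier as key, lowercase common name as value) and that the input is one `cve` object in the NVD API 2.0 shape, where `sourceIdentifier` names the assigner and each CVSS metric carries its own `source`; the tables, the CVE records and the `classify_cna`/`triage`/`check_tables` helpers are constructed for this example.

```python
"""Added example (not UCT code): consulting CNA lookup tables during triage."""

# Constructed subset in the same shape as cna_info.py's tables: keys are the
# assigner identifiers found in CVE List V5 / NVD data, values are common names,
# kept in alphabetical order by value as the module docstring requires.
TRACKED_CNAS = {
    "416baaa9-dc9f-4396-8d5f-8c081fb06d67": "kernel",
    "nvd@nist.gov": "nvd",
    "secalert@redhat.com": "redhat",
    "security@ubuntu.com": "ubuntu",
}
NOT_FOR_US_CNAS = {
    "psirt@fortinet.com": "fortinet",
    "cna@sap.com": "sap",
}
# Dict unpacking instead of `|` so this also runs on Python < 3.9.
KNOWN_CNAS = {**TRACKED_CNAS, **NOT_FOR_US_CNAS}


def classify_cna(source_id):
    """Return (status, common_name) for an assigner identifier.

    status is "tracked", "not-for-us" or "unknown"; when the common name is
    unset (empty value) or the CNA is unknown, the raw identifier is returned
    so the triager still sees something meaningful.
    """
    if source_id in TRACKED_CNAS:
        return "tracked", TRACKED_CNAS[source_id] or source_id
    if source_id in NOT_FOR_US_CNAS:
        return "not-for-us", NOT_FOR_US_CNAS[source_id] or source_id
    return "unknown", source_id


def attribute_cvss(nvd_cve):
    """Map every CVSS metric to the CNA that produced it.

    NVD's "Primary" metric comes from nvd@nist.gov; "Secondary" metrics come
    from the CNA, so attributing all of them to NVD is wrong.
    Returns [(metric_key, cna_name, type, base_score), ...].
    """
    attributed = []
    metrics = nvd_cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for metric in metrics.get(key, []):
            _, name = classify_cna(metric["source"])
            attributed.append((key, name, metric["type"], metric["cvssData"]["baseScore"]))
    return attributed


def triage(nvd_cve):
    """Produce a triage summary; flags assigners UCT has never seen before."""
    status, name = classify_cna(nvd_cve["sourceIdentifier"])
    flags = []
    if status != "tracked":
        flags.append(f"assigner {name!r} has no CVE in ./active or ./retired yet ({status})")
    return {
        "id": nvd_cve["id"],
        "assigner": name,
        "status": status,
        "flags": flags,
        "scores": attribute_cvss(nvd_cve),
    }


def check_tables(tracked, not_for_us):
    """Maintenance checks implied by the module docstring: the two tables must
    not share keys (a key in both would be silently overridden when merged),
    and named entries must stay sorted by common name."""
    problems = []
    for key in sorted(tracked.keys() & not_for_us.keys()):
        problems.append(f"{key} is in both tables")
    for label, table in (("TRACKED_CNAS", tracked), ("NOT_FOR_US_CNAS", not_for_us)):
        names = [v for v in table.values() if v]
        if names != sorted(names):
            problems.append(f"{label} common names are not in alphabetical order")
    return problems


# Constructed NVD-API-2.0-style records (fake CVE ids, fake scores).
SAMPLE_TRACKED = {
    "id": "CVE-1900-00001",
    "sourceIdentifier": "secalert@redhat.com",
    "metrics": {"cvssMetricV31": [
        {"source": "secalert@redhat.com", "type": "Secondary", "cvssData": {"baseScore": 7.5}},
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 8.8}},
    ]},
}
SAMPLE_UNKNOWN = {
    "id": "CVE-1900-00002",
    "sourceIdentifier": "00000000-0000-0000-0000-000000000000",  # placeholder assigner
    "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 5.3}},
    ]},
}

if __name__ == "__main__":
    for record in (SAMPLE_TRACKED, SAMPLE_UNKNOWN):
        print(triage(record))
    print("table problems:", check_tables(TRACKED_CNAS, NOT_FOR_US_CNAS))
```

`triage` keeps the "unknown" and "not-for-us" outcomes distinct: the first means the identifier is absent from both tables and the tables themselves need updating, the second is the heuristic the comment describes.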

Alex Murray (alexmurray) wrote :

Would it be better to maintain these as YAML files instead to allow for easier editing? Then a simple python script to load them?

Unmerged commits

4d50f43... by Mark Esler

cna_info.py: init with all valid CNAs until ~2024-03

Succeeded
[SUCCEEDED] unit-tests:0 (build)
[SUCCEEDED] check-cves:0 (build)

Preview Diff

diff --git a/scripts/cna_info.py b/scripts/cna_info.py
0new file mode 1007550new file mode 100755
index 0000000..e4f3048
--- /dev/null
+++ b/scripts/cna_info.py
@@ -0,0 +1,356 @@
1#!/usr/bin/env python3
2
3"""
4cna_info.py maintains CNA information for other UCT scripts
5
6TRACKED_CNAS and NOT_FOR_US_CNAS are dictionaries with the same format.
7
8Keys are unique IDs that refer to a specific CNA. These keys are present in
9upstream CVE Program's CVE List V5 [0] and NVD's API 2.0 [1] CVE data.
10
11Values are common names for CNAs. An empty value means that the common name
12is unknown or simply unset. Dictionaries are maintained alphabetically by
13value. Common names are concatenated to a single lowercase word.
14
15TRACKED_CNAS are CNAs which have assigned CVEs tracked in ./active or ./retired.
16
17NOT_FOR_US_CNAS are CNAs which have never (yet) assigned a CVE tracked in
18./active or ./retired.
19
20KNOWN_CNAS combines TRACKED_CNAS and NOT_FOR_US_CNAS.
21
22[0] https://github.com/CVEProject/cvelistV5
23[1] https://nvd.nist.gov/general/news/api-20-announcements
24
25Copyright 2023-2024, Canonical Ltd.
26Author: Mark Esler <mark.esler@canonical.com>
27"""
28
29# CNAs which have assigned at least one CVE tracked in UCT's
30# ./active or ./retired
31TRACKED_CNAS = {
32 "psirt@adobe.com": "adobe",
33 "cve@aliasrobotics.com": "aliasrobotics",
34 "psirt@amd.com": "amd",
35 "security@android.com": "android",
36 "security@apache.org": "apache",
37 "product-security@apple.com": "apple",
38 "arm-security@arm.com": "arm",
39 "security@atlassian.com": "atlassian",
40 "secure@blackberry.com": "blackberry",
41 "cret@cert.org": "cert",
42 "cvd@cert.pl": "certpl",
43 "security@checkmk.com": "checkmk",
44 "cve@checkpoint.com": "checkpoint",
45 "chrome-cve-admin@google.com": "chrome",
46 "talos-cna@cisco.com": "cisco",
47 "ykramarz@cisco.com": "cisco",
48 "cna@cloudflare.com": "cloudflare",
49 "security@debian.org": "debian",
50 "security_alert@emc.com": "dell",
51 "ics-cert@hq.dhs.gov": "dhs",
52 "security@documentfoundation.org": "documentfoundation",
53 "mlhess@drupal.org": "drupal",
54 "security@duo.com": "duo",
55 "emo@eclipse.org": "eclipse",
56 "infosec@edk2.groups.io": "edk2",
57 "bressers@elastic.co": "elastic",
58 "security@eset.com": "eset",
59 "PSIRT-CNA@flexerasoftware.com": "flexsoftware",
60 "cve-notifications-us@f-secure.com": "fsecure",
61 "f5sirt@f5.com": "f5",
62 "cve-assign@fb.com": "facebook",
63 "help@fluidattacks.com": "fluidattack",
64 "secteam@freebsd.org": "freebsd",
65 "security-advisories@github.com": "github",
66 "cve@gitlab.com": "gitlab",
67 "security@golang.org": "golang",
68 "cve-coordination@google.com": "google",
69 "security@grafana.com": "grafana",
70 "support@hackerone.com": "hackerone",
71 "security@hashicorp.com": "hashicorp",
72 "psirt@hcl.com": "hcl",
73 "psirt@huawei.com": "huawei",
74 "security@huntr.dev": "huntr",
75 "psirt@us.ibm.com": "ibm",
76 "cve-coordination@incibe.es": "incibe",
77 "secure@intel.com": "intel",
78 "cve-request@iojs.org": "iojs",
79 "security-officer@isc.org": "isc",
80 "cna@cyber.gov.il": "isreal",
81 "jenkinsci-cert@googlegroups.com": "jenkinsci",
82 "reefs@jfrog.com": "jfrog",
83 "jordan@liggitt.net": "jordan",
84 "josh@bress.net": "josh",
85 "vultures@jpcert.or.jp": "jpcert",
86 "sirt@juniper.net": "juniper",
87 "vulnerability@kaspersky.com": "kaspersky",
88 "416baaa9-dc9f-4396-8d5f-8c081fb06d67": "kernel",
89 "mandiant-cve@google.com": "mandiant",
90 "responsibledisclosure@mattermost.com": "mattermost",
91 "vulnerabilitylab@mend.io": "mendio",
92 "secure@microsoft.com": "microsoft",
93 "cve@mitre.org": "mitre",
94 "cna@mongodb.com": "mongodb",
95 "security@mozilla.org": "mozilla",
96 "sep@nlnetlabs.nl": "nlnetlabs",
97 "vulnerability@ncsc.ch": "nscs",
98 "nvd@nist.gov": "nvd",
99 "psirt@nvidia.com": "nvidia",
100 "security@odoo.com": "odoo",
101 "research@onekey.com": "onekey",
102 "security@open-xchange.com": "ope-xchange",
103 "security@openanolis.org": "openanolis",
104 "security@opencloudos.tech": "opencloudos",
105 "securities@openeuler.org": "openeuler",
106 "openssl-security@openssl.org": "openssl",
107 "security@opentext.com": "opentext",
108 "security@openvpn.net": "openvpn",
109 "secalert_us@oracle.com": "oracle",
110 "security@otrs.com": "otrs",
111 "psirt@paloaltonetworks.com": "paloalto",
112 "security@pandorafms.com": "pandorafms",
113 "audit@patchstack.com": "patchstack",
114 "patrick@puiterwijk.org": "patrick",
115 "security@php.net": "php",
116 "security@pivotal.io": "pivotal",
117 "security@puppet.com": "puppet",
118 "cna@python.org": "python",
119 "product-security@qualcomm.com": "qualcomm",
120 "cve@rapid7.con": "rapid7",
121 "secalert@redhat.com": "redhat",
122 "security@sierrawireless.com": "sierrawireless",
123 "cve_disclosure@tech.gov.sg": "singapore",
124 "report@snyk.io": "snyk",
125 "info@starlabs.sg": "starlabs",
126 "meissner@suse.de": "suse",
127 "disclosure@synopsys.com": "synopsys",
128 "cve@takeonme.org": "takeonme",
129 "security@tcpdump.org": "tcpdump",
130 "vulnreport@tenable.com": "tenable",
131 "security@tibco.com": "tibco",
132 "trellixpsirt@trellix.com": "trellix",
133 "security@ubuntu.com": "ubuntu",
134 "vuln@vdoo.com": "vdoo",
135 "security@vmware.com": "vmware",
136 "cna@vuldb.com": "vuldb",
137 "psirt@wdc.com": "wdc",
138 "facts@wolfssl.com": "wolfssl",
139 "security@wordfence.com": "wordfence",
140 "contact@wpscan.com": "wpscan",
141 "disclosure@vulncheck.com": "wulncheck",
142 "security@xen.org": "xen",
143 "xpdf@xpdfreader.com": "xpdf",
144 "browser-security@yandex-team.ru": "yandex",
145 "security@zabbix.com": "zabbix",
146 "zdi-disclosures@trendmicro.com": "zdi",
147 "vulnerabilities@zephyrproject.org": "zephyr",
148 "46fe6300-5254-4a98-9594-a9567bec8179": "",
149 "6b35d637-e00f-4228-858c-b20ad6e1d07b": "",
150 "bc94ec7e-8909-4cbb-83df-d2fc9330fa88": "",
151 "larry0@me.com": "",
152}
153
154
155# CNAs which have never (yet) assigned a CVE tracked in UCT's
156# ./active or ./retired
157NOT_FOR_US_CNAS = {
158 "cert@airbus.com": "airbus",
159 "psirt@autodesk.com": "autodesk",
160 "cve-requests@bitdefender.com": "bitdefender",
161 "psirt@bosch.com": "bosch",
162 "vuln@ca.com": "broadcom",
163 "cybersecurity@dahuatech.com": "dahuatechnology",
164 "CybersecurityCOE@eaton.com": "easton",
165 "psirt@fortinet.com": "fortinet",
166 "security-alert@hpe.com": "hpe",
167 "productsecurity@jci.com": "johnsoncontrols",
168 "psirt@lenovo.com": "lenovo",
169 "cve@navercorp.com": "navercorporation",
170 "security-alert@netapp.com": "netapp",
171 "cna@sap.com": "sap",
172 "cybersecurity@se.com": "schneiderelectric",
173 "productcert@siemens.com": "siemens",
174 "PSIRT@sonicwall.com": "sonicwall",
175 "secure@symantec.com": "symantec",
176 "security@trendmicro.com": "trendmicro",
177 "twcert@cert.org.tw": "twertcc",
178 "psirt@zte.com.cn": "zte",
179 "vulnerability@cspcert.ph": "",
180 "2499f714-1537-4658-8207-48ae4bb9eae9": "",
181 "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007": "",
182 "57dba5dd-1a03-47f6-8b36-e84e47d335d8": "",
183 "security@search-guard.com": "",
184 "7bc73191-a2b6-4c63-9918-753964601853": "",
185 "security@marklogic.com": "",
186 "a2826606-91e7-4eb6-899e-8484bd4575d5": "",
187 "0a72a055-908d-47f5-a16a-1f09049c16c6": "",
188 "15c01472-ff32-4bec-916d-912e60a9fe4c": "",
189 "22d9ba52-f336-4b0d-bf1f-0efbdcc3c1de": "",
190 "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe": "",
191 "3DS.Information-Security@3ds.com": "",
192 "551230f0-3615-47bd-b7cc-93e92e730bbf": "",
193 "68630edc-a58c-4cbd-9b01-0e130455c8ae": "",
194 "7168b535-132a-4efe-a076-338f829b2eb9": "",
195 "769c9ae7-73c3-4e47-ae19-903170fc3eb8": "",
196 "8a9629cb-c5e7-4d2a-a894-111e8039b7ea": "",
197 "9119a7d8-5eab-497f-8521-727c672e3725": "",
198 "96d4e157-0bf0-48b3-8efd-382c68caf4e0": "",
199 "a87f365f-9d39-4848-9b3a-58c7cae69cab": "",
200 "ed10eef1-636d-4fbe-9993-6890dfa878f8": "",
201 "0fc0942c-577d-436f-ae8e-945763c79b02": "",
202 "36106deb-8e95-420b-a0a0-e70af5d245df": "",
203 "3836d913-7555-4dd0-a509-f5667fdf5fe4": "",
204 "6f8de1f0-f67e-45a6-b68f-98777fdb759c": "",
205 "df4dee71-de3a-4139-9588-11b62fe6c0ff": "",
206 "ff5b8ace-8b95-4078-9743-eac1ca5451de": "",
207 "13061848-ea10-403d-bd75-c83a022c2891": "",
208 "alibaba-cna@list.alibaba-inc.com": "",
209 "ART@zuso.ai": "",
210 "biossecurity@ami.com": "",
211 "bugreport@qualys.com": "",
212 "cert@ncsc.nl": "",
213 "contact@securifera.com": "",
214 "csirt@divd.nl": "",
215 "cve@asrg.io": "",
216 "cve-coordination@logitech.com": "",
217 "cve-coordination@palantir.com": "",
218 "cve@forums.swift.org": "",
219 "cve@jetbrains.com": "",
220 "cve@profelis.com.tr": "",
221 "cves@blacklanternsecurity.com": "",
222 "cve@usom.gov.tr": "",
223 "cve@zscaler.com": "",
224 "cybersecurity@bd.com": "",
225 "cybersecurity@ch.abb.com": "",
226 "cybersecurity@hitachienergy.com": "",
227 "cybersecurity@hitachi-powergrids.com": "",
228 "disclose@cybersecurityworks.com": "",
229 "disclosures@exodusintel.com": "",
230 "disclosures@gallagher.com": "",
231 "disclosures@halborn.com": "",
232 "dl_cve@linecorp.com": "",
233 "dsap-vuln-management@google.com": "",
234 "eb41dac7-0af8-4f84-9f6d-0272772514f4": "",
235 "f98c90f0-e9bd-4fa7-911b-51993f3571fd": "",
236 "fc9afe74-3f80-4fb7-a313-e6f036a89882": "",
237 "GEPowerCVD@ge.com": "",
238 "hirt@hitachi.co.jp": "",
239 "hp-security-alert@hp.com": "",
240 "hsrc@hikvision.com": "",
241 "iletisim@usom.gov.tr": "",
242 "incident@nbu.gov.sk": "",
243 "info@appcheck-ng.com": "",
244 "info@cert.vde.com": "",
245 "info@cybellum.com": "",
246 "info@greenrocketsecurity.com": "",
247 "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp": "",
248 "mobile.security@samsung.com": "",
249 "office@cyberdanube.com": "",
250 "office@obdev.at": "",
251 "openbmc-security@lists.ozlabs.org": "",
252 "ot-cert@dragos.com": "",
253 "paddle-security@baidu.com": "",
254 "prodsec@nozominetworks.com": "",
255 "prodsec@splunk.com": "",
256 "product-cna@github.com": "",
257 "product-security@axis.com": "",
258 "productsecurity@baxter.com": "",
259 "productsecurity@bbraun.com": "",
260 "productsecurity@carrier.com": "",
261 "product-security@gg.jp.panasonic.com": "",
262 "product.security@lge.com": "",
263 "product-security@silabs.com": "",
264 "psirt@arista.com": "",
265 "psirt@esri.com": "",
266 "psirt@forcepoint.com": "",
267 "psirt@forgerock.com": "",
268 "psirt@honeywell.com": "",
269 "psirt-info@cyber.jp.nec.com": "",
270 "psirt@mirantis.com": "",
271 "psirt@moxa.com": "",
272 "psirt@netskope.com": "",
273 "psirt@okta.com": "",
274 "psirt@purestorage.com": "",
275 "PSIRT@rockwellautomation.com": "",
276 "psirt@sailpoint.com": "",
277 "PSIRT@samsung.com": "",
278 "psirt@servicenow.com": "",
279 "psirt@sick.de": "",
280 "psirt@solarwinds.com": "",
281 "PSIRT@synaptics.com": "",
282 "psirt@teamviewer.com": "",
283 "psirt@thalesgroup.com": "",
284 "psirt@tigera.io": "",
285 "responsible-disclosure@pingidentity.com": "",
286 "scy@openharmony.io": "",
287 "sec@hillstonenet.com": "",
288 "secure@citrix.com": "",
289 "secure@ea.com": "",
290 "security@1e.com": "",
291 "security@360.cn": "",
292 "security@42gears.com": "",
293 "security@acronis.com": "",
294 "securityalerts@avaya.com": "",
295 "security-alert@sophos.com": "",
296 "security@asustor.com": "",
297 "security@baicells.com": "",
298 "security@bluespice.com": "",
299 "security@craftersoftware.com": "",
300 "security@deepsurface.com": "",
301 "security@devolutions.net": "",
302 "security@docker.com": "",
303 "security@dotcms.com": "",
304 "security@fidelissecurity.com": "",
305 "security@genetec.com": "",
306 "security@hypr.com": "",
307 "security@illumio.com": "",
308 "security@jetbrains.com": "",
309 "security@joomla.org": "",
310 "security@knime.com": "",
311 "security@liferay.com": "",
312 "security@mautic.org": "",
313 "security@mediatek.com": "",
314 "security@medtronic.com": "",
315 "security@m-files.com": "",
316 "security@mimsoftware.com": "",
317 "security@ni.com": "",
318 "security@nortonlifelock.com": "",
319 "security@octopus.com": "",
320 "security@opennms.com": "",
321 "security@opera.com": "",
322 "security@oppo.com": "",
323 "security@pega.com": "",
324 "security@progress.com": "",
325 "security@proofpoint.com": "",
326 "security@qnapsecurity.com.tw": "",
327 "security@replicated.com": "",
328 "security-report@netflix.com": "",
329 "SecurityResponse@netmotionsoftware.com": "",
330 "security@salesforce.com": "",
331 "security@selinc.com": "",
332 "security@snowsoftware.com": "",
333 "security@synology.com": "",
334 "security@temporal.io": "",
335 "security@teradici.com": "",
336 "security@unisoc.com": "",
337 "security@vaadin.com": "",
338 "security@vivo.com": "",
339 "security.vulnerabilities@algosec.com": "",
340 "security.vulnerabilities@hitachivantara.com": "",
341 "security@xiaomi.com": "",
342 "security@yugabyte.com": "",
343 "security@zoom.us": "",
344 "security@zyxel.com.tw": "",
345 "sirt@brocade.com": "",
346 "sirt@silver-peak.com": "",
347 "support@shopbeat.co.za": "",
348 "vdisclose@cert-in.org.in": "",
349 "vdp@themissinglink.com.au": "",
350 "VulnerabilityReporting@secomea.com": "",
351 "vuln@krcert.or.kr": "",
352 "zowe-security@lists.openmainframeproject.org": "",
353}
354
355
356KNOWN_CNAS = TRACKED_CNAS | NOT_FOR_US_CNAS
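Review bot: `"cve@rapid7.con": "rapid7"` looks like a typo in the key itself (`.con` rather than `.com`); since these keys are matched against assigner identifiers in CVE List / NVD data, a mistyped key never matches and the CNA silently falls through as unknown, so please verify that entry against the upstream CNA list before merging. Several common names also look misspelled relative to the key they describe: `"isreal"` (cna@cyber.gov.il), `"nscs"` (vulnerability@ncsc.ch), `"ope-xchange"` (security@open-xchange.com), `"wulncheck"` (disclosure@vulncheck.com), `"easton"` (CybersecurityCOE@eaton.com) and `"twertcc"` (twcert@cert.org.tw). The docstring says the dictionaries are maintained alphabetically by value, but `"f5sirt@f5.com": "f5"` sorts after `"fsecure"`, and the unnamed (empty-value) entries at the end of both tables are in no particular order; either state that unnamed entries are appended unsorted or sort them by key so future edits have a rule to follow. Two smaller points on the last line: `TRACKED_CNAS | NOT_FOR_US_CNAS` requires Python 3.9+, and the union lets a key present in both tables silently take the NOT_FOR_US value, so an assertion that the two key sets are disjoint would catch a CNA being moved between tables without the old entry being removed.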
