Merge ~litios/ubuntu-cve-tracker:aliases-in-triage into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Rejected
Rejected by: David Fernandez Gonzalez
Proposed branch: ~litios/ubuntu-cve-tracker:aliases-in-triage
Merge into: ubuntu-cve-tracker:master
Diff against target: 55 lines (+23/-3)
2 files modified
scripts/active_edit (+8/-3)
scripts/check-cves (+15/-0)
Reviewer Review Type Date Requested Status
Alex Murray Pending
Steve Beattie Pending
Ubuntu Security Team Pending
Review via email: mp+437128@code.launchpad.net

Description of the change

When doing triage, if aliases are found for a subproject, add the right entries when creating the CVE.

Also in triage, include the aliases when trying to find the package in a subproject (in the "possibly affected" section).

David Fernandez Gonzalez (litios) wrote:

Planning to do this the other way around, removing.

Unmerged commits

1f47bb0... by David Fernandez Gonzalez

Enable the use of aliases when triaging + include aliases in active_edit

Preview Diff

1diff --git a/scripts/active_edit b/scripts/active_edit
2index 9d0df27..244f741 100755
3--- a/scripts/active_edit
4+++ b/scripts/active_edit
5@@ -128,9 +128,14 @@ def _add_pkg(p, fp, fixed, parent, embargoed):
6 print('%s_%s: %s' % (rel, p, state), file=fp)
7 # TODO: figure out how to store subproject details for embargoed CVEs
8 elif not embargoed:
9- # add this to subprojects for rel
10- with open(os.path.join(cve_lib.get_external_subproject_cve_dir(rel), cve), "a") as f:
11- print('%s_%s: %s' % (rel, p, state), file=f)
12+ if 'aliases' in source[rel][p]:
13+ for alias in source[rel][p]['aliases']:
14+ with open(os.path.join(cve_lib.get_external_subproject_cve_dir(rel), cve), "a") as f:
15+ print('%s_%s: %s' % (rel, alias, state), file=f)
16+ else:
17+ # add this to subprojects for rel
18+ with open(os.path.join(cve_lib.get_external_subproject_cve_dir(rel), cve), "a") as f:
19+ print('%s_%s: %s' % (rel, p, state), file=f)
20
21 def add_pkg(p, fp, fixed, parent, embargoed):
22 # skip packages which don't actually exist in any release
23diff --git a/scripts/check-cves b/scripts/check-cves
24index 6eb9f58..093f58f 100755
25--- a/scripts/check-cves
26+++ b/scripts/check-cves
27@@ -76,6 +76,17 @@ common_words = ['an', 'and', 'context', 'file', 'modules', 'the', 'when']
28 allsrcs.difference_update(set(common_words))
29 allsrcs.update(set(cve_lib.package_db.keys()))
30
31+aliases = {}
32+for rel in source:
33+ aliases[rel] = {}
34+ for pkg in source[rel]:
35+ if 'aliases' in source[rel][pkg]:
36+ for alias in source[rel][pkg]['aliases']:
37+ if alias not in aliases[rel]:
38+ aliases[rel][alias] = [pkg]
39+ else:
40+ aliases[rel][alias].append(pkg)
41+
42 built_using_map = None
43
44 destdir = "."
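Review bot: The if/else inside `for alias in source[rel][pkg]['aliases']:` can be collapsed to `aliases[rel].setdefault(alias, []).append(pkg)`, which removes the separate membership test. Because this loop runs at module scope over every release in `source`, a short comment stating what `aliases` maps (release -> alias -> list of source packages) and why the value is a list (the same alias may legitimately name several packages) would help the next reader.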
45@@ -887,6 +898,10 @@ class CVEHandler(xml.sax.handler.ContentHandler):
46 for hint in software_hints_from_cve_description:
47 if hint in source[subproject] and hint not in common_words:
48 external_subprojects.setdefault(subproject, set()).add(hint)
49+ elif hint in aliases[subproject] and hint not in common_words:
50+ for pkg in aliases[subproject][hint]:
51+ if pkg in source[subproject]:
52+ external_subprojects.setdefault(subproject, set()).add(hint + ' (alias)')
53 return external_subprojects
54
55 def display_cve(self, cve, file=sys.stdout, line_prefix=None, wrap_desc=False):
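Review bot: The `elif hint in aliases[subproject]` branch records `hint + ' (alias)'` but discards `pkg`, so the triager sees the alias and not the source package it resolves to, and the `for pkg in aliases[subproject][hint]:` loop adds the identical string once per matching package. Record the resolved name instead, e.g. `external_subprojects.setdefault(subproject, set()).add('%s (alias of %s)' % (pkg, hint))`, which also keeps the output consistent with the `if` branch, where `hint` is itself the package name. The `hint not in common_words` test is duplicated from the `if` condition and can be hoisted above both branches.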
