Merge ~litios/ubuntu-cve-tracker:oval-cve-tag into ubuntu-cve-tracker:master
Status: | Merged |
---|---|
Merge reported by: | David Fernandez Gonzalez |
Merged at revision: | 349332baab42728fef77dc722637e3dbecf2f017 |
Proposed branch: | ~litios/ubuntu-cve-tracker:oval-cve-tag |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: | 157 lines (+57/-19), 2 files modified: scripts/generate-oval (+0/-1), scripts/oval_lib.py (+57/-18) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Eduardo Barretto | Approve | ||
Review via email: mp+440876@code.launchpad.net |
Description of the change
This change will add a new tag: <cve>
This tag will be used to represent the CVE in the advisory, as this is especially needed for OVAL for packages. This cve tag tries to follow the Red Hat approach:
<cve cvss3="
Some comments:
* Severity is extracted from Ubuntu's priority.
* Severity and public date are omitted in CVE format as they are already on the advisory.
* USNs are also added as a comma-separated list of elements.
* The most recent CVSS vector and score are added.
Examples:
- OVAL PKG advisory:
<rights>Copyright (C) 2023 Canonical Ltd.</rights>
<component>
<current_
<cve href="https:/
<cve href="https:/
- OVAL CVE advisory:
<severity>
<rights>Copyright (C) 2023 Canonical Ltd.</rights>
<public_
<public_
<cve href="https:/
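
As an added example (not code from this merge proposal or from scripts/oval_lib.py), the following builds a `<cve>` element according to the rules listed in the description, for both the package and the CVE OVAL formats. The XML samples on this page are truncated, so every attribute name other than `href`, the URL base, the capitalised severity value and the oldest-to-newest ordering of CVSS entries are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed attribute names and URL base: the page's XML samples are truncated,
# so everything except "href" and the <cve> tag name is hypothetical.
CVE_URL_BASE = "https://example.invalid/security/"  # placeholder, not a real tracker URL


def build_cve_tag(cve, oval_format):
    """Return the serialized <cve> element for one CVE record (a constructed dict).

    oval_format is "pkg" or "cve"; in the CVE format, severity and public date
    are left out because the enclosing advisory already carries them.
    """
    elem = ET.Element("cve", {"href": CVE_URL_BASE + cve["id"]})
    if oval_format == "pkg":
        # Severity comes from the Ubuntu priority field (capitalisation assumed).
        elem.set("severity", cve["priority"].capitalize())
        elem.set("public", cve["public_date"])
    if cve.get("cvss"):
        # Assumes entries are ordered oldest to newest; keep only the last one.
        latest = cve["cvss"][-1]
        elem.set("cvss_score", str(latest["score"]))
        elem.set("cvss_vector", latest["vector"])
    if cve.get("usns"):
        elem.set("usns", ",".join(cve["usns"]))
    elem.text = cve["id"]
    # ElementTree escapes attribute values, so tracker text cannot break the XML.
    return ET.tostring(elem, encoding="unicode")


# Constructed sample record; the CVE id, USN ids and scores are placeholders.
SAMPLE = {
    "id": "CVE-0000-0001",
    "priority": "medium",
    "public_date": "20230101",
    "cvss": [
        {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5},
        {"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 5.9},
    ],
    "usns": ["0000-1", "0000-2"],
}

if __name__ == "__main__":
    print(build_cve_tag(SAMPLE, "pkg"))
    print(build_cve_tag(SAMPLE, "cve"))
```
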
Overall LGTM, but I do have a doubt about whether we decided not to have severity in the <cve> tag for CVE-based OVAL and USN-based OVAL. Do you remember?