Merge ~litios/ubuntu-cve-tracker:oval_cve_references into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 4a8ca580fb0ae79f25962678532e41a821fc82c1
Proposed branch: ~litios/ubuntu-cve-tracker:oval_cve_references
Merge into: ubuntu-cve-tracker:master
Diff against target: 63 lines (+17/-8)
1 file modified
scripts/oval_lib.py (+17/-8)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+442655@code.launchpad.net

Description of the change

This PR adds CVE <reference> tags for the USN format, so both USN and CVEs are listed as references.

Due to the size of the generated tags, we won't be implementing this for the package format.

Example: https://pastebin.canonical.com/p/trzRPN6Hts/

Eduardo Barretto (ebarretto) wrote :

lgtm!
thanks for addressing the changes we were discussing in MM.

review: Approve

Preview Diff

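diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index fa16876..668c447 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -2059,14 +2059,21 @@ class OvalGeneratorUSN():
 
 return bugs.strip()
 
- def create_cves_references(self, cves):
- references = ""
+ def generate_cve_ref(self, cve):
+ return '<reference source="CVE" ref_id="{0}" ref_url="{1}" />'.format(cve['Candidate'], cve['CVE_URL'])
+
+ def create_cves_elements(self, cves):
+ cve_tags = ""
+ cve_references = ""
 for cve in cves:
- cve_ref = generate_cve_tag(cve)
- references += \
+ cve_references += \
+ """{0}
+ """.format(self.generate_cve_ref(cve))
+
+ cve_tags += \
 """{0}
- """.format(cve_ref)
- return references.strip()
+ """.format(generate_cve_tag(cve))
+ return cve_references.strip(), cve_tags.strip()
 
 def get_usn_severity(self, cves):
 if not cves:
@@ -2083,7 +2090,7 @@ class OvalGeneratorUSN():
 # TODO: xml lib
 def create_usn_definition(self, usn_object, usn_number, id_base, test_refs, cve_dir, instructions):
 urls, cves_info = self.format_cves_info(usn_object['cves'], cve_dir)
- cve_references = self.create_cves_references(cves_info)
+ cve_references, cve_tags = self.create_cves_elements(cves_info)
 bug_references = self.create_bug_references(urls)
 
 for cve in cves_info:
@@ -2107,6 +2114,7 @@ class OvalGeneratorUSN():
 'usn_url': self.usn_base_url.format(usn_object['id']),
 'description': escape(' '.join((usn_object['description'].strip() + instructions).split('\n'))),
 'cves_references': cve_references,
+ 'cve_tags': cve_tags,
 'bug_references': bug_references,
 'severity': usn_severity,
 'usn_timestamp': datetime.fromtimestamp(usn_object['timestamp'], tz=timezone.utc).strftime('%Y-%m-%d'),
@@ -2144,11 +2152,12 @@ class OvalGeneratorUSN():
 <platform>{platform}</platform>
 </affected>
 <reference source="USN" ref_url="{usn_url}" ref_id="{usn_id}"/>
+ {cves_references}
 <description>{description}</description>
 <advisory from="security@ubuntu.com">
 <severity>{severity}</severity>
 <issued date="{usn_timestamp}"/>
- {cves_references}
+ {cve_tags}
 {bug_references}
 </advisory>
 </metadata>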
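Review bot: `generate_cve_ref` in the first hunk interpolates `cve['Candidate']` and `cve['CVE_URL']` straight into XML attribute values with no escaping, while the `description` field in the third hunk is passed through `escape()`. If either value ever contains `&`, `<` or `"` (a URL with a query string is enough), the generated OVAL stops being well-formed and the attribute can be terminated early, so consumers would see broken or altered `<reference>` elements. How `format_cves_info` fills those fields is outside the visible hunks, so the inputs may be constrained today, but quoting at the point of emission is cheap: `return '<reference source="CVE" ref_id={0} ref_url={1} />'.format(quoteattr(cve['Candidate']), quoteattr(cve['CVE_URL']))`, with `quoteattr` imported from `xml.sax.saxutils`. It would also help to give `create_cves_elements` a short docstring stating that it returns `(cve_references, cve_tags)` in that order, since the two strings land in different places in the template.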
