Merge ~litios/ubuntu-cve-tracker:oval_cve_references into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 4a8ca580fb0ae79f25962678532e41a821fc82c1
Proposed branch: ~litios/ubuntu-cve-tracker:oval_cve_references
Merge into: ubuntu-cve-tracker:master
Diff against target: 63 lines (+17/-8)
1 file modified
scripts/oval_lib.py (+17/-8)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+442655@code.launchpad.net

Description of the change

This PR adds CVE <reference> tags for the USN format, so both USN and CVEs are listed as references.

Due to the size of the generated tags, we won't be implementing this for the package format.

Example: https://pastebin.canonical.com/p/trzRPN6Hts/

Eduardo Barretto (ebarretto) wrote :

lgtm!
thanks for addressing the changes we were discussing in MM.

review: Approve

Preview Diff

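diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index fa16876..668c447 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -2059,14 +2059,21 @@ class OvalGeneratorUSN():
 
 return bugs.strip()
 
-def create_cves_references(self, cves):
-references = ""
+def generate_cve_ref(self, cve):
+return '<reference source="CVE" ref_id="{0}" ref_url="{1}" />'.format(cve['Candidate'], cve['CVE_URL'])
+
+def create_cves_elements(self, cves):
+cve_tags = ""
+cve_references = ""
 for cve in cves:
-cve_ref = generate_cve_tag(cve)
-references += \
+cve_references += \
+"""{0}
+""".format(self.generate_cve_ref(cve))
+
+cve_tags += \
 """{0}
-""".format(cve_ref)
-return references.strip()
+""".format(generate_cve_tag(cve))
+return cve_references.strip(), cve_tags.strip()
 
 def get_usn_severity(self, cves):
 if not cves:
@@ -2083,7 +2090,7 @@ class OvalGeneratorUSN():
 # TODO: xml lib
 def create_usn_definition(self, usn_object, usn_number, id_base, test_refs, cve_dir, instructions):
 urls, cves_info = self.format_cves_info(usn_object['cves'], cve_dir)
-cve_references = self.create_cves_references(cves_info)
+cve_references, cve_tags = self.create_cves_elements(cves_info)
 bug_references = self.create_bug_references(urls)
 
 for cve in cves_info:
@@ -2107,6 +2114,7 @@ class OvalGeneratorUSN():
 'usn_url': self.usn_base_url.format(usn_object['id']),
 'description': escape(' '.join((usn_object['description'].strip() + instructions).split('\n'))),
 'cves_references': cve_references,
+'cve_tags': cve_tags,
 'bug_references': bug_references,
 'severity': usn_severity,
 'usn_timestamp': datetime.fromtimestamp(usn_object['timestamp'], tz=timezone.utc).strftime('%Y-%m-%d'),
@@ -2144,11 +2152,12 @@ class OvalGeneratorUSN():
 <platform>{platform}</platform>
 </affected>
 <reference source="USN" ref_url="{usn_url}" ref_id="{usn_id}"/>
+{cves_references}
 <description>{description}</description>
 <advisory from="security@ubuntu.com">
 <severity>{severity}</severity>
 <issued date="{usn_timestamp}"/>
-{cves_references}
+{cve_tags}
 {bug_references}
 </advisory>
 </metadata>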
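Review bot: In `generate_cve_ref`, `cve['Candidate']` and `cve['CVE_URL']` are formatted straight into XML attribute values with no escaping, whereas the `description` field built in `create_usn_definition` is passed through `escape(...)`. A `&`, `<` or `"` in either value would produce malformed OVAL or change the structure of the generated `<reference>` element, and consumers of the feed parse it as trusted vendor data. Escape for attribute context, for example `'<reference source="CVE" ref_id={0} ref_url={1} />'.format(quoteattr(cve['Candidate']), quoteattr(cve['CVE_URL']))` with `quoteattr` from `xml.sax.saxutils`; the file's import block is outside this diff, so confirm what is already in scope. Whether `format_cves_info` already sanitises these fields is not visible here, and a short docstring on `create_cves_elements` stating that it returns a `(references, tags)` tuple of pre-formatted XML would also help callers.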
