Merge ~litios/ubuntu-cve-tracker:oval/add-test-ref-to-cve-tag into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 373f3bb0e7715842c3eba2787ada577f9f173035
Proposed branch: ~litios/ubuntu-cve-tracker:oval/add-test-ref-to-cve-tag
Merge into: ubuntu-cve-tracker:master
Diff against target: 144 lines (+33/-18)
2 files modified
scripts/oval_lib.py (+19/-4)
test/test_oval_lib_unit.py (+14/-14)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+451097@code.launchpad.net

Description of the change

Add a 'test_ref' attribute to the 'cve' elements in the advisory pointing to the test in which that particular CVE is tested for package OVAL format.

Also, rename the `severity` attribute of the `cve` element to `priority` (it carries the Ubuntu priority, not a CVSS severity) and add `cvss_severity`, taken from the CVSS base severity; `cvss_score` and `cvss_vector` were already emitted:

        <advisory>
          <rights>Copyright (C) 2023 Canonical Ltd.</rights>
          <component>universe</component>
          <current_version>1:10.0.0+r36-9</current_version>
          <cve href="https://ubuntu.com/security/CVE-2016-3861" priority="medium" public="20160911" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700000">CVE-2016-3861</cve>
          <cve href="https://ubuntu.com/security/CVE-2016-6762" priority="medium" public="20170112" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2016-6762</cve>
          <cve href="https://ubuntu.com/security/CVE-2017-0647" priority="low" public="20170614" cvss_score="5.5" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" cvss_severity="medium" test_ref="oval:com.ubuntu.jammy:tst:22040002700020">CVE-2017-0647</cve>
          <cve href="https://ubuntu.com/security/CVE-2017-0841" priority="medium" public="20171116" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2017-0841</cve>
        </advisory>

...

        <criteria operator="OR">
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700000" comment="(CVE-2016-3861) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r1-4')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2016-6762) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700020" comment="(CVE-2017-0647) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r33-2')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2017-0841) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
        </criteria>

Eduardo Barretto (ebarretto) wrote :

thanks David!
as shown in the CI results, there are some tests that will need fixing before we merge this, could you please include that?

review: Needs Fixing
David Fernandez Gonzalez (litios) wrote :

Fixed, thanks for the review!

Eduardo Barretto (ebarretto) wrote :

now the unit-tests are passing, thanks!
the check-cves failures are not related to this PR and were already fixed in master branch.

thanks for making this change!

review: Approve


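diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index 341b2ab..09cc6c4 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -123,10 +123,10 @@ def debug(message):
 sys.stdout.write('\rDEBUG: {0}\n'.format(message))
 
 def generate_cve_tag(cve):
- cve_ref = '<cve href="https://ubuntu.com/security/{0}" severity="{1}" public="{2}"'.format(cve['Candidate'], cve['Priority'], cve['PublicDate'].split(' ')[0].replace('-', ''))
+ cve_ref = '<cve href="https://ubuntu.com/security/{0}" priority="{1}" public="{2}"'.format(cve['Candidate'], cve['Priority'], cve['PublicDate'].split(' ')[0].replace('-', ''))
 
 if 'CVSS' in cve and cve['CVSS']:
- cve_ref += ' cvss_score="{0}" cvss_vector="{1}"'.format(cve['CVSS'][0]['baseScore'], cve['CVSS'][0]['vector'])
+ cve_ref += ' cvss_score="{0}" cvss_vector="{1}" cvss_severity="{2}"'.format(cve['CVSS'][0]['baseScore'], cve['CVSS'][0]['vector'], cve['CVSS'][0]['baseSeverity'].lower())
 
 cve_ref_usns = False
 if 'References' in cve:
@@ -502,7 +502,7 @@ class CVE:
 def __init__(self, number, info, pkgs=[]) -> None:
 self.number = number
 self.description = info['Description']
- self.severity = info['Priority'][0]
+ self.priority = info['Priority'][0]
 self.public_date = info['PublicDate']
 self.cvss = info['CVSS']
 self.usns = []
@@ -667,11 +667,19 @@ class OvalGeneratorPkg(OvalGenerator):
 
 return definition
 
+ def _add_test_ref_to_cve_tag(self, test_ref_id: int, cve: CVE, definition: etree.Element):
+ advisory = definition.find('.//advisory')
+
+ for cve_tag in advisory.findall('cve'):
+ if cve_tag.text == cve.number:
+ cve_tag.attrib['test_ref'] = f"{self.ns}:tst:{test_ref_id}"
+ return
+
 def _generate_cve_tag(self, cve: CVE) -> etree.Element:
 cve_tag = etree.Element("cve",
 attrib={
 'href' : f"https://ubuntu.com/security/{cve.number}",
- 'severity': cve.severity,
+ 'priority': cve.priority,
 'public': cve.public_date.split(' ')[0].replace('-', '')
 })
 
@@ -679,6 +687,7 @@ class OvalGeneratorPkg(OvalGenerator):
 if cve.cvss:
 cve_tag.set('cvss_score', cve.cvss[0]['baseScore'])
 cve_tag.set('cvss_vector', cve.cvss[0]['vector'])
+ cve_tag.set('cvss_severity', cve.cvss[0]['baseSeverity'].lower())
 if cve.usns:
 cve_tag.set('usns', ','.join(cve.usns))
 
@@ -1055,15 +1064,19 @@ class OvalGeneratorPkg(OvalGenerator):
 binaries = package.binaries[key]
 if pkg_rel_entry.fixed_version:
 if pkg_rel_entry.fixed_version in fixed_versions:
+ self._add_test_ref_to_cve_tag(fixed_versions[pkg_rel_entry.fixed_version], cve, definition_element)
 self._add_criterion(fixed_versions[pkg_rel_entry.fixed_version], pkg_rel_entry, cve, definition_element)
 continue
 else:
+ self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
 self._add_criterion(self.definition_id, pkg_rel_entry, cve, definition_element)
 fixed_versions[pkg_rel_entry.fixed_version] = self.definition_id
 elif one_time_added_id:
+ self._add_test_ref_to_cve_tag(one_time_added_id, cve, definition_element)
 self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element)
 continue
 else:
+ self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
 self._add_criterion(self.definition_id, pkg_rel_entry, cve, definition_element)
 one_time_added_id = self.definition_id
 
@@ -1106,6 +1119,8 @@ class OvalGeneratorPkg(OvalGenerator):
 pkg_rel_entry = cve.pkg_rel_entries[package.name]
 cve_added = True
 
+ self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
+
 kernel_version_criterion = self._add_fixed_kernel_elements(cve, package, pkg_rel_entry, root_element, running_kernel_id, fixed_versions)
 self._add_to_criteria(definition_element, kernel_version_criterion, depth=3)
 self._increase_id(is_definition=False)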
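Review bot: The new `cvss_severity` attribute indexes `cve['CVSS'][0]['baseSeverity']` in generate_cve_tag and `cve.cvss[0]['baseSeverity']` in _generate_cve_tag, while the guard on the preceding line only checks that a CVSS entry exists, so a record that carries `baseScore` and `vector` but no `baseSeverity` (if the tracker's CVSS data can ever lack it) now raises KeyError where it previously emitted a tag. A tolerant lookup keeps the generator running: `severity = cve['CVSS'][0].get('baseSeverity')` and append `cvss_severity` only when it is set, with the same `.get()` in _generate_cve_tag. Separately, renaming the emitted `severity=` attribute to `priority=` changes the published OVAL schema, so any scanner or parser that reads `cve/@severity` silently loses that value; the description does not say whether downstream consumers were checked or whether both attributes should be emitted for a transition period. _add_test_ref_to_cve_tag also assumes `definition.find('.//advisory')` returns an element and overwrites `test_ref` on every call, so if the loop in the 1055 hunk reaches the same CVE with a different test id the last write wins with no warning; a `if advisory is None: return` guard and a debug line when an existing `test_ref` differs would make that visible. The methods in the 1055 and 1106 hunks start and end outside the hunks.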
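diff --git a/test/test_oval_lib_unit.py b/test/test_oval_lib_unit.py
index 5b5c9a8..79c21c6 100644
--- a/test/test_oval_lib_unit.py
+++ b/test/test_oval_lib_unit.py
@@ -100,12 +100,12 @@ class TestOvalLibUnit:
 <advisory from="security@ubuntu.com">
 <severity>Medium</severity>
 <issued date="2020-06-09"/>
- <cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0067</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-0543" priority="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0543</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12114" priority="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" cvss_severity="medium">CVE-2020-12114</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12464" priority="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12464</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12659" priority="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12659</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-1749" priority="medium" public="20200304">CVE-2020-1749</cve>
 <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
 </advisory>
 </metadata>
@@ -128,12 +128,12 @@ class TestOvalLibUnit:
 <reference source="CVE" ref_id="CVE-2020-12659" ref_url="https://ubuntu.com/security/CVE-2020-12659"/>
 <reference source="CVE" ref_id="CVE-2020-1749" ref_url="https://ubuntu.com/security/CVE-2020-1749"/>"""
 
- cve_tags_mock = """<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve>
- <cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve>"""
+ cve_tags_mock = """<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0067</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-0543" priority="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0543</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12114" priority="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" cvss_severity="medium">CVE-2020-12114</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12464" priority="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12464</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-12659" priority="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12659</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-1749" priority="medium" public="20200304">CVE-2020-1749</cve>"""
 
 
 test_mock = [r"""
@@ -300,7 +300,7 @@ class TestOvalLibUnit:
 <advisory from="security@ubuntu.com">
 <severity>Medium</severity>
 <issued date="2020-06-09"/>
- <cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>
+ <cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>
 <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
 </advisory>
 </metadata>
@@ -548,7 +548,7 @@ No subscription required"""
 format_cves_info_mock.return_value = (self.urls_mock,
 self.invalid_priority_cve_mock)
 create_cves_elements_mock.return_value = (self.invalid_priority_references_mock,
- '<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>')
+ '<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>')
 create_bug_ref_mock.return_value = self.url_ref_mock
 get_usn_severity_mock.return_value = self.avg_severity_mock
 pocket_mock.return_value = self.pocket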
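Review bot: The updated fixtures cover only the `severity`→`priority` rename and the new `cvss_severity` attribute; nothing in this section exercises the `test_ref` attribute that the change adds through `_add_test_ref_to_cve_tag`, so a regression in the CVE-to-test mapping would pass these tests unnoticed. A case that builds a definition with two CVEs fixed in the same version and asserts `cve_tag.get('test_ref') == f"{ns}:tst:{expected_id}"` for each would pin the dedup behaviour the description's example shows (CVE-2016-6762 and CVE-2017-0841 sharing one test id). A companion case with a CVSS entry that lacks `baseSeverity`, if the tracker's data can ever omit it, would also pin whether the generator is meant to skip the attribute or fail. The TestOvalLibUnit class and the fixture strings in these hunks start and end outside the hunks.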
