Merge ~litios/ubuntu-cve-tracker:oval/add-test-ref-to-cve-tag into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 373f3bb0e7715842c3eba2787ada577f9f173035
Proposed branch: ~litios/ubuntu-cve-tracker:oval/add-test-ref-to-cve-tag
Merge into: ubuntu-cve-tracker:master
Diff against target: 144 lines (+33/-18)
2 files modified
scripts/oval_lib.py (+19/-4)
test/test_oval_lib_unit.py (+14/-14)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+451097@code.launchpad.net

Description of the change

Add a 'test_ref' attribute to the 'cve' elements in the advisory, pointing to the OVAL test in which that particular CVE is checked, for the package OVAL format.

Also, rename the severity to priority and add cvss_score:

        <advisory>
          <rights>Copyright (C) 2023 Canonical Ltd.</rights>
          <component>universe</component>
          <current_version>1:10.0.0+r36-9</current_version>
          <cve href="https://ubuntu.com/security/CVE-2016-3861" priority="medium" public="20160911" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700000">CVE-2016-3861</cve>
          <cve href="https://ubuntu.com/security/CVE-2016-6762" priority="medium" public="20170112" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2016-6762</cve>
          <cve href="https://ubuntu.com/security/CVE-2017-0647" priority="low" public="20170614" cvss_score="5.5" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" cvss_severity="medium" test_ref="oval:com.ubuntu.jammy:tst:22040002700020">CVE-2017-0647</cve>
          <cve href="https://ubuntu.com/security/CVE-2017-0841" priority="medium" public="20171116" cvss_score="7.8" cvss_vector="CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" cvss_severity="high" test_ref="oval:com.ubuntu.jammy:tst:22040002700010">CVE-2017-0841</cve>
        </advisory>

...

        <criteria operator="OR">
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700000" comment="(CVE-2016-3861) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r1-4')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2016-6762) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700020" comment="(CVE-2017-0647) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:7.0.0+r33-2')."/>
          <criterion test_ref="oval:com.ubuntu.jammy:tst:22040002700010" comment="(CVE-2017-0841) android-platform-system-core package in jammy, is related to the CVE in some way and has been fixed (note: '1:8.1.0+r3-5')."/>
        </criteria>

Eduardo Barretto (ebarretto) wrote :

thanks David!
as shown in the CI results, there are some tests that will need fixing before we merge this, could you please include that?

review: Needs Fixing
David Fernandez Gonzalez (litios) wrote :

Fixed, thanks for the review!

Eduardo Barretto (ebarretto) wrote :

now the unit-tests are passing, thanks!
the check-cves failures are not related to this PR and were already fixed in master branch.

thanks for making this change!

review: Approve

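--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -123,10 +123,10 @@ def debug(message):
 sys.stdout.write('\rDEBUG: {0}\n'.format(message))
 
 def generate_cve_tag(cve):
-cve_ref = '<cve href="https://ubuntu.com/security/{0}" severity="{1}" public="{2}"'.format(cve['Candidate'], cve['Priority'], cve['PublicDate'].split(' ')[0].replace('-', ''))
+cve_ref = '<cve href="https://ubuntu.com/security/{0}" priority="{1}" public="{2}"'.format(cve['Candidate'], cve['Priority'], cve['PublicDate'].split(' ')[0].replace('-', ''))
 
 if 'CVSS' in cve and cve['CVSS']:
-cve_ref += ' cvss_score="{0}" cvss_vector="{1}"'.format(cve['CVSS'][0]['baseScore'], cve['CVSS'][0]['vector'])
+cve_ref += ' cvss_score="{0}" cvss_vector="{1}" cvss_severity="{2}"'.format(cve['CVSS'][0]['baseScore'], cve['CVSS'][0]['vector'], cve['CVSS'][0]['baseSeverity'].lower())
 
 cve_ref_usns = False
 if 'References' in cve:
@@ -502,7 +502,7 @@ class CVE:
 def __init__(self, number, info, pkgs=[]) -> None:
 self.number = number
 self.description = info['Description']
-self.severity = info['Priority'][0]
+self.priority = info['Priority'][0]
 self.public_date = info['PublicDate']
 self.cvss = info['CVSS']
 self.usns = []
@@ -667,11 +667,19 @@ class OvalGeneratorPkg(OvalGenerator):
 
 return definition
 
+def _add_test_ref_to_cve_tag(self, test_ref_id: int, cve: CVE, definition: etree.Element):
+advisory = definition.find('.//advisory')
+
+for cve_tag in advisory.findall('cve'):
+if cve_tag.text == cve.number:
+cve_tag.attrib['test_ref'] = f"{self.ns}:tst:{test_ref_id}"
+return
+
 def _generate_cve_tag(self, cve: CVE) -> etree.Element:
 cve_tag = etree.Element("cve",
 attrib={
 'href' : f"https://ubuntu.com/security/{cve.number}",
-'severity': cve.severity,
+'priority': cve.priority,
 'public': cve.public_date.split(' ')[0].replace('-', '')
 })
 
@@ -679,6 +687,7 @@ class OvalGeneratorPkg(OvalGenerator):
 if cve.cvss:
 cve_tag.set('cvss_score', cve.cvss[0]['baseScore'])
 cve_tag.set('cvss_vector', cve.cvss[0]['vector'])
+cve_tag.set('cvss_severity', cve.cvss[0]['baseSeverity'].lower())
 if cve.usns:
 cve_tag.set('usns', ','.join(cve.usns))
 
@@ -1055,15 +1064,19 @@ class OvalGeneratorPkg(OvalGenerator):
 binaries = package.binaries[key]
 if pkg_rel_entry.fixed_version:
 if pkg_rel_entry.fixed_version in fixed_versions:
+self._add_test_ref_to_cve_tag(fixed_versions[pkg_rel_entry.fixed_version], cve, definition_element)
 self._add_criterion(fixed_versions[pkg_rel_entry.fixed_version], pkg_rel_entry, cve, definition_element)
 continue
 else:
+self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
 self._add_criterion(self.definition_id, pkg_rel_entry, cve, definition_element)
 fixed_versions[pkg_rel_entry.fixed_version] = self.definition_id
 elif one_time_added_id:
+self._add_test_ref_to_cve_tag(one_time_added_id, cve, definition_element)
 self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element)
 continue
 else:
+self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
 self._add_criterion(self.definition_id, pkg_rel_entry, cve, definition_element)
 one_time_added_id = self.definition_id
 
@@ -1106,6 +1119,8 @@ class OvalGeneratorPkg(OvalGenerator):
 pkg_rel_entry = cve.pkg_rel_entries[package.name]
 cve_added = True
 
+self._add_test_ref_to_cve_tag(self.definition_id, cve, definition_element)
+
 kernel_version_criterion = self._add_fixed_kernel_elements(cve, package, pkg_rel_entry, root_element, running_kernel_id, fixed_versions)
 self._add_to_criteria(definition_element, kernel_version_criterion, depth=3)
 self._increase_id(is_definition=False)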
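Review bot: `_add_test_ref_to_cve_tag` in the @@ -667 hunk calls `advisory.findall('cve')` on the result of `definition.find('.//advisory')` without checking for None, so a definition whose metadata has no advisory element fails with an AttributeError instead of a clear error; a guard such as `if advisory is None: raise ValueError(f"definition for {cve.number} has no advisory element")` would make the contract explicit, and the method would benefit from a docstring along the lines of `"""Point the advisory's <cve> entry for *cve* at OVAL test *test_ref_id* via its test_ref attribute; does nothing if the CVE is not listed."""`. In the @@ -1055 hunk the method is invoked on every iteration for the same cve and definition_element (the loop header lies outside the hunk), and each call overwrites `test_ref`, so if a definition ever accumulates more than one criterion for one CVE the attribute will silently point only at the last test — worth confirming that one test per CVE per definition is the intended invariant. Separately, the new `cve['CVSS'][0]['baseSeverity'].lower()` in the @@ -123 and @@ -679 hunks makes baseSeverity a hard requirement on every CVSS record where the old code needed only baseScore and vector; if any record lacks that key the generator now raises KeyError.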
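--- a/test/test_oval_lib_unit.py
+++ b/test/test_oval_lib_unit.py
@@ -100,12 +100,12 @@ class TestOvalLibUnit:
 <advisory from="security@ubuntu.com">
 <severity>Medium</severity>
 <issued date="2020-06-09"/>
-<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0067</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-0543" priority="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0543</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12114" priority="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" cvss_severity="medium">CVE-2020-12114</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12464" priority="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12464</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12659" priority="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12659</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-1749" priority="medium" public="20200304">CVE-2020-1749</cve>
 <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
 </advisory>
 </metadata>
@@ -128,12 +128,12 @@ class TestOvalLibUnit:
 <reference source="CVE" ref_id="CVE-2020-12659" ref_url="https://ubuntu.com/security/CVE-2020-12659"/>
 <reference source="CVE" ref_id="CVE-2020-1749" ref_url="https://ubuntu.com/security/CVE-2020-1749"/>"""
 
-cve_tags_mock = """<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve>
-<cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve>"""
+cve_tags_mock = """<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0067</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-0543" priority="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium">CVE-2020-0543</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12114" priority="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" cvss_severity="medium">CVE-2020-12114</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12464" priority="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12464</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-12659" priority="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" cvss_severity="medium">CVE-2020-12659</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-1749" priority="medium" public="20200304">CVE-2020-1749</cve>"""
 
 
 test_mock = [r"""
@@ -300,7 +300,7 @@ class TestOvalLibUnit:
 <advisory from="security@ubuntu.com">
 <severity>Medium</severity>
 <issued date="2020-06-09"/>
-<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>
+<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>
 <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
 </advisory>
 </metadata>
@@ -548,7 +548,7 @@ No subscription required"""
 format_cves_info_mock.return_value = (self.urls_mock,
 self.invalid_priority_cve_mock)
 create_cves_elements_mock.return_value = (self.invalid_priority_references_mock,
-'<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>')
+'<cve href="https://ubuntu.com/security/CVE-2020-0067" priority="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" cvss_severity="medium" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>')
 create_bug_ref_mock.return_value = self.url_ref_mock
 get_usn_severity_mock.return_value = self.avg_severity_mock
 pocket_mock.return_value = self.pocket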
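Review bot: None of the fixture updates in this file exercise the new `test_ref` attribute that `_add_test_ref_to_cve_tag` now sets on `<cve>` elements; the 14 changed lines only cover the `severity` to `priority` rename and the added `cvss_severity`, which matches the file's +14/-14 diffstat. Unless a fixture outside these hunks already does so, a package-OVAL expectation containing a `<cve ... test_ref="...">` element whose id matches a `<criterion test_ref="...">` in the same definition would pin the new behaviour, ideally including the case from the description where two CVEs share one test id through the reused fixed version.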
