Ubuntu CVE Tracker

Merge ~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez on 2024-02-05

Status:	Work in progress
Proposed branch:	~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags
Merge into:	ubuntu-cve-tracker:master
Diff against target:	72 lines (+28/-6) 1 file modified scripts/oval_lib.py (+28/-6)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Eduardo Barretto		2024-02-05	Pending
Review via email: mp+460034@code.launchpad.net

Description of the change

Current USN OVAL cannot detect if a CVE applied to the release.

This creates several problems:

1. Wrong information about the fixed version. If CVE was fixed in a different USN but CVE and package show up in another USN, that USN will also claim it fixed the CVE (example: USN-3679-1)

2. If CVE doesn't apply to the release, it will still appear in references and cve tags.

-------

Function cve_applies_release was created to fix this problem:

* CVE will only be added if:
1. Status for that CVE is released in that release and package.
2. The source version mentioned in the USN matches the one in the CVE.

* If after that there are no CVEs that apply, don't generate that USN OVAL information.

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2024-02-08:

I'm changing this to work in progress as discussed with David.
We found many corner cases and we are trying to solve it in another approach.
we will update this PR whenever we have a better solution

Unmerged commits

6fbc218... by David Fernandez Gonzalez on 2024-02-05

[OVAL] USN: if the USN doesn't have any valid CVEs, don't add it

Signed-off-by: David Fernandez Gonzalez <email address hidden>

	unit-tests:0 (build)
	check-cves:0 (build)

a10ee05... by David Fernandez Gonzalez on 2024-02-01

[OVAL] USN: only get CVE if it was fixed in the USN

Signed-off-by: David Fernandez Gonzalez <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

David Fernandez Gonzalez

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
 index b30a987..bb0c37c 100644
 --- a/scripts/oval_lib.py
 +++ b/scripts/oval_lib.py
@@ -2094,7 +2094,9 @@ class OvalGeneratorUSN():
      # TODO: xml lib
      def create_usn_definition(self, usn_object, usn_number, id_base, test_refs, cve_dir, instructions):
--        urls, cves_info = self.format_cves_info(usn_object['cves'], cve_dir)
++        urls, cves_info = self.get_cves_info(usn_object['cves'], cve_dir, usn_object)
++        if not cves_info: return None
++
          cve_references, cve_tags = self.create_cves_elements(cves_info)
          bug_references = self.create_bug_references(urls)
@@ -2437,7 +2439,8 @@ class OvalGeneratorUSN():
                  'CVSS': cve_object['CVSS'],
                  'References': references.split('\n'),
                  'CVE_URL': self.cve_base_url.format(cve),
--                'MITRE_URL': self.mitre_base_url.format(cve)
++                'MITRE_URL': self.mitre_base_url.format(cve),
++                'Packages': cve_object['pkgs']
+                 }
          return cve_info
@@ -2457,16 +2460,33 @@ class OvalGeneratorUSN():
          return (urls, _cves)
--    def format_cves_info(self, cves, cve_dir):
++    def cve_applies_release(self, cve, usn_obj):
++        pkg_versions = {}
++        for package_name in cve['Packages']:
++            package = cve['Packages'][package_name]
++            if self.release_codename in package and \
++                package[self.release_codename][0] == 'released':
++                pkg_versions[package_name] = package[self.release_codename][1]
++
++        applies = False
++        for package_name in usn_obj['releases'][self.release_codename]['sources']:
++            pkg_fixed_info = usn_obj['releases'][self.release_codename]['sources'][package_name]
++            if package_name in pkg_versions and \
++                pkg_fixed_info['version'] == pkg_versions[package_name]:
++                applies = True
++
++        return applies
++
++    def get_cves_info(self, cves, cve_dir, usn_obj):
          urls, cves = self.filter_cves(cves)
          cves_info = []
          for cve in cves:
              # ignore empty CVE entries
              if len(cve) == 0:
                  continue
--            res = self.get_cve_info_from_file(cve, cve_dir)
--            if res:
--                cves_info.append(res)
++            cve_info = self.get_cve_info_from_file(cve, cve_dir)
++            if cve_info and self.cve_applies_release(cve_info, usn_obj):
++                cves_info.append(cve_info)
          return urls, cves_info
@@ -2578,6 +2598,8 @@ class OvalGeneratorUSN():
          # Only need one definition, but if multiple versions of binary pkgs,
          # then may need several test, object, state and var
          usn_def = self.create_usn_definition(usn_object, usn_number, id_base, test_refs, cve_dir, instructions)
++        if not usn_def: return
++
          self.oval_structure['definition'].write(usn_def)
          for test_ref in test_refs: