Merge ~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags into ubuntu-cve-tracker:master
Status: Work in progress
Proposed branch: ~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags
Merge into: ubuntu-cve-tracker:master
Diff against target: 72 lines (+28/-6), 1 file modified
  scripts/oval_lib.py (+28/-6)
Related bugs: none listed
Reviewer: Eduardo Barretto (Pending)
Review via email: mp+460034@code.launchpad.net |
Description of the change
The current USN OVAL cannot detect whether a CVE applied to the release.
This creates several problems:
1. Wrong information about the fixed version. If a CVE was fixed in a different USN but the CVE and package show up in another USN, that USN will also claim it fixed the CVE (example: USN-3679-1).
2. If a CVE doesn't apply to the release, it will still appear in the references and CVE tags.
-------
The function cve_applies_release was created to fix this problem:
* A CVE will only be added if:
  1. The status for that CVE is released in that release and package.
  2. The source version mentioned in the USN matches the one in the CVE.
* If after that there are no CVEs that apply, don't generate OVAL information for that USN.
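As an added example (not code from ubuntu-cve-tracker or from this merge proposal), the two conditions above and the "no applicable CVE, no OVAL" rule modelled over constructed data. The data layout (a dict keyed by (release, package) holding a status and fixed version, loosely echoing the `<release>_<package>: released (<version>)` lines in UCT CVE files), the USN layout, the package name and the CVE/USN identifiers are all assumptions, not taken from the project:

```python
"""Added example, not ubuntu-cve-tracker code: a stand-alone model of the
cve_applies_release check described in the merge proposal.

Assumed data layout (not from the project):
  CVE_DB: cve id -> {(release, source package): (status, fixed version)}
  USN:    {"id": ..., "cves": [...], "releases": {release: {package: version}}}
All identifiers below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

CveEntry = Tuple[str, Optional[str]]

# Constructed sample CVE data (CVE ids and package name are fictional).
CVE_DB: Dict[str, Dict[Tuple[str, str], CveEntry]] = {
    # Fixed at different versions in each release.
    "CVE-2099-0001": {
        ("bionic", "foo"): ("released", "1.2-0ubuntu1.1"),
        ("xenial", "foo"): ("released", "1.0-0ubuntu1.3"),
    },
    # Does not affect bionic at all; released in xenial.
    "CVE-2099-0002": {
        ("bionic", "foo"): ("not-affected", None),
        ("xenial", "foo"): ("released", "1.0-0ubuntu1.3"),
    },
    # Still 'needed' everywhere: no USN may claim to fix it.
    "CVE-2099-0003": {
        ("bionic", "foo"): ("needed", None),
        ("xenial", "foo"): ("needed", None),
    },
}


def cve_applies_release(cve: str, release: str, package: str,
                        usn_version: str, cve_db=CVE_DB) -> bool:
    """Condition 1: status is 'released' for this release and package.
    Condition 2: the version the USN ships equals the version recorded
    in the CVE. Unknown CVEs or unknown release/package pairs never apply."""
    entry = cve_db.get(cve, {}).get((release, package))
    if entry is None:
        return False
    status, fixed_version = entry
    return status == "released" and fixed_version == usn_version


def cves_for_usn(usn: dict, cve_db=CVE_DB) -> Dict[str, List[str]]:
    """Return release -> sorted CVE ids the USN actually fixes in that release.
    A release with no applicable CVE is omitted, and an empty result means
    no OVAL information should be generated for the USN at all."""
    result: Dict[str, List[str]] = {}
    for release, packages in usn["releases"].items():
        applicable = set()
        for package, version in packages.items():
            for cve in usn["cves"]:
                if cve_applies_release(cve, release, package, version, cve_db):
                    applicable.add(cve)
        if applicable:
            result[release] = sorted(applicable)
    return result


# Constructed sample USNs (fictional ids).
USN_A = {
    "id": "USN-0000-1",
    "cves": ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003"],
    "releases": {"bionic": {"foo": "1.2-0ubuntu1.1"},
                 "xenial": {"foo": "1.0-0ubuntu1.3"}},
}
# A later USN for the same package that lists CVE-2099-0001 again, but ships
# a bionic version different from the one recorded in the CVE: under the old
# behaviour it would also claim the fix; here it yields nothing.
USN_B = {
    "id": "USN-0000-2",
    "cves": ["CVE-2099-0001"],
    "releases": {"bionic": {"foo": "1.2-0ubuntu1.2"}},
}

if __name__ == "__main__":
    for usn in (USN_A, USN_B):
        print(usn["id"], cves_for_usn(usn))
```

The version comparison is plain string equality because the proposal says the USN version must "match" the CVE's; a looser rule (for example treating a higher USN version as also fixing the CVE) is exactly what would re-introduce the USN-3679-1 style misattribution the proposal describes.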
Unmerged commits
- 6fbc218... by David Fernandez Gonzalez
  unit-tests:0 (build) check-cves:0 (build)
- a10ee05... by David Fernandez Gonzalez
I'm changing this to work in progress as discussed with David.
We found many corner cases and we are trying to solve them with another approach.
We will update this PR whenever we have a better solution.