Merge ~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Work in progress
Proposed branch: ~litios/ubuntu-cve-tracker:oval/usn-wrong-cve-tags
Merge into: ubuntu-cve-tracker:master
Diff against target: 72 lines (+28/-6)
1 file modified
scripts/oval_lib.py (+28/-6)
Reviewer Review Type Date Requested Status
Eduardo Barretto Pending

Description of the change

The current USN OVAL cannot detect whether a CVE applies to the release.

This creates several problems:

1. Wrong information about the fixed version. If CVE was fixed in a different USN but CVE and package show up in another USN, that USN will also claim it fixed the CVE (example: USN-3679-1)

2. If CVE doesn't apply to the release, it will still appear in references and cve tags.

-------

Function cve_applies_release was created to fix this problem:

* CVE will only be added if:
  1. Status for that CVE is released in that release and package.
  2. The source version mentioned in the USN matches the one in the CVE.

* If after that there are no CVEs that apply, don't generate that USN OVAL information.

Eduardo Barretto (ebarretto) wrote :

I'm changing this to work in progress as discussed with David.
We found many corner cases and are trying to solve them with another approach.
We will update this PR whenever we have a better solution.

Unmerged commits

6fbc218... by David Fernandez Gonzalez

[OVAL] USN: if the USN doesn't have any valid CVEs, don't add it

Signed-off-by: David Fernandez Gonzalez <email address hidden>

a10ee05... by David Fernandez Gonzalez

[OVAL] USN: only get CVE if it was fixed in the USN

Signed-off-by: David Fernandez Gonzalez <email address hidden>

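--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -2094,7 +2094,9 @@ class OvalGeneratorUSN():
 
     # TODO: xml lib
     def create_usn_definition(self, usn_object, usn_number, id_base, test_refs, cve_dir, instructions):
-        urls, cves_info = self.format_cves_info(usn_object['cves'], cve_dir)
+        urls, cves_info = self.get_cves_info(usn_object['cves'], cve_dir, usn_object)
+        if not cves_info: return None
+
         cve_references, cve_tags = self.create_cves_elements(cves_info)
         bug_references = self.create_bug_references(urls)
 
@@ -2437,7 +2439,8 @@ class OvalGeneratorUSN():
             'CVSS': cve_object['CVSS'],
             'References': references.split('\n'),
             'CVE_URL': self.cve_base_url.format(cve),
-            'MITRE_URL': self.mitre_base_url.format(cve)
+            'MITRE_URL': self.mitre_base_url.format(cve),
+            'Packages': cve_object['pkgs']
         }
 
         return cve_info
@@ -2457,16 +2460,33 @@ class OvalGeneratorUSN():
 
         return (urls, _cves)
 
-    def format_cves_info(self, cves, cve_dir):
+    def cve_applies_release(self, cve, usn_obj):
+        pkg_versions = {}
+        for package_name in cve['Packages']:
+            package = cve['Packages'][package_name]
+            if self.release_codename in package and \
+               package[self.release_codename][0] == 'released':
+                pkg_versions[package_name] = package[self.release_codename][1]
+
+        applies = False
+        for package_name in usn_obj['releases'][self.release_codename]['sources']:
+            pkg_fixed_info = usn_obj['releases'][self.release_codename]['sources'][package_name]
+            if package_name in pkg_versions and \
+               pkg_fixed_info['version'] == pkg_versions[package_name]:
+                applies = True
+
+        return applies
+
+    def get_cves_info(self, cves, cve_dir, usn_obj):
         urls, cves = self.filter_cves(cves)
         cves_info = []
         for cve in cves:
             # ignore empty CVE entries
             if len(cve) == 0:
                 continue
-            res = self.get_cve_info_from_file(cve, cve_dir)
-            if res:
-                cves_info.append(res)
+            cve_info = self.get_cve_info_from_file(cve, cve_dir)
+            if cve_info and self.cve_applies_release(cve_info, usn_obj):
+                cves_info.append(cve_info)
 
         return urls, cves_info
 
@@ -2578,6 +2598,8 @@ class OvalGeneratorUSN():
         # Only need one definition, but if multiple versions of binary pkgs,
         # then may need several test, object, state and var
         usn_def = self.create_usn_definition(usn_object, usn_number, id_base, test_refs, cve_dir, instructions)
+        if not usn_def: return
+
         self.oval_structure['definition'].write(usn_def)
 
         for test_ref in test_refs: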
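Review bot: In `cve_applies_release` (third hunk, new lines 2472–2475) `usn_obj['releases'][self.release_codename]['sources']` and `pkg_fixed_info['version']` are indexed without any guard, so a USN record that lacks this codename, or a source entry without a `version` key, would raise KeyError and abort the whole OVAL generation instead of merely excluding that one CVE; whether such records occur is not visible here, but since the caller already treats "no applicable CVE" as a soft condition the lookup should be equally tolerant. In the last hunk, `if not usn_def: return` drops an entire advisory from the feed with no trace, which leaves an unexplained coverage gap for anyone auditing the OVAL output against the published USNs; emit a warning through whatever diagnostic channel oval_lib already uses, naming `usn_number` and `self.release_codename`, before returning. Also, the one-line `if ...: return` forms on new lines 2098 and 2601 are discouraged by PEP 8, and the two accumulator loops in `cve_applies_release` read more clearly as a dict built from `.items()` plus `any()`, as below; note that both `create_usn_definition` and the caller in the last hunk continue outside their hunks.
```python
    def cve_applies_release(self, cve, usn_obj):
        """Return True when *cve* is 'released' for this codename at the exact source version the USN ships."""
        pkg_versions = {}
        for package_name, package in cve['Packages'].items():
            status = package.get(self.release_codename)
            if status and status[0] == 'released':
                pkg_versions[package_name] = status[1]

        # A USN need not cover every codename: treat a missing entry as "does not
        # apply" rather than letting KeyError abort the whole OVAL run.
        sources = usn_obj['releases'].get(self.release_codename, {}).get('sources', {})
        return any(
            package_name in pkg_versions
            and pkg_fixed_info.get('version') == pkg_versions[package_name]
            for package_name, pkg_fixed_info in sources.items()
        )
```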
