Ubuntu CVE Tracker

Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/add_impact_field into ubuntu-cve-tracker:master

  1. Git
  2. lp:~pfsmorigo/ubuntu-cve-tracker
  3. pfsmorigo/add_impact_field
  4. Merge into master
Proposed by Paulo Flabiano Smorigo
Status: Merged
Merged at revision: 10ce8191ad157d865e74cffc0ff52092da3a81f0
Proposed branch: ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/add_impact_field
Merge into: ubuntu-cve-tracker:master
Diff against target: 37 lines (+6/-3)
1 file modified
scripts/publish-cves-to-website-api.py (+6/-3)
Reviewer Review Type Date Requested Status
Steve Beattie Approve
Alex Murray Approve
Review via email: mp+436081@code.launchpad.net

Description of the change

This is the changed need in the upload script to send the impact field to the web security API. The support from the web site is working and I tested using a CVE as example:

https://ubuntu.com/security/cves/CVE-2021-21311.json

To post a comment you must log in.
Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM - is there a corresponding web team API change for this?

review: Approve
Revision history for this message
Steve Beattie (sbeattie) wrote :

One question:

I see the example json here includes, in addition to the base v3 vector, the exploitabilityScore and impactScore fields, which aren't included in our stored vectors in the CVE tracker, and are not computed as part of cve_lib.parse_cvss(). I see them also referenced in the web team API change for this at https://github.com/canonical/ubuntu-com-security-api/pull/121/files.

I don't see them being computed in the publish-cves-to-website-api.py script, so (a) where are they coming from, and (b) if they aren't coming from the script, is that going to cause a problem when submitting cves with this change?

Also, can you add comments noting that the cvss3 variable contains just the computd base score, and the impact field contains the full base vector? I know that now, but in two weeks I will surely have forgotten, and will likely be confused if I have to diagnose any problems with this script more than two weeks from now.

Thanks!

Revision history for this message
Steve Beattie (sbeattie) wrote :

Oh actually, I misunderstood the parse_cvss() api, it is computing these things. Okay, modulo adding some hint comments, this LGTM. Thanks!

review: Approve
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

> LGTM - is there a corresponding web team API change for this?

Yes. The web api accept this new field as you can see in the json like above. The web team will soon change the webpage in order to show those informations.

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

> One question:
>
> I see the example json here includes, in addition to the base v3 vector, the
> exploitabilityScore and impactScore fields, which aren't included in our
> stored vectors in the CVE tracker, and are not computed as part of
> cve_lib.parse_cvss(). I see them also referenced in the web team API change
> for this at https://github.com/canonical/ubuntu-com-security-
> api/pull/121/files.

Hmm, both are calculated in parse_cvss, right?
https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/cve_lib.py#n2993

This link is the result of the PR I sent to fix the problem of not accepting the impact data.

>
> I don't see them being computed in the publish-cves-to-website-api.py script,
> so (a) where are they coming from, and (b) if they aren't coming from the
> script, is that going to cause a problem when submitting cves with this
> change?
>
> Also, can you add comments noting that the cvss3 variable contains just the
> computd base score, and the impact field contains the full base vector? I know
> that now, but in two weeks I will surely have forgotten, and will likely be
> confused if I have to diagnose any problems with this script more than two
> weeks from now.

Sure, I'll add a comment.

>
> Thanks!

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

> Oh actually, I misunderstood the parse_cvss() api, it is computing these
> things. Okay, modulo adding some hint comments, this LGTM. Thanks!

Oh, sorry about my previous comment! I'll add a comment, tks!!

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Update the commit with a comment in both fields as requested.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, please commit.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
2index 6acc6ea..a591670 100755
3--- a/scripts/publish-cves-to-website-api.py
4+++ b/scripts/publish-cves-to-website-api.py
5@@ -81,18 +81,20 @@ def post_single_cve(cve_filename):
6 references.pop(0)
7
8 cvss3 = None
9+ impact = None
10 if len(cve_data["CVSS"]) > 0:
11 if "3." in cve_data["CVSS"][0]['vector']:
12 # Use CVSS3
13 try:
14- c = cve_lib.parse_cvss(cve_data["CVSS"][0]['vector'])
15- cvss3 = c['baseMetricV3']['cvssV3']['baseScore']
16+ impact = cve_lib.parse_cvss(cve_data["CVSS"][0]['vector'])
17+ cvss3 = impact['baseMetricV3']['cvssV3']['baseScore']
18 except ValueError as e:
19 print(
20 "%s: bad CVSS data %s, skipping: %s" % (cve_filename, cve_data["CVSS"][0]['vector'], e),
21 file=sys.stderr
22 )
23 cvss3 = None
24+ impact = None
25
26 packages = []
27 tags = {}
28@@ -160,7 +162,8 @@ def post_single_cve(cve_filename):
29 "mitigation": cve_data.get("Mitigation", ""),
30 "notes": notes,
31 "priority": priority,
32- "cvss3": cvss3, # CVSS vector to convert into Base score
33+ "cvss3": cvss3, # CVSS3 computed base score
34+ "impact": impact, # Full CVSS3 base vector structure
35 "references": references,
36 "bugs": cve_data["Bugs"].strip().split("\n"),
37 "packages": packages,

Subscribers

People subscribed via source and target branches