Ubuntu CVE Tracker

Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/priority-reason into ubuntu-cve-tracker:master

  1. Git
  2. lp:~pfsmorigo/ubuntu-cve-tracker
  3. pfsmorigo/priority-reason
  4. Merge into master
Proposed by Paulo Flabiano Smorigo
Status: Merged
Merged at revision: 7a65edaede42610c3f147c8d3c57d83b6c641741
Proposed branch: ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/priority-reason
Merge into: ubuntu-cve-tracker:master
Diff against target: 408 lines (+53/-30)
23 files modified
scripts/active_edit (+4/-1)
scripts/check-syntax (+1/-1)
scripts/cve_lib.py (+22/-5)
scripts/cve_packages (+3/-3)
scripts/oval_lib.py (+3/-3)
scripts/publish-cves-to-website-api.py (+1/-1)
scripts/report-date.py (+2/-2)
scripts/sis-generate-usn (+2/-2)
test/okay/cve-id-N7.json (+1/-1)
test/okay/cve-id-NNNN.json (+1/-1)
test/okay/patches-missing-1.json (+1/-1)
test/okay/patches-missing-2.json (+1/-1)
test/okay/patches-missing-3.json (+1/-1)
test/okay/patches-missing-4.json (+1/-1)
test/okay/priority-critical (+1/-0)
test/okay/priority-critical.json (+1/-1)
test/okay/priority-high (+1/-0)
test/okay/priority-high.json (+1/-1)
test/okay/priority-low (+1/-0)
test/okay/priority-low.json (+1/-1)
test/okay/priority-medium.json (+1/-1)
test/okay/priority-negligible.json (+1/-1)
test/okay/priority-untriaged.json (+1/-1)
Reviewer Review Type Date Requested Status
Alex Murray Approve
Review via email: mp+437974@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Alex Murray (alexmurray) wrote :

A few general questions:

1. Should the name just be Reason instead of Priority-Reason to make it easier?
2. What if instead we extended the syntax to allow the reason to be listed directly underneath the priority, e.g.

Priority: low
  classified as low since it is not a real vulnerability

as I think this is easier to read personally and it keeps the reason with the Priority

3. Or instead it could be a comment after the priority (but this would mean we couldn't easily do long Reason's) e.g.

Priority: low # classified as low since it is not a real vulnerability

4. Like Notes: do we want to capture who added the reason?
5. Do we also need to update all the boilerplates?
6. I think the check for this should be removed from cve_lib.py and instead added to check-syntax as this feels more like a policy check than a low-level format check
7. Can we please have a unit test in test_cve_lib.py?

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Thanks for the feedback. About the questions...

1. Leaving just as Reason feels vague but I'm ok to use it instead. This change also works for the package priority so, for instance, Priority-Reason_koffice would be just Reason_koffice.

2 and 3. I'm ok with both alternatives as long as we have a good way to parse it properly. Maybe parentesis like we do for package states: "Priority: low (it is not a real vulnerability)"

4. Not sure. We can always check git for the author. Not sure if it matters for the person browsing the CVE.

5. If we go with 2 and 3 suggestions, only the boilerplates that has a low/high/critical would be modified. Nowadays only one boilerplate has low (thunderbird). Now, if we make it mandatory, we would need to change all CVE that fits the criteria.

6. check-syntax uses a function in cve_lib.py to verify the CVEs. I just added an additional check there for the priority reason.

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

AlexM: I changed the format to be a comment in parenthesis after the tag. I still using priority-reason for the name but I'm ok about using other term. Also, maybe we can start without enforcing it for now. Otherwise we will need to add a reason for all the CVEs we have that fits the criteria.

Revision history for this message
Camila Camargo de Matos (ccdm94) wrote :

Since the priority reason will need to be short because it will be included in the parenthesis, maybe it is interesting to come with some "default" possible texts to include, so that we can use them as reference. For example, when we update the status of a release to 'not-affected', for example, and the reason behind it not being affected is because the function being patched doesn't exist, or because the code doesn't include some other function which is needed to trigger the vulnerability, we usually put something like 'code not present' for all cases. I don't know if this PR is the right one to possibly include these changes, but it could be useful for some cases that are commonly found during triage. An example would be a 'code not compiled in Ubuntu' for a priority set as 'low'.

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM!

review: Approve
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello Alex and other reviewers,

A couple of months ago we had a discussion and I did all the changes at the time. I was waiting for the review but I just realised that I didn't push the new changes to this PR so I did it now. I took the opportunity to change a little bit and merged all commits into one.

This commit will:
 - Change the priority field to a tuple in the format ('priority', 'priority reason');
 - The format for the reason will be a line after the Priority field with a space at the begin:

Priority: high
 classified as high because...

 - It will make check_syntax complains if priority is other than 'medium' and there is no reason for it;
 - The check only complains if the PublishDate is after this month (avoid check in old CVEs);

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM still - thanks @pfsmorigo

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/scripts/active_edit b/scripts/active_edit
index 4e2be92..d9068d6 100755
--- a/scripts/active_edit
+++ b/scripts/active_edit
@@ -232,7 +232,10 @@ def create_or_update_cve(cve, packages, priority=None, bug_urls=None, ref_urls=N
232 print('Bugs:', file=fp)232 print('Bugs:', file=fp)
233 for url in (bug_urls if bug_urls else []):233 for url in (bug_urls if bug_urls else []):
234 print(" %s" % url, file=fp)234 print(" %s" % url, file=fp)
235 print('Priority: %s' % (priority if priority else "untriaged"), file=fp)235 priority_text = priority if priority else "untriaged"
236 if priority in cve_lib.PRIORITY_REASON_REQUIRED:
237 priority_text += "\n XXX-Reason-XXX"
238 print('Priority: %s' % priority_text, file=fp)
236 print('Discovered-by:', file=fp)239 print('Discovered-by:', file=fp)
237 print('Assigned-to:', file=fp)240 print('Assigned-to:', file=fp)
238 print('CVSS:', file=fp)241 print('CVSS:', file=fp)
diff --git a/scripts/check-syntax b/scripts/check-syntax
index f3a5128..2bf4202 100755
--- a/scripts/check-syntax
+++ b/scripts/check-syntax
@@ -764,7 +764,7 @@ def check_cve(cve):
764 if (764 if (
765 len(supported)765 len(supported)
766 and (is_active(cve) or is_embargoed(cve))766 and (is_active(cve) or is_embargoed(cve))
767 and ("Priority" not in data or data["Priority"] not in cve_lib.priorities)767 and ("Priority" not in data or data["Priority"][0] not in cve_lib.priorities)
768 ):768 ):
769 filename = srcmap["Priority"][0] if "Priority" in srcmap else cvepath769 filename = srcmap["Priority"][0] if "Priority" in srcmap else cvepath
770 linenum = srcmap["Priority"][1] if "Priority" in srcmap else 1770 linenum = srcmap["Priority"][1] if "Priority" in srcmap else 1
diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
index 9b2e44e..d90dbd7 100755
--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -64,6 +64,8 @@ else:
64 boilerplates_dir = "boilerplates"64 boilerplates_dir = "boilerplates"
6565
66PRODUCT_UBUNTU = "ubuntu"66PRODUCT_UBUNTU = "ubuntu"
67PRIORITY_REASON_REQUIRED = ["low", "high", "critical"]
68PRIORITY_REASON_DATE_START = "2023-07-11"
6769
68# common to all scripts70# common to all scripts
69# these get populated by the contents of subprojects defined below71# these get populated by the contents of subprojects defined below
@@ -1856,8 +1858,8 @@ def contextual_priority(cveinfo, pkg=None, rel=None):
1856 if rel_p in cveinfo:1858 if rel_p in cveinfo:
1857 return 2, cveinfo[rel_p]1859 return 2, cveinfo[rel_p]
1858 if pkg_p in cveinfo:1860 if pkg_p in cveinfo:
1859 return 1, cveinfo[pkg_p]1861 return 1, cveinfo[pkg_p][0]
1860 return 0, cveinfo.get('Priority', 'untriaged')1862 return 0, cveinfo['Priority'][0] if 'Priority' in cveinfo else 'untriaged'
18611863
18621864
1863def find_cve(cve):1865def find_cve(cve):
@@ -2095,6 +2097,7 @@ def load_cve(cve, strict=False, srcmap=None):
2095 raise ValueError("File does not exist: '%s'" % (cve))2097 raise ValueError("File does not exist: '%s'" % (cve))
2096 linenum = 02098 linenum = 0
2097 notes_parser = NotesParser()2099 notes_parser = NotesParser()
2100 priority_reason = {}
2098 cvss_entries = []2101 cvss_entries = []
2099 with codecs.open(cve, encoding="utf-8") as inF:2102 with codecs.open(cve, encoding="utf-8") as inF:
2100 lines = inF.readlines()2103 lines = inF.readlines()
@@ -2112,6 +2115,12 @@ def load_cve(cve, strict=False, srcmap=None):
2112 code, newmsg = notes_parser.parse_line(cve, line, linenum, code)2115 code, newmsg = notes_parser.parse_line(cve, line, linenum, code)
2113 if code != EXIT_OKAY:2116 if code != EXIT_OKAY:
2114 msg += newmsg2117 msg += newmsg
2118 elif lastfield.startswith('Priority'):
2119 priority_part = lastfield.split('_')[1] if '_' in lastfield else None
2120 if priority_part in priority_reason:
2121 priority_reason[priority_part].append(line.strip())
2122 else:
2123 priority_reason[priority_part] = [line.strip()]
2115 elif 'Patches_' in lastfield:2124 elif 'Patches_' in lastfield:
2116 try:2125 try:
2117 _, pkg = lastfield.split('_', 1)2126 _, pkg = lastfield.split('_', 1)
@@ -2186,7 +2195,7 @@ def load_cve(cve, strict=False, srcmap=None):
2186 msg += "%s: %d: bad field with 'Priority_': '%s'\n" % (cve, linenum, field)2195 msg += "%s: %d: bad field with 'Priority_': '%s'\n" % (cve, linenum, field)
2187 code = EXIT_FAIL2196 code = EXIT_FAIL
2188 continue2197 continue
2189 data.setdefault(field, value)2198 data.setdefault(field, [value])
2190 srcmap.setdefault(field, (cve, linenum))2199 srcmap.setdefault(field, (cve, linenum))
2191 if value not in ['untriaged', 'not-for-us'] + priorities:2200 if value not in ['untriaged', 'not-for-us'] + priorities:
2192 msg += "%s: %d: unknown Priority '%s'\n" % (cve, linenum, value)2201 msg += "%s: %d: unknown Priority '%s'\n" % (cve, linenum, value)
@@ -2265,7 +2274,7 @@ def load_cve(cve, strict=False, srcmap=None):
22652274
2266 # Fill in defaults for missing fields2275 # Fill in defaults for missing fields
2267 if 'Priority' not in data:2276 if 'Priority' not in data:
2268 data.setdefault('Priority', 'untriaged')2277 data.setdefault('Priority', ['untriaged'])
2269 srcmap.setdefault('Priority', (cve, 1))2278 srcmap.setdefault('Priority', (cve, 1))
2270 # Perform override fields2279 # Perform override fields
2271 if 'PublicDateAtUSN' in data:2280 if 'PublicDateAtUSN' in data:
@@ -2277,6 +2286,14 @@ def load_cve(cve, strict=False, srcmap=None):
2277 data['PublicDate'] = data['CRD']2286 data['PublicDate'] = data['CRD']
2278 srcmap['PublicDate'] = srcmap['CRD']2287 srcmap['PublicDate'] = srcmap['CRD']
22792288
2289 if data["PublicDate"] > PRIORITY_REASON_DATE_START and \
2290 data["Priority"][0] in PRIORITY_REASON_REQUIRED and not priority_reason:
2291 msg += "%s: %d: needs a reason for being '%s'\n" % (cve, linenum, data["Priority"][0])
2292 code = EXIT_FAIL
2293 for item in priority_reason:
2294 field = 'Priority' if not item else 'Priority_' + item
2295 data[field].append(' '.join(priority_reason[item]))
2296
2280 # entries need an upstream entry if any entries are from the internal2297 # entries need an upstream entry if any entries are from the internal
2281 # list of subprojects2298 # list of subprojects
2282 for pkg in affected:2299 for pkg in affected:
@@ -2339,7 +2356,7 @@ def load_table(cves, uems, opt=None, rcves=[], icves=[]):
2339 # Allow for Priority overrides2356 # Allow for Priority overrides
2340 priority[cve]['default'] = 'untriaged'2357 priority[cve]['default'] = 'untriaged'
2341 try:2358 try:
2342 priority[cve]['default'] = info['Priority']2359 priority[cve]['default'] = info['Priority'][0]
2343 except KeyError:2360 except KeyError:
2344 priority[cve]['default'] = 'untriaged'2361 priority[cve]['default'] = 'untriaged'
23452362
diff --git a/scripts/cve_packages b/scripts/cve_packages
index da038c4..c4903af 100755
--- a/scripts/cve_packages
+++ b/scripts/cve_packages
@@ -253,9 +253,9 @@ for cve in sorted(cves):
253 if cveinfo[cve]['CVSS']:253 if cveinfo[cve]['CVSS']:
254 p = cveinfo[cve]['CVSS'][0]['baseSeverity'].lower()254 p = cveinfo[cve]['CVSS'][0]['baseSeverity'].lower()
255 else:255 else:
256 p = priority[cve]['default']256 p = priority[cve]['default'][0]
257 else:257 else:
258 p = priority[cve]['default']258 p = priority[cve]['default'][0]
259259
260 if pkg in packages:260 if pkg in packages:
261 packages[pkg] += 1261 packages[pkg] += 1
@@ -263,7 +263,7 @@ for cve in sorted(cves):
263 packages[pkg] = 1263 packages[pkg] = 1
264264
265 if pkg in priority[cve]:265 if pkg in priority[cve]:
266 p = priority[cve][pkg]266 p = priority[cve][pkg][0]
267267
268 if pkg in priorities[p]:268 if pkg in priorities[p]:
269 priorities[p][pkg] += 1269 priorities[p][pkg] += 1
diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index ed64318..f8decdd 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -1266,7 +1266,7 @@ class OvalGeneratorCVE:
1266 'cve_title': escape(header['Candidate']),1266 'cve_title': escape(header['Candidate']),
1267 'description': escape('{0} {1}'.format(header['Description'],1267 'description': escape('{0} {1}'.format(header['Description'],
1268 header['Ubuntu-Description']).strip() + instruction),1268 header['Ubuntu-Description']).strip() + instruction),
1269 'priority': escape(header['Priority']),1269 'priority': escape(header['Priority'][0]),
1270 'criteria': '',1270 'criteria': '',
1271 'references': '',1271 'references': '',
1272 'notes': ''1272 'notes': ''
@@ -1316,7 +1316,7 @@ class OvalGeneratorCVE:
1316 # convert additional data <advisory> metadata elements1316 # convert additional data <advisory> metadata elements
1317 advisory = []1317 advisory = []
1318 advisory.append('<severity>{0}</severity>'.format(1318 advisory.append('<severity>{0}</severity>'.format(
1319 escape(header['Priority'].title())))1319 escape(header['Priority'][0].title())))
1320 advisory.append(1320 advisory.append(
1321 '<rights>Copyright (C) {0}Canonical Ltd.</rights>'.format(escape(1321 '<rights>Copyright (C) {0}Canonical Ltd.</rights>'.format(escape(
1322 header['PublicDate'].split('-', 1)[0] + ' '1322 header['PublicDate'].split('-', 1)[0] + ' '
@@ -2471,7 +2471,7 @@ class OvalGeneratorUSN():
2471 return None2471 return None
24722472
2473 public_date = cve_object['PublicDate']2473 public_date = cve_object['PublicDate']
2474 priority = cve_object['Priority']2474 priority = cve_object['Priority'][0]
2475 references = cve_object['References']2475 references = cve_object['References']
2476 # TODO: deal with multiple CVSS?2476 # TODO: deal with multiple CVSS?
2477 cve_info = {2477 cve_info = {
diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
index aa80880..d6af0e7 100755
--- a/scripts/publish-cves-to-website-api.py
+++ b/scripts/publish-cves-to-website-api.py
@@ -166,7 +166,7 @@ def post_single_cve(cve_filename):
166 for [author, note] in cve_data["Notes"]:166 for [author, note] in cve_data["Notes"]:
167 notes.append({"author": author, "note": note})167 notes.append({"author": author, "note": note})
168168
169 priority = cve_data["Priority"]169 priority = cve_data["Priority"][0]
170170
171 if priority == "untriaged":171 if priority == "untriaged":
172 priority = "unknown"172 priority = "unknown"
diff --git a/scripts/report-date.py b/scripts/report-date.py
index c983072..e350e0c 100755
--- a/scripts/report-date.py
+++ b/scripts/report-date.py
@@ -78,9 +78,9 @@ for priority in ['untriaged'] + cve_lib.priorities:
78 continue78 continue
7979
80 # Only report if we have a matching priority80 # Only report if we have a matching priority
81 this_priority = info[cve]['Priority']81 this_priority = info[cve]['Priority'][0]
82 if info[cve].has_key('Priority_%s' % (pkg)):82 if info[cve].has_key('Priority_%s' % (pkg)):
83 this_priority = info[cve]['Priority_%s' % (pkg)]83 this_priority = info[cve]['Priority_%s' % (pkg)][0]
84 if this_priority == priority:84 if this_priority == priority:
85 pkglist.add(pkg)85 pkglist.add(pkg)
8686
diff --git a/scripts/sis-generate-usn b/scripts/sis-generate-usn
index 4a46e18..4535210 100755
--- a/scripts/sis-generate-usn
+++ b/scripts/sis-generate-usn
@@ -198,8 +198,8 @@ def check_cve_priority(cve):
198 print("ERROR: {} does not exist in UCT in either {}".format(cve, state),198 print("ERROR: {} does not exist in UCT in either {}".format(cve, state),
199 file=sys.stderr)199 file=sys.stderr)
200 sys.exit(1)200 sys.exit(1)
201 if cve_data['Priority'] in ['untriaged', 'not-for-us']:201 if cve_data['Priority'][0] in ['untriaged', 'not-for-us']:
202 print("ERROR: {} has Priority {}".format(cve, cve_data['Priority']),202 print("ERROR: {} has Priority {}".format(cve, cve_data['Priority'][0]),
203 file=sys.stderr)203 file=sys.stderr)
204 sys.exit(1)204 sys.exit(1)
205205
diff --git a/test/okay/cve-id-N7.json b/test/okay/cve-id-N7.json
index 6685f37..afbffa1 100644
--- a/test/okay/cve-id-N7.json
+++ b/test/okay/cve-id-N7.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "negligible",16 "Priority": ["negligible"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/cve-id-NNNN.json b/test/okay/cve-id-NNNN.json
index 1d19260..0c008ca 100644
--- a/test/okay/cve-id-NNNN.json
+++ b/test/okay/cve-id-NNNN.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "negligible",16 "Priority": ["negligible"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/patches-missing-1.json b/test/okay/patches-missing-1.json
index f438ff6..c78d347 100644
--- a/test/okay/patches-missing-1.json
+++ b/test/okay/patches-missing-1.json
@@ -11,7 +11,7 @@
11 "Notes": [],11 "Notes": [],
12 "Mitigation": "",12 "Mitigation": "",
13 "Bugs": "",13 "Bugs": "",
14 "Priority": "medium",14 "Priority": ["medium"],
15 "Discovered-by": "",15 "Discovered-by": "",
16 "Assigned-to": "",16 "Assigned-to": "",
17 "CVSS": [],17 "CVSS": [],
diff --git a/test/okay/patches-missing-2.json b/test/okay/patches-missing-2.json
index d057b6e..92fac9d 100644
--- a/test/okay/patches-missing-2.json
+++ b/test/okay/patches-missing-2.json
@@ -11,7 +11,7 @@
11 "Notes": [],11 "Notes": [],
12 "Mitigation": "",12 "Mitigation": "",
13 "Bugs": "",13 "Bugs": "",
14 "Priority": "medium",14 "Priority": ["medium"],
15 "Discovered-by": "",15 "Discovered-by": "",
16 "Assigned-to": "",16 "Assigned-to": "",
17 "CVSS": [],17 "CVSS": [],
diff --git a/test/okay/patches-missing-3.json b/test/okay/patches-missing-3.json
index 950893d..b58408e 100644
--- a/test/okay/patches-missing-3.json
+++ b/test/okay/patches-missing-3.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "medium",16 "Priority": ["medium"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/patches-missing-4.json b/test/okay/patches-missing-4.json
index 6c03170..5ab7913 100644
--- a/test/okay/patches-missing-4.json
+++ b/test/okay/patches-missing-4.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "medium",16 "Priority": ["medium"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-critical b/test/okay/priority-critical
index 5d20f02..78a81de 100644
--- a/test/okay/priority-critical
+++ b/test/okay/priority-critical
@@ -11,6 +11,7 @@ Notes:
11Mitigation: 11Mitigation:
12Bugs: 12Bugs:
13Priority: critical13Priority: critical
14 reason for being critial
14Discovered-by:15Discovered-by:
15Assigned-to:16Assigned-to:
16CVSS:17CVSS:
diff --git a/test/okay/priority-critical.json b/test/okay/priority-critical.json
index 5b99773..89cbce9 100644
--- a/test/okay/priority-critical.json
+++ b/test/okay/priority-critical.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "critical",16 "Priority": ["critical", "reason for being critial"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-high b/test/okay/priority-high
index f97416a..5ec543f 100644
--- a/test/okay/priority-high
+++ b/test/okay/priority-high
@@ -11,6 +11,7 @@ Notes:
11Mitigation: 11Mitigation:
12Bugs: 12Bugs:
13Priority: high13Priority: high
14 reason for being high
14Discovered-by:15Discovered-by:
15Assigned-to:16Assigned-to:
16CVSS:17CVSS:
diff --git a/test/okay/priority-high.json b/test/okay/priority-high.json
index 1c91a1f..f893e73 100644
--- a/test/okay/priority-high.json
+++ b/test/okay/priority-high.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "high",16 "Priority": ["high", "reason for being high"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-low b/test/okay/priority-low
index 62d21c5..8c5050c 100644
--- a/test/okay/priority-low
+++ b/test/okay/priority-low
@@ -11,6 +11,7 @@ Notes:
11Mitigation:11Mitigation:
12Bugs:12Bugs:
13Priority: low13Priority: low
14 reason for being low
14Discovered-by:15Discovered-by:
15Assigned-to:16Assigned-to:
16CVSS:17CVSS:
diff --git a/test/okay/priority-low.json b/test/okay/priority-low.json
index 76eb0f6..8eadf86 100644
--- a/test/okay/priority-low.json
+++ b/test/okay/priority-low.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "low",16 "Priority": ["low", "reason for being low"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-medium.json b/test/okay/priority-medium.json
index acd1505..03aa9f2 100644
--- a/test/okay/priority-medium.json
+++ b/test/okay/priority-medium.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "medium",16 "Priority": ["medium"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-negligible.json b/test/okay/priority-negligible.json
index 16783ce..5035758 100644
--- a/test/okay/priority-negligible.json
+++ b/test/okay/priority-negligible.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "negligible",16 "Priority": ["negligible"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],
diff --git a/test/okay/priority-untriaged.json b/test/okay/priority-untriaged.json
index ab2ece0..a596046 100644
--- a/test/okay/priority-untriaged.json
+++ b/test/okay/priority-untriaged.json
@@ -13,7 +13,7 @@
13 "Notes": [],13 "Notes": [],
14 "Mitigation": "",14 "Mitigation": "",
15 "Bugs": "",15 "Bugs": "",
16 "Priority": "untriaged",16 "Priority": ["untriaged"],
17 "Discovered-by": "",17 "Discovered-by": "",
18 "Assigned-to": "",18 "Assigned-to": "",
19 "CVSS": [],19 "CVSS": [],

Subscribers

People subscribed via source and target branches