Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/reason_in_notes into ubuntu-cve-tracker:master
Status: Merged
Merged at revision: 1a98a3ca6297b5152a92307a832b3c6f1a43af73
Proposed branch: ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/reason_in_notes
Merge into: ubuntu-cve-tracker:master
Diff against target: 14 lines (+4/-0), 1 file modified
  scripts/publish-cves-to-website-api.py (+4/-0)
Related bugs: (none)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Ubuntu Security Team | | | Pending

Review via email: mp+448821@code.launchpad.net
Commit message
Description of the change
Add the priority reason as the top comment in the notes session like this:
https:/
This is a temporary solution until the new field is added by the web team.
Emilia Torino (emitorino) wrote :
Leaving one question just in case, otherwise LGTM!
Steve Beattie (sbeattie) wrote :
On Wed, Aug 09, 2023 at 06:39:15PM -0000, Paulo Flabiano Smorigo wrote:
> Paulo Flabiano Smorigo has proposed merging ~pfsmorigo/
>
> Requested reviews:
> Ubuntu Security Team (ubuntu-security)
>
> For more details, see:
> https:/
>
> Add the priority reason as the top comment in the notes session like this:
>
> https:/
>
> This is a temporary solution until the new field is added by the web team.
You could conceivably make the author of the priority reason be the
ubuntu-security user on launchpad, but I'm not sure it's worth the
bother for a temporary fix.
I would like to see the attached patch containing testcases for putting
the priority reason in the notes field, however.
Thanks.
--
Steve Beattie
<email address hidden>
From 1849959a109b7b9d57af562932f0fe32f7d00e0d Mon Sep 17 00:00:00 2001
From: Steve Beattie <steve.beattie@canonical.com>
Date: Thu, 10 Aug 2023 15:34:15 -0700
Subject: [PATCH] publish-cves-to-website-api.py: add priority reason notes
 tests

Add a couple of tests to validate putting the priority reason in the
notes field as a temporary fix. These can also be used as a basis
for tests when the web team adds a separate priority reason field.

MR: https://code.launchpad.net/~pfsmorigo/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/448821

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
--
 test/website_api/use_priority_reason      | 26 ++++++++
 test/website_api/use_priority_reason.json | 56 ++++++++++++++++
 .../use_priority_reason_plus_notes        | 29 +++++++++
 .../use_priority_reason_plus_notes.json   | 64 +++++++++++++++++++
 4 files changed, 175 insertions(+)
 create mode 100644 test/website_api/use_priority_reason
 create mode 100644 test/website_api/use_priority_reason.json
 create mode 100644 test/website_api/use_priority_reason_plus_notes
 create mode 100644 test/website_api/use_priority_reason_plus_notes.json

24 | diff --git a/test/website_api/use_priority_reason b/test/website_api/use_priority_reason | |||
25 | 23 | new file mode 100644 | 22 | new file mode 100644 |
26 | index 00000000000..1d542f4e061 | |||
27 | --- /dev/null | |||
28 | +++ b/test/website_api/use_priority_reason | |||
29 | @@ -0,0 +1,26 @@ | |||
30 | 1 | PublicDateAtUSN: 2020-08-04 17:00:00 UTC | ||
31 | 2 | Candidate: CVE-2020-1234 | ||
32 | 3 | CRD: 2020-08-04 17:00:00 UTC | ||
33 | 4 | PublicDate: 2020-08-04 17:00:00 UTC | ||
34 | 5 | References: | ||
35 | 6 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234 | ||
36 | 7 | Description: | ||
37 | 8 | Publish CVEs to Website API tests | ||
38 | 9 | Ubuntu-Description: | ||
39 | 10 | Notes: | ||
40 | 11 | Mitigation: | ||
41 | 12 | Bugs: | ||
42 | 13 | Priority: low | ||
43 | 14 | This is the reason the priority of this CVE is low. This cve is | ||
44 | 15 | priority low for a very good reason. | ||
45 | 16 | Discovered-by: | ||
46 | 17 | Assigned-to: | ||
47 | 18 | CVSS: | ||
48 | 19 | |||
49 | 20 | |||
50 | 21 | Patches_package: | ||
51 | 22 | upstream_package: needs-triage | ||
52 | 23 | trusty_package: released (1.2.3) | ||
53 | 24 | trusty/esm_package: not-affected (1.2.3) | ||
54 | 25 | jammy_package: released (4.5.6) | ||
55 | 26 | esm-apps/jammy_package: not-affected (4.5.6) | ||
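Review bot: this fixture covers only the positive path, `Priority: low` with a reason wrapped over two lines (lines 13-15 of the new file); there is no companion fixture where `Priority:` carries no reason, so the `notes` list staying unchanged in that case is not asserted anywhere in this patch. Adding one, or stating in the commit message that an existing website_api test already covers it, would pin the new guard in publish-cves-to-website-api.py from both sides. Also note that the `trusty/esm_package` and `esm-apps/jammy_package` lines (24 and 26) have no counterpart in the expected statuses of use_priority_reason.json, so this test also depends on the publisher filtering ESM releases; fine if intended, but it is a second behaviour hiding inside a priority-reason test.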
56 | diff --git a/test/website_api/use_priority_reason.json b/test/website_api/use_priority_reason.json | |||
57 | 0 | new file mode 100644 | 27 | new file mode 100644 |
58 | index 00000000000..f0fdf4b9f76 | |||
59 | --- /dev/null | |||
60 | +++ b/test/website_api/use_priority_reason.json | |||
61 | @@ -0,0 +1,56 @@ | |||
62 | 1 | [ | ||
63 | 2 | { | ||
64 | 3 | "id": "CVE-2020-1234", | ||
65 | 4 | "description": "\nPublish CVEs to Website API tests", | ||
66 | 5 | "ubuntu_description": "", | ||
67 | 6 | "mitigation": "", | ||
68 | 7 | "notes": [ | ||
69 | 8 | { | ||
70 | 9 | "author": "", | ||
71 | 10 | "note": "Priority reason:\nThis is the reason the priority of this CVE is low. This cve is priority low for a very good reason." | ||
72 | 11 | } | ||
73 | 12 | ], | ||
74 | 13 | "priority": "low", | ||
75 | 14 | "cvss3": null, | ||
76 | 15 | "references": [ | ||
77 | 16 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234" | ||
78 | 17 | ], | ||
79 | 18 | "bugs": [ | ||
80 | 19 | "" | ||
81 | 20 | ], | ||
82 | 21 | "packages": [ | ||
83 | 22 | { | ||
84 | 23 | "name": "package", | ||
85 | 24 | "source": "https://launchpad.net/ubuntu/+source/package", | ||
86 | 25 | "ubuntu": "https://packages.ubuntu.com/search?suite=all§ion=all&arch=any&searchon=sourcenames&keywords=package", | ||
87 | 26 | "debian": "https://tracker.debian.org/pkg/package", | ||
88 | 27 | "statuses": [ | ||
89 | 28 | { | ||
90 | 29 | "release_codename": "trusty", | ||
91 | 30 | "status": "released", | ||
92 | 31 | "description": "1.2.3", | ||
93 | 32 | "pocket": "security" | ||
94 | 33 | }, | ||
95 | 34 | { | ||
96 | 35 | "release_codename": "jammy", | ||
97 | 36 | "status": "released", | ||
98 | 37 | "description": "4.5.6", | ||
99 | 38 | "pocket": "security" | ||
100 | 39 | }, | ||
101 | 40 | { | ||
102 | 41 | "release_codename": "upstream", | ||
103 | 42 | "status": "needs-triage", | ||
104 | 43 | "description": "", | ||
105 | 44 | "pocket": "security" | ||
106 | 45 | } | ||
107 | 46 | ] | ||
108 | 47 | } | ||
109 | 48 | ], | ||
110 | 49 | "status": "active", | ||
111 | 50 | "tags": {}, | ||
112 | 51 | "patches": { | ||
113 | 52 | "package": [] | ||
114 | 53 | }, | ||
115 | 54 | "published": "2020-08-04 17:00:00 UTC" | ||
116 | 55 | } | ||
117 | 56 | ] | ||
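Review bot: `"author": ""` on line 9 hard-codes the empty author for the synthetic note, which the thread is still debating (ubuntu-security was floated); if it changes, this file and use_priority_reason_plus_notes.json need the identical edit, so a sentence in the commit message saying the fixtures encode the interim choice would help. Separately, lines 18-20 expect `"bugs": [""]` for an empty `Bugs:` field; if that is pre-existing publisher behaviour it is now asserted by a test about priority reasons, and an empty list would be the more natural expectation, so it is worth confirming that value is deliberate rather than copied from actual output.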
118 | diff --git a/test/website_api/use_priority_reason_plus_notes b/test/website_api/use_priority_reason_plus_notes | |||
119 | 0 | new file mode 100644 | 57 | new file mode 100644 |
120 | index 00000000000..41e6cc83b7c | |||
121 | --- /dev/null | |||
122 | +++ b/test/website_api/use_priority_reason_plus_notes | |||
123 | @@ -0,0 +1,29 @@ | |||
124 | 1 | PublicDateAtUSN: 2020-08-04 17:00:00 UTC | ||
125 | 2 | Candidate: CVE-2020-1234 | ||
126 | 3 | CRD: 2020-08-04 17:00:00 UTC | ||
127 | 4 | PublicDate: 2020-08-04 17:00:00 UTC | ||
128 | 5 | References: | ||
129 | 6 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234 | ||
130 | 7 | Description: | ||
131 | 8 | Publish CVEs to Website API tests | ||
132 | 9 | Ubuntu-Description: | ||
133 | 10 | Notes: | ||
134 | 11 | pfsmorigo> this is a note | ||
135 | 12 | sbeattie> this is another note. It contains for too many words for a | ||
136 | 13 | note. Why are there so many words in this note? | ||
137 | 14 | Mitigation: | ||
138 | 15 | Bugs: | ||
139 | 16 | Priority: low | ||
140 | 17 | This is the reason the priority of this CVE is low. This cve is | ||
141 | 18 | priority low for a very good reason. | ||
142 | 19 | Discovered-by: | ||
143 | 20 | Assigned-to: | ||
144 | 21 | CVSS: | ||
145 | 22 | |||
146 | 23 | |||
147 | 24 | Patches_package: | ||
148 | 25 | upstream_package: needs-triage | ||
149 | 26 | trusty_package: released (1.2.3) | ||
150 | 27 | trusty/esm_package: not-affected (1.2.3) | ||
151 | 28 | jammy_package: released (4.5.6) | ||
152 | 29 | esm-apps/jammy_package: not-affected (4.5.6) | ||
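Review bot: this fixture differs from use_priority_reason only in the Notes block (lines 10-13), which is what makes it the ordering test: the synthetic priority-reason entry has to land ahead of pfsmorigo's and sbeattie's notes, and sbeattie's wrapped note (lines 12-13) is the only multi-line note in the patch. Minor: "for too many words" on line 12 is presumably "far too many"; harmless as test data, but the same text is replicated into the expected JSON, so fix both or leave both.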
153 | diff --git a/test/website_api/use_priority_reason_plus_notes.json b/test/website_api/use_priority_reason_plus_notes.json | |||
154 | 0 | new file mode 100644 | 30 | new file mode 100644 |
155 | index 00000000000..6e4a5d06d46 | |||
156 | --- /dev/null | |||
157 | +++ b/test/website_api/use_priority_reason_plus_notes.json | |||
158 | @@ -0,0 +1,64 @@ | |||
223 | 0 | - | 1 | [ |
160 | 2 | { | ||
161 | 3 | "id": "CVE-2020-1234", | ||
162 | 4 | "description": "\nPublish CVEs to Website API tests", | ||
163 | 5 | "ubuntu_description": "", | ||
164 | 6 | "mitigation": "", | ||
165 | 7 | "notes": [ | ||
166 | 8 | { | ||
167 | 9 | "author": "", | ||
168 | 10 | "note": "Priority reason:\nThis is the reason the priority of this CVE is low. This cve is priority low for a very good reason." | ||
169 | 11 | }, | ||
170 | 12 | { | ||
171 | 13 | "author": "pfsmorigo", | ||
172 | 14 | "note": "this is a note" | ||
173 | 15 | }, | ||
174 | 16 | { | ||
175 | 17 | "author": "sbeattie", | ||
176 | 18 | "note": "this is another note. It contains for too many words for a\nnote. Why are there so many words in this note?" | ||
177 | 19 | } | ||
178 | 20 | ], | ||
179 | 21 | "priority": "low", | ||
180 | 22 | "cvss3": null, | ||
181 | 23 | "references": [ | ||
182 | 24 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234" | ||
183 | 25 | ], | ||
184 | 26 | "bugs": [ | ||
185 | 27 | "" | ||
186 | 28 | ], | ||
187 | 29 | "packages": [ | ||
188 | 30 | { | ||
189 | 31 | "name": "package", | ||
190 | 32 | "source": "https://launchpad.net/ubuntu/+source/package", | ||
191 | 33 | "ubuntu": "https://packages.ubuntu.com/search?suite=all§ion=all&arch=any&searchon=sourcenames&keywords=package", | ||
192 | 34 | "debian": "https://tracker.debian.org/pkg/package", | ||
193 | 35 | "statuses": [ | ||
194 | 36 | { | ||
195 | 37 | "release_codename": "trusty", | ||
196 | 38 | "status": "released", | ||
197 | 39 | "description": "1.2.3", | ||
198 | 40 | "pocket": "security" | ||
199 | 41 | }, | ||
200 | 42 | { | ||
201 | 43 | "release_codename": "jammy", | ||
202 | 44 | "status": "released", | ||
203 | 45 | "description": "4.5.6", | ||
204 | 46 | "pocket": "security" | ||
205 | 47 | }, | ||
206 | 48 | { | ||
207 | 49 | "release_codename": "upstream", | ||
208 | 50 | "status": "needs-triage", | ||
209 | 51 | "description": "", | ||
210 | 52 | "pocket": "security" | ||
211 | 53 | } | ||
212 | 54 | ] | ||
213 | 55 | } | ||
214 | 56 | ], | ||
215 | 57 | "status": "active", | ||
216 | 58 | "tags": {}, | ||
217 | 59 | "patches": { | ||
218 | 60 | "package": [] | ||
219 | 61 | }, | ||
220 | 62 | "published": "2020-08-04 17:00:00 UTC" | ||
221 | 63 | } | ||
222 | 64 | ] | ||
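Review bot: the expected JSON makes the ordering explicit (the author-less "Priority reason" entry at lines 8-11 precedes the two real notes), which matches an append placed before the `for [author, note] in cve_data["Notes"]` loop; when the website gets its own priority-reason field, this is the file to update by dropping that first element. One thing to check rather than accept: sbeattie's note keeps its wrap as "\n" (line 18) while the priority reason is flattened onto one line with a space (line 10). The fixture encodes that asymmetry without saying whether it comes from cve_lib's parsing of the two fields or from the publisher, and a reader comparing the two notes will wonder which one is the intended behaviour.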
224 | 1 | 2.40.1 | 65 | 2.40.1 |
Steve Beattie (sbeattie) wrote :
On Thu, Aug 10, 2023 at 08:35:58PM -0000, Emilia Torino wrote:
> Leaving one question just in case, otherwise LGTM!
>
> Diff comments:
>
> > diff --git a/scripts/
> > index d6af0e7..d5a0042 100755
> > --- a/scripts/
> > +++ b/scripts/
> > @@ -163,6 +163,10 @@ def post_single_
> >
> > notes = []
> >
> > + # TODO Remove this when we have the proper field ir ready
>
> s/ir/is? Seems a typo :), also if that's the case maybe "we have" should be removed? So either remove everything after field, or remove "we have" I guess
>
> > + if cve_data[
>
> Should we check cve_data[
In hindsight, it would have been useful to have hidden the accessors behind an
api in cve_lib, something like
cve_lib.
cve_lib.
so that we can move to a future where the internal structures of cves
are hidden in a class. That said, I don't know how to make the api
export the case where we have a different priority for a specific
package or release.
> > + notes.append(
> > +
> > for [author, note] in cve_data["Notes"]:
> > notes.append(
> >
>
>
> --
> https:/
> You are subscribed to branch ubuntu-
>
--
Steve Beattie
<email address hidden>
Steve Beattie (sbeattie) wrote :
Wow, emailing a patch attachment really confused the merge request interface.
Anyway, my attempts to create testcases resulted in the following merge request:
https:/
Paulo Flabiano Smorigo (pfsmorigo) wrote :
> Leaving one question just in case, otherwise LGTM!
Fixed the typo and added a check as you suggested. I added it anyway but, to be honest, the check is not really necessary since the element is always a tuple with two elements:
>>> cveinfo[
['medium', '']
>>> cveinfo[
['negligible', '']
>>> cveinfo[
['low', '']
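The behaviour the merge request describes, prepending the priority reason to the notes list, as an added example that is not code from ubuntu-cve-tracker. The fixture parser is a simplified reconstruction of what the test files and expected JSON in Steve's patch show (indented continuation lines; a priority reason wraps with a space, a note wraps with a newline); the real cve_lib parser may differ. The `get_priority`/`get_priority_reason` accessors are hypothetical, in the spirit of the cve_lib API suggested in review, and the sample CVE text is constructed from the plus_notes fixture.

```python
"""Added example (not ubuntu-cve-tracker code): build the website-API
``notes`` list with the priority reason as an author-less first entry.
The parser is a reconstruction from the test fixtures in this thread;
the accessor functions are hypothetical."""
import json

# Constructed sample, modelled on test/website_api/use_priority_reason_plus_notes.
SAMPLE_CVE = """\
Candidate: CVE-2020-1234
Notes:
 pfsmorigo> this is a note
 sbeattie> this is another note. It contains for too many words for a
  note. Why are there so many words in this note?
Priority: low
 This is the reason the priority of this CVE is low. This cve is
 priority low for a very good reason.
Discovered-by:
"""


def parse_priority_and_notes(text):
    """Return {"Priority": [priority, reason], "Notes": [[author, note], ...]}
    from UCT-style text. Only the two fields the publisher change touches are
    modelled; other fields are recognised and skipped."""
    priority = ["", ""]
    notes = []
    current = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():          # "Field: value" at column 0
            field, _, value = raw.partition(":")
            current = field
            if field == "Priority":
                priority = [value.strip(), ""]
            continue
        line = raw.strip()
        if not line:
            continue
        if current == "Priority":                 # reason wraps with a space
            priority[1] = (priority[1] + " " + line).strip()
        elif current == "Notes":
            author, sep, body = line.partition("> ")
            if sep and " " not in author:          # "author> text" starts a note
                notes.append([author, body])
            elif notes:                            # indented wrap of the previous note
                notes[-1][1] += "\n" + line
    return {"Priority": priority, "Notes": notes}


# Hypothetical accessors (assumption: nothing on the page shows cve_lib has these).
def get_priority(cve_data):
    return cve_data["Priority"][0]


def get_priority_reason(cve_data):
    """Empty string when the reason is absent or the field is not a list, so a
    caller never indexes into a bare priority string by accident."""
    value = cve_data.get("Priority")
    if isinstance(value, (list, tuple)) and len(value) > 1:
        return value[1] or ""
    return ""


def build_notes(cve_data):
    """Mirror the publisher change: synthetic 'Priority reason' note first
    (author left empty, as in the merge request), then the real notes."""
    notes = []
    reason = get_priority_reason(cve_data)
    if reason:
        notes.append({"author": "", "note": "Priority reason:\n" + reason})
    for author, note in cve_data.get("Notes", []):
        notes.append({"author": author, "note": note})
    return notes


if __name__ == "__main__":
    cve_data = parse_priority_and_notes(SAMPLE_CVE)
    print(json.dumps({"priority": get_priority(cve_data),
                      "notes": build_notes(cve_data)}, indent=2))
```

Running it reproduces the three-entry `notes` array of use_priority_reason_plus_notes.json; with `Priority: medium` and no reason, `build_notes` returns only the real notes, which is the negative case the attached test patch does not cover.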
Preview Diff
1 | diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py | |||
2 | index d6af0e7..4bb95c7 100755 | |||
3 | --- a/scripts/publish-cves-to-website-api.py | |||
4 | +++ b/scripts/publish-cves-to-website-api.py | |||
5 | @@ -163,6 +163,10 @@ def post_single_cve(cve_filename): | |||
6 | 163 | 163 | ||
7 | 164 | notes = [] | 164 | notes = [] |
8 | 165 | 165 | ||
9 | 166 | # TODO Remove this when we have the proper field is ready | ||
10 | 167 | if len(cve_data["Priority"]) > 1 and cve_data["Priority"][1]: | ||
11 | 168 | notes.append({"author": "", "note": "Priority reason:\n" + cve_data["Priority"][1]}) | ||
12 | 169 | |||
13 | 166 | for [author, note] in cve_data["Notes"]: | 170 | for [author, note] in cve_data["Notes"]: |
14 | 167 | notes.append({"author": author, "note": note}) | 171 | notes.append({"author": author, "note": note}) |
15 | 168 | 172 |
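Review bot: the TODO on new line 166 still does not read correctly after the s/ir/is/ fix ("Remove this when we have the proper field is ready"); Emilia's suggestion was to drop either "we have" or everything after "field", e.g. `# TODO: remove once the website has a proper priority reason field`. The guard on line 167, `len(cve_data["Priority"]) > 1 and cve_data["Priority"][1]`, covers a one-element list and an empty reason, consistent with the two-element lists shown in the thread; it would not catch a bare string, since `len("low") > 1` is true and `"low"[1]` is truthy, so its value rests on the structure always being a sequence. Line 168 leaves `"author": ""`; if the ubuntu-security author suggested in review is adopted, this line and the two JSON fixtures in the attached test patch are the only places to change.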