Ubuntu CVE Tracker

Merge ~rodrigo-zaiden/ubuntu-cve-tracker:check_cves_uris into ubuntu-cve-tracker:master

  1. Git
  2. lp:~rodrigo-zaiden/ubuntu-cve-tracker
  3. check_cves_uris
  4. Merge into master
Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: eecc4691546f96a328e7b2bdce2532b026a21549
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:check_cves_uris
Merge into: ubuntu-cve-tracker:master
Diff against target: 22 lines (+3/-1)
1 file modified
scripts/check-cves (+3/-1)
Reviewer Review Type Date Requested Status
Mark Esler Approve
Marc Deslauriers Approve
Review via email: mp+463152@code.launchpad.net

Commit message

 scripts/check-cves: do not use allitems.xml by default

 if we set allitems.xml from MITRE by default, it is always loading
 that XML no matter if we have configured another path in
 .ubuntu-cve-tracker.conf file or not. instead, we should use that URL
 as a fallback if anything is set in the configuration file.

Description of the change

The idea of this commit is to re establish the MITRE's huge XML file
 https://cve.mitre.org/cve/downloads/allitems.xml
as the place to fetch for CVEs if, and only if, no other argument is used.
If we are using an specific source of CVEs to be imported we don't normally
use the 'allitems.xml' file from mitre.

Having it on default for the 'uris' argument, will make us check it no
matter if we have something being imported or not, that is, we will always
be checking 'allitems.xml' and what we passed along, for example:

if 'secure_testing_path' is setup in '~/.ubuntu-cve-tracker.conf' file and
we run:
 $UCT/scripts/check-cves --import-missing-debian
we are going to have:
 Loading /home/rodrigo/git-pulls/security-tracker/data/CVE/list ...
 Loading https://cve.mitre.org/cve/downloads/allitems.xml ...

when actually, the 'allitems.xml' used to be the fallback place to fetch
CVEs when another location is not set. at least this was the behavior
before commit 8b896cae083748f5bbec487d67cb33408a884c45.

The current behavior is happening because the mitre's URL is the default
for 'uris' and any other argument is appended to it.

The proposal is to move that URL back for the case that the script can't
find a proper place to look for CVEs.

To post a comment you must log in.
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

LGTM, ack.

review: Approve
Revision history for this message
Mark Esler (eslerm) wrote :

Thank you Rodrigo!

Small style nitpick is that `if not args.uris:` feels cleaner than `if len(args.uris) == 0:`

Since an empty list evaluates to False: `bool([])`

(note that `nargs='*'` implicitly sets args.uris to a list)

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/scripts/check-cves b/scripts/check-cves
2index e4ac77c..be0b713 100755
3--- a/scripts/check-cves
4+++ b/scripts/check-cves
5@@ -47,7 +47,7 @@ uct_config = read_uct_config()
6
7 # fmt: off
8 parser = argparse.ArgumentParser(prog="check_cves", description="check_cves builds UCT with new CVE data")
9-parser.add_argument('uris', nargs='*', default=["https://cve.mitre.org/cve/downloads/allitems.xml",])
10+parser.add_argument('uris', nargs='*', help="URIs to fetch CVEs")
11 parser.add_argument("-r", "--report", help="Just report CVEs that need checking", action="store_true")
12 parser.add_argument("-v", "--verbose", help="Report verbose details", action="store_true")
13 parser.add_argument("-d", "--debug", help="Report debugging information", action="store_true")
14@@ -1462,6 +1462,8 @@ if (args.import_missing_debian or args.mistriaged) and handler.debian is not Non
15 debian_import_json = import_debian(handler)
16 args.uris.append(debian_import_json)
17
18+if len(args.uris) == 0:
19+ args.uris.append("https://cve.mitre.org/cve/downloads/allitems.xml")
20
21 for uri in args.uris:
22 print(f'Loading {uri} ...', file=sys.stderr)

Subscribers

People subscribed via source and target branches