
Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number



On Fri, 17 Dec 2021 13:56:26 +0000 Neil Williams <codehelp@debian.org> wrote:
> On Fri, 10 Dec 2021 10:56:25 +0000 Neil Williams <codehelp@debian.org>
> wrote:
> > A tool to automate a syntactically correct change to a specific CVE
> > would be a useful extension of this support, not just to add the bug
> > number once the email is received from the BTS but to also make other
> > standard changes:
> > 
> > - mark a given released suite (stable/oldstable/LTS) as <not-affected>
> 
> For this operation, should <not-affected> clear only specific kinds for
> the specified suite?
> 
> e.g. if kind==fixed, then version would need to be unset for the CVE to
> show as not-affected & any bug number might also have to be cleared if
> the suite was specified as sid?
> 
> Should annotations like "Minor issue" be retained or removed?
> 
> Or should the script refuse to change kind==fixed & possibly others &
> maybe only make changes if kind is None?
> 

Candidate bin/update-vuln script is now in my fork on Salsa:

https://salsa.debian.org/codehelp/security-tracker/-/blob/grabcvefix/bin/update-vuln
https://salsa.debian.org/codehelp/security-tracker/-/raw/grabcvefix/bin/update-vuln

As noted in the script:

Only make one change to one CVE at a time. Review and merge that
change and delete the merged file before updating the same CVE.

The workflow would be:
./bin/update-vuln --cve CVE-YYYY-NNNNN ...
# on exit zero:
./bin/merge-cve-files ./CVE-YYYY-NNNNN.list
# review change to data/CVE/list
git diff data/CVE/list
rm ./CVE-YYYY-NNNNN.list
# .. step and repeat
git add data/CVE/list
git commit

As with #1001451 and grab-cve-in-fix, the code may yet need to move
into lib.python.sectracker to be properly tested. The change in
#1001451 for merge-cve-files is also needed for the update-vuln support.

Note the addition of the --description option for <not-affected>
support - that will typically require quoting the argument.

e.g.
$ ./bin/update-vuln --cve CVE-YYYY-NNNNN --src <SRC_PKG> --suite buster --description "Vulnerable code introduced later"


$ ./bin/update-vuln --help
usage: update-vuln [-h] --cve CVE [--src SRC --suite SUITE [--description DESCRIPTION]] | [[--number NUMBER] [--itp SRC]] | [--note NOTE]

Make a single update to specified CVE data as not-affected, add bug number or add a note

optional arguments:
  -h, --help            show this help message and exit

Required arguments:
  --cve CVE             The CVE ID to update

Marking a CVE as not-affected - must use --src and --suite Optionally add a description or omit to remove the current description:
  --src SRC             Source package name in SUITE
  --suite SUITE         Mark the CVE as <not-affected> in SUITE
  --description DESCRIPTION
                        Optional description of why the SRC is unaffected in SUITE

Add a bug number to the CVE:
  --number NUMBER       Debian BTS bug number
  --itp SRC             Mark as an ITP bug for the specified source package name

Add a NOTE: entry to the CVE:
  --note NOTE           Content of the NOTE: entry to add to the CVE

Data is written to a new <cve_number>.list file which can be used with './bin/merge-cve-files'. Make sure the output file is merged and removed before updating the same CVE again.


-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
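As an added illustration, not the bin/update-vuln script from the fork linked above (whose code is not reproduced on this page), the following Python sketch performs the three single-change operations the --help text lists against one CVE entry: marking a source package <not-affected> in a suite, attaching a BTS bug number (plain or ITP), and adding a NOTE: line. Everything about the entry syntax is an assumption made for the example: tab-indented "- SRC STATE (annotations)" lines, an optional "[suite]" prefix, "bug #N" annotations separated by "; ", and NOTE: lines. The refusal to overwrite a suite line that already carries a fixed version is one possible answer to the open question quoted at the top of the thread, chosen here as the conservative option, and the sample entry is constructed rather than a real CVE record.

```python
import re

# Constructed sample entry (not a real CVE record); tab-indented like data/CVE/list.
SAMPLE_ENTRY = (
    "CVE-2099-0001 (Example issue in a hypothetical package)\n"
    "\t- examplepkg <unfixed> (low)\n"
    "\tNOTE: upstream fix pending\n"
)

# One package line: optional "[suite] " prefix, "- SRC STATE", optional "(annotations)".
# This line grammar is an assumption for the example.
PKG_RE = re.compile(
    r"^\t(?:\[(?P<suite>[^\]]+)\] )?- (?P<src>\S+) (?P<state>\S+)(?: \((?P<ann>.*)\))?$"
)
_ANN_SEP = "; "


def _parse(entry):
    lines = entry.rstrip("\n").split("\n")
    return lines[0], lines[1:]          # header line, body lines


def _render(header, body):
    return "\n".join([header, *body]) + "\n"


def _pkg_line(src, state, suite=None, ann=None):
    prefix = f"[{suite}] " if suite else ""
    tail = f" ({ann})" if ann else ""
    return f"\t{prefix}- {src} {state}{tail}"


def _last_pkg_index(body):
    # Index of the last package line, so inserts land above NOTE:/TODO: lines.
    return max((i for i, l in enumerate(body) if PKG_RE.match(l)), default=-1)


def _is_fixed(state):
    # A bare version string (not wrapped in <...>) means "fixed in that version".
    return not (state.startswith("<") and state.endswith(">"))


def mark_not_affected(entry, src, suite, description=None):
    """Add or replace the [suite] line for src with <not-affected>.

    Assumed policy: a suite line that already records a fixed version is
    never silently overwritten; the caller gets a ValueError instead.
    """
    header, body = _parse(entry)
    new_line = _pkg_line(src, "<not-affected>", suite, description)
    for i, line in enumerate(body):
        m = PKG_RE.match(line)
        if m and m["suite"] == suite and m["src"] == src:
            if _is_fixed(m["state"]):
                raise ValueError(f"{src} already fixed in {suite} ({m['state']}); refusing to change")
            body[i] = new_line          # replace e.g. an <unfixed> or <undetermined> suite line
            return _render(header, body)
    body.insert(_last_pkg_index(body) + 1, new_line)
    return _render(header, body)


def add_bug_number(entry, number, itp_src=None):
    """Attach 'bug #N' to the package's unsuited (sid) line, or add an <itp> line."""
    header, body = _parse(entry)
    if itp_src:
        body.insert(_last_pkg_index(body) + 1, _pkg_line(itp_src, "<itp>", None, f"bug #{number}"))
        return _render(header, body)
    for i, line in enumerate(body):
        m = PKG_RE.match(line)
        if m and m["suite"] is None:
            anns = [a for a in (m["ann"] or "").split(_ANN_SEP) if a]
            if any(a.startswith("bug #") for a in anns):
                raise ValueError(f"{m['src']} already carries a bug number")
            anns.insert(0, f"bug #{number}")   # keep existing annotations such as a severity
            body[i] = _pkg_line(m["src"], m["state"], None, _ANN_SEP.join(anns))
            return _render(header, body)
    raise ValueError("no unsuited package line to attach the bug number to")


def add_note(entry, text):
    """Append a NOTE: line; one change per call, matching the one-change workflow."""
    header, body = _parse(entry)
    body.append(f"\tNOTE: {text}")
    return _render(header, body)


if __name__ == "__main__":
    print(mark_not_affected(SAMPLE_ENTRY, "examplepkg", "buster", "Vulnerable code introduced later"))
    print(add_bug_number(SAMPLE_ENTRY, 999999))
```

Each function returns a complete rewritten entry rather than editing data/CVE/list in place, which mirrors the workflow above: the result would be written to a per-CVE .list file, merged and reviewed with git diff, and the file deleted before the same CVE is touched again.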
