On Fri, 17 Dec 2021 13:56:26 +0000 Neil Williams <codehelp@debian.org> wrote:
> On Fri, 10 Dec 2021 10:56:25 +0000 Neil Williams <codehelp@debian.org>
> wrote:
> > A tool to automate a syntactically correct change to a specific CVE
> > would be a useful extension of this support, not just to add the bug
> > number once the email is received from the BTS but to also make other
> > standard changes:
> >
> > - mark a given released suite (stable/oldstable/LTS) as <not-affected>
>
> For this operation, should <not-affected> clear only specific kinds for
> the specified suite?
>
> e.g. if kind==fixed, then version would need to be unset for the CVE to
> show as not-affected & any bug number might also have to be cleared if
> the suite was specified as sid?
>
> Should annotations like "Minor issue" be retained or removed?
>
> Or should the script refuse to change kind==fixed & possibly others &
> maybe only make changes if kind is None?
>
Candidate bin/update-vuln script is now in my fork on Salsa:
https://salsa.debian.org/codehelp/security-tracker/-/blob/grabcvefix/bin/update-vuln
https://salsa.debian.org/codehelp/security-tracker/-/raw/grabcvefix/bin/update-vuln
As noted in the script:

    Only make one change to one CVE at a time. Review and merge that
    change and delete the merged file before updating the same CVE.

The workflow would be:

    ./bin/update-vuln --cve CVE-YYYY-NNNNN ...
    # on exit zero:
    ./bin/merge-cve-files ./CVE-YYYY-NNNNN.list
    # review change to data/CVE/list
    git diff data/CVE/list
    rm ./CVE-YYYY-NNNNN.list
    # .. step and repeat
    git add data/CVE/list
    git commit
As with #1001451 and grab-cve-in-fix, the code may yet need to move
into lib.python.sectracker to be properly tested. The change in
#1001451 for merge-cve-files is also needed for the update-vuln support.
Note the addition of the --description option for <not-affected>
support - that will typically require quoting the argument.
e.g.

    $ ./bin/update-vuln --cve CVE-YYYY-NNNNN --src <SRC_PKG> --suite buster --description "Vulnerable code introduced later"

    $ ./bin/update-vuln --help
    usage: update-vuln [-h] --cve CVE [--src SRC --suite SUITE [--description DESCRIPTION]] | [[--number NUMBER] [--itp SRC]] | [--note NOTE]

    Make a single update to specified CVE data as not-affected, add bug number or add a note

    optional arguments:
      -h, --help            show this help message and exit

    Required arguments:
      --cve CVE             The CVE ID to update

    Marking a CVE as not-affected - must use --src and --suite. Optionally add a description or omit to remove the current description:
      --src SRC             Source package name in SUITE
      --suite SUITE         Mark the CVE as <not-affected> in SUITE
      --description DESCRIPTION
                            Optional description of why the SRC is unaffected in SUITE

    Add a bug number to the CVE:
      --number NUMBER       Debian BTS bug number
      --itp SRC             Mark as an ITP bug for the specified source package name

    Add a NOTE: entry to the CVE:
      --note NOTE           Content of the NOTE: entry to add to the CVE

    Data is written to a new <cve_number>.list file which can be used with './bin/merge-cve-files'. Make sure the output file is merged and removed before updating the same CVE again.
--
Neil Williams
=============
https://linux.codehelp.co.uk/
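The three single-change operations discussed in this message (mark a suite <not-affected>, add a bug number or ITP, add a NOTE: entry), written out as a stand-alone illustration that is not the bin/update-vuln script from the Salsa fork and is not code from the security-tracker project. It assumes the data/CVE/list line syntax: a header "CVE-ID (description)", tab-indented "- src version (annotations)" for unstable, "[suite] - src <status> (annotations)" for a release, and "NOTE: text"; the sample entries, package names and bug numbers are constructed for the example. For the open question in the quoted reply about kind==fixed, the example takes one assumed policy: a suite line that already records a real fixed version is refused rather than overwritten, while a pseudo-version line such as <no-dsa> is replaced and its old annotation ("Minor issue") dropped in favour of the new description.

```python
import re

# Constructed sample in data/CVE/list syntax; CVE ids, packages and bug
# numbers are made up for this illustration.
SAMPLE_LIST = """\
CVE-2021-0001 (Example issue in libfoo)
\t- libfoo 1.2-3
\t[bullseye] - libfoo 1.2-2
\t[buster] - libfoo <no-dsa> (Minor issue)
\tNOTE: constructed sample entry, not a real CVE
CVE-2021-0002 [Another constructed sample]
\t- libbar <unfixed>
"""

# "[suite] - src version-or-<status> (annotations)"
SUITE_RE = re.compile(
    r'^\t\[(?P<suite>[^\]]+)\] - (?P<src>\S+) (?P<version>\S+)(?: \((?P<ann>.*)\))?$')
# "- src version-or-<status> (annotations)"  (the unstable / sid line)
SID_RE = re.compile(r'^\t- (?P<src>\S+) (?P<version>\S+)(?: \((?P<ann>.*)\))?$')


def split_entries(text):
    """Group data/CVE/list lines by CVE id, keeping line order."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith('CVE-'):
            current = line.split()[0]
            entries[current] = [line]
        elif current is not None:
            entries[current].append(line)
    return entries


def _insert_point(lines):
    """Index before the first NOTE:/TODO: line, so package lines stay grouped."""
    for i, line in enumerate(lines):
        if line.startswith(('\tNOTE:', '\tTODO:')):
            return i
    return len(lines)


def mark_not_affected(lines, src, suite, description=None):
    """Return a copy with "[suite] - src <not-affected>".

    An existing pseudo-version line for that suite is replaced and its old
    annotation dropped (omit description to remove it).  A line carrying a
    real fixed version raises instead of being overwritten, so a recorded
    fix is never silently discarded (assumed policy for this example).
    """
    new = f'\t[{suite}] - {src} <not-affected>'
    if description:
        new += f' ({description})'
    out = list(lines)
    for i, line in enumerate(out):
        m = SUITE_RE.match(line)
        if m and m.group('suite') == suite and m.group('src') == src:
            if not m.group('version').startswith('<'):
                raise ValueError(f'{suite} already records fixed version {m.group("version")}')
            out[i] = new
            return out
    out.insert(_insert_point(out), new)
    return out


def add_bug_number(lines, number, itp_src=None):
    """Return a copy with "bug #number" attached.

    With itp_src, add a separate "- itp_src <itp> (bug #number)" line;
    otherwise prepend the bug to the sid line's annotations.
    """
    out = list(lines)
    if itp_src:
        out.insert(_insert_point(out), f'\t- {itp_src} <itp> (bug #{number})')
        return out
    for i, line in enumerate(out):
        m = SID_RE.match(line)
        if not m:
            continue
        ann = m.group('ann')
        if ann and 'bug #' in ann:
            raise ValueError(f'sid line already carries a bug: {ann}')
        note = f'bug #{number}' + (f'; {ann}' if ann else '')
        out[i] = f'\t- {m.group("src")} {m.group("version")} ({note})'
        return out
    raise ValueError('no sid line to attach the bug number to')


def add_note(lines, note):
    """Return a copy with a NOTE: line appended."""
    return list(lines) + [f'\tNOTE: {note}']


def fragment(cve, lines):
    """Render one CVE block as the contents of <cve>.list for merge-cve-files."""
    if not lines[0].startswith(cve):
        raise ValueError(f'block does not start with {cve}')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    entry = split_entries(SAMPLE_LIST)['CVE-2021-0001']
    updated = mark_not_affected(entry, 'libfoo', 'buster', 'Vulnerable code introduced later')
    print(fragment('CVE-2021-0001', updated), end='')
```

Each function returns a new list rather than editing in place, so a refused change leaves the parsed entry untouched and the caller still writes exactly one CVE block per run, matching the one-change-at-a-time rule quoted from the script.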