[Secure-testing-commits] r14058 - bin lib/python

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Feb 7 22:10:53 UTC 2010


Author: gilbert-guest
Date: 2010-02-07 22:10:53 +0000 (Sun, 07 Feb 2010)
New Revision: 14058

Modified:
   bin/tracker_service.py
   bin/update-nvd
   lib/python/bugs.py
   lib/python/security_db.py
Log:
use nvd urgencies and add finer control for per-release pages

Modified: bin/tracker_service.py
===================================================================
--- bin/tracker_service.py	2010-02-07 22:10:48 UTC (rev 14057)
+++ bin/tracker_service.py	2010-02-07 22:10:53 UTC (rev 14058)
@@ -24,10 +24,11 @@
     webservice_base_class = WebServiceHTTP
 
 class BugFilter:
-    default_action_list = [("show_high_urgency", "only high urgencies"),
-                           ("show_medium_urgency", "only medium and high urgencies"),
-                           ("show_remote_only", "only remote vulnerabilities"),
-                           ("show_undetermined_urgency", "undetermined and unimportant urgencies")]
+    default_action_list = [('show_high_urgency', 'only high urgencies'),
+                           ('show_medium_urgency', 'only medium and high urgencies'),
+                           ('show_undetermined_urgency', 'issues that may be vulnerable but need to be checked (shown in purple)'),
+                           ('show_unimportant_urgency', 'unimportant issues'),
+                           ('show_remote_only', 'only remote vulnerabilities')]
     def __init__(self, params, action_list=None):
         if action_list is None:
             self.action_list = self.default_action_list
@@ -59,22 +60,25 @@
     def urgencyFiltered(self, urg, vuln):
         """Returns True for urgencies that should be filtered."""
         filterlow = self.params['show_medium_urgency'] and \
-                    urg in ('low', 'unimportant', 'undetermined')
+                    urg in ('low', 'low**', 'unimportant',
+                    'undetermined', 'not yet assigned')
         filtermed = self.params['show_high_urgency'] and \
-                    urg in ('medium', 'low', 'unimportant', 'undetermined')
-        filteruni = not self.params['show_undetermined_urgency'] \
-                    and vuln == 2 or urg == 'unimportant'
-        return filterlow or filtermed or filteruni
+                    urg in ('medium', 'medium**', 'low', 'low**',
+                    'unimportant', 'undetermined', 'not yet assigned')
+        filterund = not self.params['show_undetermined_urgency'] and vuln == 2
+        filteruni = not self.params['show_unimportant_urgency'] \
+                    and urg == 'unimportant'
+        return filterlow or filtermed or filterund or filteruni
 
     def remoteFiltered(self, remote):
         """Returns True for only remote flaws if filtered."""
-        return remote is not None and not self.params['show_remote_only'] \
+        return remote is not None and self.params['show_remote_only'] \
                and not remote
 
 class BugFilterNoDSA(BugFilter):
     def __init__(self, params):
         BugFilter.__init__(self, params, self.default_action_list
-            + [('show_nodsa', 'non-DSA vulnerabilities')])
+            + [('show_nodsa', 'issues that are not severe enough to warrant a DSA')])
 
     def nodsaFiltered(self, nodsa):
         """Returns True for no DSA issues if filtered."""
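Review bot: The urgency tuples in urgencyFiltered (lines 44-45 and 51-52) enumerate every `**`-suffixed NVD variant by hand, so each further suffix or urgency has to be added in two places; stripping the marker once, `base = urg.rstrip('*')`, and testing `base in ('low', 'unimportant', 'undetermined', 'not yet assigned')` keeps both lists to the bare urgency names. Both tuples also still list 'undetermined', which bugs.py in this same commit stops producing in favour of 'not yet assigned'; if no stored record still carries the old string the entry is dead, and if some do this is the only place that recognises them, so either way a short comment saying which is the case would help. The remoteFiltered change at line 61 drops the `not` on show_remote_only and so inverts that filter; if this is an intended bug fix the log message does not mention it. nodsaFiltered's body continues outside the hunk.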
@@ -112,6 +116,14 @@
 }
 ''')).toHTML()
     
+    nvd_text =  P('''If a "**" is included, the urgency field was automatically
+        assigned by the NVD (National Vulnerability Database). Note that this
+        rating is automatically derived from a set of known factors about the
+        issue (such as access complexity, confidentiality impact, exploitability,
+        remediation level, and others). Human intervention is involved in
+        determining the values of these factors, but the rating itself comes
+        from a fully automated formula.''')
+
     def __init__(self, socket_name, db_name):
         webservice_base_class.__init__(self, socket_name)
         self.db = security_db.DB(db_name)
@@ -422,6 +434,8 @@
                             urgency = ''
                     else:
                         ver = self.make_red('(unfixed)')
+                    if urgency == 'not yet assigned':
+                        urgency = ''
 
                     pkg = n.package
                     pkg_kind = n.package_kind
@@ -658,11 +672,10 @@
                 else:
                     remote = 'no'
 
-                if vulnerable == 2:
+                if urgency.startswith('high'):
+                    urgency = self.make_red(urgency)
+                elif vulnerable == 2:
                     urgency = self.make_purple(urgency)
-
-                if urgency == 'high':
-                    urgency = self.make_red(urgency)
                 else:
                     if no_dsa:
                         urgency = urgency + '*'
@@ -672,10 +685,10 @@
         return self.create_page(
             url, 'Vulnerable source packages in the %s suite' % release,
             [bf.actions(url), BR(),
-             make_table(gen(), caption=("Package", "Bug", "Urgency",
-                                        "Remote")),
-             P('''(If a "*" is included in the urgency field, no DSA is planned
-for this vulnerability.)''')])
+             make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote")),
+             P('''If a "*" is included in the urgency field, no DSA is planned
+                  for this vulnerability.'''),
+             self.nvd_text])
 
     def page_status_release_stable(self, path, params, url):
         return self.page_status_release_stable_oldstable('stable', params, url)
@@ -715,9 +728,6 @@
                 else:
                     remote = 'no'
 
-                if sid_vulnerable == 2:
-                    urgency = self.make_purple(urgency)
-
                 if ts_fixed:
                     status = 'fixed in testing-security'
                 else:
@@ -726,6 +736,11 @@
                     else:
                         status = self.make_dangerous('fixed in unstable')
 
+                if urgency.startswith('high'):
+                    urgency = self.make_red(urgency)
+                elif vulnerable == 2:
+                    urgency = self.make_purple(urgency)
+
                 yield (pkg_name, self.make_xref(url, bug_name),
                        urgency, remote, status)
 
@@ -734,8 +749,8 @@
             [make_menu(url.scriptRelative,
                        ("status/dtsa-candidates", "Candidates for DTSAs")),
              bf.actions(url), BR(),
-             make_table(gen(), caption=("Package", "Bug", "Urgency",
-                                        "Remote"))])
+             make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote")),
+             self.nvd_text])
 
     def page_status_release_unstable_like(self, path, params, url,
                                           rel, title):
@@ -774,7 +789,7 @@
                 else:
                     remote = 'no'
 
-                if urgency == 'high':
+                if urgency.startswith('high'):
                     urgency = self.make_red(urgency)
                 elif vulnerable == 2:
                     urgency = self.make_purple(urgency)
@@ -789,8 +804,8 @@
             if there are still some vulnerably binary packages present
             in the archive."""),
              bf.actions(url), BR(),
-             make_table(gen(), caption=('Package', 'Bug', 'Urgency',
-                                        'Remote'))])
+             make_table(gen(), caption=('Package', 'Bug', 'Urgency', 'Remote')),
+             self.nvd_text])
 
     def page_status_release_unstable(self, path, params, url):
         return self.page_status_release_unstable_like(
@@ -858,8 +873,10 @@
                 else:
                     remote = 'no'
 
-                if urgency == 'high':
+                if urgency.starstwith('high'):
                     urgency = self.make_red(urgency)
+                elif vulnerable == 2:
+                    urgency = self.make_purple(urgency)
 
                 if stable_later:
                     notes = "(fixed in stable?)"
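Review bot: Line 184 calls `urgency.starstwith('high')`, a misspelling of `startswith`; `str` has no such attribute, so this page raises AttributeError as soon as the generator reaches the first row, and the commit leaves it broken. The fix is `if urgency.startswith('high'):`, matching the other pages changed in this commit (lines 101, 140, 164). The generator's body starts and ends outside the hunk.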

Modified: bin/update-nvd
===================================================================
--- bin/update-nvd	2010-02-07 22:10:48 UTC (rev 14057)
+++ bin/update-nvd	2010-02-07 22:10:53 UTC (rev 14058)
@@ -43,8 +43,5 @@
 data.sort()
 
 cursor = db.writeTxn()
-if incremental:
-    db.updateNVD(cursor, data)
-else:
-    db.replaceNVD(cursor, data)
+db.updateNVD(cursor, data, incremental)
 db.commit(cursor)

Modified: lib/python/bugs.py
===================================================================
--- lib/python/bugs.py	2010-02-07 22:10:48 UTC (rev 14057)
+++ lib/python/bugs.py	2010-02-07 22:10:53 UTC (rev 14058)
@@ -23,7 +23,7 @@
 
 def listUrgencies():
     urgencies = {}
-    urgs = ("high", "medium", "low", "unimportant", "undetermined")
+    urgs = ('high', 'medium', 'low', 'unimportant', 'not yet assigned')
     for u in range(len(urgs)):
         urgencies[urgs[u]] = Urgency(urgs[u], -u)
     Urgency.urgencies = urgencies
@@ -140,10 +140,7 @@
 
     def __init__(self, package, version, notes, release=None):
         bugs = []
-        if version == 'undetermined':
-            urgency = 'undetermined'
-        else:
-            urgency = 'low'
+        urgency = 'not yet assigned'
         if notes is not None:
             for n in self.re_notes_split.split(notes):
                 u = internUrgency(n)

Modified: lib/python/security_db.py
===================================================================
--- lib/python/security_db.py	2010-02-07 22:10:48 UTC (rev 14057)
+++ lib/python/security_db.py	2010-02-07 22:10:53 UTC (rev 14058)
@@ -1140,6 +1140,30 @@
         # architectures.
         # FIXME: MAX(n.urgency) is wrong.
 
+        # assign nvd urgencies to those that have not yet been assigned
+        if self.verbose:
+            print "    insert nvd urgencies"
+        cursor.execute(
+            """REPLACE INTO source_package_status
+            SELECT s.bug_name, s.package, s.vulnerable,
+            CASE WHEN n.severity == 'Medium' THEN 'medium**'
+            ELSE CASE WHEN n.severity == 'High' THEN 'high**'
+            ELSE CASE WHEN n.severity == 'Low' THEN 'low**'
+            ELSE 'not yet assigned' END END END
+            FROM nvd_data AS n, source_package_status AS s
+            WHERE s.bug_name == n.cve_name
+            AND s.urgency == 'not yet assigned'""")
+        cursor.execute(
+            """REPLACE INTO binary_package_status
+            SELECT b.bug_name, b.package, b.vulnerable,
+            CASE WHEN n.severity == 'Medium' THEN 'medium**'
+            ELSE CASE WHEN n.severity == 'High' THEN 'high**'
+            ELSE CASE WHEN n.severity == 'Low' THEN 'low**'
+            ELSE 'not yet assigned' END END END
+            FROM nvd_data AS n, binary_package_status AS b
+            WHERE b.bug_name == n.cve_name
+            AND b.urgency == 'not yet assigned'""")
+
         # Calculate the release-specific bug status.
 
         if self.verbose:
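Review bot: The nested `CASE WHEN ... ELSE CASE ...` pyramids at lines 247-250 and 257-260 are a single searched CASE written three levels deep and then duplicated for the two tables; a flat `CASE n.severity WHEN 'High' THEN 'high**' WHEN 'Medium' THEN 'medium**' WHEN 'Low' THEN 'low**' ELSE 'not yet assigned' END` says the same thing once and is easier to keep in step when a severity is added, and the statement for the two tables can share one template. Because the comparison is an exact string match, an NVD severity in any other spelling or case falls silently into the ELSE branch and the row stays 'not yet assigned'; if nvd_data's severity column is not normalised on import, a comment here should say so. The `**` suffix is the only marker telling readers that the urgency came from the external feed rather than the team, and the WHERE clause is what keeps the REPLACE from overwriting a human-assigned urgency; both deserve a comment. The enclosing method starts and ends outside the hunk.
```python
        # assign nvd urgencies to those that have not yet been assigned;
        # the '**' suffix marks the value as feed-derived, and the WHERE
        # clause keeps REPLACE from touching a human-assigned urgency
        if self.verbose:
            print "    insert nvd urgencies"
        # table names below are fixed literals from the tuple, never user input
        nvd_urgency_sql = """REPLACE INTO %s
            SELECT p.bug_name, p.package, p.vulnerable,
            CASE n.severity
                WHEN 'High' THEN 'high**'
                WHEN 'Medium' THEN 'medium**'
                WHEN 'Low' THEN 'low**'
                ELSE 'not yet assigned' END
            FROM nvd_data AS n, %s AS p
            WHERE p.bug_name == n.cve_name
            AND p.urgency == 'not yet assigned'"""
        for table in ('source_package_status', 'binary_package_status'):
            cursor.execute(nvd_urgency_sql % (table, table))
        # … unchanged: release-specific bug status calculation …
```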
@@ -1308,7 +1332,7 @@
         c.execute("""DELETE FROM vulnlist WHERE name LIKE 'TEMP-0000000-%'""")
 
         urgency_to_flag = {'low' : 'L', 'medium' : 'M', 'high' : 'H',
-                           'unknown' : ' ' , 'undetermined' : ' '}
+                           'not yet assigned' : ' '}
 
         result = ["VERSION 0\n"]
         for (name, package, fixed_version, kind, urgency, remote, description,
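Review bot: The mapping at lines 271-273 drops the 'unknown' and 'undetermined' keys while the code that consumes urgency_to_flag lies outside the hunk; if that consumer subscripts the dict directly, any row whose urgency is still one of the old strings — existing database content, or a value the rename in bugs.py did not reach — now raises KeyError while generating the debsecan data instead of emitting a blank flag. The `**`-suffixed values the REPLACE statements earlier in this commit write into source_package_status ('high**', 'medium**', 'low**') are not keys here either, so if this loop reads urgency from that table those rows take the same path. Either keep the old keys next to 'not yet assigned' until the data is known to be migrated, or look up with `urgency_to_flag.get(urgency.rstrip('*'), ' ')`. The same edit appears in the next hunk (lines 280-282); the enclosing method starts and ends outside this hunk.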
@@ -1442,7 +1466,7 @@
         fill_bug_to_index()
 
         urgency_to_flag = {'low' : 'L', 'medium' : 'M', 'high' : 'H',
-                           'unknown' : ' ', 'undetermined' : ' '}
+                           'not yet assigned' : ' '}
 
         vuln_list = []
         source_packages = {}
@@ -1615,7 +1639,6 @@
             self.calculateDebsecan0(release)
         self.calculateDebsecan1()
         
-
     def getDebsecan(self, name):
         """Returns the debsecan data item NAME."""
         for (data,) in self.cursor().execute(
@@ -1624,16 +1647,11 @@
         else:
             return None
 
-    def replaceNVD(self, cursor, data):
-        """Replaces the stored NVD data."""
-        cursor.execute("DELETE FROM nvd_data");
-        cursor.executemany("INSERT INTO nvd_data VALUES (?"
-                           + (", ?" * (len(data[0]) - 1))
-                           + ")", data)
-
-    def updateNVD(self, cursor, data):
-        """Adds (and overwrites) NVD data stored in the database.
-        This can be used for incremental updates."""
+    def updateNVD(self, cursor, data, incremental):
+        """Adds (and overwrites) NVD data stored in the database.  This
+        can be used for incremental updates if incremental is True."""
+        if not incremental:
+            cursor.execute("DELETE FROM nvd_data");
         cursor.executemany("INSERT OR REPLACE INTO nvd_data VALUES (?"
                            + (", ?" * (len(data[0]) - 1))
                            + ")", data)
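Review bot: `len(data[0])` at line 314 raises IndexError when data is empty, and in the non-incremental path the `DELETE FROM nvd_data` at line 312 has already run by then, so an empty or failed NVD feed clears the table before the error surfaces (whether the caller's transaction rolls that back depends on code outside the hunk). A guard at the top of the method, `if not data: raise ValueError('no NVD data to store')`, makes the failure explicit before anything is deleted. The semicolon at the end of line 312 is a leftover from the removed replaceNVD. The docstring should also say what the new parameter does: `incremental -- when False, existing rows are deleted first so the table ends up holding exactly data`.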



