[Git][security-tracker-team/security-tracker][master] Add a script to merge two CVE files
Emilio Pozuelo Monfort
pochu at debian.org
Mon Dec 21 13:41:17 GMT 2020
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b117d83c by Emilio Pozuelo Monfort at 2020-12-21T14:41:03+01:00
Add a script to merge two CVE files
It currently supports the necessary annotations to automatically merge
the point release lists.
- - - - -
1 changed file:
- + bin/merge-cve-files
Changes:
=====================================
bin/merge-cve-files
=====================================
@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+#
+# Merge a separate CVE file (such as data/next-point-update.txt) back into
+# the main one.
+#
+# Copyright © 2020 Emilio Pozuelo Monfort <pochu at debian.org>
+
+import os.path
+import sys
+
+import setup_paths # noqa
+from debian_support import internRelease
+from sectracker.parsers import cvelist, writecvelist, PackageAnnotation
+
+def merge_annotations(old_annotations, new_annotation):
+ if not isinstance(new_annotation, PackageAnnotation):
+ raise NotImplementedError(f"unsupported annotation of type {type(annotation)}")
+
+ # filter out the current annotation, if any
+ annotations = [ann for ann in old_annotations
+ if not isinstance(ann, PackageAnnotation)
+ or ann.package != new_annotation.package
+ or ann.release != new_annotation.release]
+
+ # append the new one at the right place
+ for idx, annotation in enumerate(annotations):
+ if not isinstance(annotation, PackageAnnotation) \
+ or annotation.package != new_annotation.package:
+ continue
+
+ next_annotation = annotations[idx + 1] if len(annotations) > (idx + 1) else None
+ if next_annotation and isinstance(next_annotation, PackageAnnotation) \
+ and next_annotation.package == new_annotation.package \
+ and internRelease(new_annotation.release) < internRelease(next_annotation.release):
+ continue
+
+ annotations.insert(idx + 1, new_annotation)
+ return annotations
+
+def parse_list(path):
+ data, messages = cvelist(path)
+
+ for m in messages:
+ sys.stderr.write(str(m) + "\n")
+
+ return data
+
+if len(sys.argv) not in (2, 3):
+ print(f"Usage: {os.path.basename(sys.argv[0])} (CVE/list) extra-cve-list")
+ sys.exit(1)
+
+if len(sys.argv) == 3:
+ main_list = sys.argv[1]
+else:
+ main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+
+extra_list = sys.argv[-1]
+
+data = parse_list(main_list)
+extra_data = parse_list(extra_list)
+
+for extra_bug in extra_data:
+ bug = next(bug for bug in data if bug.header.name == extra_bug.header.name)
+
+ new_annotations = bug.annotations
+ for extra_annotation in extra_bug.annotations:
+ new_annotations = merge_annotations(new_annotations, extra_annotation)
+
+ bug = bug._replace(annotations=new_annotations)
+ data = [bug if bug.header.name == old_bug.header.name else old_bug for old_bug in data]
+
+with open(main_list, 'w') as f:
+ writecvelist(data, f)
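Review bot: In `merge_annotations` the error path formats `type(annotation)`, but no `annotation` name is bound at that point, so an unsupported annotation surfaces as a NameError instead of the intended NotImplementedError; the line should read `raise NotImplementedError(f"unsupported annotation of type {type(new_annotation)}")`. The insertion loop only places the new annotation after an existing entry for the same package, so when the CVE has no entry for that package nothing is inserted. Indentation is lost in this rendering, but if `return annotations` sits inside the loop the function then returns None and the next call fails on it; an `annotations.append(new_annotation)` and `return annotations` after the loop would probably cover that case. In the main loop `next(...)` has no default, so a CVE that exists only in the extra list ends the run with a bare StopIteration; `next((b for b in data if b.header.name == extra_bug.header.name), None)` with an explicit error message naming the CVE would be easier to act on. Finally, `open(main_list, 'w')` truncates the tracker's CVE list before `writecvelist` runs, so an exception during the write leaves the data file partial; writing to a temporary file in the same directory and moving it into place with `os.replace()` keeps the original intact on failure.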
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b117d83ca38d664c4470a0b7e27926ac17bc2834