[Git][security-tracker-team/security-tracker][remove-cve-dist-tags-on-DSA] 2 commits: Add a script to remove dist tags (e.g. postponed) from CVE/list
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Wed Nov 3 11:56:16 GMT 2021
Emilio Pozuelo Monfort pushed to branch remove-cve-dist-tags-on-DSA at Debian Security Tracker / security-tracker
Commits:
155c2ca5 by Emilio Pozuelo Monfort at 2021-11-03T12:55:14+01:00
Add a script to remove dist tags (e.g. postponed) from CVE/list
This can be useful when releasing a DSA that fixes some CVEs that
were previously triaged as no-dsa.
- - - - -
464007fa by Emilio Pozuelo Monfort at 2021-11-03T12:55:14+01:00
gen-DSA: call remove-cve-dist-tags
This will remove 'obsolete' tags for a CVE for a given release
and package if it is being fixed in a security update.
- - - - -
2 changed files:
- bin/gen-DSA
- + bin/remove-cve-dist-tags
Changes:
=====================================
bin/gen-DSA
=====================================
@@ -367,6 +367,7 @@ for dist in $CODENAMES; do
fi
fi
[ -z "$version" ] || setvar "${dist}_VERSION" "$version"
+ [ -z "$version" ] || bin/remove-cve-dist-tags "${dist}" "${PACKAGE}" ${CVE}
done
if ! $save; then
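Review bot: the new line runs `bin/remove-cve-dist-tags` (which rewrites data/CVE/list) on every invocation, including runs where `$save` is false, so a dry run of gen-DSA now has a persistent side effect on the tracker data; consider guarding the call with `$save` or moving it into the save branch that follows. The relative path `bin/remove-cve-dist-tags` also assumes gen-DSA is invoked from the repository root, whereas `"$(dirname "$0")/remove-cve-dist-tags"` would work from any directory. Leaving `${CVE}` unquoted is needed here for word splitting into separate CVE arguments, which is worth a short comment since it looks like an accidental omission next to the quoted `"${dist}"` and `"${PACKAGE}"`.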
=====================================
bin/remove-cve-dist-tags
=====================================
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+#
+# Remove no-dsa tags from data/CVE/list
+#
+# Copyright © 2021 Emilio Pozuelo Monfort <pochu at debian.org>
+
+import os.path
+import sys
+
+import setup_paths # noqa
+import config
+from sectracker.parsers import cvelist, writecvelist, PackageAnnotation
+
+
+def keep_annotation(cve, annotation):
+ if not isinstance(annotation, PackageAnnotation):
+ return True
+
+ if cve.header.name in cves and \
+ annotation.release == release and \
+ annotation.package == package:
+ print(f"removing annotation for {cve.header.name}/{package}/{release}")
+ return False
+
+ return True
+
+
+def parse_list(path):
+ data, messages = cvelist(path)
+
+ return data
+
+if len(sys.argv) <= 3:
+ # assume there are no CVEs, so nothing to do
+ sys.exit(0)
+
+release = sys.argv[1]
+package = sys.argv[2]
+cves = sys.argv[3:]
+
+main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+# check if another file was specified in config, e.g. a ExtendedFile
+distconfig = config.get_config()[release]
+if 'maincvefile' in distconfig:
+ main_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+
+data = parse_list(main_list)
+new_data = []
+
+for cve in data:
+ annotations = list(
+ annotation
+ for annotation in cve.annotations
+ if keep_annotation(cve, annotation)
+ )
+ cve = cve._replace(annotations=annotations)
+ new_data.append(cve)
+
+with open(main_list, 'w') as f:
+ writecvelist(new_data, f)
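Review bot: `parse_list` drops the `messages` returned by `cvelist(path)` and the script then rewrites the file in place with `open(main_list, 'w')`, so parse warnings or errors are never surfaced and a failure inside `writecvelist` leaves data/CVE/list truncated; print or fail on non-empty `messages`, and write to a temporary file in the same directory followed by `os.replace()` so the rewrite is atomic. The header comment says "Remove no-dsa tags", but `keep_annotation` discards every `PackageAnnotation` whose `release` and `package` match, whatever tag it carries, so either the comment should say so or the filter should be restricted to the tags the commit message names. Minor points: `os.path.dirname(__file__) + '/../data/CVE/list'` yields `/../data/CVE/list` when the script is invoked without a directory component (dirname is empty), so prefer `os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'data', 'CVE', 'list')`; and `keep_annotation` reads `cves`, `release` and `package` as module globals that are only assigned further down, which would be clearer as explicit parameters.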
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5f36c52fbfd00f1ccd3ac7b03895b435cce5d027...464007faa3b0fc6c3ed75cccb4264121687e0cda