[Git][security-tracker-team/security-tracker][master] 5 commits: Add a script to remove dist tags (e.g. postponed) from CVE/list
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Nov 3 14:30:42 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
155c2ca5 by Emilio Pozuelo Monfort at 2021-11-03T12:55:14+01:00
Add a script to remove dist tags (e.g. postponed) from CVE/list
This can be useful when releasing a DSA that fixes some CVEs that
were previously triaged as no-dsa.
- - - - -
464007fa by Emilio Pozuelo Monfort at 2021-11-03T12:55:14+01:00
gen-DSA: call remove-cve-dist-tags
This will remove 'obsolete' tags for a CVE for a given release
and package if it is being fixed in a security update.
- - - - -
5c746ce6 by Emilio Pozuelo Monfort at 2021-11-03T13:53:21+01:00
bin/remove-cve-dist-tags: accept multiple releases
The release argument is a comma-separated list now.
- - - - -
ff71382f by Emilio Pozuelo Monfort at 2021-11-03T13:53:21+01:00
gen-DSA: only call remove-cve-dist-tags once
And do it after we've asked for all the versions. Calling the script
after asking for each version and before asking for the next is
annoying as the script takes some time due to the size of CVE/list.
This way not only do we avoid that wait between user inputs, but we
also avoid calling the script and thus parsing CVE/list multiple times.
- - - - -
00d2920d by Salvatore Bonaccorso at 2021-11-03T14:30:39+00:00
Merge branch 'remove-cve-dist-tags-on-DSA' into 'master'
Remove obsolete CVE dist tags when fixing them in a security update
See merge request security-tracker-team/security-tracker!92
- - - - -
2 changed files:
- bin/gen-DSA
- + bin/remove-cve-dist-tags
Changes:
=====================================
bin/gen-DSA
=====================================
@@ -357,6 +357,8 @@ for dist in $RELEASES; do
setvar $dist
done
+DISTS=
+
for dist in $CODENAMES; do
version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
if $save && [ -z "$version" ] && grep -q "${dist}_VERSION" "$tmpf"; then
@@ -367,8 +369,11 @@ for dist in $CODENAMES; do
fi
fi
[ -z "$version" ] || setvar "${dist}_VERSION" "$version"
+ [ -z "$version" ] || DISTS="${DISTS},${dist}"
done
+bin/remove-cve-dist-tags "${DISTS#,}" "${PACKAGE}" ${CVE}
+
if ! $save; then
cat $tmpf
echo
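Review bot: the new `bin/remove-cve-dist-tags "${DISTS#,}" "${PACKAGE}" ${CVE}` call runs even when no version was entered for any codename: `DISTS` then stays empty, and the script receives an empty release argument, which `"".split(",")` turns into `[""]` and `config.get_config()[""]` rejects with a KeyError instead of doing nothing. Guard the call with `[ -n "$DISTS" ] &&` (or have the script exit early on an empty first argument). The call is also placed before the `if ! $save` branch, so data/CVE/list is rewritten even on a run that only prints the generated text rather than saving it, and the relative path `bin/remove-cve-dist-tags` only resolves when gen-DSA is invoked from the repository root; consider calling it only when `$save` is true and locating the helper relative to `$0`.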
=====================================
bin/remove-cve-dist-tags
=====================================
@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+#
+# Remove no-dsa tags from data/CVE/list
+#
+# Copyright © 2021 Emilio Pozuelo Monfort <pochu at debian.org>
+
+import os.path
+import sys
+
+import setup_paths # noqa
+import config
+from sectracker.parsers import cvelist, writecvelist, PackageAnnotation
+
+
+def keep_annotation(cve, annotation):
+ if not isinstance(annotation, PackageAnnotation):
+ return True
+
+ if cve.header.name in cves and \
+ annotation.release in releases and \
+ annotation.package == package:
+ print(f"removing annotation for {cve.header.name}/{package}/{annotation.release}")
+ return False
+
+ return True
+
+
+def parse_list(path):
+ data, messages = cvelist(path)
+
+ return data
+
+if len(sys.argv) <= 3:
+ # assume there are no CVEs, so nothing to do
+ sys.exit(0)
+
+releases = sys.argv[1].split(",")
+package = sys.argv[2]
+cves = sys.argv[3:]
+
+main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+# check if another file was specified in config, e.g. a ExtendedFile
+
+for release in releases:
+ distconfig = config.get_config()[release]
+ if 'maincvefile' in distconfig:
+ main_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+
+data = parse_list(main_list)
+new_data = []
+
+for cve in data:
+ annotations = list(
+ annotation
+ for annotation in cve.annotations
+ if keep_annotation(cve, annotation)
+ )
+ cve = cve._replace(annotations=annotations)
+ new_data.append(cve)
+
+with open(main_list, 'w') as f:
+ writecvelist(new_data, f)
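Review bot: `parse_list` discards the `messages` returned by `cvelist` without checking them, and the result is then written back over the same file with `open(main_list, 'w')`, so a parse problem or an exception inside `writecvelist` leaves a truncated or partial data/CVE/list. Check (or at least print) the messages before rewriting, and write to a temporary file in the same directory followed by `os.replace()` so the list is updated atomically. Two smaller points: with several releases the loop over `releases` keeps only the last `maincvefile`, so if the releases are configured with different main CVE files only one of them is edited; and `keep_annotation` matches on release and package alone, without looking at the annotation kind, so it removes every annotation for that release/package, not only the no-dsa/postponed tags the header comment describes, which is worth either stating in the comment or restricting to the intended kinds.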
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e365b3031d754ad20b14055371ad49e6572c21c4...00d2920d845953d6e5cf719b154917b94dec3e0a