[Git][security-tracker-team/security-tracker][30-improve-gen-dsa-by-checking-cve-s-are-related-to-package] Print a warning in gen-DSA if the package cannot be found for a given CVE

Ola Lundqvist (@opal) opal at debian.org
Fri Aug 30 22:50:56 BST 2024



Ola Lundqvist pushed to branch 30-improve-gen-dsa-by-checking-cve-s-are-related-to-package at Debian Security Tracker / security-tracker


Commits:
95106bb6 by Ola Lundqvist at 2024-08-30T23:48:09+02:00
Print a warning in gen-DSA if the package cannot be found for a given CVE

  Introduced a new bin/check-package-cves script that checks whether
  CVE(s) are related to a package. If not, a list of CVEs not matching
  the package is printed and the script exits with error code 1.
  If all CVEs match the package, nothing is printed and the script exits with 0.

  bin/gen-DSA is also updated to call this new script and, if an exit
  code != 0 is returned, print a warning for the CVEs and ask the
  user whether it should proceed.

  For more information see:
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/61

- - - - -


2 changed files:

- + bin/check-package-cves
- bin/gen-DSA


Changes:

=====================================
bin/check-package-cves
=====================================
@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+#
+# Check if a package is affected by  no-dsa tags from data/CVE/list
+#
+# Copyright © 2021 Emilio Pozuelo Monfort <pochu at debian.org>
+# Copyright © 2024 Ola Lundqvist <opal at debian.org>
+# This script is written by Ola, but based on remove-cve-tags written by
+# Emilio.
+
+import os.path
+import sys
+
+import setup_paths  # noqa
+import config
+from sectracker.parsers import cvelist, PackageAnnotation
+
+if len(sys.argv) <= 3:
+    # assume there are no CVEs, so nothing to do
+    sys.exit(0)
+
+releases = sys.argv[1].split(",")
+package = sys.argv[2]
+cves = sys.argv[3:]
+
+main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+# check if another file was specified in config, e.g. a ExtendedFile
+
+for release in releases:
+    distconfig = config.get_config()[release]
+    if 'maincvefile' in distconfig:
+        main_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+
+data = cvelist(main_list)
+cvematch = []
+
+for cve in data:
+    if cve.header.name in cves:
+        for annotation in cve.annotations:
+            if isinstance(annotation, PackageAnnotation):
+                if annotation.package == package:
+                    cvematch.append(cve.header.name)
+
+error = 0
+for cve in cves:
+    if not cve in cvematch:
+        error = 1
+        print(f"{cve}")
+
+exit (error)
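Review bot: the header comment at the top of the new file ("Check if a package is affected by  no-dsa tags from data/CVE/list") is carried over from remove-cve-tags and does not describe this script; replace it with what the script actually does, e.g. "Check that each given CVE carries a package annotation for PACKAGE in data/CVE/list; print the non-matching CVEs and exit 1". Two further points in the same file: the `for release in releases:` loop overwrites `main_list` on every iteration, so only the last release's `maincvefile` setting takes effect and the releases play no other role in the match (the comparison `annotation.package == package` does not look at the release), which deserves a comment if it is intended; and an unhandled exception (for instance a `KeyError` from `config.get_config()[release]` for an unknown release name) exits with status 1 and a traceback that the caller cannot tell apart from a genuine mismatch, so consider catching that and using a distinct exit code. Style: `exit (error)` should be `sys.exit(error)`, since `exit` is the site-module convenience and not guaranteed to exist, `if not cve in cvematch` reads better as `if cve not in cvematch`, and `print(f"{cve}")` is just `print(cve)`.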


=====================================
bin/gen-DSA
=====================================
@@ -358,6 +358,7 @@ for dist in $RELEASES; do
 done
 
 DISTS=
+DISTSX=
 
 for dist in $CODENAMES; do
     version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
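Review bot: `DISTSX=` is introduced without a comment saying how it differs from `DISTS`; from the later hunk it collects every codename in `$CODENAMES`, including those for which no version was found, whereas `DISTS` keeps only the ones with a version. A one-line comment above the declaration (and a more descriptive name such as `ALL_DISTS` instead of the `X` suffix) would make that distinction clear to the next reader.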
@@ -370,10 +371,22 @@ for dist in $CODENAMES; do
     fi
     [ -z "$version" ] || setvar "${dist}_VERSION" "$version"
     [ -z "$version" ] || DISTS="${DISTS},${dist}"
+    DISTSX="${DISTSX},${dist}"
 done
 
 DISTS="${DISTS#,}"
+DISTSX="${DISTSX#,}"
 
+set +e
+WARNCVES=$(bin/check-package-cves "${DISTSX}" "${PACKAGE}" ${CVE})
+if [ $? -ne 0 ] ; then
+    for id in $WARNCVES; do
+	warn "'$id' is not related to the package ${PACKAGE}. Check package name and CVE identity." >&2
+    done
+    echo Are you sure you want to continue. If so press enter. If not Press Ctrl-C.
+    read choice
+fi
+set -e
 if [ -n "${DISTS}" ]; then
     bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE}
 fi
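Review bot: the `$?` check after `WARNCVES=$(bin/check-package-cves ...)` treats every non-zero exit as a CVE mismatch, but the script also exits non-zero with empty output when it fails for another reason (a Python traceback from an unknown release, for example); in that case the `for id in $WARNCVES` loop prints nothing and the user is asked to confirm without being told why. Check the output as well, e.g. `if [ $? -ne 0 ] && [ -n "$WARNCVES" ]`, or test for the specific exit code and abort on anything else. The `set +e` / `set -e` toggling can be dropped by writing `if ! WARNCVES=$(bin/check-package-cves "${DISTSX}" "${PACKAGE}" ${CVE}); then`, since the status of the assignment is the status of the command substitution. Minor points: the `echo` prompt is unquoted and oddly punctuated, so write it as `echo "Are you sure you want to continue? If so press Enter, otherwise press Ctrl-C." >&2`; `read choice` can be `read -r _` as `choice` is never used; the `warn` line is indented with a tab while the surrounding code uses spaces; and the `>&2` on `warn` is redundant if `warn` already writes to stderr.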



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95106bb6feeb307dabeccf0651262400f220b6f5


