[Git][security-tracker-team/security-tracker][30-improve-gen-dsa-by-checking-cve-s-are-related-to-package] Furher improvements after more thinking and review comments.

Ola Lundqvist (@opal) opal at debian.org
Sat Aug 31 21:50:00 BST 2024



Ola Lundqvist pushed to branch 30-improve-gen-dsa-by-checking-cve-s-are-related-to-package at Debian Security Tracker / security-tracker


Commits:
799e7ca6 by Ola Lundqvist at 2024-08-31T22:38:52+02:00
Furher improvements after more thinking and review comments.

  Updated after code review comments.
   - Description of the check-package-cves file improved.
   - Improved variable naming.

  Ensure that only the release described is checked.

  When checking, make sure to check the main CVE list and, when
  applicable, extra lists instead of just checking one list.

- - - - -


2 changed files:

- bin/check-package-cves
- bin/gen-DSA


Changes:

=====================================
bin/check-package-cves
=====================================
@@ -1,11 +1,16 @@
 #!/usr/bin/python3
 #
-# Check if a package is affected by  no-dsa tags from data/CVE/list
+# Check if a package is affected by CVEs. If not the command
+# will print the CVEs that are not related to the package and
+# exit with an error code.
+#
+# data/CVE/list is always checked. Extra lists are checked if applicable.
+#
+# The releases argument is only used to locate the correct CVE list file.
 #
 # Copyright © 2021 Emilio Pozuelo Monfort <pochu at debian.org>
+#   Based on code from remove-cve-dist-tags.
 # Copyright © 2024 Ola Lundqvist <opal at debian.org>
-# This script is written by Ola, but based on remove-cve-tags written by
-# Emilio.
 
 import os.path
 import sys
@@ -22,23 +27,26 @@ releases = sys.argv[1].split(",")
 package = sys.argv[2]
 cves = sys.argv[3:]
 
-main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+main_lists = []
+main_lists.append(os.path.dirname(__file__) + '/../data/CVE/list')
 # check if another file was specified in config, e.g. a ExtendedFile
 
 for release in releases:
     distconfig = config.get_config()[release]
     if 'maincvefile' in distconfig:
-        main_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+        check_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+        if not check_list in main_lists:
+            main_lists.append(check_list)
 
-data = cvelist(main_list)
 cvematch = []
-
-for cve in data:
-    if cve.header.name in cves:
-        for annotation in cve.annotations:
-            if isinstance(annotation, PackageAnnotation):
-                if annotation.package == package:
-                    cvematch.append(cve.header.name)
+for main_list in main_lists:
+    data = cvelist(main_list)
+    for cve in data:
+        if cve.header.name in cves:
+            for annotation in cve.annotations:
+                if isinstance(annotation, PackageAnnotation):
+                    if annotation.package == package:
+                        cvematch.append(cve.header.name)
 
 error = 0
 for cve in cves:
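Review bot: An empty release list still reaches `config.get_config()[release]` on the first line of the `for release in releases:` loop, because `releases = sys.argv[1].split(",")` (shown in the hunk header, outside the hunk) yields `['']` for an empty argument; if `get_config()` returns a plain dict that lookup raises KeyError, and since gen-DSA's new `CHECKDISTS` is built by a grep that can match nothing, the `bin/check-package-cves "${CHECKDISTS}" ...` call in bin/gen-DSA would then die with a traceback instead of reporting unrelated CVEs. Skipping blank entries with `for release in filter(None, releases):` keeps the script usable from that caller; a `[ -n "${CHECKDISTS}" ]` guard in gen-DSA, like the one it already has for `REMOVEDISTS`, would be the other half. Two smaller points on the same lines: `if not check_list in main_lists:` reads more naturally as `if check_list not in main_lists:`, and `os.path.join(os.path.dirname(__file__), '..', distconfig['maincvefile'])` avoids the hand-built `'/../'` path. The `error = 0` loop that consumes `cvematch` continues outside the hunk.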


=====================================
bin/gen-DSA
=====================================
@@ -2,6 +2,7 @@
 
 ####################
 #    Copyright (C) 2011, 2012, 2013, 2014 by Raphael Geissert <geissert at debian.org>
+#    Copyright (C) 2024 by Ola Lundqvist <opal at debian.org>
 #
 #
 #    This file is free software: you can redistribute it and/or modify
@@ -357,8 +358,8 @@ for dist in $RELEASES; do
     setvar $dist
 done
 
-DISTS=
-DISTSX=
+REMOVEDISTS=
+CHECKDISTS=
 
 for dist in $CODENAMES; do
     version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
@@ -370,15 +371,17 @@ for dist in $CODENAMES; do
 	fi
     fi
     [ -z "$version" ] || setvar "${dist}_VERSION" "$version"
-    [ -z "$version" ] || DISTS="${DISTS},${dist}"
-    DISTSX="${DISTSX},${dist}"
+    [ -z "$version" ] || REMOVEDISTS="${REMOVEDISTS},${dist}"
+    if grep -q "${dist}_VERSION" "$tmpf"; then
+	CHECKDISTS="${CHECKDISTS},${dist}"
+    fi
 done
 
-DISTS="${DISTS#,}"
-DISTSX="${DISTSX#,}"
+REMOVEDISTS="${REMOVEDISTS#,}"
+CHECKDISTS="${CHECKDISTS#,}"
 
 set +e
-WARNCVES=$(bin/check-package-cves "${DISTSX}" "${PACKAGE}" ${CVE})
+WARNCVES=$(bin/check-package-cves "${CHECKDISTS}" "${PACKAGE}" ${CVE})
 if [ $? -ne 0 ] ; then
     for id in $WARNCVES; do
 	warn "'$id' is not related to the package ${PACKAGE}. Check package name and CVE identity." >&2
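Review bot: The new `grep -q "${dist}_VERSION" "$tmpf"` test uses the codename as an unanchored regular expression, so any template line that merely mentions `<codename>_VERSION` (a comment, or another assignment containing that text) adds the dist to CHECKDISTS, which is looser than the "only the release described" rule the commit message states. If `$tmpf` is the shell-style file whose `${dist}_VERSION` variables the `eval` earlier in this loop reads, anchoring to the assignment, `if grep -q -E "^${dist}_VERSION=" "$tmpf"; then`, matches exactly the releases the template declares. A one-line comment above the test explaining why CHECKDISTS can differ from REMOVEDISTS (presumably a declared but empty version still needs its CVE list checked) would help the next reader. The `for dist in $CODENAMES` loop starts, and `$tmpf` is assigned, outside this hunk.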
@@ -387,8 +390,9 @@ if [ $? -ne 0 ] ; then
     read choice
 fi
 set -e
-if [ -n "${DISTS}" ]; then
-    bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE}
+
+if [ -n "${REMOVEDISTS}" ]; then
+    bin/remove-cve-dist-tags "${REMOVEDISTS}" "${PACKAGE}" ${CVE}
 fi
 
 if ! $save; then
@@ -427,11 +431,11 @@ EOF
     echo "$IDMODE text written to ./$IDMODE-$DAID"
     if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then
 	idmode=$(echo "$IDMODE" | tr A-Z a-z)
-	if [ -n "${DISTS}" ]; then
+	if [ -n "${REMOVEDISTS}" ]; then
 	    # in case the advisory applies to several dists, we only look for an
 	    # extra cve file in the first one
-	    DIST="`echo ${DISTS} | sed 's/,.*//'`"
-	    extracvefile=`jq -r ".distributions.${DIST}.maincvefile // empty" data/config.json`
+	    REMOVEDIST="`echo ${REMOVEDISTS} | sed 's/,.*//'`"
+	    extracvefile=`jq -r ".distributions.${REMOVEDIST}.maincvefile // empty" data/config.json`
 	fi
 	if [ -d .git ]; then
 	    echo "Made the following changes:"


