[Git][security-tracker-team/security-tracker][master] 4 commits: gen-DSA: check the CVE list consistency (Closes: #43)
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Mon Nov 17 12:14:42 GMT 2025
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e08c6a2e by Sylvain Beucler at 2025-07-11T15:49:10+02:00
gen-DSA: check the CVE list consistency (Closes: #43)
Print a warning if a CVE is not affecting the package.
Designed with minimal intrusiveness for gen-DSA.
Closes: #43
- - - - -
0260c6ea by Sylvain Beucler at 2025-11-14T18:41:22+01:00
Indentation size 2->4 spaces
- - - - -
93deb3e7 by Sylvain Beucler at 2025-11-14T18:42:58+01:00
Advertise 'no' as the default result when asking for confirmation
- - - - -
cd9d9a6f by Emilio Pozuelo Monfort at 2025-11-17T12:14:36+00:00
Merge branch 'check-dsa-cve-ids' into 'master'
gen-DSA: check the CVE list consistency (Closes: #43)
Closes #43
See merge request security-tracker-team/security-tracker!226
- - - - -
2 changed files:
- + bin/check-advisory-cve-ids
- bin/gen-DSA
Changes:
=====================================
bin/check-advisory-cve-ids
=====================================
@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+# Check whether the package is affected by the provided CVE IDs
+# Copyright 2025 Sylvain Beucler
+#
+# This file is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see <https://www.gnu.org/licenses/>.
+
+import argparse
+import os
+
+import setup_paths
+import debian_support
+from sectracker import parsers
+
+
+parser = argparse.ArgumentParser(
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ description="""Check whether the package is affected by the provided CVE IDs.
+This is meant to be used by bin/gen-DSA and bin/gen-DLA.
+This helps spot mistyped or not-affected CVEs.
+""",
+)
+parser.add_argument('dists', metavar='DISTS',
+ help='Debian release(s), comma-separated, may be empty')
+parser.add_argument('package', metavar='PACKAGE',
+ help='affected package')
+parser.add_argument('cve_ids', nargs='*', metavar='CVE',
+ help='CVE IDs to verify for the package')
+args = parser.parse_args()
+
+dists = args.dists.split(',')
+if len(args.cve_ids) == 0:
+ # gen-DSA accepts generating advisory without CVE, proceed
+ raise SystemExit(0)
+
+
+# Loading cvefiles takes a few seconds, keep user informed
+print("Checking CVE IDs...")
+
+# Get a list of packages linked for each CVE
+# If a package is <not-affected> globally or for any DISTS, drop it (i.e. warn)
+cve_files = [ s['path'] for s in debian_support.getconfig()['sources']
+ if s['class'] in ['CVEFile','CVEExtendFile'] ]
+valid_packages={}
+for path in cve_files:
+ cve_entries = parsers.cvelist(os.path.dirname(__file__)
+ + '/../data' + path) # path=='/data/xxx/list'
+ for cve_entry in cve_entries:
+ cve_id = cve_entry.header.name
+ if cve_id not in args.cve_ids:
+ continue
+ linked_packages = set()
+ not_affected = set()
+ for ann in cve_entry.annotations:
+ if (ann.type == 'package' and ann.release is None):
+ linked_packages.add(ann.package)
+ if (ann.type == 'package' and ann.release in dists + [None]
+ and ann.kind == 'not-affected'):
+ not_affected.add(ann.package)
+ valid_packages[cve_id] = linked_packages - not_affected
+
+# Warn about mismatches
+valid = True
+for cve_id in args.cve_ids:
+ if args.package not in valid_packages.get(cve_id,set()):
+ print("warning: {} does not affect {}{}".format(
+ cve_id, args.package, '/'+args.dists if args.dists else ''))
+ valid = False
+
+# Ask for confirmation
+if not valid:
+ ret = 'n'
+ try:
+ ret = input("Continue? y/N\n")
+ except EOFError:
+ pass
+ if ret.lower() != 'y':
+ raise SystemExit(1)
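Review bot: the warning text can be misleading when DISTS names more than one release. Because `not_affected` collects any annotation with `ann.release in dists + [None]` and `valid_packages[cve_id] = linked_packages - not_affected` drops the package on a single match, a CVE marked `[bookworm] - pkg <not-affected>` but affecting trixie will print "does not affect pkg/bookworm,trixie" even though the advisory is correct for trixie. Either record the releases that matched and print them ("not-affected in bookworm"), or only drop the package when it is not-affected globally or in every listed release. Two smaller points in the same block: a CVE ID that appears in no cvefile at all falls through `valid_packages.get(cve_id, set())` and is reported with the same "does not affect" message as a known CVE, so a mistyped ID is no longer called out as unknown (consider a separate "is not known" message when `cve_id not in valid_packages`); and the warnings and the prompt go to stdout via print(), whereas the check they replace in gen-DSA wrote to stderr. Also, the comment on the `parsers.cvelist(...)` line says `path=='/data/xxx/list'`, which concatenated with `'/../data'` would resolve to `data/data/xxx/list`; please confirm the configured paths are relative to the data directory and fix the comment (or use os.path.join) so the two agree. The --help text says the script is for gen-DSA and gen-DLA, but only gen-DSA is wired up in this merge request.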
=====================================
bin/gen-DSA
=====================================
@@ -231,10 +231,6 @@ CVE_LIST="$(printf '%s' "$CVE" | sed -r "$sed_cmd")"
for id in $CVE; do
REFERENCES=$(($REFERENCES+1))
- grep -wq "^$id" data/CVE/list || {
- warn "'$id' is not known" >&2
- }
-
TEXT="$TEXT\n\n$id\n\n Description"
done
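Review bot: this was the only place a mistyped ID was reported as unknown ("'$id' is not known"), and it was a non-fatal stderr warning. Its replacement, invoked later in the file, reports every mismatch as "does not affect" and then prompts, so the "unknown ID" signal is lost unless bin/check-advisory-cve-ids grows a distinct message for IDs it finds in no cvefile. Worth noting in the commit message as well, since "Print a warning if a CVE is not affecting the package" does not say that the existing known-ID check is removed rather than kept alongside.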
@@ -374,6 +370,7 @@ done
DISTS="${DISTS#,}"
+bin/check-advisory-cve-ids "${DISTS}" "${PACKAGE}" ${CVE} || exit 1
if [ -n "${DISTS}" ]; then
bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE}
fi
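Review bot: `bin/check-advisory-cve-ids ... || exit 1` changes gen-DSA from "warn and continue" to "abort" for any mismatch when stdin is not a terminal, because the script answers the confirmation with 'n' on EOFError and exits 1. That is the safe default, but it affects scripted or piped invocations, so it should be stated in the commit message or in a comment above this line. Placement before bin/remove-cve-dist-tags is right, since the abort happens before any data is modified; unquoted `${CVE}` is intentional word splitting, consistent with the call on the next line. Note also that an empty `${DISTS}` still invokes the check, and the script then matches only global annotations; a short comment here saying so would help the next reader of gen-DSA.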
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d78f851d51039e5429c597997b9aadafd8b400be...cd9d9a6f538491d7c0de73653e9cd9a4ed1f7142