lp:~alexmurray/ubuntu-cve-tracker

Owned by Alex Murray
Get this repository:
git clone https://git.launchpad.net/~alexmurray/ubuntu-cve-tracker

Branches

Name Last Modified Last Commit
fix-packages-mirror-context-handling-to-fix-source-map-cache-generation 2024-05-14 05:18:44 UTC
.launchpad.yaml: fix packages-mirror inside lpci

Author: Alex Murray
Author Date: 2024-05-14 05:18:44 UTC

.launchpad.yaml: fix packages-mirror inside lpci

Signed-off-by: Alex Murray <alex.murray@canonical.com>

cisa-kev-poc 2024-05-14 02:08:47 UTC
scripts/check-syntax: fix logic error when evaluating all results

Author: Alex Murray
Author Date: 2024-05-14 02:08:47 UTC

scripts/check-syntax: fix logic error when evaluating all results

If any result failed we want the overall script to fail so we need to use AND
not OR here.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

oracular-opens-for-devel 2024-05-05 15:17:15 UTC
`./scripts/sync-from-versions.py -s not-affected -u` for oracular

Author: Alex Murray
Author Date: 2024-05-05 15:17:15 UTC

`./scripts/sync-from-versions.py -s not-affected -u` for oracular

Signed-off-by: Alex Murray <alex.murray@canonical.com>

add-cpes-to-check-cves 2024-05-01 03:40:56 UTC
scripts: refactor cpe handling to add some unit tests

Author: Alex Murray
Author Date: 2024-05-01 03:40:56 UTC

scripts: refactor cpe handling to add some unit tests

Signed-off-by: Alex Murray <alex.murray@canonical.com>

check-cves-hint-from-srcpkg-homepage-and-ref-urls 2024-04-12 10:45:58 UTC
scripts/check-cves: try match CVE references against package homepages

Author: Alex Murray
Author Date: 2024-04-12 02:52:25 UTC

scripts/check-cves: try match CVE references against package homepages

Parse and store the Homepage field in source_map and then try and match these
URLs against any we see in the references for a CVE to hint that the package is
likely affected.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

dump-features-add-apparmor-unprivileged-userns-restrictions 2024-03-22 01:51:59 UTC
scripts/dump-features: place AppArmor userns restrictions under AppArmor

Author: Alex Murray
Author Date: 2024-03-22 01:51:59 UTC

scripts/dump-features: place AppArmor userns restrictions under AppArmor

Signed-off-by: Alex Murray <alex.murray@canonical.com>

active-edit-fix-cvss-handling-for-lp2058614 2024-03-22 00:26:26 UTC
scripts/active_edit: explicitly parse cvss options

Author: Alex Murray
Author Date: 2024-03-22 00:21:53 UTC

scripts/active_edit: explicitly parse cvss options

This allows to handle and report any issues to the user in a more graceful
manner rather than just raising a bare exception at runtime.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

optimise-cve-lib-get-long-kernel-hash 2024-03-20 01:08:57 UTC
scripts/cve_lib.py: optimise get_long_kernel_hash()

Author: Alex Murray
Author Date: 2024-03-20 01:08:57 UTC

scripts/cve_lib.py: optimise get_long_kernel_hash()

The initial kernel git commit is a single huge commit which added the entire
2.6.12-rc2 kernel into the git repo - as such, fetching this takes a really long
time AND it is both a common Fixes: commit since it is used for anything which
has existed in the kernel since that time. So optimise for this case by checking
specifically if a short_hash matches this and just returning the known full
commit hash in that case without looking it up. Also for the general case, since
we really only need the first line of the commit patch body to get the "From "
line, just fetch the first 1k of the patch without waiting for the rest.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

fix-pyright-warnings-in-check-cves 2024-03-18 01:23:04 UTC
scripts/check-cves: fix a bunch of pyright warnings

Author: Alex Murray
Author Date: 2024-03-18 01:23:04 UTC

scripts/check-cves: fix a bunch of pyright warnings

Before:

± pyright scripts/check-cves
/home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:211:32 - error: Object of type "str" is not callable (reportCallIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:252:37 - error: Operator "+" not supported for types "str | Unknown | list[str | Unknown] | list[Unknown]" and "Literal['/data/DSA/list']"
    Operator "+" not supported for types "list[str | Unknown]" and "Literal['/data/DSA/list']"
    Operator "+" not supported for types "list[Unknown]" and "Literal['/data/DSA/list']" (reportOperatorIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:326:32 - error: Argument of type "(cve: Unknown) -> Unknown" cannot be assigned to parameter "desc" of type "str" in function "convert_to_nvd"
    "function" is incompatible with "str" (reportArgumentType)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:414:32 - error: Argument of type "(cve: Unknown) -> Unknown" cannot be assigned to parameter "desc" of type "str" in function "convert_to_nvd"
    "function" is incompatible with "str" (reportArgumentType)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:497:32 - error: Argument of type "(c: Unknown) -> str" cannot be assigned to parameter "desc" of type "str" in function "convert_to_nvd"
    "function" is incompatible with "str" (reportArgumentType)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:597:52 - error: Operator "+" not supported for types "str | Unknown | list[str | Unknown] | list[Unknown]" and "Literal['/data/CVE/list']"
    Operator "+" not supported for types "list[str | Unknown]" and "Literal['/data/CVE/list']"
    Operator "+" not supported for types "list[Unknown]" and "Literal['/data/CVE/list']" (reportOperatorIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:780:49 - error: Operator "not in" not supported for types "Literal['Previously triaged as ignored in Ubuntu\n\n']" and "str | None"
    Operator "not in" not supported for types "Literal['Previously triaged as ignored in Ubuntu\n\n']" and "None" (reportOperatorIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:786:30 - error: "split" is not a known member of "None" (reportOptionalMemberAccess)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:791:27 - error: "find" is not a known member of "None" (reportOptionalMemberAccess)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:791:59 - error: "find" is not a known member of "None" (reportOptionalMemberAccess)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:1474:20 - error: "_exceptions" is not a known member of module "xml.sax" (reportAttributeAccessIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:1622:39 - error: Argument of type "_TemporaryFileWrapper[str] | TextIO" cannot be assigned to parameter "file" of type "TextIO" in function "display_cve"
    Type "_TemporaryFileWrapper[str] | TextIO" cannot be assigned to type "TextIO"
      "_TemporaryFileWrapper[str]" is incompatible with "TextIO" (reportArgumentType)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:1631:39 - error: Argument of type "_TemporaryFileWrapper[str] | TextIO" cannot be assigned to parameter "file" of type "TextIO" in function "display_cve"
    Type "_TemporaryFileWrapper[str] | TextIO" cannot be assigned to type "TextIO"
      "_TemporaryFileWrapper[str]" is incompatible with "TextIO" (reportArgumentType)
13 errors, 0 warnings, 0 informations

After:

± pyright scripts/check-cves
/home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:253:37 - error: Operator "+" not supported for types "str | Unknown | list[str | Unknown] | list[Unknown]" and "Literal['/data/DSA/list']"
    Operator "+" not supported for types "list[str | Unknown]" and "Literal['/data/DSA/list']"
    Operator "+" not supported for types "list[Unknown]" and "Literal['/data/DSA/list']" (reportOperatorIssue)
  /home/amurray/ubuntu/git/ubuntu-cve-tracker/scripts/check-cves:598:52 - error: Operator "+" not supported for types "str | Unknown | list[str | Unknown] | list[Unknown]" and "Literal['/data/CVE/list']"
    Operator "+" not supported for types "list[str | Unknown]" and "Literal['/data/CVE/list']"
    Operator "+" not supported for types "list[Unknown]" and "Literal['/data/CVE/list']" (reportOperatorIssue)
2 errors, 0 warnings, 0 informations

Signed-off-by: Alex Murray <alex.murray@canonical.com>

misc-cve-lib-and-check-syntax-cleanups 2024-02-28 05:51:47 UTC
scripts/cve-mode.el: fix typo in docstring

Author: Alex Murray
Author Date: 2024-02-28 05:51:47 UTC

scripts/cve-mode.el: fix typo in docstring

Signed-off-by: Alex Murray <alex.murray@canonical.com>

check-syntax-support-for-kernel-patches 2024-02-28 01:02:55 UTC
scripts/cve_lib.py: remove assert in favor of more graceful failure

Author: Alex Murray
Author Date: 2024-02-28 01:02:55 UTC

scripts/cve_lib.py: remove assert in favor of more graceful failure

Signed-off-by: Alex Murray <alex.murray@canonical.com>

python3-12-deprecation-fixups 2024-02-26 07:26:32 UTC
scripts/active_edit: update for Python 3.12 deprecations

Author: Alex Murray
Author Date: 2024-02-26 07:26:32 UTC

scripts/active_edit: update for Python 3.12 deprecations

Signed-off-by: Alex Murray <alex.murray@canonical.com>

preserve-line-when-adding-cvss-in-cve-lib 2024-02-05 06:38:47 UTC
scripts/cve_lib.py: when adding CVSS preserve original line contents

Author: Alex Murray
Author Date: 2024-02-05 06:38:47 UTC

scripts/cve_lib.py: when adding CVSS preserve original line contents

As seen in the recent refresh of CVSS for retired/CVE-2007-4988 we could end up
losing contents otherwise.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

fix-lp-2028915-by-moving-priority-reason-checking-to-check-syntax 2024-02-05 02:56:46 UTC
scripts: move priority reason checking to check-syntax (LP: #2028915)

Author: Alex Murray
Author Date: 2023-07-28 07:37:00 UTC

scripts: move priority reason checking to check-syntax (LP: #2028915)

Signed-off-by: Alex Murray <alex.murray@canonical.com>

add-yescrypt-to-dump-features 2023-10-29 23:16:44 UTC
scripts/dump-features: yescrypt is default password hash since jammy

Author: Alex Murray
Author Date: 2023-10-29 23:16:44 UTC

scripts/dump-features: yescrypt is default password hash since jammy

Signed-off-by: Alex Murray <alex.murray@canonical.com>

add-boilerplates-readme 2023-08-08 06:07:40 UTC
Add a basic README.boilerplates to help document various use-cases

Author: Alex Murray
Author Date: 2023-08-08 06:07:40 UTC

Add a basic README.boilerplates to help document various use-cases

Signed-off-by: Alex Murray <alex.murray@canonical.com>

source-map-performance-improvements 2023-07-27 15:36:44 UTC
scripts/test_source_map.py: test get_aliases_of_ubuntu_package()

Author: Alex Murray
Author Date: 2023-07-27 15:36:44 UTC

scripts/test_source_map.py: test get_aliases_of_ubuntu_package()

Signed-off-by: Alex Murray <alex.murray@canonical.com>

check-syntax-n-jobs 2023-07-26 14:16:43 UTC
scripts/check-syntax: add cli option to specify the number of jobs

Author: Alex Murray
Author Date: 2023-07-26 13:43:48 UTC

scripts/check-syntax: add cli option to specify the number of jobs

Also switch to concurrent.futures.ProcessPoolExecutor rather than
multiprocessing.Pool as this seems to be the preferred way of doing
parallelisation in Python

Signed-off-by: Alex Murray <alex.murray@canonical.com>

die-partner-die 2023-06-02 12:26:01 UTC
die partner die

Author: Alex Murray
Author Date: 2023-06-02 12:23:32 UTC

die partner die

The partner mirror hasn't been used or supported for a very long time so let's
not try and pretend anymore. Remove all references to it from UCT.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

restore-release-stamps-and-sort-instead-by-release-version 2023-04-03 00:09:36 UTC
scripts/test_cve_lib.py: remove debug print from test_release_sort

Author: Alex Murray
Author Date: 2023-04-03 00:09:36 UTC

scripts/test_cve_lib.py: remove debug print from test_release_sort

Signed-off-by: Alex Murray <alex.murray@canonical.com>

fix-lp-2012327 2023-03-29 05:29:31 UTC
scripts/test_cve_lib.py: test cve_lib release lists are sorted OOTB

Author: Alex Murray
Author Date: 2023-03-29 05:29:31 UTC

scripts/test_cve_lib.py: test cve_lib release lists are sorted OOTB

Signed-off-by: Alex Murray <alex.murray@canonical.com>

no-empty-titles-descriptions-in-package-info-overrides 2023-03-28 23:22:21 UTC
scripts/test_cve_lib.py: parametrize testing of non-empty title/desc

Author: Alex Murray
Author Date: 2023-03-28 23:22:21 UTC

scripts/test_cve_lib.py: parametrize testing of non-empty title/desc

Ensure we test each separate entry in package info overrides separately so that
a failure in one doesn't mask others.

Since we are using pytest, we can use unittest.SubTest() as it doesn't seem to
support that but we can do the same thing with the parametrize decorator.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

check-syntax-parallelisation 2023-03-21 05:46:57 UTC
scripts/check-syntax: Refactor debug printing

Author: Alex Murray
Author Date: 2023-03-21 05:46:57 UTC

scripts/check-syntax: Refactor debug printing

Avoid having to copy-pasta if opt.debug every time we want to print.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

sis-generate-usn-warn-to-reduce-binaries 2023-03-08 03:03:53 UTC
scripts/sis-generate-usn: Add XXX placeholder for reducing binaries

Author: Alex Murray
Author Date: 2023-03-08 03:02:57 UTC

scripts/sis-generate-usn: Add XXX placeholder for reducing binaries

See
https://code.launchpad.net/~rodrigo-zaiden/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/438390/comments/1164750
for the motivation for this change.

Also fix latent pyflakes3 warnings to appease our git pre-commit hook

Signed-off-by: Alex Murray <alex.murray@canonical.com>

launchpad-yaml-for-check-syntax 2023-03-07 04:18:01 UTC
CVE-2021-33621: ruby3.0 was removed in lunar in favor of ruby3.1

Author: Alex Murray
Author Date: 2023-03-07 04:18:01 UTC

CVE-2021-33621: ruby3.0 was removed in lunar in favor of ruby3.1

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028221

Signed-off-by: Alex Murray <alex.murray@canonical.com>

speed-up-cvss-parsing-tests 2023-02-08 00:00:10 UTC
scripts/test_cve_lib.py: Only test parse each CVSSV3 score once

Author: Alex Murray
Author Date: 2023-02-06 05:22:57 UTC

scripts/test_cve_lib.py: Only test parse each CVSSV3 score once

Signed-off-by: Alex Murray <alex.murray@canonical.com>

restore-active-edit-prompting 2022-10-23 06:44:20 UTC
scripts/active_edit: Actually use the autoconfirm command-line option

Author: Alex Murray
Author Date: 2022-10-23 06:44:20 UTC

scripts/active_edit: Actually use the autoconfirm command-line option

Signed-off-by: Alex Murray <alex.murray@canonical.com>

package-db-json-validation 2022-09-15 07:02:44 UTC
package-db: Print details when assertion check fails

Author: Alex Murray
Author Date: 2022-09-15 07:02:44 UTC

package-db: Print details when assertion check fails

Signed-off-by: Alex Murray <alex.murray@canonical.com>

noboilerplates-3 2022-09-05 05:27:50 UTC
scripts/sync-from-eol.py: Remove unused import of apt

Author: Alex Murray
Author Date: 2022-09-05 05:27:50 UTC

scripts/sync-from-eol.py: Remove unused import of apt

Signed-off-by: Alex Murray <alex.murray@canonical.com>

only-add-dne-for-ubuntu-products 2022-06-30 06:53:04 UTC
scripts/active_edit: Only add DNE entries for Ubuntu product releases

Author: Alex Murray
Author Date: 2022-06-30 06:53:04 UTC

scripts/active_edit: Only add DNE entries for Ubuntu product releases

This is a further refinement of the previous merge proposal at
https://code.launchpad.net/~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker-1/+merge/425365

Signed-off-by: Alex Murray <alex.murray@canonical.com>

always-add-cve-entries-for-standard-ubuntu-releases 2022-06-24 07:43:50 UTC
scripts/active_edit: Always add entries for base Ubuntu releases

Author: Alex Murray
Author Date: 2022-06-24 07:43:50 UTC

scripts/active_edit: Always add entries for base Ubuntu releases

Ensure that for the base / progenitor Ubuntu releases we always add a CVE
entry for a given package - and for those releases where the package
doesn't actually exist, set the status to DNE.

By doing this only for the progenitor releases we make sure we don't then
add entries for all of fips / trusty/esm / esm-infra/xenial to every CVE.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

noboilerplates 2022-03-03 04:17:12 UTC
More WIP - get active_edit seemingly working well-ish

Author: Alex Murray
Author Date: 2022-03-03 04:17:12 UTC

More WIP - get active_edit seemingly working well-ish

Signed-off-by: Alex Murray <alex.murray@canonical.com>

amurray-scratch 2021-11-10 01:40:46 UTC
Yet even another test change

Author: Alex Murray
Author Date: 2021-11-10 01:40:46 UTC

Yet even another test change

cleanup-cve-lib-subprojects-api 2021-10-21 05:30:02 UTC
cve_lib: Cleanup subprojects API

Author: Alex Murray
Author Date: 2021-10-21 05:30:02 UTC

cve_lib: Cleanup subprojects API

Rename get_subproject() to get_subproject_details() and have it return the
canonical name as well as the product, series and details so we don't have
to have so many special purpose functions which are each named oddly. This
requires a similar change for umt in ubuntu-security-tools.

customer-ppa-tracking-2 2021-10-14 01:33:25 UTC
scripts/ubuntu-table: Don't source ubuntu-security-tools.conf to parse it

Author: Alex Murray
Author Date: 2021-10-14 01:33:25 UTC

scripts/ubuntu-table: Don't source ubuntu-security-tools.conf to parse it

Instead reuse read_config_file() from cve_lib

check-cves-hinting-cleanup 2021-09-29 12:48:28 UTC
scripts/check-cves: Speed up trying to match a CVE against a known package

Author: Alex Murray
Author Date: 2021-09-29 12:48:28 UTC

scripts/check-cves: Speed up trying to match a CVE against a known package

Calculate the list of all known packages once only and clean up matching of
the description against this for each CVE.

parse-patches-for-lp-1892523 2021-09-22 00:37:32 UTC
cve_lib tests: add additional tests for missing patches entries

Author: Steve Beattie
Author Date: 2021-09-21 16:01:56 UTC

cve_lib tests: add additional tests for missing patches entries

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

validate-cve-dates-in-check-syntax 2021-07-22 04:49:53 UTC
check-syntax: Parse and validate date fields more completely

Author: Alex Murray
Author Date: 2021-07-22 04:49:53 UTC

check-syntax: Parse and validate date fields more completely

This ensures the value can actually be parsed by other utilities. Perhaps
we should actually be doing this in cve_lib.py but for now this is good
enough to catch any issues like the one found and fixed manually in
fa5907ca48a30108136dea5404e9885292d60bac

Signed-off-by: Alex Murray <alex.murray@canonical.com>

mistriage-as-cve-triage 2020-07-27 08:43:16 UTC
scripts/check-cves: Fix up comment to match code

Author: Alex Murray
Author Date: 2020-07-27 08:43:16 UTC

scripts/check-cves: Fix up comment to match code

boilerplate-improvements 2020-07-22 06:57:44 UTC
check-cves: Include boilerplate packages in suggestions during triage

Author: Alex Murray
Author Date: 2020-07-20 07:01:52 UTC

check-cves: Include boilerplate packages in suggestions during triage

A CVE description might contain MySQL but we only have packages like
mysql-5.5 - so this will never match if we look for it alone - so instead,
look for boilerplate package names as well (NOTE: perhaps we should also
remove any numerals / periods when trying package names but for now this
should help a bit regardless).

cvss 2020-03-05 06:37:46 UTC
scripts/test_cve_lib.py: Actually test that our calculated CVSSv3 matches the...

Author: Alex Murray
Author Date: 2020-03-05 06:37:46 UTC

scripts/test_cve_lib.py: Actually test that our calculated CVSSv3 matches the one calculated by NVD

This ensures our implementation matches theirs

import-rhel8oval 2020-02-05 01:31:29 UTC
scripts/(check-|process_)cves: Add support for RHEL8 OVAL source

Author: Alex Murray
Author Date: 2020-02-05 01:31:29 UTC

scripts/(check-|process_)cves: Add support for RHEL8 OVAL source

This takes the Red Hat OVAL data and uses it as a source for CVEs during
CVE triage - currently this is pretty basic but is an initial first step

master 2020-02-04 20:32:45 UTC
Daily re-triage of universe CVEs

Author: Mike Salvatore
Author Date: 2020-02-04 20:32:45 UTC

Daily re-triage of universe CVEs

catch-duplicate-usns 2019-11-12 01:19:37 UTC
sis-generate-usn: Ensure new-usn.sh allows to --force usn generation

Author: Alex Murray
Author Date: 2019-11-12 01:19:37 UTC

sis-generate-usn: Ensure new-usn.sh allows to --force usn generation

snaps 2019-09-19 13:07:47 UTC
cve.vim: Make vim cve syntax snap aware

Author: Alex Murray
Author Date: 2019-09-19 13:07:47 UTC

cve.vim: Make vim cve syntax snap aware

nvd-json 2019-09-18 21:33:53 UTC
gitignore nvd json

Author: Alex Murray
Author Date: 2019-09-18 21:33:53 UTC

gitignore nvd json

parse-notes 2019-09-16 13:44:47 UTC
cve_lib.py: Encapsulate notes parsing to make code cleaner

Author: Alex Murray
Author Date: 2019-09-16 13:44:47 UTC

cve_lib.py: Encapsulate notes parsing to make code cleaner
