lp:~litios/ubuntu-cve-tracker

Author: David Fernandez Gonzalez
Author Date: 2024-03-14 07:58:05 UTC

[JSON] Update tests to match current format

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-03-13 10:37:36 UTC

[OVAL] Parent may also have /

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-03-06 14:09:56 UTC

[OVAL] Allow to handle parent merging for non-esm rel

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-02-27 15:02:09 UTC

[OVAL+CUSTOMER-PPA] Add flag to list needs-to-merge OVAL files

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-02-05 12:46:40 UTC

[OVAL] USN: if the USN doesn't have any valid CVEs, don't add it

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-02-02 12:09:33 UTC

[CVE_LIB] Rename external subproject key from distribution to lp_distribution

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2024-01-19 10:48:50 UTC

[OVAL] Retrieve update pocket + extra CVE fields.

Add a function to retrieve the pocket of a given
package and version from the cache.

Add Mitigation and Notes fields to the CVE.

*This commit doesn't modify the OVAL output*

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-12-13 15:50:01 UTC

[OVAL] Fix bug with parent releases

When there is a parent release:

1. If fixed version doesn't exist in the release, check parent.
2. Repeat 1. until last parent, then, use that parent either way.
3. If not fixed, use current release.

Also, fix issue about release priority not being apply correctly.

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-11-30 09:32:57 UTC

OVAL: make IDs smaller

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-11-28 09:54:48 UTC

Remove 'generics' feature

Generics was a feature to support a specific customer case.
This customer project has been migrated from UCT.
We shouldn't need this anymore.

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-11-17 15:22:42 UTC

Don't add CVE entries if cve_triage is false

For those subprojects where the customer doesn't require CVE triage,
(that means cve_triage: false in config.yml), we shouldn't add any
entries. Those CVE files shouldn't exist in the subproject directory.

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-10-26 11:35:37 UTC

cve_lib: remove /ubuntu from subproject ppa names

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-10-17 08:15:49 UTC

source_map: ignore broken built-using entries

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-09-12 08:48:10 UTC

oval: update tests to match new cve_tag

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-08-25 09:22:13 UTC

cve_lib: update documentation in load_external_subprojects

Author: David Fernandez Gonzalez
Author Date: 2023-08-03 11:20:32 UTC

cve_lib: inherit information from original release when loading external subprojects

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-07-28 08:57:24 UTC

Update CVEs status due to EOL of kinetic

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-07-19 09:14:04 UTC

Refactor the logic around fixed only filtering

Also, fix a bug in regards kernel packages listing
vulnerable CVEs when fixed-only flag was provided

Signed-off-by: David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>

Author: David Fernandez Gonzalez
Author Date: 2023-06-27 09:09:58 UTC

Bulk update of CVEs to use new EOL tags

Author: David Fernandez Gonzalez
Author Date: 2023-06-16 11:58:57 UTC

sync_from_usns: improve regex and reformat argument

Author: David Fernandez Gonzalez
Author Date: 2023-06-05 09:31:36 UTC

source_map: add subproject tests

Author: David Fernandez Gonzalez
Author Date: 2023-05-29 09:19:40 UTC

sis-changes: forget binaries too if newer version

Author: David Fernandez Gonzalez
Author Date: 2023-05-25 12:40:43 UTC

oval: allow recursive parents in pkg format

Author: David Fernandez Gonzalez
Author Date: 2023-05-15 07:32:21 UTC

test_oval_lib_unit: fix deprecation warnings

Author: David Fernandez Gonzalez
Author Date: 2023-05-12 11:51:17 UTC

oval: Refactor CVE generator class to new format

Author: David Fernandez Gonzalez
Author Date: 2023-05-11 15:06:15 UTC

oval_lib: add cve references to USNs

Author: David Fernandez Gonzalez
Author Date: 2023-05-10 07:25:29 UTC

oval_lib: add option for only fixed CVEs

Author: David Fernandez Gonzalez
Author Date: 2023-05-03 11:48:17 UTC

cve_lib: add tests for external project metadata CVEs

Author: David Fernandez Gonzalez
Author Date: 2023-05-02 08:14:29 UTC

src_map: Parse all 'Built-Using' tags

Author: David Fernandez Gonzalez
Author Date: 2023-04-25 10:48:46 UTC

oval_lib: refactor cve tag generation to unify across formats

Author: David Fernandez Gonzalez
Author Date: 2023-04-14 15:57:06 UTC

oval: add tests for cve + pkg

Author: David Fernandez Gonzalez
Author Date: 2023-04-12 10:14:05 UTC

sync-from-usns: fix status for esm release if regular update

Author: David Fernandez Gonzalez
Author Date: 2023-04-04 07:28:41 UTC

oval_lib: move PackageCache to generate-oval

Author: David Fernandez Gonzalez
Author Date: 2023-03-15 12:27:53 UTC

generate-oval: add more info to err message

Author: David Fernandez Gonzalez
Author Date: 2023-03-08 18:01:05 UTC

publish-cves-to-website-api: fix tags to use lists instead of sets

Author: David Fernandez Gonzalez
Author Date: 2023-03-07 14:51:18 UTC

sis-generate-usn: don't complain about placeholders in comments

Author: David Fernandez Gonzalez
Author Date: 2023-03-06 12:33:39 UTC

Only get existing tags and patches in a CVE when publishing it to the web

Author: David Fernandez Gonzalez
Author Date: 2023-02-23 11:40:09 UTC

Don't add CVEs in ignored to subprojects

Author: David Fernandez Gonzalez
Author Date: 2023-02-21 10:27:06 UTC

Add logic for subprojects and ESM in is_supported

Author: David Fernandez Gonzalez
Author Date: 2023-02-17 14:45:26 UTC

Create functions for each check

Author: David Fernandez Gonzalez
Author Date: 2023-02-14 17:14:36 UTC

Reduced aliases for soss

Author: David Fernandez Gonzalez
Author Date: 2023-02-10 09:28:38 UTC

Enable the use of aliases when triagging + include aliases in active_edit

Author: Ian Constantin
Author Date: 2023-01-13 07:15:10 UTC

Daily CVE CVSS Refresh

Author: David Fernandez Gonzalez
Author Date: 2022-12-05 16:34:41 UTC

Add aliases parsing for customer-ppas

Author: Mark Esler
Author Date: 2022-11-03 13:44:07 UTC

usngrep: add reverse to --usns

Author: Florencia Cabral
Author Date: 2022-10-13 15:26:45 UTC

remove extra space

Author: Florencia Cabral
Author Date: 2022-09-30 16:58:53 UTC

cve file syntax

Author: Florencia Cabral
Author Date: 2022-09-27 16:21:06 UTC

update supported packages for kinetic/melodic ros esm

Author: Leonidas S. Barbosa
Author Date: 2022-06-16 18:39:11 UTC

Adding --nvd priority filter to ubuntu-table and pkg_status scripts

Author: Leonidas S. Barbosa
Author Date: 2022-06-10 22:47:30 UTC

Adding hability to list CVE affected packages by NVD priority

Author: Leonidas S. Barbosa
Author Date: 2022-04-21 02:22:06 UTC

Making this_only_affected opt and fixing minor issues

Author: Leonidas S. Barbosa
Author Date: 2022-04-14 16:18:56 UTC

Replacing cve_lib.subprojects for cve_lib.release_name

Author: Leonidas S. Barbosa
Author Date: 2022-04-04 09:57:04 UTC

Adding special-ppa flag in order to handle ppas that are special for us and we want to adress, like ~canonical-chromium-browser

Author: Alex Burrage
Author Date: 2022-03-23 18:11:42 UTC

Update to guidelines in README regarding 'ignored' status

Author: Eduardo Barretto
Author Date: 2021-05-20 09:32:55 UTC

Add esm-apps/xenial to boilerplates

Author: Eduardo Barretto
Author Date: 2021-04-27 09:22:16 UTC

Only add 'non-ubuntu-software' field with product not Ubuntu

Author: Paulo Flabiano Smorigo
Author Date: 2021-02-10 23:10:15 UTC

scripts/sis-generate-usn: Add PUBLISH flag

Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>

Author: Mike Salvatore
Author Date: 2020-11-24 11:14:36 UTC

Add descriptions to ESM experimental -> public migration scripts

Author: Avital Ostromich
Author Date: 2020-09-17 13:28:38 UTC

Add check for invalid CVE priorities

Log an error if a CVE priority is invalid (e.g. 'untriaged') and add an
equivalent unit test.
Remove autogenerated .coverage file.

Author: Mike Salvatore
Author Date: 2020-08-26 17:29:02 UTC

Minor refactor and bugfix of code to publish CVEs to new web API

Author: Steve Beattie
Author Date: 2020-08-14 19:25:06 UTC

oval_lib: generate "USN-NNNN-X" as IDs for oval USN reports

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

Author: Mark Morlino
Author Date: 2020-08-06 16:43:24 UTC

persist macaroon for website api

Author: Steve Beattie
Author Date: 2020-08-01 09:15:44 UTC

generate-oval: fix logic around lines to ignore w/out alpha

The addition of the alpha option broke the logic for lines to
ignore when parsing OVAL output by basically not ignoring lines that
should be ignored when the --alpha option has not been passed on the
command line. Fix this to drop the line if config.alpha is not set or
else use the addition "/esm" logic if config.alpha is set.

But I'm not entirely sure of the alpha logic is supposed to be doing, so
this may be wrong.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

Author: Mark Morlino
Author Date: 2020-07-21 21:22:17 UTC

scripts/publish-usn-to-website-api.py improve sorting

Author: Joy Latten
Author Date: 2020-04-08 23:20:15 UTC

The ignored_package_fields and ignored_releases were being ignored.

When running the scripts,
WARNING: Unknown package field "Patches" in Patches_ruby2.1 in "././active/CVE-2019-8324"
WARNING: Unknown package field "upstream" in upstream_ruby2.1 in "././active/CVE-2019-8324"

Author: Joy Latten
Author Date: 2020-03-03 21:03:19 UTC

Add GPLv3 to the generated OVAL.

Author: Alex Murray
Author Date: 2019-09-19 13:07:47 UTC

cve.vim: Make vim cve syntax snap aware

Author: Emilia Torino
Author Date: 2019-08-29 23:29:47 UTC

updating help

Author: Alex Murray
Author Date: 2019-08-27 04:33:54 UTC

html_export.py: Make Notes: contents more readable

We do this by formatting as a table using the now-structured Notes data
from cve_lib.py

Author: Emilia Torino
Author Date: 2019-07-29 19:14:45 UTC

improving output message

Author: Eduardo Barretto
Author Date: 2019-05-17 20:22:28 UTC

Fix component in source_map

Author: Eduardo Barretto
Author Date: 2018-11-09 17:56:19 UTC

Remove kpis from UCT