Enrique Sánchez has proposed merging ~enriqueesanchz/launchpad:add-priority-explanation into launchpad:master.
Commit message: Add priority_explanation support Add priority_explanation support for cve import/export scripts Add priority_explanation field to UCTRecord Add importance_explanation field to CVE Add sampledata/CVE-2023-32637 that has priority_explanation Requested reviews: Launchpad code reviewers (launchpad-reviewers) For more details, see: https://code.launchpad.net/~enriqueesanchz/launchpad/+git/launchpad/+merge/484565 -- Your team Launchpad code reviewers is requested to review the proposed merge of ~enriqueesanchz/launchpad:add-priority-explanation into launchpad:master.
diff --git a/lib/lp/bugs/scripts/tests/sampledata/CVE-2023-32637 b/lib/lp/bugs/scripts/tests/sampledata/CVE-2023-32637
new file mode 100644
index 0000000..161dc4d
--- /dev/null
+++ b/lib/lp/bugs/scripts/tests/sampledata/CVE-2023-32637
@@ -0,0 +1,29 @@
+Candidate: CVE-2023-32637
+PublicDate: 2023-07-25 06:15:00 UTC
+References:
+ https://jvn.jp/en/jp/JVN35897618/
+ https://jbrowse.org/jb2/
+ http://gmod.org/wiki/GBrowse
+ https://www.cve.org/CVERecord?id=CVE-2023-32637
+Description:
+ GBrowse accepts files with any formats uploaded and places them in the area
+ accessible through unauthenticated web requests. Therefore, anyone who can
+ upload files through the product may execute arbitrary code on the server.
+Ubuntu-Description:
+Notes:
+ ccdm94> this has likely been fixed in all 2.x versions.
+Mitigation:
+Bugs:
+Priority: high
+ This has a high priority because it is a vulnerability that allows a remote
+ attacker to execute code in a machine, and it looks to be easily exploitable
+ given that it involves regular functionalities provided by the application.
+Discovered-by:
+Assigned-to:
+CVSS:
+ nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
+
+Patches_gbrowse:
+upstream_gbrowse: released (2.56+dfsg-1)
+trusty_gbrowse: ignored (end of standard support)
+xenial_gbrowse: ignored (end of standard support)
diff --git a/lib/lp/bugs/scripts/tests/test_uct.py b/lib/lp/bugs/scripts/tests/test_uct.py
index f029f28..51da3db 100644
--- a/lib/lp/bugs/scripts/tests/test_uct.py
+++ b/lib/lp/bugs/scripts/tests/test_uct.py
@@ -170,6 +170,94 @@ class TestUCTRecord(TestCase):
)
self.assertEqual(load_from.read_text(), saved_to_path.read_text())
+ def test_load_save_with_priority_explanation(self):
+ load_from = Path(__file__).parent / "sampledata" / "CVE-2023-32637"
+ uct_record = UCTRecord.load(load_from)
+ self.assertDictEqual(
+ UCTRecord(
+ parent_dir="sampledata",
+ assigned_to="",
+ bugs=[""],
+ cvss=[
+ CVSS(
+ authority="nvd",
+ vector_string=(
+ "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H "
+ "[9.8 CRITICAL]"
+ ),
+ ),
+ ],
+ candidate="CVE-2023-32637",
+ crd=None,
+ public_date_at_USN=None,
+ public_date=datetime(2023, 7, 25, 6, 15, tzinfo=timezone.utc),
+ description=(
+ "GBrowse accepts files with any formats uploaded and "
+ "places them in the area\naccessible through "
+ "unauthenticated web requests. Therefore, anyone who can\n"
+ "upload files through the product may execute arbitrary "
+ "code on the server."
+ ),
+ discovered_by="",
+ mitigation="",
+ notes=(
+ "ccdm94> this has likely been fixed in all 2.x "
+ "versions."
+ ),
+ priority=UCTRecord.Priority.HIGH,
+ priority_explanation=(
+ "This has a high priority because it is a vulnerability "
+ "that allows a remote\nattacker to execute code in a "
+ "machine, and it looks to be easily exploitable\ngiven "
+ "that it involves regular functionalities provided by the "
+ "application."
+ ),
+ references=[
+ "https://jvn.jp/en/jp/JVN35897618/",
+ "https://jbrowse.org/jb2/",
+ "http://gmod.org/wiki/GBrowse",
+ "https://www.cve.org/CVERecord?id=CVE-2023-32637",
+ ],
+ ubuntu_description="",
+ packages=[
+ UCTRecord.Package(
+ name="gbrowse",
+ statuses=[
+ UCTRecord.SeriesPackageStatus(
+ series="upstream",
+ status=UCTRecord.PackageStatus.RELEASED,
+ reason="2.56+dfsg-1",
+ priority=None,
+ ),
+ UCTRecord.SeriesPackageStatus(
+ series="trusty",
+ status=UCTRecord.PackageStatus.IGNORED,
+ reason="end of standard support",
+ priority=None,
+ ),
+ UCTRecord.SeriesPackageStatus(
+ series="xenial",
+ status=UCTRecord.PackageStatus.IGNORED,
+ reason="end of standard support",
+ priority=None,
+ ),
+ ],
+ priority=None,
+ tags=set(),
+ patches=[],
+ ),
+ ],
+ ).__dict__,
+ uct_record.__dict__,
+ )
+
+ output_dir = Path(self.makeTemporaryDirectory())
+ saved_to_path = uct_record.save(output_dir)
+ self.assertEqual(
+ output_dir / "sampledata" / "CVE-2023-32637", saved_to_path
+ )
+ self.assertEqual(load_from.read_text(), saved_to_path.read_text())
+ class TestCVE(TestCaseWithFactory):
layer = ZopelessDatabaseLayer
@@ -231,6 +319,7 @@ class TestCVE(TestCaseWithFactory):
mitigation="mitigation",
notes="author> text",
priority=UCTRecord.Priority.CRITICAL,
+ priority_explanation="sample priority_explanation",
references=["https://ubuntu.com/security/notices/USN-5368-1"],
ubuntu_description="ubuntu-description",
packages=[
@@ -416,6 +505,7 @@ class TestCVE(TestCaseWithFactory):
),
],
importance=BugTaskImportance.CRITICAL,
+ importance_explanation="sample priority_explanation",
status=VulnerabilityStatus.ACTIVE,
assignee=assignee,
discovered_by="tr3e wang",
diff --git a/lib/lp/bugs/scripts/uct/models.py b/lib/lp/bugs/scripts/uct/models.py
index 91510e9..d5815b6 100644
--- a/lib/lp/bugs/scripts/uct/models.py
+++ b/lib/lp/bugs/scripts/uct/models.py
@@ -118,6 +118,7 @@ class UCTRecord:
references: List[str],
ubuntu_description: str,
packages: List[Package],
+ priority_explanation: str = "",
):
self.parent_dir = parent_dir
self.assigned_to = assigned_to
@@ -132,6 +133,7 @@ class UCTRecord:
self.mitigation = mitigation
self.notes = notes
self.priority = priority
+ self.priority_explanation = priority_explanation
self.references = references
self.ubuntu_description = ubuntu_description
self.packages = packages
@@ -233,6 +235,8 @@ class UCTRecord:
)
)
+ _priority = cls._pop_cve_property(cve_data, "Priority").split("\n")
+
+ entry = UCTRecord(
+ parent_dir=cve_path.absolute().parent.name,
+ assigned_to=cls._pop_cve_property(cve_data, "Assigned-to"),
@@ -254,7 +258,8 @@ class UCTRecord:
cve_data, "Mitigation", required=False
),
notes=cls._format_notes(cls._pop_cve_property(cve_data, "Notes")),
- priority=cls.Priority(cls._pop_cve_property(cve_data, "Priority")),
+ priority=cls.Priority(_priority[0]),
+ priority_explanation="\n".join(_priority[1:]),
references=cls._pop_cve_property(cve_data, "References").split(
"\n"
),
@@ -305,7 +310,11 @@ class UCTRecord:
"Mitigation", self.mitigation.split("\n"), output
)
self._write_field("Bugs", self.bugs, output)
- self._write_field("Priority", self.priority.value, output)
+ self._write_field(
+ "Priority",
+ self._format_priority(self.priority, self.priority_explanation),
+ output,
+ )
self._write_field("Discovered-by", self.discovered_by, output)
self._write_field("Assigned-to", self.assigned_to, output)
self._write_field(
@@ -400,6 +409,15 @@ class UCTRecord:
lines.append(" " + line)
return "\n".join(lines)
+
+ @classmethod
+ def _format_priority(cls, priority: Priority, explanation: str) -> str:
+ lines = [priority.value]
+ for line in explanation.split("\n"):
+ if line != "":
+ lines.append(" " + line)
+
+ return "\n".join(lines)
+ class CVE:
"""
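Review bot: The `Priority` handling in `load` (`@@ -233,6 +235,8 @@` and `@@ -254,7 +258,8 @@`) relies on the reader knowing that the first line of the property is the enum value and every following line is free text, and the leading underscore on the plain local `_priority` reads as a private attribute rather than a temporary. Tuple unpacking states the layout directly: `priority_value, *explanation_lines = cls._pop_cve_property(cve_data, "Priority").split("\n")`, then `priority=cls.Priority(priority_value),` and `priority_explanation="\n".join(explanation_lines),`. Before this change a multi-line `Priority` value was rejected by `cls.Priority(...)` with a `ValueError`; the tail is now accepted as the explanation, which is the intent here, but a one-line comment such as `# First line is the priority value; any continuation lines are the explanation.` would make that explicit. `load` starts and ends outside these hunks.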
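Review bot: `_format_priority` in `@@ -400,6 +409,15 @@` discards every empty line of the explanation (`if line != ""`), so if the loader keeps blank lines inside the value, an explanation with a paragraph break will not survive a `load`/`save` round trip; if dropping them is deliberate, the method needs a docstring saying so. The method has no docstring at all; I would add one stating that it renders the priority value on the first line followed by each non-empty explanation line indented by one space, the same continuation layout the formatter directly above it produces. The loop can be written as `lines.extend(" " + line for line in explanation.split("\n") if line)` followed by `return "\n".join(lines)`, and since `cls` is never used the method could be a `@staticmethod` unless the sibling formatters are classmethods, in which case keeping `@classmethod` for consistency is reasonable.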
@@ -493,6 +511,7 @@ class CVE:
mitigation: str,
cvss: List[CVSS],
patch_urls: Optional[List[PatchURL]] = None,
+ importance_explanation: str = "",
):
self.sequence = sequence
self.date_made_public = date_made_public
@@ -502,6 +521,7 @@ class CVE:
self.series_packages = series_packages
self.upstream_packages = upstream_packages
self.importance = importance
+ self.importance_explanation = importance_explanation
self.status = status
self.assignee = assignee
self.discovered_by = discovered_by
@@ -647,6 +667,7 @@ class CVE:
series_packages=series_packages,
upstream_packages=upstream_packages,
importance=cls.PRIORITY_MAP[uct_record.priority],
+ importance_explanation=uct_record.priority_explanation,
status=cls.infer_vulnerability_status(uct_record),
assignee=assignee,
discovered_by=uct_record.discovered_by,
@@ -774,6 +795,7 @@ class CVE:
mitigation=self.mitigation,
notes=self.notes,
priority=self.PRIORITY_MAP_REVERSE[self.importance],
+ priority_explanation=self.importance_explanation,
references=self.references,
ubuntu_description=self.ubuntu_description,
packages=list(packages_by_name.values()),
diff --git a/lib/lp/bugs/scripts/uct/uctexport.py b/lib/lp/bugs/scripts/uct/uctexport.py
index 3745874..9b2045a 100644
--- a/lib/lp/bugs/scripts/uct/uctexport.py
+++ b/lib/lp/bugs/scripts/uct/uctexport.py
@@ -231,6 +231,7 @@ class UCTExporter:
series_packages=series_packages,
upstream_packages=upstream_packages,
importance=cve_importance,
+ importance_explanation=vulnerability.importance_explanation,
status=vulnerability.status,
assignee=bug_tasks[0].assignee,
discovered_by=lp_cve.discovered_by or "",
diff --git a/lib/lp/bugs/scripts/uct/uctimport.py b/lib/lp/bugs/scripts/uct/uctimport.py
index 8ee237b..11f62a3 100644
--- a/lib/lp/bugs/scripts/uct/uctimport.py
+++ b/lib/lp/bugs/scripts/uct/uctimport.py
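Review bot: `importance_explanation=vulnerability.importance_explanation` in the `uctexport.py` hunk (`@@ -231,6 +231,7 @@`) is passed through unguarded, whereas the neighbouring `discovered_by=lp_cve.discovered_by or ""` normalises a nullable value to a string. If `Vulnerability.importance_explanation` can be `None` in the database (not visible here), that `None` flows through `CVE.to_uct_record` into `UCTRecord.save`, where `_format_priority` calls `.split("\n")` on it and raises `AttributeError`, aborting the export of that CVE. `importance_explanation=vulnerability.importance_explanation or "",` keeps the exporter consistent with the other string fields and with the `""` default the new `CVE.__init__` parameter declares. The enclosing exporter method starts and ends outside the hunk.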
@@ -313,6 +313,7 @@ class UCTImporter:
distribution=distribution,
status=cve.status,
importance=cve.importance,
+ importance_explanation=cve.importance_explanation,
creator=bug.owner,
information_type=InformationType.PUBLICSECURITY,
cve=lp_cve,
@@ -362,6 +363,7 @@ class UCTImporter:
vulnerability.notes = cve.notes
vulnerability.mitigation = cve.mitigation
vulnerability.importance = cve.importance
+ vulnerability.importance_explanation = cve.importance_explanation
vulnerability.date_made_public = date_made_public
vulnerability.date_notice_issued = date_notice_issued
vulnerability.date_coordinated_release = date_coordinated_release

