On Fri, 17 Dec 2021 13:56:26 +0000 Neil Williams <codeh...@debian.org> wrote:

> On Fri, 10 Dec 2021 10:56:25 +0000 Neil Williams <codeh...@debian.org>
> wrote:
> > A tool to automate a syntactically correct change to a specific CVE
> > would be a useful extension of this support, not just to add the bug
> > number once the email is received from the BTS but to also make other
> > standard changes:
> >
> > - mark a given released suite (stable/oldstable/LTS) as <not-affected>
>
> For this operation, should <not-affected> clear only specific kinds for
> the specified suite?
>
> e.g. if kind==fixed, then version would need to be unset for the CVE to
> show as not-affected & any bug number might also have to be cleared if
> the suite was specified as sid?
>
> Should annotations like "Minor issue" be retained or removed?
>
> Or should the script refuse to change kind==fixed & possibly others &
> maybe only make changes if kind is None?
Candidate bin/update-vuln script is now in my fork on Salsa:

https://salsa.debian.org/codehelp/security-tracker/-/blob/grabcvefix/bin/update-vuln
https://salsa.debian.org/codehelp/security-tracker/-/raw/grabcvefix/bin/update-vuln

As noted in the script: Only make one change to one CVE at a time. Review
and merge that change and delete the merged file before updating the same
CVE.

The workflow would be:

./bin/update-vuln --cve CVE-YYYY-NNNNN ...
# on exit zero:
./bin/merge-cve-files ./CVE-YYYY-NNNNN.list
# review change to data/CVE/list
git diff data/CVE/list
rm ./CVE-YYYY-NNNNN.list
# .. step and repeat
git add data/CVE/list
git commit

As with #1001451 and grab-cve-in-fix, the code may yet need to move into
lib.python.sectracker to be properly tested. Also, the change in #1001451
for merge-cve-files is also needed for the update-vuln support.

Note the addition of the --description option for <not-affected> support -
that will typically require quoting the argument. e.g.

$ ./bin/update-vuln --cve CVE-YYYY-NNNNN --src <SRC_PKG> --suite buster --description "Vulnerable code introduced later"

$ ./bin/update-vuln --help
usage: update-vuln [-h] --cve CVE
                   [--src SRC --suite SUITE [--description DESCRIPTION]] |
                   [[--number NUMBER] [--itp SRC]] | [--note NOTE]

Make a single update to specified CVE data as not-affected, add bug number or
add a note

optional arguments:
  -h, --help            show this help message and exit

Required arguments:
  --cve CVE             The CVE ID to update

Marking a CVE as not-affected - must use --src and --suite
Optionally add a description or omit to remove the current description:
  --src SRC             Source package name in SUITE
  --suite SUITE         Mark the CVE as <not-affected> in SUITE
  --description DESCRIPTION
                        Optional description of why the SRC is unaffected in
                        SUITE

Add a bug number to the CVE:
  --number NUMBER       Debian BTS bug number
  --itp SRC             Mark as an ITP bug for the specified source package
                        name

Add a NOTE: entry to the CVE:
  --note NOTE           Content of the NOTE: entry to add to the CVE

Data is written to a new <cve_number>.list file which can be used with
'./bin/merge-cve-files'. Make sure the output file is merged and removed
before updating the same CVE again.

--
Neil Williams
=============
https://linux.codehelp.co.uk/
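As an added illustration (this is my sketch, not the update-vuln script in Neil's fork and not code from the security-tracker repository), the three single-entry edits the --help text describes, applied in memory to one CVE entry and returning the text that the real workflow would write to CVE-YYYY-NNNNN.list for merge-cve-files. The data/CVE/list line layout (tab-indented "- src VERSION (notes)" for sid, "[suite] - src VERSION (notes)" for a released suite, "bug #N; severity" inside the parentheses, "<itp>" as the pseudo-version for packages not yet in Debian) is reconstructed from memory and is an assumption to check against the real file; the sample entry is constructed, not a real tracker record. On the open question from the quoted reply, the example takes the conservative option: it refuses to overwrite a real fixed version with <not-affected>, and it drops the existing description when none is given, as the --description help text says.

```python
"""Minimal in-memory version of the update-vuln edits (added example).

Format assumptions (reconstructed, verify against data/CVE/list):
  header line      : "CVE-YYYY-NNNN (description)"
  sid package line : "\t- src VERSION (notes)"
  suite line       : "\t[suite] - src VERSION (notes)"
  notes            : "bug #NNNNNN; low" style, bug reference first
  pseudo-versions  : <unfixed>, <not-affected>, <no-dsa>, <itp>, ...
"""
import re
from typing import List, Optional

PKG_LINE = re.compile(
    r"^\t(?:\[(?P<suite>[a-z-]+)\] )?- (?P<src>\S+)"
    r"(?: (?P<version>[^\s(]\S*))?(?: \((?P<notes>.*)\))?$"
)
BUG_REF = re.compile(r"bug #\d+")
# Anything else in the VERSION slot is taken to be a real (fixed) version.
PSEUDO = {"<unfixed>", "<not-affected>", "<removed>", "<undetermined>",
          "<itp>", "<no-dsa>", "<ignored>", "<postponed>", "<end-of-life>"}


def fmt_pkg(src: str, version: str, notes: Optional[str] = None,
            suite: Optional[str] = None) -> str:
    line = "\t" + (f"[{suite}] " if suite else "") + f"- {src} {version}"
    return line + (f" ({notes})" if notes else "")


def parse(entry: str) -> List[str]:
    lines = entry.rstrip("\n").split("\n")
    if not re.match(r"^CVE-\d{4}-\d{4,}", lines[0]):
        raise ValueError("entry must start with a CVE header line")
    return lines


def mark_not_affected(entry: str, src: str, suite: str,
                      description: Optional[str] = None) -> str:
    """Set "[suite] - src <not-affected> (description)", replacing an existing
    suite line for src or inserting one after src's last package line."""
    lines = parse(entry)
    new = fmt_pkg(src, "<not-affected>", description, suite)
    last_for_src = None
    for i, line in enumerate(lines):
        m = PKG_LINE.match(line)
        if not m or m["src"] != src:
            continue
        last_for_src = i
        if m["suite"] == suite:
            if m["version"] and m["version"] not in PSEUDO:
                # kind==fixed: refuse rather than silently unset the version
                raise ValueError(f"{src} in {suite} is fixed in "
                                 f"{m['version']}; refusing to overwrite")
            lines[i] = new          # existing description is replaced/dropped
            return "\n".join(lines) + "\n"
    lines.insert(1 if last_for_src is None else last_for_src + 1, new)
    return "\n".join(lines) + "\n"


def add_bug_number(entry: str, number: int, itp_src: Optional[str] = None) -> str:
    """Attach "bug #N" to the first sid package line without one, or, with
    itp_src, write/replace "- itp_src <itp> (bug #N)"."""
    lines = parse(entry)
    ref = f"bug #{int(number)}"
    if itp_src:
        for i, line in enumerate(lines):
            m = PKG_LINE.match(line)
            if m and m["src"] == itp_src and m["suite"] is None:
                lines[i] = fmt_pkg(itp_src, "<itp>", ref)
                break
        else:
            lines.insert(1, fmt_pkg(itp_src, "<itp>", ref))
        return "\n".join(lines) + "\n"
    for i, line in enumerate(lines):
        m = PKG_LINE.match(line)
        if not m or m["suite"] is not None or m["version"] == "<itp>":
            continue
        if m["notes"] and BUG_REF.search(m["notes"]):
            raise ValueError(f"{m['src']} already carries "
                             f"{BUG_REF.search(m['notes']).group()}")
        notes = f"{ref}; {m['notes']}" if m["notes"] else ref
        lines[i] = fmt_pkg(m["src"], m["version"], notes)
        return "\n".join(lines) + "\n"
    raise ValueError("no sid package line to attach the bug number to")


def add_note(entry: str, text: str) -> str:
    """Append a NOTE: line to the entry."""
    lines = parse(entry)
    lines.append(f"\tNOTE: {text}")
    return "\n".join(lines) + "\n"


# Constructed sample entry (not a real tracker record).
SAMPLE = (
    "CVE-2021-0001 (Example issue in the frobnicator)\n"
    "\t- frob <unfixed> (low)\n"
    "\t[bullseye] - frob <no-dsa> (Minor issue)\n"
)


def demo() -> str:
    e = mark_not_affected(SAMPLE, "frob", "buster", "Vulnerable code introduced later")
    e = add_bug_number(e, 999999)
    return add_note(e, "https://example.invalid/advisory")


if __name__ == "__main__":
    print(demo(), end="")
```

Each call makes exactly one change and returns the whole entry, which mirrors the one-change-per-CVE rule in the script: write the result to ./CVE-YYYY-NNNNN.list, run merge-cve-files, review the diff, delete the file, and only then touch the same CVE again.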