Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number

2022-01-06 Thread Neil Williams
On Fri, 17 Dec 2021 13:56:26 + Neil Williams  wrote:
> On Fri, 10 Dec 2021 10:56:25 + Neil Williams 
> wrote:
> > A tool to automate a syntactically correct change to a specific CVE
> > would be a useful extension of this support, not just to add the bug
> > number once the email is received from the BTS but to also make other
> > standard changes:
> > 
> > - mark a given released suite (stable/oldstable/LTS) as 
> 
> For this operation, should  clear only specific kinds for
> the specified suite?
> 
> e.g. if kind==fixed, then version would need to be unset for the CVE to
> show as not-affected & any bug number might also have to be cleared if
> the suite was specified as sid?
> 
> Should annotations like "Minor issue" be retained or removed?
> 
> Or should the script refuse to change kind==fixed & possibly others &
> maybe only make changes if kind is None?
> 

Candidate bin/update-vuln script is now in my fork on Salsa:

https://salsa.debian.org/codehelp/security-tracker/-/blob/grabcvefix/bin/update-vuln
https://salsa.debian.org/codehelp/security-tracker/-/raw/grabcvefix/bin/update-vuln

As noted in the script:

Only make one change to one CVE at a time. Review and merge that
change and delete the merged file before updating the same CVE.

The workflow would be:
./bin/update-vuln --cve CVE--N ...
# on exit zero:
./bin/merge-cve-files ./CVE--N.list
# review change to data/CVE/list
git diff data/CVE/list
rm ./CVE--N.list
# .. step and repeat
git add data/CVE/list
git commit

As with #1001451 and grab-cve-in-fix, the code may yet need to move
into lib.python.sectracker to be properly tested. The change in
#1001451 for merge-cve-files is also needed for the update-vuln support.

Note the addition of the --description option for 
support - that will typically require quoting the argument.

e.g.
$ ./bin/update-vuln --cve CVE--N --src  --suite buster 
--description "Vulnerable code introduced later"


$ ./bin/update-vuln --help
usage: update-vuln [-h] --cve CVE [--src SRC --suite SUITE [--description 
DESCRIPTION]] | [[--number NUMBER] [--itp SRC]] | [--note NOTE]

Make a single update to specified CVE data as not-affected, add bug number or 
add a note

optional arguments:
  -h, --help            show this help message and exit

Required arguments:
  --cve CVE The CVE ID to update

Marking a CVE as not-affected - must use --src and --suite Optionally add a 
description or omit to remove the current description:
  --src SRC Source package name in SUITE
  --suite SUITE Mark the CVE as  in SUITE
  --description DESCRIPTION
Optional description of why the SRC is unaffected in 
SUITE

Add a bug number to the CVE:
  --number NUMBER   Debian BTS bug number
  --itp SRC Mark as an ITP bug for the specified source package name

Add a NOTE: entry to the CVE:
  --note NOTE   Content of the NOTE: entry to add to the CVE

Data is written to a new .list file which can be used with 
'./bin/merge-cve-files'. Make sure the output file is merged and removed before 
updating the same CVE again.


-- 
Neil Williams
=
https://linux.codehelp.co.uk/


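A worked illustration of the not-affected update discussed in this message, written here as an added example and not code from the update-vuln script in the fork. It edits one entry in the data/CVE/list syntax, where each tab-indented package line is optionally prefixed with [suite] and carries either a fixed version or a <kind>, plus an optional "(annotation)"; the policy of refusing when the suite line already has a fixed version (kind==fixed) and dropping the old annotation unless a new description is given is one of the options raised above and is assumed here, as is the sample entry.

```python
import re

# Constructed sample in the data/CVE/list syntax that update-vuln edits
# (assumed format, not copied from the thread): an unstable line with a
# fixed version, a buster line with a kind plus annotation, and a NOTE.
SAMPLE = (
    "CVE-2021-0000 (Example issue in foo)\n"
    "\t- foo 1.2-3\n"
    "\t[buster] - foo <no-dsa> (Minor issue)\n"
    "\tNOTE: https://example.invalid/advisory\n"
)

# One package line: optional [suite], source, a version or a <kind>, an
# optional "(annotation)". Anything else (NOTE: lines etc.) is left alone.
PKG_RE = re.compile(
    r"^\t(?:\[(?P<suite>[^\]]+)\] )?- (?P<src>\S+) (?P<state>\S+)"
    r"(?: \((?P<annot>.*)\))?$"
)


def mark_not_affected(entry, src, suite, description=None):
    """Apply '[suite] - src <not-affected>' to one entry and return it.

    Policy (one of the options raised in the thread, assumed here): refuse
    when the suite line carries a fixed version (kind==fixed); replace an
    existing <kind> line, dropping its old annotation unless a new
    description is given; append a fresh line after the package lines if
    none exists. NOTE: lines and everything else are kept unchanged."""
    lines = entry.rstrip("\n").split("\n")
    new = f"\t[{suite}] - {src} <not-affected>"
    if description:
        new += f" ({description})"
    out, replaced, last_pkg = [lines[0]], False, 0
    for line in lines[1:]:
        m = PKG_RE.match(line)
        if m and m["suite"] == suite and m["src"] == src:
            if not m["state"].startswith("<"):
                raise ValueError(f"{src}/{suite} fixed in {m['state']}; refusing")
            line, replaced = new, True
        out.append(line)
        if m:
            last_pkg = len(out) - 1  # remember where package lines end
    if not replaced:
        out.insert(last_pkg + 1, new)
    return "\n".join(out) + "\n"
```

The returned text is what would go into the per-CVE .list file for merge-cve-files; a ValueError is the "refuse to change kind==fixed" outcome and leaves the entry for manual review.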


Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number

2021-12-17 Thread Neil Williams
On Fri, 10 Dec 2021 10:56:25 + Neil Williams 
wrote:
> A tool to automate a syntactically correct change to a specific CVE
> would be a useful extension of this support, not just to add the bug
> number once the email is received from the BTS but to also make other
> standard changes:
> 
> - mark a given released suite (stable/oldstable/LTS) as 

For this operation, should  clear only specific kinds for
the specified suite?

e.g. if kind==fixed, then version would need to be unset for the CVE to
show as not-affected & any bug number might also have to be cleared if
the suite was specified as sid?

Should annotations like "Minor issue" be retained or removed?

Or should the script refuse to change kind==fixed & possibly others &
maybe only make changes if kind is None?


-- 
Neil Williams
=
https://linux.codehelp.co.uk/




Bug#1001453: security-tracker: extend support for bug reporting to update the CVE list with the bug number

2021-12-10 Thread Neil Williams
Package: security-tracker
Severity: wishlist
X-Debbugs-Cc: codeh...@debian.org

Adding this as a wishlist bug, arising from existing ideas and
discussions with the security team.

'bin/report-vuln' is useful to standardise reports to the BTS but there
is then a manual step of updating data/CVE/list with the bug number.

A tool to automate a syntactically correct change to a specific CVE
would be a useful extension of this support, not just to add the bug number
once the email is received from the BTS but to also make other standard
changes:

- mark CVE  as fixed in unstable in version 
- mark a given released suite (stable/oldstable/LTS) as 
  for a specific CVE ID
- add a bug number to an existing CVE entry
- add a NOTE: entry to an existing CVE

Implement with a view that the requests could be integrated into
tracker.d.o so that a merge request can be generated against the
security tracker or a syntactically valid snippet can be generated that
can be merged into the tracker after review.

The parsing support would be similar to existing scripts and tools and
to the support proposed for #1001451 - this tool is focused on changes
to a specific CVE.