From ae486fa9afadab21907ea9a9779f950987b31a40 Mon Sep 17 00:00:00 2001
From: Saul Wold
Date: Fri, 10 Apr 2020 13:12:45 -0700
Subject: [PATCH] Update filter to track won't fix or invalid bugs

The Security team wants to be able to mark bugs as Won't Fix or Invalid when the CVE pertains to an upstream component or driver that we do not include in StarlingX

Story: 2007538
Task: 39357

Change-Id: I030f4ea0a7b9132b23796d7acf6c2650770b1d44
Signed-off-by: Saul Wold
---
 cve_support/cve_policy_filter.py | 22 ++++++++++++++++++++--
 cve_support/lp.py | 7 +++++--
 cve_support/template.txt | 23 +++++++++++++++++++++++
 3 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/cve_support/cve_policy_filter.py b/cve_support/cve_policy_filter.py
index ab982b82..7a650edb 100644
--- a/cve_support/cve_policy_filter.py
+++ b/cve_support/cve_policy_filter.py
@@ -28,6 +28,7 @@ def print_html_report(cves_report, title):
 output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\
 cves_to_fix_lp=cves_report["cves_to_fix_lp"],\
 cves_to_track=cves_report["cves_to_track"],\
+ cves_wont_fix=cves_report["cves_wont_fix"],\
 cves_w_errors=cves_report["cves_w_errors"],\
 cves_to_omit=cves_report["cves_to_omit"],\
 heads=heads,\
@@ -77,6 +78,16 @@ def print_report(cves_report, title):
 cve_line.append(key + ":" + str(value))
 print(cve_line)
 
+ print("\nCVEs with no plans to fix (Won't Fix or Invalid): %d \n" \
+ % (len(cves_report["cves_wont_fix"])))
+ for cve in cves_report["cves_wont_fix"]:
+ cve_line = []
+ for key, value in cve.items():
+ if key != "summary":
+ cve_line.append(key + ":" + str(value))
+ print(cve_line)
+
+
 print("\nERROR: CVEs that have no cvss2Score or cvss2Vector: %d \n" \
 % (len(cves_report["cves_w_errors"])))
 for cve in cves_report["cves_w_errors"]:
@@ -142,6 +153,7 @@ def main():
 cves_to_fix_lp = []
 cves_to_track = []
 cves_w_errors = []
+ cves_wont_fix = []
 cves_to_omit = []
 cves_report = {}
 
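Review bot: The block added to print_report for cves_wont_fix repeats the same heading-plus-loop that the neighbouring sections already use (the cves_w_errors section in this hunk's context is the same shape), and it ends with two added blank lines where the rest of the function separates sections with one. Since every section prints a count and then one key:value list per CVE with "summary" filtered out, a small module-level helper would make each section a single call and keep that filtering rule in one place; the per-line format and the heading strings stay exactly as they are. print_report starts before this hunk and continues after it.
```python
def _print_cve_section(heading, cves):
    """Print one report section: the heading with a count, then one key:value list per CVE (summary omitted)."""
    print("\n%s: %d \n" % (heading, len(cves)))
    for cve in cves:
        print([key + ":" + str(value) for key, value in cve.items() if key != "summary"])

# … unchanged: earlier sections of print_report …
    _print_cve_section("CVEs with no plans to fix (Won't Fix or Invalid)",
                       cves_report["cves_wont_fix"])
```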
@@ -209,8 +221,13 @@ def main():
 and ("N" in cve["au"] or "S" in cve["au"])
 and ("P" in cve["ai"] or "C" in cve["ai"])):
 if cve["status"] == "fixed":
- if find_lp_assigned(cve["id"]):
- cves_to_fix_lp.append(cve)
+ bug = find_lp_assigned(cve["id"])
+ if (bug):
+ print(bug["status"])
+ if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):
+ cves_wont_fix.append(cve)
+ else:
+ cves_to_fix_lp.append(cve)
 else:
 cves_to_fix.append(cve)
 else:
@@ -222,6 +239,7 @@ def main():
 cves_report["cves_to_fix_lp"] = cves_to_fix_lp
 cves_report["cves_to_track"] = cves_to_track
 cves_report["cves_w_errors"] = cves_w_errors
+ cves_report["cves_wont_fix"] = cves_wont_fix
 cves_report["cves_to_omit"] = cves_to_omit
 
 print_report(cves_report, title)
diff --git a/cve_support/lp.py b/cve_support/lp.py
index 6a2d2edd..2d071676 100644
--- a/cve_support/lp.py
+++ b/cve_support/lp.py
@@ -12,7 +12,6 @@ import os
 from os import path
 from launchpadlib.launchpad import Launchpad
 
-
 # Filter the open bugs
 STATUSES = [
 'New',
@@ -22,6 +21,8 @@ STATUSES = [
 'In Progress',
 'Fix Committed',
 'Fix Released',
+ "Invalid",
+ "Won't Fix",
 ]
 
 CACHEDIR = path.join('/tmp', os.environ['USER'], '.launchpadlib/cache')
@@ -37,12 +38,13 @@ def search_upstrem_lps():
 ('lplib.cookbook.json_fetcher', 'production', CACHEDIR, version='devel')
 project = launchpad.projects['starlingx']
 
- tasks = project.searchTasks(status=STATUSES)
+ tasks = project.searchTasks(status=STATUSES, has_cve=True)
 for task in tasks:
 bug = task.bug
 if ("cve" in bug.title.lower()):
 bug_dic = {}
 bug_dic['id'] = bug.id
+ bug_dic['status'] = task.status
 bug_dic['title'] = bug.title
 bug_dic['link'] = bug.self_link
 DATA.append(bug_dic)
@@ -75,6 +77,7 @@ def main():
 Sanity test
 """
 cve_ids = ["CVE-2019-0160",\
+ "CVE-2018-7536",\
 "CVE-2019-11810",\
 "CVE-2019-11811",\
 "CVE-2018-15686",\
diff --git a/cve_support/template.txt b/cve_support/template.txt
index 04763f15..dcaea04f 100644
--- a/cve_support/template.txt
+++ b/cve_support/template.txt
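Review bot: `print(bug["status"])` in the new branch of main looks like leftover debugging: it writes the raw Launchpad status to stdout for every fixed CVE that has an LP bug, interleaved with the report that print_report produces later, and nothing consumes it. Drop it, and the status test reads better as a membership check, `if bug["status"] in ("Invalid", "Won't Fix"):`, with `if bug:` losing its parentheses. The branch also assumes every dict find_lp_assigned returns carries a "status" key; find_lp_assigned is not in this hunk, so if it can still serve entries written before lp.py recorded task status this would raise KeyError, and `bug.get("status")` would be the defensive form. main starts before this hunk and continues after it.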
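Review bot: The comment directly above this list, `# Filter the open bugs` in the previous hunk's context, no longer describes it once "Invalid" and "Won't Fix" are added, since both are closed states included here so that triaged-away CVE bugs still reach the report. Replace it with `# Bug-task statuses to search: the open states plus Invalid / Won't Fix, so CVEs triaged as not applicable still appear in the report`. The two new entries also use double quotes while the rest of the list uses single quotes; only "Won't Fix" needs them, so `'Invalid',` fits the existing style.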
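Review bot: Adding `has_cve=True` to searchTasks narrows the query to bug tasks that Launchpad has linked to a CVE record, on top of the existing title check, so a bug that mentions a CVE only in its title and has no linked CVE is now silently absent from DATA and therefore from whatever find_lp_assigned returns; if that narrowing is intended, say so with `# has_cve: only tasks with a linked CVE record; title-only mentions are no longer returned`, otherwise keep the previous call. Separately, `bug_dic['status'] = task.status` records the status of the task being iterated, and since one bug can carry several tasks and DATA is appended per task, the same bug id can appear more than once with different statuses, which presumably makes the Invalid / Won't Fix decision depend on which entry find_lp_assigned reaches first. Keying DATA by bug id, or recording the statuses of all of a bug's tasks, would make that decision deterministic. search_upstrem_lps starts before this hunk and continues after it.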
@@ -67,6 +67,29 @@ {% endfor %} {% endif %} +

CVEs that are Invalid or Won't Fix: {{cves_wont_fix | length}}

+ + {% if cves_wont_fix|length >= 1 %} + + {% for head in heads %} + + {% endfor %} + + + {% for cve in cves_wont_fix %} + + + + + + + + + + {% endfor %} + {% endif %} +
{{head}}
{{cve["id"]}}{{cve["status"]}}{{cve["cvss2Score"]}}{{cve["av"]}}{{cve["ac"]}}{{cve["au"]}}{{cve["ai"]}}
+

CVEs to omit: {{cves_to_omit | length}}

{% if cves_to_omit|length >= 1 %}