Update filter to track won't fix or invalid bugs

The Security team wants to be able to mark bugs as Won't Fix or
Invalid when the CVE pertains to an upstream component or driver
that we do not include in StarlingX

Story: 2007538
Task: 39357
Change-Id: I030f4ea0a7b9132b23796d7acf6c2650770b1d44
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Saul Wold 2020-04-10 13:12:45 -07:00
parent 988b0fd88a
commit ae486fa9af
3 changed files with 48 additions and 4 deletions


@ -28,6 +28,7 @@ def print_html_report(cves_report, title):
output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\ output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\
cves_to_fix_lp=cves_report["cves_to_fix_lp"],\ cves_to_fix_lp=cves_report["cves_to_fix_lp"],\
cves_to_track=cves_report["cves_to_track"],\ cves_to_track=cves_report["cves_to_track"],\
cves_wont_fix=cves_report["cves_wont_fix"],\
cves_w_errors=cves_report["cves_w_errors"],\ cves_w_errors=cves_report["cves_w_errors"],\
cves_to_omit=cves_report["cves_to_omit"],\ cves_to_omit=cves_report["cves_to_omit"],\
heads=heads,\ heads=heads,\
@ -77,6 +78,16 @@ def print_report(cves_report, title):
cve_line.append(key + ":" + str(value)) cve_line.append(key + ":" + str(value))
print(cve_line) print(cve_line)
print("\nCVEs with no plans to fix (Won't Fix or Invalid): %d \n" \
% (len(cves_report["cves_wont_fix"])))
for cve in cves_report["cves_wont_fix"]:
cve_line = []
for key, value in cve.items():
if key != "summary":
cve_line.append(key + ":" + str(value))
print(cve_line)
print("\nERROR: CVEs that have no cvss2Score or cvss2Vector: %d \n" \ print("\nERROR: CVEs that have no cvss2Score or cvss2Vector: %d \n" \
% (len(cves_report["cves_w_errors"]))) % (len(cves_report["cves_w_errors"])))
for cve in cves_report["cves_w_errors"]: for cve in cves_report["cves_w_errors"]:
@ -142,6 +153,7 @@ def main():
cves_to_fix_lp = [] cves_to_fix_lp = []
cves_to_track = [] cves_to_track = []
cves_w_errors = [] cves_w_errors = []
cves_wont_fix = []
cves_to_omit = [] cves_to_omit = []
cves_report = {} cves_report = {}
@ -209,7 +221,12 @@ def main():
and ("N" in cve["au"] or "S" in cve["au"]) and ("N" in cve["au"] or "S" in cve["au"])
and ("P" in cve["ai"] or "C" in cve["ai"])): and ("P" in cve["ai"] or "C" in cve["ai"])):
if cve["status"] == "fixed": if cve["status"] == "fixed":
if find_lp_assigned(cve["id"]): bug = find_lp_assigned(cve["id"])
if (bug):
print(bug["status"])
if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):
cves_wont_fix.append(cve)
else:
cves_to_fix_lp.append(cve) cves_to_fix_lp.append(cve)
else: else:
cves_to_fix.append(cve) cves_to_fix.append(cve)
@ -222,6 +239,7 @@ def main():
cves_report["cves_to_fix_lp"] = cves_to_fix_lp cves_report["cves_to_fix_lp"] = cves_to_fix_lp
cves_report["cves_to_track"] = cves_to_track cves_report["cves_to_track"] = cves_to_track
cves_report["cves_w_errors"] = cves_w_errors cves_report["cves_w_errors"] = cves_w_errors
cves_report["cves_wont_fix"] = cves_wont_fix
cves_report["cves_to_omit"] = cves_to_omit cves_report["cves_to_omit"] = cves_to_omit
print_report(cves_report, title) print_report(cves_report, title)
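Review bot: The `print(bug["status"])` added right after the new `if (bug):` in main() looks like a leftover debug print — it writes the raw Launchpad status into the middle of the text report for every fixed CVE that has a bug, so it should be dropped or go through the report lists like everything else. The parentheses in `if (bug):` and `if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):` are also unneeded; `if bug:` and `if bug["status"] in ("Invalid", "Won't Fix"):` match how the rest of the file is written. Note that Launchpad's Invalid status is also used for mis-filed or duplicate reports, not only for "component not shipped", so a CVE whose bug was closed Invalid for another reason silently leaves the to-fix list; a short comment stating that this is intended, or an additional check on the bug, would make that choice explicit. main() continues outside the hunk.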


@ -12,7 +12,6 @@ import os
from os import path from os import path
from launchpadlib.launchpad import Launchpad from launchpadlib.launchpad import Launchpad
# Filter the open bugs # Filter the open bugs
STATUSES = [ STATUSES = [
'New', 'New',
@ -22,6 +21,8 @@ STATUSES = [
'In Progress', 'In Progress',
'Fix Committed', 'Fix Committed',
'Fix Released', 'Fix Released',
"Invalid",
"Won't Fix",
] ]
CACHEDIR = path.join('/tmp', os.environ['USER'], '.launchpadlib/cache') CACHEDIR = path.join('/tmp', os.environ['USER'], '.launchpadlib/cache')
@ -37,12 +38,13 @@ def search_upstrem_lps():
('lplib.cookbook.json_fetcher', 'production', ('lplib.cookbook.json_fetcher', 'production',
CACHEDIR, version='devel') CACHEDIR, version='devel')
project = launchpad.projects['starlingx'] project = launchpad.projects['starlingx']
tasks = project.searchTasks(status=STATUSES) tasks = project.searchTasks(status=STATUSES, has_cve=True)
for task in tasks: for task in tasks:
bug = task.bug bug = task.bug
if ("cve" in bug.title.lower()): if ("cve" in bug.title.lower()):
bug_dic = {} bug_dic = {}
bug_dic['id'] = bug.id bug_dic['id'] = bug.id
bug_dic['status'] = task.status
bug_dic['title'] = bug.title bug_dic['title'] = bug.title
bug_dic['link'] = bug.self_link bug_dic['link'] = bug.self_link
DATA.append(bug_dic) DATA.append(bug_dic)
@ -75,6 +77,7 @@ def main():
Sanity test Sanity test
""" """
cve_ids = ["CVE-2019-0160",\ cve_ids = ["CVE-2019-0160",\
"CVE-2018-7536",\
"CVE-2019-11810",\ "CVE-2019-11810",\
"CVE-2019-11811",\ "CVE-2019-11811",\
"CVE-2018-15686",\ "CVE-2018-15686",\
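Review bot: `bug_dic['status'] = task.status` in search_upstrem_lps() records the status of a single task, but the loop appends one DATA entry per task, so a bug with several tasks (a CVE targeted to more than one series, for instance) yields several entries that can carry different statuses, and which one find_lp_assigned() later hands to the report is not visible here — a CVE could be reported as Won't Fix because one series task was closed while another is still In Progress. Consider keying DATA by bug id and keeping the most active status, or all of them, rather than whichever task the search returns first. With `has_cve=True` the server already restricts the search to tasks with a linked CVE, yet the `"cve" in bug.title.lower()` filter is kept, so a bug with a linked CVE but no "CVE" in its title is now dropped; if the title check was only a stand-in for the missing server-side filter it can go. The comment above STATUSES, `# Filter the open bugs`, is now stale since the list deliberately includes Invalid and Won't Fix; `# Task statuses to fetch: open, fixed, and the closed states the report lists as Won't Fix / Invalid` would describe it. search_upstrem_lps() ends outside the hunk.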


@ -67,6 +67,29 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
</table> </table>
<h2> CVEs that are Invalid or Won't Fix: {{cves_wont_fix | length}}</h2>
<table>
{% if cves_wont_fix|length >= 1 %}
<tr>
{% for head in heads %}
<th>{{head}}</th>
{% endfor %}
</tr>
{% for cve in cves_wont_fix %}
<tr>
<td>{{cve["id"]}}</td>
<td>{{cve["status"]}}</td>
<td>{{cve["cvss2Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["au"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
{% endfor %}
{% endif %}
</table>
<h2> CVEs to omit: {{cves_to_omit | length}}</h2> <h2> CVEs to omit: {{cves_to_omit | length}}</h2>
<table> <table>
{% if cves_to_omit|length >= 1 %} {% if cves_to_omit|length >= 1 %}