starlingx/tools
Code Issues Proposed changes

Update filter to track won't fix or invalid bugs

Browse Source 
The Security team wants to be able to mark bugs as Won't Fix or
Invalid when the CVE pertains to an upstream component or driver
that we do not include in StarlingX

Story: 2007538
Task: 39357
Change-Id: I030f4ea0a7b9132b23796d7acf6c2650770b1d44
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This commit is contained in:
Saul Wold 2020-04-10 13:12:45 -07:00
parent 988b0fd88a
commit ae486fa9af
3 changed files with 48 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
cve_support/cve_policy_filter.py
View File

@ -28,6 +28,7 @@ def print_html_report(cves_report, title):
output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\
cves_to_fix_lp=cves_report["cves_to_fix_lp"],\
cves_to_track=cves_report["cves_to_track"],\
cves_wont_fix=cves_report["cves_wont_fix"],\
cves_w_errors=cves_report["cves_w_errors"],\
cves_to_omit=cves_report["cves_to_omit"],\
heads=heads,\
@ -77,6 +78,16 @@ def print_report(cves_report, title):
cve_line.append(key + ":" + str(value))
print(cve_line)
print("\nCVEs with no plans to fix (Won't Fix or Invalid): %d \n" \
% (len(cves_report["cves_wont_fix"])))
for cve in cves_report["cves_wont_fix"]:
cve_line = []
for key, value in cve.items():
if key != "summary":
cve_line.append(key + ":" + str(value))
print(cve_line)
print("\nERROR: CVEs that have no cvss2Score or cvss2Vector: %d \n" \
% (len(cves_report["cves_w_errors"])))
for cve in cves_report["cves_w_errors"]:
@ -142,6 +153,7 @@ def main():
cves_to_fix_lp = []
cves_to_track = []
cves_w_errors = []
cves_wont_fix = []
cves_to_omit = []
cves_report = {}
@ -209,7 +221,12 @@ def main():
and ("N" in cve["au"] or "S" in cve["au"])
and ("P" in cve["ai"] or "C" in cve["ai"])):
if cve["status"] == "fixed":
if find_lp_assigned(cve["id"]):
bug = find_lp_assigned(cve["id"])
if (bug):
print(bug["status"])
if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):
cves_wont_fix.append(cve)
else:
cves_to_fix_lp.append(cve)
else:
cves_to_fix.append(cve)
@ -222,6 +239,7 @@ def main():
cves_report["cves_to_fix_lp"] = cves_to_fix_lp
cves_report["cves_to_track"] = cves_to_track
cves_report["cves_w_errors"] = cves_w_errors
cves_report["cves_wont_fix"] = cves_wont_fix
cves_report["cves_to_omit"] = cves_to_omit
print_report(cves_report, title)

7
cve_support/lp.py
View File

@ -12,7 +12,6 @@ import os
from os import path
from launchpadlib.launchpad import Launchpad
# Filter the open bugs
STATUSES = [
'New',
@ -22,6 +21,8 @@ STATUSES = [
'In Progress',
'Fix Committed',
'Fix Released',
"Invalid",
"Won't Fix",
]
CACHEDIR = path.join('/tmp', os.environ['USER'], '.launchpadlib/cache')
@ -37,12 +38,13 @@ def search_upstrem_lps():
('lplib.cookbook.json_fetcher', 'production',
CACHEDIR, version='devel')
project = launchpad.projects['starlingx']
tasks = project.searchTasks(status=STATUSES)
tasks = project.searchTasks(status=STATUSES, has_cve=True)
for task in tasks:
bug = task.bug
if ("cve" in bug.title.lower()):
bug_dic = {}
bug_dic['id'] = bug.id
bug_dic['status'] = task.status
bug_dic['title'] = bug.title
bug_dic['link'] = bug.self_link
DATA.append(bug_dic)
@ -75,6 +77,7 @@ def main():
Sanity test
"""
cve_ids = ["CVE-2019-0160",\
"CVE-2018-7536",\
"CVE-2019-11810",\
"CVE-2019-11811",\
"CVE-2018-15686",\

23
cve_support/template.txt
View File

@ -67,6 +67,29 @@
{% endfor %}
{% endif %}
</table>
<h2> CVEs that are Invalid or Won't Fix: {{cves_wont_fix | length}}</h2>
<table>
{% if cves_wont_fix|length >= 1 %}
<tr>
{% for head in heads %}
<th>{{head}}</th>
{% endfor %}
</tr>
{% for cve in cves_wont_fix %}
<tr>
<td>{{cve["id"]}}</td>
<td>{{cve["status"]}}</td>
<td>{{cve["cvss2Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["au"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
{% endfor %}
{% endif %}
</table>
<h2> CVEs to omit: {{cves_to_omit | length}}</h2>
<table>
{% if cves_to_omit|length >= 1 %}