Now the latest JSON-format result file includes several items
in the set data["scannedCves"][cve_id]["cveContents"]["nvd"], so
the original usage is no longer available to filter CVE info.
So it is time to drop the exception that is raised when the
length is greater than 1; it would fail by throwing that
exception. We are going to use the condition 'source=nvd@nist.gov'
to get the accurate CVE information instead.
Another update is to expand the function find_lp_assigned by
adding a new condition to find the CVE ID in the description section
of the LP page. As the length of the title is limited, if one page is
used to track many CVE issues, the length may not be enough to
record all CVE ID items.
Closes-Bug: 2059996
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia7dfee5db53baaa82a8e6dd9d5dde8a31da5bcc2
With the LP page of the CVE issue in 'Fix Released' status, the
CVE won't be reported in the cves_to_fix_lp list. We create a
new cves_to_track_lp_fixed list to check whether a newer fix
is provided under the same CVE for the 'stx' versioned package,
so that we can recognize when a fixed LP is actually not fixed.
Monthly we need to double-check the cves_to_track_lp_fixed list
if it is not empty in the report.
TestPlan:
PASS: python3 cve_policy_filter.py localhost.json test cvssv3
Report the fixed LP of the CVE issue in the cves_to_fix_lp list.
Story: 2010387
Task: 46683
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: If910a4e58a2a6e2f575c4bad67cd6d19f23ad3f1
To support the monthly master StarlingX CVE scans with the new CVSS v3
policy, we run the filter with the following policy criteria:
Base score >= 7.0
Base Metrics have the following:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None or Low
Availability Impact: High or Low
User Interaction: None
A correction is available upstream
We can see the policy here:
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
Meanwhile, update the HTML report template with the new criteria.
TestPlan:
PASS: python3 cve_policy_filter.py localhost.json master_V3_Sep_29_2022 cvssv3
Story: 2010387
Task: 46683
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I8ab91805b4d78c218aee85f94b6cc25929948417
Since the vulsscan upstream commit
[https://github.com/future-architect/vuls/commit/96c3592db1c4b3d658e8e8169fdc17c670e48379]
has been merged, the list type for nvd and jvn items was added to the vulsscan result data.
For example, this part of the JSON result changed
from
  "scannedCves": {
    "CVE-2015-8035": {
      "cveContents": {
        "nvd": {
          "type": "nvd",
          "cveID": "CVE-2015-8035",
          "title": "",
          "summary": "The xz_decomp function in xzlib.c in libxml2 \
            2.9.1 does not properly detect compression errors, which \
            allows context-dependent attackers to cause a denial of \
            service (process hang) via crafted XML data.",
          "cvss2Score": 2.6,
          "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
          "cvss2Severity": "LOW",
          "cvss3Score": 0,
          "cvss3Vector": "",
          ...
        },
      },
    },
  }
to
  "scannedCves": {
    "CVE-2015-8035": {
      "cveContents": {
        "nvd": [
          {
            "type": "nvd",
            "cveID": "CVE-2015-8035",
            "title": "",
            "summary": "The xz_decomp function in xzlib.c in libxml2 \
              2.9.1 does not properly detect compression errors, which \
              allows context-dependent attackers to cause a denial of \
              service (process hang) via crafted XML data.",
            "cvss2Score": 2.6,
            "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "cvss2Severity": "LOW",
            "cvss3Score": 0,
            "cvss3Vector": "",
            ...
          },
        ],
      },
    },
  }
There is only one item within the NVD area according to the latest vulsscan result data set.
Meanwhile we can see two items within the JVN area for CVE-2018-5407, as follows:
  "cveContents": {
    "jvn": [
      {
        "type": "jvn",
        "cveID": "CVE-2018-5407",
        "cvss2Score": 1.9,
        "title": "HPE Integrated Lights-Out 5, HPE Integrated Lights-Out 4",
        "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
      },
      {
        "type": "jvn",
        "cveID": "CVE-2018-5407",
        "title": "Information disclosure vulnerability in Simultaneous Multi-threading",
        "cvss2Score": 9,
        "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
      }
    ],
As Michel and Mark suggested, we don't see anything obvious in the log and descriptions,
by way of plans, to indicate whether we should expect more than one item in the NVD area.
Now we update the cve_policy_filter.py parser for NVD accordingly, and add an exception
that is raised in case it ever happens, which will allow us to react to the occurrence
when the NVD length is more than 1.
Therefore, when generating the CVE report we can avoid the following error:
Traceback (most recent call last):
  File "cve_support/cve_policy_filter.py", line 345, in <module>
    main()
  File "cve_support/cve_policy_filter.py", line 338, in main
    cvssv2_parse_n_report(cves,title,data)
  File "cve_support/cve_policy_filter.py", line 269, in cvssv2_parse_n_report
    nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
TypeError: list indices must be integers or slices, not str
Change-Id: I847938fde14d6240637537e964578758289b56f5
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Added new files for CVSSv3 scan report generation
Added new files:
new file: cve_policy_filter.py
new file: template_v3.txt
Change-Id: I93978825f973435eb34a0c8e6b3d18e1ac580595
Signed-off-by: Sanjay K Mukherjee <sanjay.k.mukherjee@intel.com>
The upstream seems to have added a new 'fixedIn' key instead of just the
'notFixedYet' key to the pkg map, so we need to change the logic for
setting the correct status.
The assumption of allfixed = fixed is because there are multiple packages
and any one NotFixedYet will invalidate the allfixed at the CVE level.
Do some code clean-up along the way by removing get_status().
Change-Id: Ib896655b8cf81af2a9531e87964d8e37f74da7c2
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The Security team wants to be able to mark bugs as Won't Fix or
Invalid when the CVE pertains to an upstream component or driver
that we do not include in StarlingX.
Story: 2007538
Task: 39357
Change-Id: I030f4ea0a7b9132b23796d7acf6c2650770b1d44
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This patch fixes a bug in the CVE report generation. It needs to iterate
over the cves_w_errors list instead of cves_to_track.
Closes-Bug: 1859482
Change-Id: Ic61acadf650733b9d7a7d6763c99b0f85394f1a2
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
This change enables the capability to track whether a CVE to be fixed already
has an open Launchpad bug in StarlingX: https://bugs.launchpad.net/starlingx/
This will help the security team to focus on the CVEs that do not
have a Launchpad bug already open, reducing the overhead of analysis of CVEs
already presented to the development team.
Story: 2006971
Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
Vulscan generates reports for all the CVEs discovered and valid on the STX ISO.
However, according to the STX CVE policy:
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
only CVEs meeting the following criteria are accepted for fixing:
Criticality >= 7
Base Vector as:
AV = Network
AC = Low
Au = None or Single
AI = Partial or Complete
And a fix is available upstream
The script filters the JSON file generated by the vuls scan:
https://vuls.io/docs/en/install-with-vulsctl.html
Example of a JSON file from CentOS 7.7:
https://pastebin.com/dNEHx6yd
Change-Id: I2481f5fa39f92558d51c612a288a0c9ee08ebe6e
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
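The commit messages above describe several pieces of one filter: selecting the nvd@nist.gov item once "nvd" became a list, applying the CVSS v3 policy (and the original CVSS v2 policy from the first commit), and treating "a correction is available upstream" as "no affected package is still notFixedYet". The following is an added, self-contained example written for this page; it is not the project's cve_policy_filter.py. It assumes, beyond what the page shows, that vuls records the provider name in cveContents.nvd[i].optional.source and the per-package fix state in affectedPackages[].notFixedYet/fixedIn; the sample report is constructed, with placeholder CVE-0000-000x identifiers and the CVE-2015-8035 values quoted on this page. It generalizes the page's single-metric check to both vector formats and surfaces a missing NIST item as an error rather than aborting the whole run.

```python
"""Filter a vuls JSON report against the StarlingX CVE policy."""
import json

NVD_SOURCE = "nvd@nist.gov"


def parse_vector(vector):
    """CVSS vector -> metric dict; accepts v2 "AV:N/AC:H/..." and v3
    "CVSS:3.x/AV:N/..." strings. An empty vector (no data) -> {}."""
    if not vector:
        return {}
    parts = vector.split("/")
    if parts[0].upper().startswith("CVSS:"):
        parts = parts[1:]
    return dict(part.split(":", 1) for part in parts)


def nvd_content(cve_entry):
    """Pick the nvd@nist.gov item from the list-form "nvd" content.
    Assumption (not on this page): vuls stores the provider name in
    cveContents.nvd[i].optional.source. One untagged item is used as-is;
    several items with no NIST entry raise instead of silently scoring
    the wrong entry, so a schema change is noticed."""
    items = cve_entry["cveContents"].get("nvd", [])
    if isinstance(items, dict):  # pre-list layout: a single object
        items = [items]
    for item in items:
        if item.get("optional", {}).get("source") == NVD_SOURCE:
            return item
    if len(items) == 1:
        return items[0]
    raise ValueError("no %s item among %d nvd items" % (NVD_SOURCE, len(items)))


def fix_available(cve_entry):
    """'A correction is available upstream': all affected packages are
    fixed. Assumption: state is affectedPackages[].notFixedYet (next to
    fixedIn); any one unfixed package invalidates allfixed for the CVE."""
    pkgs = cve_entry.get("affectedPackages", [])
    return bool(pkgs) and not any(p.get("notFixedYet") for p in pkgs)


def meets_v3_policy(cve_entry):
    """Score >= 7.0, AV:N, AC:L, PR:N|L, UI:N, A:H|L, fix upstream."""
    nvd = nvd_content(cve_entry)
    m = parse_vector(nvd.get("cvss3Vector", ""))  # {} when no v3 data
    return bool(m) and (float(nvd.get("cvss3Score", 0)) >= 7.0
                        and m.get("AV") == "N" and m.get("AC") == "L"
                        and m.get("PR") in ("N", "L") and m.get("UI") == "N"
                        and m.get("A") in ("H", "L") and fix_available(cve_entry))


def meets_v2_policy(cve_entry):
    """Original policy: score >= 7, AV:N, AC:L, Au:N|S, A:P|C, fix."""
    nvd = nvd_content(cve_entry)
    m = parse_vector(nvd.get("cvss2Vector", ""))
    return bool(m) and (float(nvd.get("cvss2Score", 0)) >= 7.0
                        and m.get("AV") == "N" and m.get("AC") == "L"
                        and m.get("Au") in ("N", "S") and m.get("A") in ("P", "C")
                        and fix_available(cve_entry))


def filter_report(report_json, policy=meets_v3_policy):
    """Return (sorted accepted CVE ids, [(cve_id, error message)])."""
    data = json.loads(report_json)
    accepted, errors = [], []
    for cve_id, entry in data["scannedCves"].items():
        try:
            if policy(entry):
                accepted.append(cve_id)
        except (KeyError, ValueError, TypeError) as exc:
            errors.append((cve_id, str(exc)))  # report it, do not abort the run
    return sorted(accepted), errors


def _cve(nvd_items, packages):  # helper to build constructed entries
    return {"cveContents": {"nvd": nvd_items}, "affectedPackages": packages}


NIST = {"type": "nvd", "optional": {"source": NVD_SOURCE}}
# Constructed sample (not real scan data): CVE-0000-000x are placeholder
# ids; CVE-2015-8035 reuses the values quoted on this page.
SAMPLE_REPORT = json.dumps({"scannedCves": {
    # CNA-sourced item listed first, NIST item second: the NIST one counts
    "CVE-0000-0001": _cve([
        {"type": "nvd", "optional": {"source": "cna@example.invalid"},
         "cvss3Score": 5.0, "cvss3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"},
        dict(NIST, cvss3Score=8.8, cvss3Vector="CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H")],
        [{"name": "pkg-a", "notFixedYet": False, "fixedIn": "1.2-3"}]),
    # metrics pass, but one of the two packages has no fix yet
    "CVE-0000-0002": _cve(
        [dict(NIST, cvss3Score=9.8, cvss3Vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")],
        [{"name": "pkg-b", "notFixedYet": False}, {"name": "pkg-c", "notFixedYet": True}]),
    # two items, neither tagged as NIST: surfaces as an error, not a score
    "CVE-0000-0004": _cve([{"type": "nvd", "cvss3Score": 7.5},
                           {"type": "nvd", "cvss3Score": 7.5}], []),
    # the page's own values: v2 data only, below the threshold
    "CVE-2015-8035": _cve([{"type": "nvd", "cvss2Score": 2.6,
                            "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                            "cvss3Score": 0, "cvss3Vector": ""}],
                          [{"name": "libxml2", "notFixedYet": False}]),
}})

if __name__ == "__main__":
    print(filter_report(SAMPLE_REPORT))                   # v3 policy
    print(filter_report(SAMPLE_REPORT, meets_v2_policy))  # v2 policy
```

Run against the constructed report, the v3 policy accepts only CVE-0000-0001 (the NIST item wins over the CNA item listed ahead of it), rejects CVE-0000-0002 because one package is still notFixedYet, and lists CVE-0000-0004 under errors rather than crashing, which is the behaviour the traceback in the commit message above was avoiding. Feeding a real vuls report is a matter of passing the file contents to filter_report.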