10 Commits

Author SHA1 Message Date
Zhixiong Chi
9cdb43da42 cve_policy_filter.py: Get the filter data from nvd@nist.gov item
Now the latest json format result file includes several items
in the set data["scannedCves"][cve_id]["cveContents"]["nvd"], so
the original usage is not available to filter CVE info anymore.

So it's time to drop the exception which is raised on the condition
that the length is greater than 1. It will fail by throwing the
exception. We are going to use the condition 'source=nvd@nist.gov'
to get the accurate CVE information instead.

Another update is to expand the function find_lp_assigned by
adding a new condition to find the CVE id in the description section
of the LP page. As the length of the title is limited, if one page is
used to track many CVE issues, the length may not be enough to
record all CVE ID items.

Closes-Bug: 2059996

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia7dfee5db53baaa82a8e6dd9d5dde8a31da5bcc2
2024-04-22 23:15:10 -04:00
Zhixiong Chi
362d2aa36d cve_policy_filter: Create new list to track the fixed LP CVE issue
When the LP page of the CVE issue is in 'Fix Released' status, the
CVE won't be reported in the cves_to_fix_lp list. We create a
new cves_to_track_lp_fixed list to check if a newer fix
is provided under the same CVE for the 'stx' versioned package,
so that we can recognize when a fixed LP is actually not fixed.
Monthly we need to double check the cves_to_track_lp_fixed list
if it's not empty in the report.

TestPlan:
Pass: python3 cve_policy_filter.py localhost.json test cvssv3
      Report the fixed LP of CVE issue in cves_to_fix_lp list.

Story: 2010387
Task: 46683

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: If910a4e58a2a6e2f575c4bad67cd6d19f23ad3f1
2022-12-04 21:01:51 -05:00
Zhixiong Chi
509d901837 cve_policy_filter: Adjust the cvssv3 metrics
To support the monthly master StarlingX CVE scans with the new CVSS v3
policy, we run the filter criteria as the following policy:
    Base score >= 7.0
    Base Metrics have the following:
        Attack Vector: Network
        Attack Complexity: Low
        Privileges Required: None or Low
        Availability Impact: High or Low
        User Interaction: None
    A correction is available upstream

We can see the policy here:
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy

Meanwhile update the html report template with new criteria.

TestPlan:
PASS: python3 cve_policy_filter.py  localhost.json master_V3_Sep_29_2022 cvssv3

Story: 2010387
Task: 46683

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I8ab91805b4d78c218aee85f94b6cc25929948417
2022-11-03 11:09:12 -04:00
Zhixiong Chi
87b94e70d0 cve_policy_filter: Upstream vulsscan json data format changed
Since vulsscan upstream commit [https://github.com/future-architect/
vuls/commit/96c3592db1c4b3d658e8e8169fdc17c670e48379] has been merged,
the list type for nvd and jvn items was added in vulsscan data result.

For example the part of json result changed
from
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": {
                    "type": "nvd",
                    "cveID": "CVE-2015-8035",
                    "title": "",
                    "summary": "The xz_decomp function in xzlib.c in libxml2 \
                     2.9.1 does not properly detect compression errors, which \
                     allows context-dependent attackers to cause a denial of \
                     service (process hang) via crafted XML data.",
                    "cvss2Score": 2.6,
                    "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                    "cvss2Severity": "LOW",
                    "cvss3Score": 0,
                    "cvss3Vector": "",
                    ...
                },
            },
        },
    }

to
    "scannedCves": {
        "CVE-2015-8035": {
            "cveContents": {
                "nvd": [
                    {
                        "type": "nvd",
                        "cveID": "CVE-2015-8035",
                        "title": "",
                        "summary": "The xz_decomp function in xzlib.c in libxml2 \
                         2.9.1 does not properly detect compression errors, which \
                         allows context-dependent attackers to cause a denial of \
                         service (process hang) via crafted XML data.",
                        "cvss2Score": 2.6,
                        "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                        "cvss2Severity": "LOW",
                        "cvss3Score": 0,
                        "cvss3Vector": "",
                        ...
                    },
                ],
            },
        },
   }

There is only one item within NVD area according to the latest vulsscan result data set.
Meanwhile we can only see two items within JVN area for the CVE-2018-5407 as follows:

"cveContents": {
    "jvn": [
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "cvss2Score": 1.9,
            "title": "HPE Integrated Lights-Out 5、HPE Integrated Lights-Out 4
            "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
        },
        {
            "type": "jvn",
            "cveID": "CVE-2018-5407",
            "title": "Simultaneous Multi-threading における情報漏えいに関する脆弱性",
            "cvss2Score": 9,
            "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
        }
    ],

As Michel and Mark suggested, we don't see anything obvious in the log and descriptions
by way of plans to indicate if we should expect more than one item in the NVD area.
Now we update it in cve_policy_filter.py parser for NVD, and add an exception raised
in case it ever happens, which will allow us to react to the occurrence when the NVD length
is more than 1.

Therefore when getting the cve report we can avoid the following error:

 Traceback (most recent call last):
   File "cve_support/cve_policy_filter.py", line 345, in <module>
     main()
   File "cve_support/cve_policy_filter.py", line 338, in main
     cvssv2_parse_n_report(cves,title,data)
   File "cve_support/cve_policy_filter.py", line 269, in cvssv2_parse_n_report
     nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
 TypeError: list indices must be integers or slices, not str

Change-Id: I847938fde14d6240637537e964578758289b56f5
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-10-24 23:31:38 -04:00
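The two parser changes recorded on this page (accepting cveContents["nvd"] as either a dict or a list, from the "Upstream vulsscan json data format changed" commit directly above, and preferring the item whose source is nvd@nist.gov when several are present, from the "Get the filter data from nvd@nist.gov item" commit at the top) can be combined into one selection routine. The following is an added example written for this page, not code from cve_policy_filter.py or from vuls. The scannedCves sample is constructed, the CVE-0000-* ids are placeholders, and the 'source' key name is taken from the commit message. The title/description search at the end sketches the find_lp_assigned extension from the first commit with the Launchpad bug text supplied inline rather than fetched.

```python
import re

NVD_SOURCE = "nvd@nist.gov"

# Constructed sample in the shape of vuls' "scannedCves" map, as quoted in the
# commit messages. CVE-0000-* ids are placeholders, not real CVEs.
SCANNED_CVES = {
    # pre-96c3592 format: "nvd" is a single dict
    "CVE-2015-8035": {
        "cveContents": {
            "nvd": {"type": "nvd", "cveID": "CVE-2015-8035",
                    "cvss2Score": 2.6, "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                    "cvss3Score": 0, "cvss3Vector": ""},
        },
    },
    # current format: "nvd" is a list, here with two items from different sources
    "CVE-0000-1111": {
        "cveContents": {
            "nvd": [
                {"type": "nvd", "cveID": "CVE-0000-1111", "source": "cna-a@example.org",
                 "cvss3Score": 5.5, "cvss3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
                {"type": "nvd", "cveID": "CVE-0000-1111", "source": NVD_SOURCE,
                 "cvss3Score": 8.8, "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
            ],
        },
    },
    # list format with several items but none from nvd@nist.gov
    "CVE-0000-2222": {
        "cveContents": {
            "nvd": [
                {"type": "nvd", "cveID": "CVE-0000-2222", "source": "cna-a@example.org", "cvss3Score": 4.3},
                {"type": "nvd", "cveID": "CVE-0000-2222", "source": "cna-b@example.org", "cvss3Score": 6.1},
            ],
        },
    },
}


def nvd_items(cve_entry):
    """Return the NVD items of one scannedCves entry as a list, accepting
    both the old dict form and the newer list form of cveContents["nvd"]."""
    nvd = cve_entry.get("cveContents", {}).get("nvd")
    if nvd is None:
        return []
    if isinstance(nvd, dict):
        return [nvd]
    if isinstance(nvd, list):
        return nvd
    raise TypeError("unexpected type for cveContents.nvd: %s" % type(nvd).__name__)


def select_nvd_item(cve_entry, source=NVD_SOURCE):
    """Choose the item to read scores from. A lone item is used as-is (the
    old format carries no 'source' key); among several, only the one whose
    'source' matches nvd@nist.gov is trusted, and None is returned when no
    such item exists rather than silently taking the first."""
    items = nvd_items(cve_entry)
    if len(items) == 1:
        return items[0]
    for item in items:
        if item.get("source") == source:
            return item
    return None


def nvd_scores(cve_entry):
    """Return (cvss2Score, cvss3Score) from the selected item, or (None, None)."""
    item = select_nvd_item(cve_entry)
    if item is None:
        return None, None
    return item.get("cvss2Score"), item.get("cvss3Score")


def score_table(scanned):
    """Map every scanned CVE id to its (v2, v3) scores; missing data stays None."""
    return {cve_id: nvd_scores(entry) for cve_id, entry in sorted(scanned.items())}


CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def lp_mentions_cve(title, description, cve_id):
    """Check a Launchpad bug for cve_id in its title OR description: a long
    title is truncated when one bug tracks many CVEs, so the title alone is
    not enough. Matching is case-insensitive on the CVE id pattern."""
    text = "%s\n%s" % (title, description)
    found = {m.group(0).upper() for m in CVE_ID_RE.finditer(text)}
    return cve_id.upper() in found


if __name__ == "__main__":
    for cve_id, (v2, v3) in score_table(SCANNED_CVES).items():
        print(cve_id, "cvss2:", v2, "cvss3:", v3)
```

Returning None for a multi-item list without an nvd@nist.gov entry, instead of taking the first item, keeps such CVEs visible as "no score" in the report rather than scoring them from whichever CNA happened to be listed first.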
Sanjay K Mukherjee
8be170ef57 cve_policy_filter.py supports CVSSV2 and CVSSV3 vulnerability report generation
Added new files for CVSSv3 scan report generation

  Added new files:
       new file:   cve_policy_filter.py
       new file:   template_v3.txt

Change-Id: I93978825f973435eb34a0c8e6b3d18e1ac580595
Signed-off-by: Sanjay K Mukherjee <sanjay.k.mukherjee@intel.com>
2021-02-09 14:30:20 +05:30
Saul Wold
d7ca9a0a50 cve_policy_filter: Upstream changed status keys
The upstream seems to have added a new 'fixedIn' key instead of just the
'notFixedYet' keys to the pkg map, so we need to change the logic for
setting the correct status.

The assumption of allfixed = fixed is because there are multiple packages
and any one NotFixedYet will invalidate the allfixed at the CVE level.

Do some code clean-up along the way by removing get_status()

Change-Id: Ib896655b8cf81af2a9531e87964d8e37f74da7c2
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2020-07-10 13:49:56 -07:00
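One way to carry the status logic described in the commit above, with the newer 'fixedIn' key alongside 'notFixedYet' and allfixed invalidated by any single unfixed package. This is an added example written for this page, not the script's own code; the affectedPackages layout and the key names are assumed from the commit message, and the sample data and CVE-0000-* ids are constructed.

```python
# Constructed sample of per-CVE "affectedPackages" lists. Key names
# notFixedYet (bool) and fixedIn (version string) are assumed from the
# commit message; CVE-0000-* ids are placeholders.
SAMPLE = {
    "CVE-0000-1111": {"affectedPackages": [
        {"name": "libfoo", "notFixedYet": False, "fixedIn": "1.2.3-4"},
        {"name": "libfoo-devel", "notFixedYet": False, "fixedIn": "1.2.3-4"},
    ]},
    "CVE-0000-2222": {"affectedPackages": [      # one package still unfixed
        {"name": "bar", "notFixedYet": False, "fixedIn": "2.0-1"},
        {"name": "bar-utils", "notFixedYet": True},
    ]},
    "CVE-0000-3333": {"affectedPackages": [      # only the newer key present
        {"name": "baz", "fixedIn": "3.1-0"},
    ]},
    "CVE-0000-4444": {"affectedPackages": [      # fixedIn present but empty
        {"name": "qux", "notFixedYet": False, "fixedIn": ""},
    ]},
    "CVE-0000-5555": {"affectedPackages": []},   # nothing to decide on
}


def package_fixed(pkg):
    """A package is fixed when it is not flagged notFixedYet and, if the
    scanner reports fixedIn at all, that version is non-empty. With only the
    old notFixedYet key, its False value is taken as fixed; with neither key
    the package is treated as unfixed rather than guessed fixed."""
    if pkg.get("notFixedYet", False):
        return False
    if "fixedIn" in pkg:
        return bool(pkg["fixedIn"])
    return "notFixedYet" in pkg


def cve_status(cve_entry):
    """'fixed' only when every affected package is fixed; a single unfixed
    package makes the whole CVE 'unfixed'; no packages gives 'unknown'."""
    pkgs = cve_entry.get("affectedPackages", [])
    if not pkgs:
        return "unknown"
    return "fixed" if all(package_fixed(p) for p in pkgs) else "unfixed"


def unfixed_packages(cve_entry):
    """Names of the packages that keep a CVE in the unfixed bucket."""
    return [p["name"] for p in cve_entry.get("affectedPackages", []) if not package_fixed(p)]


def split_by_status(scanned):
    """Bucket CVE ids by status, each list sorted for a stable report."""
    buckets = {"fixed": [], "unfixed": [], "unknown": []}
    for cve_id, entry in scanned.items():
        buckets[cve_status(entry)].append(cve_id)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for status, ids in split_by_status(SAMPLE).items():
        print(status, ids)
    for cve_id in split_by_status(SAMPLE)["unfixed"]:
        print(cve_id, "still unfixed in", unfixed_packages(SAMPLE[cve_id]))
```

The empty-fixedIn case is handled deliberately: a package that the scanner knows about but cannot name a fix version for should not count toward "all fixed", otherwise a CVE drops out of the to-fix list on the strength of a missing string.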
Saul Wold
ae486fa9af Update filter to track won't fix or invalid bugs
The Security team wants to be able to mark bugs as Won't Fix or
Invalid when the CVE pertains to an upstream component or driver
that we do not include in StarlingX

Story: 2007538
Task: 39357
Change-Id: I030f4ea0a7b9132b23796d7acf6c2650770b1d44
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2020-04-20 06:43:56 -07:00
VictorRodriguez
c23eddb3dc Fix bug in CVE html report generation
This patch fixes a bug in the CVEs report generation. It needs to iterate
over the cves_w_errors list instead of cves_to_track

Closes-Bug: 1859482

Change-Id: Ic61acadf650733b9d7a7d6763c99b0f85394f1a2
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
2020-01-13 13:07:41 -06:00
VictorRodriguez
063e29fe2e Add feature to check if a CVE has an open launchpad
This change enables the capability to track if a CVE to be fixed already
has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

This will help the security team to focus on the CVEs that do not
have a launchpad already open, reducing the overhead of analysis of CVEs
already presented to the development team.

Story: 2006971

Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
2019-12-03 14:50:25 -06:00
VictorRodriguez
1821816ed0 CVE policy filter script
Vulscan generates reports for all the CVEs discovered and valid on the STX iso.
However, according to the STX CVE policy:
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy

Only CVEs meeting the criteria which follows are accepted for fixing:

Criticality >= 7
Base Vector as:

AV = Network
AC = Low
Au = None or Single
AI = Partial or Complete

And a fix is available upstream

The script filters the json file generated by vuls scan:
https://vuls.io/docs/en/install-with-vulsctl.html

Example of json file from Centos 7.7:
https://pastebin.com/dNEHx6yd

Change-Id: I2481f5fa39f92558d51c612a288a0c9ee08ebe6e
Signed-off-by: VictorRodriguez <vm.rod25@gmail.com>
2019-10-27 10:03:27 -06:00
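The CVSS v2 criteria listed in the commit above and the CVSS v3 criteria from the "Adjust the cvssv3 metrics" commit earlier on this page, applied by one small checker over parsed vector strings. This is an added example for this page, not the project's cve_policy_filter.py. The records and the 'fixAvailable' flag (standing in for the "fix is available upstream" criterion, which is not encoded in the vector) are constructed, the CVE-0000-* ids are placeholders, and the CVE-2015-8035 vector is the one quoted in the format-change commit above.

```python
def parse_vector(vector):
    """Split a CVSS vector string into a metric -> value dict. The leading
    'CVSS:3.x' prefix that v3 vectors carry is skipped; v2 vectors have none."""
    metrics = {}
    for part in vector.split("/"):
        if not part or part.upper().startswith("CVSS:"):
            continue
        key, _, value = part.partition(":")
        metrics[key] = value
    return metrics


def meets_policy_v2(score, vector):
    """CVSS v2 criteria of the original policy: criticality >= 7, AV Network,
    AC Low, Au None or Single, Availability impact Partial or Complete."""
    m = parse_vector(vector)
    return (score >= 7.0 and m.get("AV") == "N" and m.get("AC") == "L"
            and m.get("Au") in ("N", "S") and m.get("A") in ("P", "C"))


def meets_policy_v3(score, vector):
    """CVSS v3 criteria of the adjusted policy: base score >= 7.0, AV Network,
    AC Low, PR None or Low, UI None, Availability impact High or Low."""
    m = parse_vector(vector)
    return (score >= 7.0 and m.get("AV") == "N" and m.get("AC") == "L"
            and m.get("PR") in ("N", "L") and m.get("UI") == "N"
            and m.get("A") in ("H", "L"))


POLICY = {"cvssv2": ("cvss2Score", "cvss2Vector", meets_policy_v2),
          "cvssv3": ("cvss3Score", "cvss3Vector", meets_policy_v3)}

# Constructed records, one per CVE, flattened from the NVD item of a scan.
RECORDS = [
    # v2 vector of CVE-2015-8035 as quoted above: AC High and low score, rejected
    {"cveID": "CVE-2015-8035", "cvss2Score": 2.6, "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
     "cvss3Score": 0, "cvss3Vector": "", "fixAvailable": True},
    # accepted under both policies
    {"cveID": "CVE-0000-1111", "cvss2Score": 7.5, "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "cvss3Score": 9.8, "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "fixAvailable": True},
    # high v3 score but no availability impact, rejected under both
    {"cveID": "CVE-0000-2222", "cvss2Score": 5.0, "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
     "cvss3Score": 7.5, "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "fixAvailable": True},
    # meets the metrics under both policies but no fix upstream yet
    {"cveID": "CVE-0000-3333", "cvss2Score": 9.0, "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
     "cvss3Score": 8.8, "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "fixAvailable": False},
    # needs user interaction: rejected under v3, accepted under v2 (no UI metric there)
    {"cveID": "CVE-0000-4444", "cvss2Score": 7.0, "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "cvss3Score": 8.8, "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
     "fixAvailable": True},
]


def filter_cves(records, version):
    """Return (to_fix, rejected) id lists under the chosen policy. A record
    is accepted only when the metric check passes AND a fix is available
    upstream. Records without a vector for that version are rejected."""
    score_key, vector_key, check = POLICY[version]
    to_fix, rejected = [], []
    for rec in records:
        score = rec.get(score_key) or 0
        vector = rec.get(vector_key) or ""
        if vector and check(float(score), vector) and rec.get("fixAvailable", False):
            to_fix.append(rec["cveID"])
        else:
            rejected.append(rec["cveID"])
    return sorted(to_fix), sorted(rejected)


if __name__ == "__main__":
    for version in ("cvssv2", "cvssv3"):
        to_fix, rejected = filter_cves(RECORDS, version)
        print(version, "to fix:", to_fix, "rejected:", rejected)
```

The v2 and v3 checks are kept as separate functions rather than one table because the metric names differ (Au versus PR, and UI exists only in v3), so the same CVE can pass one policy and fail the other, as CVE-0000-4444 does here.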