cve_policy_filter: Create new list to track the fixed LP CVE issue

When the LP page of the CVE issue is in 'Fix Released' status, the
CVE won't be reported in the cves_to_fix_lp list. We create a
new cves_to_track_lp_fixed list to check whether a newer fix
is provided under the same CVE for the 'stx' versioned package,
so that we can recognize when a 'Fix Released' LP is actually not fixed.
Monthly we need to double-check the cves_to_track_lp_fixed list
if it is not empty in the report.

TestPlan:
Pass: python3 cve_policy_filter.py localhost.json test cvssv3
      Report the fixed LP of CVE issue in cves_to_fix_lp list.

Story: 2010387
Task: 46683

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: If910a4e58a2a6e2f575c4bad67cd6d19f23ad3f1
This commit is contained in:
Zhixiong Chi 2022-12-02 10:13:02 +08:00
parent 771c7d5382
commit 362d2aa36d
3 changed files with 61 additions and 0 deletions


@ -18,6 +18,7 @@ cves_valid = []
cves_to_fix = [] cves_to_fix = []
cves_to_fix_lp = [] cves_to_fix_lp = []
cves_to_track = [] cves_to_track = []
cves_to_track_lp_fixed = []
cves_w_errors = [] cves_w_errors = []
cves_wont_fix = [] cves_wont_fix = []
cves_to_omit = [] cves_to_omit = []
@ -54,6 +55,7 @@ def print_html_report(cves_report, title):
template = template_env.get_template(template_file) template = template_env.get_template(template_file)
output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\ output_text = template.render(cves_to_fix=cves_report["cves_to_fix"],\
cves_to_fix_lp=cves_report["cves_to_fix_lp"],\ cves_to_fix_lp=cves_report["cves_to_fix_lp"],\
cves_to_track_lp_fixed=cves_report["cves_to_track_lp_fixed"],\
cves_to_track=cves_report["cves_to_track"],\ cves_to_track=cves_report["cves_to_track"],\
cves_wont_fix=cves_report["cves_wont_fix"],\ cves_wont_fix=cves_report["cves_wont_fix"],\
cves_w_errors=cves_report["cves_w_errors"],\ cves_w_errors=cves_report["cves_w_errors"],\
@ -103,6 +105,15 @@ def print_report(cves_report, title):
cve_line.append(key + ":" + str(value)) cve_line.append(key + ":" + str(value))
print(cve_line) print(cve_line)
print("\nCVEs to track for launchpad fixed: %d \n" \
% (len(cves_report["cves_to_track_lp_fixed"])))
for cve in cves_report["cves_to_track_lp_fixed"]:
cve_line = []
for key, value in cve.items():
if key != "summary":
cve_line.append(key + ":" + str(value))
print(cve_line)
print("\nCVEs to track for incoming fix: %d \n" \ print("\nCVEs to track for incoming fix: %d \n" \
% (len(cves_report["cves_to_track"]))) % (len(cves_report["cves_to_track"])))
for cve in cves_report["cves_to_track"]: for cve in cves_report["cves_to_track"]:
@ -172,6 +183,7 @@ def update_report():
cves_report["cves_to_fix"] = cves_to_fix cves_report["cves_to_fix"] = cves_to_fix
cves_report["cves_to_fix_lp"] = cves_to_fix_lp cves_report["cves_to_fix_lp"] = cves_to_fix_lp
cves_report["cves_to_track"] = cves_to_track cves_report["cves_to_track"] = cves_to_track
cves_report["cves_to_track_lp_fixed"] = cves_to_track_lp_fixed
cves_report["cves_w_errors"] = cves_w_errors cves_report["cves_w_errors"] = cves_w_errors
cves_report["cves_wont_fix"] = cves_wont_fix cves_report["cves_wont_fix"] = cves_wont_fix
cves_report["cves_to_omit"] = cves_to_omit cves_report["cves_to_omit"] = cves_to_omit
@ -193,6 +205,8 @@ def cvssv3_pb_alg():
print(bug["status"]) print(bug["status"])
if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"): if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):
cves_wont_fix.append(cve) cves_wont_fix.append(cve)
elif (bug["status"] == "Fix Released"):
cves_to_track_lp_fixed.append(cve)
else: else:
cves_to_fix_lp.append(cve) cves_to_fix_lp.append(cve)
else: else:
@ -221,6 +235,8 @@ def cvssv2_pb_alg():
print(bug["status"]) print(bug["status"])
if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"): if (bug["status"] == "Invalid" or bug["status"] == "Won't Fix"):
cves_wont_fix.append(cve) cves_wont_fix.append(cve)
elif (bug["status"] == "Fix Released"):
cves_to_track_lp_fixed.append(cve)
else: else:
cves_to_fix_lp.append(cve) cves_to_fix_lp.append(cve)
else: else:
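Review bot: The Launchpad status dispatch added in the `cvssv3_pb_alg` hunk (`elif (bug["status"] == "Fix Released"): cves_to_track_lp_fixed.append(cve)`) is repeated verbatim in the `cvssv2_pb_alg` hunk, so the two scoring paths will drift the next time a status needs handling; the per-list print loop added in `print_report` is likewise a third copy of the loop it sits between. A module-level helper that takes `bug` and `cve` and appends to the matching global list keeps the 'Fix Released' routing in one place, and both functions then call `_triage_lp_bug(bug, cve)` where the if/elif/else now stands. The helper's docstring should also record why 'Fix Released' CVEs are kept rather than dropped — a CVE still reported after its LP fix landed is exactly what the monthly re-check in the commit message looks for — because nothing in the code states that intent. The enclosing functions all begin and end outside their hunks.
```python
def _triage_lp_bug(bug, cve):
    """Append *cve* to the report list that matches its Launchpad bug status.

    'Invalid' and "Won't Fix" go to cves_wont_fix; 'Fix Released' goes to
    cves_to_track_lp_fixed so a CVE that is still reported after its LP fix
    landed stays visible for the monthly re-check; everything else is still
    an open fix and goes to cves_to_fix_lp.
    """
    status = bug["status"]
    if status in ("Invalid", "Won't Fix"):
        cves_wont_fix.append(cve)
    elif status == "Fix Released":
        cves_to_track_lp_fixed.append(cve)
    else:
        cves_to_fix_lp.append(cve)

# … unchanged: cvssv3_pb_alg / cvssv2_pb_alg up to the status print …
            print(bug["status"])
            _triage_lp_bug(bug, cve)
```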


@ -45,6 +45,28 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
</table> </table>
<h2> CVEs to track for launchpad fixed: {{cves_to_track_lp_fixed | length}}</h2>
<table>
{% if cves_to_track_lp_fixed|length >= 1 %}
<tr>
{% for head in heads %}
<th>{{head}}</th>
{% endfor %}
</tr>
{% for cve in cves_to_track_lp_fixed %}
<tr>
<td>{{cve["id"]}}</td>
<td>{{cve["status"]}}</td>
<td>{{cve["cvss2Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["au"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
{% endfor %}
{% endif %}
</table>
<h2> CVEs to track for incoming fix: {{cves_to_track | length}}</h2> <h2> CVEs to track for incoming fix: {{cves_to_track | length}}</h2>
<table> <table>
{% if cves_to_track|length >= 1 %} {% if cves_to_track|length >= 1 %}
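Review bot: The new heading `CVEs to track for launchpad fixed` does not tell the reader what the list means or what action it calls for, and the row cells carry only the CVE's own fields, so the person doing the monthly re-check described in the commit message has nothing in the report that ties a row back to the Launchpad bug that was marked 'Fix Released'. Rewording the heading to `CVEs still reported although their Launchpad bug is 'Fix Released' (re-check monthly)` makes the table self-describing; the same heading is added in the cvssv3 template of this change and should be reworded alike. If the `cve` dict carries the LP bug number, adding it as a column would be the more useful improvement, but that field is not visible anywhere in this change, so it would need confirming against the scan data first.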


@ -47,6 +47,29 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
</table> </table>
<h2> CVEs to track for launchpad fixed: {{cves_to_track_lp_fixed | length}}</h2>
<table>
{% if cves_to_track_lp_fixed|length >= 1 %}
<tr>
{% for head in heads %}
<th>{{head}}</th>
{% endfor %}
</tr>
{% for cve in cves_to_track_lp_fixed %}
<tr>
<td>{{cve["id"]}}</td>
<td>{{cve["status"]}}</td>
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
{% endfor %}
{% endif %}
</table>
<h2> CVEs to track for incoming fix: {{cves_to_track | length}}</h2> <h2> CVEs to track for incoming fix: {{cves_to_track | length}}</h2>
<table> <table>
{% if cves_to_track|length >= 1 %} {% if cves_to_track|length >= 1 %}