cve_policy_filter: Adjust the cvssv3 metrics

To support the monthly master StarlingX CVE scans with the new CVSS v3
policy, we run the filter criteria as the following policy:
    Base score >= 7.0
    Base Metrics have the following:
        Attack Vector: Network
        Attack Complexity: Low
        Privileges Required: None or Low
        Availability Impact: High or Low
        User Interaction: None
    A correction is available upstream

We can see the policy here:
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy

Also update the HTML report templates with the new criteria.

TestPlan:
PASS: python3 cve_policy_filter.py  localhost.json master_V3_Sep_29_2022 cvssv3

Story: 2010387
Task: 46683

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I8ab91805b4d78c218aee85f94b6cc25929948417
This commit is contained in:
Zhixiong Chi 2022-10-24 11:19:40 +08:00
parent 80e0d7b828
commit 509d901837
3 changed files with 17 additions and 5 deletions


@ -46,7 +46,7 @@ def print_html_report(cves_report, title):
template_env = jinja2.Environment(loader=template_loader)
if CVSS_VER == "cvssv3":
template_file = "template_v3.txt"
heads = ["cve_id", "status", "cvss3Score", "av", "ac", "ui","a"]
heads = ["cve_id", "status", "cvss3Score", "av", "ac", "pr", "ui","a"]
else:
template_file = "template.txt"
heads = ["cve_id", "status", "cvss2Score", "av", "ac", "au", "ai"]
@ -83,6 +83,7 @@ def print_report(cves_report, title):
print("Attack Vector: " + cve["av"])
print("Access Complexity : " + cve["ac"])
if CVSS_VER == "cvssv3":
print("Privileges Required: " + cve["pr"])
print("User Interaction: " + cve["ui"])
else:
print("Authentication: " + cve["au"])
@ -180,10 +181,11 @@ def cvssv3_pb_alg():
Patchback algo for CVSSV3 report
"""
for cve in cves_valid:
if (cve["cvss3Score"] >= 7.8
if (cve["cvss3Score"] >= 7.0
and cve["av"] == "N"
and cve["ac"] == "L"
and cve["ui"] == "R"
and ("N" in cve["pr"] or "L" in cve["pr"])
and cve["ui"] == "N"
and cve["ai"] != "N"):
if cve["status"] == "fixed":
bug = find_lp_assigned(cve["id"])
@ -245,6 +247,8 @@ def cvssv3_parse_n_report(cves,title,data):
nvd3_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Score"]
cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Vector"]
if cvss3vector == "":
raise KeyError
except KeyError:
cves_w_errors.append(cve)
else:
@ -258,11 +262,14 @@ def cvssv3_parse_n_report(cves,title,data):
_ai = element.split(":")[1]
if "UI:" in element:
_ui = element.split(":")[1]
if "PR:" in element:
_pr = element.split(":")[1]
print(cve)
cve["av"] = str(_av)
cve["ac"] = str(_ac)
cve["ai"] = str(_ai)
cve["ui"] = str(_ui)
cve["pr"] = str(_pr)
cve["summary"] = get_summary(data, cve_id)
cve["sourcelink"] = get_source_link(data, cve_id)
affectedpackages_list, allfixed = get_affectedpackages(data, cve_id)
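Review bot: In the `@ -180,10 +181,11 @@` hunk of cvssv3_pb_alg, the Privileges Required check `("N" in cve["pr"] or "L" in cve["pr"])` is a substring test rather than an equality test; since `cve["pr"]` is filled from the vector's `PR:` metric as a single letter (the `@ -258,11 +262,14 @@` hunk), the rule is stated more precisely as `and cve["pr"] in ("N", "L")`. In the same condition, `cve["ai"] != "N"` only means "High or Low" if the metric is always one of N/L/H, so a comment such as `# policy: base >= 7.0, AV:N, AC:L, PR:N|L, UI:N, A:H|L` above the `if` would tie the code to the wiki policy quoted in the commit message. In the `@ -258,11 +262,14 @@` hunk, `_pr` is assigned only when a `PR:` element is seen; if it is not initialised before the loop (outside the hunk), a vector lacking that metric would fail at `cve["pr"] = str(_pr)` with NameError instead of being recorded in cves_w_errors, which is worth confirming. cvssv3_pb_alg's body continues outside the hunk.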


@ -23,7 +23,7 @@
{% endfor %}
{% endif %}
</table>
<h2>CVEs to fix w/ a launchpad assigend: {{cves_to_fix_lp | length}}</h2>
<h2>CVEs to fix w/ a launchpad assigned: {{cves_to_fix_lp | length}}</h2>
<table>
{% if cves_to_fix_lp|length >= 1 %}
<tr>


@ -17,13 +17,14 @@
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
{% endfor %}
{% endif %}
</table>
<h2>CVEs to fix w/ a launchpad assigend: {{cves_to_fix_lp | length}}</h2>
<h2>CVEs to fix w/ a launchpad assigned: {{cves_to_fix_lp | length}}</h2>
<table>
{% if cves_to_fix_lp|length >= 1 %}
<tr>
@ -39,6 +40,7 @@
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
@ -61,6 +63,7 @@
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
@ -83,6 +86,7 @@
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>
@ -106,6 +110,7 @@
<td>{{cve["cvss3Score"]}}</td>
<td>{{cve["av"]}}</td>
<td>{{cve["ac"]}}</td>
<td>{{cve["pr"]}}</td>
<td>{{cve["ui"]}}</td>
<td>{{cve["ai"]}}</td>
</tr>