cve_policy_filter: Adjust the cvssv3 metrics
To support the monthly master StarlingX CVE scans with the new CVSS v3 policy, we run the filter with the following criteria:
Base score >= 7.0
Base Metrics have the following:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None or Low
  Availability Impact: High or Low
  User Interaction: None
A correction is available upstream.
The policy can be seen here: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
Meanwhile, update the HTML report template with the new criteria.
TestPlan:
PASS: python3 cve_policy_filter.py localhost.json master_V3_Sep_29_2022 cvssv3
Story: 2010387
Task: 46683
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I8ab91805b4d78c218aee85f94b6cc25929948417
This commit is contained in:
parent
80e0d7b828
commit
509d901837
@ -46,7 +46,7 @@ def print_html_report(cves_report, title):
|
|||||||
template_env = jinja2.Environment(loader=template_loader)
|
template_env = jinja2.Environment(loader=template_loader)
|
||||||
if CVSS_VER == "cvssv3":
|
if CVSS_VER == "cvssv3":
|
||||||
template_file = "template_v3.txt"
|
template_file = "template_v3.txt"
|
||||||
heads = ["cve_id", "status", "cvss3Score", "av", "ac", "ui","a"]
|
heads = ["cve_id", "status", "cvss3Score", "av", "ac", "pr", "ui","a"]
|
||||||
else:
|
else:
|
||||||
template_file = "template.txt"
|
template_file = "template.txt"
|
||||||
heads = ["cve_id", "status", "cvss2Score", "av", "ac", "au", "ai"]
|
heads = ["cve_id", "status", "cvss2Score", "av", "ac", "au", "ai"]
|
||||||
@ -83,6 +83,7 @@ def print_report(cves_report, title):
|
|||||||
print("Attack Vector: " + cve["av"])
|
print("Attack Vector: " + cve["av"])
|
||||||
print("Access Complexity : " + cve["ac"])
|
print("Access Complexity : " + cve["ac"])
|
||||||
if CVSS_VER == "cvssv3":
|
if CVSS_VER == "cvssv3":
|
||||||
|
print("Privileges Required: " + cve["pr"])
|
||||||
print("User Interaction: " + cve["ui"])
|
print("User Interaction: " + cve["ui"])
|
||||||
else:
|
else:
|
||||||
print("Authentication: " + cve["au"])
|
print("Authentication: " + cve["au"])
|
||||||
@ -180,10 +181,11 @@ def cvssv3_pb_alg():
|
|||||||
Patchback algo for CVSSV3 report
|
Patchback algo for CVSSV3 report
|
||||||
"""
|
"""
|
||||||
for cve in cves_valid:
|
for cve in cves_valid:
|
||||||
if (cve["cvss3Score"] >= 7.8
|
if (cve["cvss3Score"] >= 7.0
|
||||||
and cve["av"] == "N"
|
and cve["av"] == "N"
|
||||||
and cve["ac"] == "L"
|
and cve["ac"] == "L"
|
||||||
and cve["ui"] == "R"
|
and ("N" in cve["pr"] or "L" in cve["pr"])
|
||||||
|
and cve["ui"] == "N"
|
||||||
and cve["ai"] != "N"):
|
and cve["ai"] != "N"):
|
||||||
if cve["status"] == "fixed":
|
if cve["status"] == "fixed":
|
||||||
bug = find_lp_assigned(cve["id"])
|
bug = find_lp_assigned(cve["id"])
|
||||||
@ -245,6 +247,8 @@ def cvssv3_parse_n_report(cves,title,data):
|
|||||||
|
|
||||||
nvd3_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Score"]
|
nvd3_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Score"]
|
||||||
cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Vector"]
|
cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Vector"]
|
||||||
|
if cvss3vector == "":
|
||||||
|
raise KeyError
|
||||||
except KeyError:
|
except KeyError:
|
||||||
cves_w_errors.append(cve)
|
cves_w_errors.append(cve)
|
||||||
else:
|
else:
|
||||||
@ -258,11 +262,14 @@ def cvssv3_parse_n_report(cves,title,data):
|
|||||||
_ai = element.split(":")[1]
|
_ai = element.split(":")[1]
|
||||||
if "UI:" in element:
|
if "UI:" in element:
|
||||||
_ui = element.split(":")[1]
|
_ui = element.split(":")[1]
|
||||||
|
if "PR:" in element:
|
||||||
|
_pr = element.split(":")[1]
|
||||||
print(cve)
|
print(cve)
|
||||||
cve["av"] = str(_av)
|
cve["av"] = str(_av)
|
||||||
cve["ac"] = str(_ac)
|
cve["ac"] = str(_ac)
|
||||||
cve["ai"] = str(_ai)
|
cve["ai"] = str(_ai)
|
||||||
cve["ui"] = str(_ui)
|
cve["ui"] = str(_ui)
|
||||||
|
cve["pr"] = str(_pr)
|
||||||
cve["summary"] = get_summary(data, cve_id)
|
cve["summary"] = get_summary(data, cve_id)
|
||||||
cve["sourcelink"] = get_source_link(data, cve_id)
|
cve["sourcelink"] = get_source_link(data, cve_id)
|
||||||
affectedpackages_list, allfixed = get_affectedpackages(data, cve_id)
|
affectedpackages_list, allfixed = get_affectedpackages(data, cve_id)
|
||||||
|
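Review bot: `cve["pr"] = str(_pr)` will raise UnboundLocalError when a vector string carries no `PR:` element, because `_pr` is only bound inside the `if "PR:" in element:` branch; the `except KeyError` earlier in the function does not catch that, so one malformed vector would abort the whole run instead of landing the CVE in `cves_w_errors`. The pre-existing `_av`/`_ac`/`_ai`/`_ui` locals have the same shape, but the new field is the one being added here. Initialising the metric locals to a default before the element loop (its start lies outside the hunk), e.g. `_pr = ""`, or validating after the loop that every expected metric was found, keeps the failure inside the existing error path. The `print(cve)` context line above the assignments looks like a leftover debugging aid and is worth removing while here.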
@ -23,7 +23,7 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</table>
|
</table>
|
||||||
<h2>CVEs to fix w/ a launchpad assigend: {{cves_to_fix_lp | length}}</h2>
|
<h2>CVEs to fix w/ a launchpad assigned: {{cves_to_fix_lp | length}}</h2>
|
||||||
<table>
|
<table>
|
||||||
{% if cves_to_fix_lp|length >= 1 %}
|
{% if cves_to_fix_lp|length >= 1 %}
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -17,13 +17,14 @@
|
|||||||
<td>{{cve["cvss3Score"]}}</td>
|
<td>{{cve["cvss3Score"]}}</td>
|
||||||
<td>{{cve["av"]}}</td>
|
<td>{{cve["av"]}}</td>
|
||||||
<td>{{cve["ac"]}}</td>
|
<td>{{cve["ac"]}}</td>
|
||||||
|
<td>{{cve["pr"]}}</td>
|
||||||
<td>{{cve["ui"]}}</td>
|
<td>{{cve["ui"]}}</td>
|
||||||
<td>{{cve["ai"]}}</td>
|
<td>{{cve["ai"]}}</td>
|
||||||
</tr>
|
</tr>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</table>
|
</table>
|
||||||
<h2>CVEs to fix w/ a launchpad assigend: {{cves_to_fix_lp | length}}</h2>
|
<h2>CVEs to fix w/ a launchpad assigned: {{cves_to_fix_lp | length}}</h2>
|
||||||
<table>
|
<table>
|
||||||
{% if cves_to_fix_lp|length >= 1 %}
|
{% if cves_to_fix_lp|length >= 1 %}
|
||||||
<tr>
|
<tr>
|
||||||
@ -39,6 +40,7 @@
|
|||||||
<td>{{cve["cvss3Score"]}}</td>
|
<td>{{cve["cvss3Score"]}}</td>
|
||||||
<td>{{cve["av"]}}</td>
|
<td>{{cve["av"]}}</td>
|
||||||
<td>{{cve["ac"]}}</td>
|
<td>{{cve["ac"]}}</td>
|
||||||
|
<td>{{cve["pr"]}}</td>
|
||||||
<td>{{cve["ui"]}}</td>
|
<td>{{cve["ui"]}}</td>
|
||||||
<td>{{cve["ai"]}}</td>
|
<td>{{cve["ai"]}}</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -61,6 +63,7 @@
|
|||||||
<td>{{cve["cvss3Score"]}}</td>
|
<td>{{cve["cvss3Score"]}}</td>
|
||||||
<td>{{cve["av"]}}</td>
|
<td>{{cve["av"]}}</td>
|
||||||
<td>{{cve["ac"]}}</td>
|
<td>{{cve["ac"]}}</td>
|
||||||
|
<td>{{cve["pr"]}}</td>
|
||||||
<td>{{cve["ui"]}}</td>
|
<td>{{cve["ui"]}}</td>
|
||||||
<td>{{cve["ai"]}}</td>
|
<td>{{cve["ai"]}}</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -83,6 +86,7 @@
|
|||||||
<td>{{cve["cvss3Score"]}}</td>
|
<td>{{cve["cvss3Score"]}}</td>
|
||||||
<td>{{cve["av"]}}</td>
|
<td>{{cve["av"]}}</td>
|
||||||
<td>{{cve["ac"]}}</td>
|
<td>{{cve["ac"]}}</td>
|
||||||
|
<td>{{cve["pr"]}}</td>
|
||||||
<td>{{cve["ui"]}}</td>
|
<td>{{cve["ui"]}}</td>
|
||||||
<td>{{cve["ai"]}}</td>
|
<td>{{cve["ai"]}}</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -106,6 +110,7 @@
|
|||||||
<td>{{cve["cvss3Score"]}}</td>
|
<td>{{cve["cvss3Score"]}}</td>
|
||||||
<td>{{cve["av"]}}</td>
|
<td>{{cve["av"]}}</td>
|
||||||
<td>{{cve["ac"]}}</td>
|
<td>{{cve["ac"]}}</td>
|
||||||
|
<td>{{cve["pr"]}}</td>
|
||||||
<td>{{cve["ui"]}}</td>
|
<td>{{cve["ui"]}}</td>
|
||||||
<td>{{cve["ai"]}}</td>
|
<td>{{cve["ai"]}}</td>
|
||||||
</tr>
|
</tr>
|
||||||
|