Merge ~alexmurray/ubuntu-cve-tracker:add-cpes-to-check-cves into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Needs review
Proposed branch: ~alexmurray/ubuntu-cve-tracker:add-cpes-to-check-cves
Merge into: ubuntu-cve-tracker:master
Diff against target: 204 lines (+83/-11)
1 file modified
scripts/check-cves (+83/-11)
Reviewer: Ubuntu Security Team (review type: none, date requested: none, status: Pending)
Review via email: mp+447308@code.staging.launchpad.net

Description of the change

Will do some more testing with this change during CVE triage tomorrow, but it gives much better support for smarter ignore entries, i.e.:

./scripts/check-cves --cve CVE-2023-3519 ./nvdcve-1.1-recent.json
Loading /home/amurray/ubuntu/git/security-tracker//data/CVE/list ...
Loading ./nvdcve-1.1-recent.json ...
 97% [============================================================ ] 2487844 ETA: 0:00:00

***********************************************************************
 CVE-2023-3519 (1/1: 100%)
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3519
***********************************************************************
 Published: 2023-07-19 18:15:00 UTC
 MISC: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

======================== CVE details ==========================
 CVE-2023-3519
 Unauthenticated remote code execution

 CVSS (nvd): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]
CVE-2023-3519 ignore Citrix Netscaler Application Delivery Controller

A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [skip] I
Reason to be ignored?
   a) Unauthenticated remote code execution
   b) Citrix Netscaler Application Delivery Controller
   c) Citrix Netscaler Gateway

Steve Beattie (sbeattie) wrote :

I tried this branch as part of triage today, and it failed when looking
at a non-json file:

$ ./scripts/check-cves --cve CVE-2023-37919 allitems.xml
Loading /home/steve/git/cve_trackers/debian-security-tracker/data/CVE/list ...
Loading allitems.xml ...
Traceback (most recent call last):============================================== ] 261292008 ETA: 0:00:01
  File "/home/steve/git/ubuntu-cve-tracker/./scripts/check-cves", line 1736, in <module>
    parser.parse(readable)
  File "/usr/lib/python3.11/xml/sax/expatreader.py", line 111, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib/python3.11/xml/sax/xmlreader.py", line 125, in parse
    self.feed(buffer)
  File "/usr/lib/python3.11/xml/sax/expatreader.py", line 217, in feed
    self._parser.Parse(data, isFinal)
  File "../Modules/pyexpat.c", line 468, in EndElement
  File "/usr/lib/python3.11/xml/sax/expatreader.py", line 336, in end_element
    self._cont_handler.endElement(name)
  File "/home/steve/git/ubuntu-cve-tracker/./scripts/check-cves", line 782, in endElement
    self.handle_cve()
  File "/home/steve/git/ubuntu-cve-tracker/./scripts/check-cves", line 813, in handle_cve
    self.cve_data[self.curr_cve].setdefault('cpes', [] + self.curr_cpes)
                                                         ^^^^^^^^^^^^^^
AttributeError: 'CVEHandler' object has no attribute 'curr_cpes'. Did you mean: 'curr_cve'?

--
Steve Beattie
<email address hidden>

Alex Murray (alexmurray) wrote :

Thanks for taking a look, Steve; I really appreciate it. I just added support for curr_cpes in CVEHandler for XML inputs, as well as support for searching for any possible CPEs within the description of CVEs in the XML handler, since sometimes they seem to appear there if anywhere.
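The failure Steve hit and the fix Alex describes come down to one SAX-handler invariant: curr_cpes must exist (and be reset) for every CVE element, even when the feed carries no CPE data, and CPEs may also have to be scraped out of the description text. The following is an added example written for this page; it is not the project's check-cves code and does not use the real NVD schema. The feed layout (cves/cve/description/cpe elements), the CPE_RE pattern, the sample XML, and the second CVE id are all constructed assumptions.

```python
import re
import xml.sax

# Assumption: CPE 2.3 formatted-string names appear verbatim in text.
# Group 1 is the vendor, group 2 the product; trailing components are skipped.
CPE_RE = re.compile(r"cpe:2\.3:[aho]:([^:\s]+):([^:\s]+)(?::[^:\s]*)*")


class CVEHandler(xml.sax.ContentHandler):
    """Collect id, description and CPE names per CVE from a hypothetical feed:
    <cves><cve id=".."><description>..</description><cpe>..</cpe></cve></cves>
    """

    def __init__(self):
        super().__init__()
        self.cve_data = {}
        self.curr_cve = None
        self.curr_cpes = []      # initialised up front so handle_cve() never sees it unset
        self.curr_desc = ""
        self.curr_text = []

    def startElement(self, name, attrs):
        self.curr_text = []
        if name == "cve":
            self.curr_cve = attrs.get("id")
            self.curr_cpes = []  # reset per CVE, so entries without <cpe> stay empty, not stale
            self.curr_desc = ""

    def characters(self, content):
        # SAX may deliver one text node in several chunks; buffer and join later
        self.curr_text.append(content)

    def endElement(self, name):
        text = "".join(self.curr_text).strip()
        if name == "description":
            self.curr_desc = text
        elif name == "cpe":
            self.curr_cpes.append(text)
        elif name == "cve":
            self.handle_cve()

    def handle_cve(self):
        entry = self.cve_data.setdefault(self.curr_cve, {"description": self.curr_desc})
        cpes = entry.setdefault("cpes", [])
        # explicit <cpe> elements first, then anything that looks like a CPE in the description
        found = self.curr_cpes + [m.group(0) for m in CPE_RE.finditer(self.curr_desc)]
        for cpe in found:
            if cpe not in cpes:
                cpes.append(cpe)
        self.curr_cve = None
        self.curr_cpes = []


def parse_feed(xml_text):
    """Parse the constructed XML feed and return {cve_id: {description, cpes}}."""
    handler = CVEHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.cve_data


def ignore_reasons(entry):
    """Candidate ignore-reason strings: the description, then one per vendor/product."""
    reasons = [entry["description"]]
    for cpe in entry.get("cpes", []):
        m = CPE_RE.match(cpe)
        if m:
            reason = f"{m.group(1)} {m.group(2)}".replace("_", " ").title()
            if reason not in reasons:
                reasons.append(reason)
    return reasons


# Constructed sample feed. CVE-2023-3519 appears on this page; CVE-0000-0001 is a
# placeholder entry with no CPE data, the case that triggered the AttributeError.
SAMPLE_XML = """<?xml version="1.0"?>
<cves>
  <cve id="CVE-2023-3519">
    <description>Unauthenticated remote code execution in cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* management interface</description>
    <cpe>cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:*:*:*:*</cpe>
  </cve>
  <cve id="CVE-0000-0001">
    <description>Entry with no CPE data at all, must still parse</description>
  </cve>
</cves>
"""

if __name__ == "__main__":
    for cve_id, entry in parse_feed(SAMPLE_XML).items():
        print(cve_id)
        for letter, reason in zip("abcdefghij", ignore_reasons(entry)):
            print(f"   {letter}) {reason}")
```

The point to check when reviewing a handler like this is that every attribute handle_cve() reads is assigned both in __init__ and at the start of each cve element; the traceback above is exactly what an entry without CPE data produces when that second assignment is missing. Scraping the description is a fallback only: anything matched there should be treated as a hint for the triager, not as authoritative affected-product data.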


