
launchpad-reviewers team mailing list archive

Re: [Merge] ~lgp171188/launchpad:vulnerability-creation-api into launchpad:master

 


Diff comments:

> diff --git a/lib/lp/registry/interfaces/distribution.py b/lib/lp/registry/interfaces/distribution.py
> index 5ccc03d..afee0b5 100644
> --- a/lib/lp/registry/interfaces/distribution.py
> +++ b/lib/lp/registry/interfaces/distribution.py
> @@ -873,6 +889,70 @@ class IDistributionEditRestricted(IOfficialBugTagTargetRestricted):
>      def deleteOCICredentials():
>          """Delete any existing OCI credentials for the distribution."""
>  
> +    @call_with(creator=REQUEST_USER)
> +    @operation_parameters(
> +        status=Choice(
> +            title=_('The status of the vulnerability.'),
> +            required=True,
> +            vocabulary=VulnerabilityStatus,
> +        ),
> +        creator=Reference(
> +            title=_('Person creating the vulnerability.'),
> +            schema=IPerson,
> +            required=True,
> +        ),
> +        importance=Choice(
> +            title=_('Indicates the work priority, not the severity. '
> +                    'Defaults to `Undecided`.'),
> +            vocabulary=BugTaskImportance,
> +            required=False,
> +            default=BugTaskImportance.UNDECIDED,
> +        ),
> +        information_type=Choice(
> +            title=_('Information Type. Defaults to `Public`.'),
> +            required=False,
> +            vocabulary=InformationType,
> +            default=InformationType.PUBLIC,
> +        ),
> +        cve=Reference(
> +            ICve,
> +            title=_('External CVE reference corresponding to '
> +                    'this vulnerability, if any.'),
> +            required=False,
> +        ),
> +        description=TextLine(
> +            title=_('A short description of the vulnerability.'),
> +            required=False,
> +        ),
> +        notes = TextLine(
> +            title=_("Free-form notes for this vulnerability."),
> +            required=False,
> +            readonly=False
> +        ),
> +        mitigation=TextLine(
> +            title=_("Explains why we're ignoring this vulnerability."),
> +            required=False,
> +        ),
> +        importance_explanation=TextLine(
> +            title=_('Used to explain why our importance differs from '
> +                    "somebody else's CVSS score."),
> +            required=False,
> +        ),
> +        date_made_public=Datetime(
> +            title=_("The date this vulnerability was made public."),
> +            required=False,
> +        ),
> +    )
> +    @export_write_operation()
> +    @operation_for_version("devel")
> +    def newVulnerability(status, creator,

Access to this method is currently controlled by the `launchpad.Edit` permission. Colin mentioned that we need to investigate creating a new permission/role for the security team and get William's take on it.

> +                         importance=BugTaskImportance.UNDECIDED,
> +                         information_type=InformationType.PUBLIC,
> +                         cve=None, description=None, notes=None,
> +                         mitigation=None, importance_explanation=None,
> +                         date_made_public=None):
> +        """Create a new vulnerability in the distribution."""
> +
>  
>  @exported_as_webservice_entry(as_of="beta")
>  class IDistribution(
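Review bot: `creator` is pinned with `@call_with(creator=REQUEST_USER)` but is also declared in `@operation_parameters` as `creator=Reference(..., required=True)`, which advertises it as a parameter the client must supply. Depending on how lazr.restful resolves the overlap, callers either have to send a value that is ignored or can influence who a vulnerability is attributed to. Dropping the `creator=Reference(...)` entry and keeping only the `call_with` binding makes the attribution unambiguous. Separately, `information_type` defaults to `InformationType.PUBLIC`, so a caller that omits it publishes the record; for vulnerability data it is worth confirming that this default is intended, or making the parameter `required=True`. The enclosing interface class starts outside the hunk.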


-- 
https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/420401
Your team Launchpad code reviewers is requested to review the proposed merge of ~lgp171188/launchpad:vulnerability-creation-api into launchpad:master.


