

[Merge] ~andrey-fedoseev/launchpad:uct-import-vulnerability-status into launchpad:master

 

Andrey Fedoseev has proposed merging ~andrey-fedoseev/launchpad:uct-import-vulnerability-status into launchpad:master.

Commit message:
Infer vulnerability status based on the parent folder of the CVE file.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~andrey-fedoseev/launchpad/+git/launchpad/+merge/427152
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~andrey-fedoseev/launchpad:uct-import-vulnerability-status into launchpad:master.
diff --git a/lib/lp/bugs/scripts/tests/test_uctimport.py b/lib/lp/bugs/scripts/tests/test_uctimport.py
index 4b52c4d..cec212f 100644
--- a/lib/lp/bugs/scripts/tests/test_uctimport.py
+++ b/lib/lp/bugs/scripts/tests/test_uctimport.py
@@ -32,6 +32,7 @@ class TestLoadCVEFromFile(TestCase):
         self.assertEqual(
             cve,
             CVE(
+                path=cve_path,
                 assigned_to="",
                 bugs=[
                     "https://github.com/mm2/Little-CMS/issues/29";,
@@ -187,6 +188,7 @@ class TestUCTImporter(TestCaseWithFactory):
 
         now = datetime.datetime.now(datetime.timezone.utc)
         cve = CVE(
+            path=Path("./ubuntu-cve-tracker/active/CVE-2022-23222"),
             assigned_to=assignee.name,
             bugs=[
                 "https://github.com/mm2/Little-CMS/issues/29";,
@@ -351,9 +353,7 @@ class TestUCTImporter(TestCaseWithFactory):
         self.assertEqual(vulnerability.distribution, ubuntu)
         self.assertEqual(vulnerability.creator, owner)
         self.assertEqual(vulnerability.cve, lp_cve)
-        self.assertEqual(
-            vulnerability.status, VulnerabilityStatus.NEEDS_TRIAGE
-        )
+        self.assertEqual(vulnerability.status, VulnerabilityStatus.ACTIVE)
         self.assertEqual(vulnerability.description, "description")
         self.assertEqual(vulnerability.notes, "author> text")
         self.assertEqual(vulnerability.mitigation, "mitigation")
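Review bot: The updated assertion exercises only the `active` folder, so the `ignored` and `retired` mappings and the NEEDS_TRIAGE fallback of `infer_vulnerability_status` are left untested. A small dedicated test that builds `CVE(path=Path("<folder>/CVE-x"), ...)` for each of the three folder names plus one unrelated name and checks `UCTImporter().infer_vulnerability_status(cve)` would pin the mapping and the default. The enclosing test method starts before this hunk.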
diff --git a/lib/lp/bugs/scripts/uctimport.py b/lib/lp/bugs/scripts/uctimport.py
index a625c3d..b84da62 100644
--- a/lib/lp/bugs/scripts/uctimport.py
+++ b/lib/lp/bugs/scripts/uctimport.py
@@ -133,6 +133,7 @@ Note = NamedTuple(
 CVE = NamedTuple(
     "CVE",
     [
+        ("path", Path),
         ("assigned_to", str),
         ("bugs", List[str]),
         ("cvss", List[Dict[str, Any]]),
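Review bot: `path` is inserted as the first field of the `CVE` NamedTuple, which shifts every existing field by one position; any caller that constructs `CVE` positionally would now silently pass its first argument as `path`. The constructors visible in this diff all use keywords, so this matters only if other call sites exist, which cannot be confirmed from here. Appending the field at the end, or a short comment noting that `CVE` is meant to be built with keyword arguments only, would remove the hazard.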
@@ -161,7 +162,7 @@ class UCTImporter:
         Priority.NEGLIGIBLE: BugTaskImportance.WISHLIST,
     }
 
-    STATUS_MAP = {
+    BUG_TASK_STATUS_MAP = {
         PackageStatus.IGNORED: BugTaskStatus.WONTFIX,
         PackageStatus.NEEDS_TRIAGE: BugTaskStatus.UNKNOWN,
         PackageStatus.DOES_NOT_EXIST: BugTaskStatus.DOESNOTEXIST,
@@ -173,6 +174,12 @@ class UCTImporter:
         PackageStatus.PENDING: BugTaskStatus.FIXCOMMITTED,
     }
 
+    VULNERABILITY_STATUS_MAP = {
+        "active": VulnerabilityStatus.ACTIVE,
+        "ignored": VulnerabilityStatus.IGNORED,
+        "retired": VulnerabilityStatus.RETIRED,
+    }
+
     def __init__(self, logger: Optional[logging.Logger] = None) -> None:
         self.logger = logger or DEFAULT_LOGGER
 
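Review bot: `VULNERABILITY_STATUS_MAP` has no comment saying what its string keys are, and next to `BUG_TASK_STATUS_MAP` (keyed by `PackageStatus`) a reader may not realise the keys come from the filesystem rather than from CVE file content. A one-line comment such as `# Keys are the names of the folders a CVE file lives in (see infer_vulnerability_status)` would make the coupling to the ubuntu-cve-tracker directory layout explicit; that the folders are `active`/`ignored`/`retired` is inferred from the test path in this diff and should be confirmed against the tracker layout.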
@@ -231,7 +238,7 @@ class UCTImporter:
                 )
                 if distro_series is None:
                     continue
-                if cve_package_status.status not in self.STATUS_MAP:
+                if cve_package_status.status not in self.BUG_TASK_STATUS_MAP:
                     self.logger.warning(
                         "Can't find a suitable bug task status for %s",
                         cve_package_status.status,
@@ -263,7 +270,7 @@ class UCTImporter:
                     else None
                 )
                 statuses_with_explanations[series_package] = (
-                    self.STATUS_MAP[cve_package_status.status],
+                    self.BUG_TASK_STATUS_MAP[cve_package_status.status],
                     cve_package_status.reason,
                 )
 
@@ -422,7 +429,7 @@ class UCTImporter:
             distribution=distribution,
             creator=bug.owner,
             cve=lp_cve,
-            status=VulnerabilityStatus.NEEDS_TRIAGE,
+            status=self.infer_vulnerability_status(cve),
             description=cve.description,
             notes=format_cve_notes(cve.notes),
             mitigation=cve.mitigation,
@@ -437,6 +444,15 @@ class UCTImporter:
 
         return vulnerability
 
+    def infer_vulnerability_status(self, cve: CVE) -> VulnerabilityStatus:
+        """
+        Infer vulnerability status based on the parent folder of the CVE file.
+        """
+        cve_folder_name = cve.path.absolute().parent.name
+        return self.VULNERABILITY_STATUS_MAP.get(
+            cve_folder_name, VulnerabilityStatus.NEEDS_TRIAGE
+        )
+
 
 def load_cve_from_file(cve_path: Path) -> CVE:
     """
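Review bot: A CVE file whose parent folder is not one of the mapped names is silently recorded as NEEDS_TRIAGE by `infer_vulnerability_status`, whereas the package-status branch in this diff (`if cve_package_status.status not in self.BUG_TASK_STATUS_MAP:`) logs a warning when no mapping exists. Mirroring that here would make a misplaced file or a changed folder layout visible in the import log: `if cve_folder_name not in self.VULNERABILITY_STATUS_MAP: self.logger.warning("Can't infer vulnerability status from folder %s, using NEEDS_TRIAGE", cve_folder_name)`. The docstring should also state the fallback and note that `absolute()` resolves a relative path against the current working directory without following symlinks, so the inferred status depends on where the script is run from when `cve.path` is relative.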
@@ -516,6 +532,7 @@ def load_cve_from_file(cve_path: Path) -> CVE:
     date_made_public = crd or public_date or public_date_at_USN
 
     cve = CVE(
+        path=cve_path,
         assigned_to=pop_cve_property(cve_data, "Assigned-to"),
         bugs=pop_cve_property(cve_data, "Bugs").split("\n"),
         cvss=pop_cve_property(cve_data, "CVSS"),