
[Merge] ~andrey-fedoseev/launchpad:cve-discovered-by into launchpad:master

 

Andrey Fedoseev has proposed merging ~andrey-fedoseev/launchpad:cve-discovered-by into launchpad:master.

Commit message:
Replace `Cve.discoverer` with `discovered_by`

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~andrey-fedoseev/launchpad/+git/launchpad/+merge/430020

`Cve.discoverer` is a reference to a `Person`, but it doesn't really work with the real data in Ubuntu CVE Tracker.

In UCT, `Discovered-By` is a free-form field that usually contains the names of one or more people, or an organization name, which cannot be mapped to a `Person`.

We agreed that a plain text field would work better for this case.


UCT import/export: handle the `cve.discovered_by` field
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~andrey-fedoseev/launchpad:cve-discovered-by into launchpad:master.
diff --git a/database/sampledata/current-dev.sql b/database/sampledata/current-dev.sql
index ae1f035..2d95651 100644
--- a/database/sampledata/current-dev.sql
+++ b/database/sampledata/current-dev.sql
@@ -3257,16 +3257,16 @@ ALTER TABLE public.customlanguagecode ENABLE TRIGGER ALL;
 
 ALTER TABLE public.cve DISABLE TRIGGER ALL;
 
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (1, '1999-8979', 2, 'Firefox crashes all the time', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.508959', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (2, '1999-2345', 1, 'Possible data loss', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.513099', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (3, '2005-2730', 1, 'The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to obtain sensitive information via an invalid request, which reveals a Proxy-authorization string in an error message.', '2005-09-13 14:05:15.669384', '2005-09-13 14:05:15.669384', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (4, '2005-2731', 1, 'Directory traversal vulnerability in Astaro Security Linux 6.0, when using Webmin, allows remote authenticated webmin users to read arbitrary files via a ..  (dot dot) in the wfe_download parameter to index.fpl.', '2005-09-13 14:05:15.91729', '2005-09-13 14:05:15.91729', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (5, '2005-2732', 1, 'AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist in the config parameter, which reveals the path in an error message.', '2005-09-13 14:05:15.992007', '2005-09-13 14:05:15.992007', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (6, '2005-2733', 1, 'upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.', '2005-09-13 14:05:16.072418', '2005-09-13 14:05:16.072418', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (7, '2005-2734', 1, 'Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.202393', '2005-09-13 14:05:16.202393', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (8, '2005-2735', 1, 'Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.412226', '2005-09-13 14:05:16.412226', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (9, '2005-2736', 1, 'Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.841572', '2005-09-13 14:05:16.841572', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (10, '2005-2737', 1, 'Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:17.043865', '2005-09-13 14:05:17.043865', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (1, '1999-8979', 2, 'Firefox crashes all the time', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.508959', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (2, '1999-2345', 1, 'Possible data loss', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.513099', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (3, '2005-2730', 1, 'The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to obtain sensitive information via an invalid request, which reveals a Proxy-authorization string in an error message.', '2005-09-13 14:05:15.669384', '2005-09-13 14:05:15.669384', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (4, '2005-2731', 1, 'Directory traversal vulnerability in Astaro Security Linux 6.0, when using Webmin, allows remote authenticated webmin users to read arbitrary files via a ..  (dot dot) in the wfe_download parameter to index.fpl.', '2005-09-13 14:05:15.91729', '2005-09-13 14:05:15.91729', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (5, '2005-2732', 1, 'AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist in the config parameter, which reveals the path in an error message.', '2005-09-13 14:05:15.992007', '2005-09-13 14:05:15.992007', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (6, '2005-2733', 1, 'upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.', '2005-09-13 14:05:16.072418', '2005-09-13 14:05:16.072418', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (7, '2005-2734', 1, 'Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.202393', '2005-09-13 14:05:16.202393', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (8, '2005-2735', 1, 'Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.412226', '2005-09-13 14:05:16.412226', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (9, '2005-2736', 1, 'Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.841572', '2005-09-13 14:05:16.841572', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (10, '2005-2737', 1, 'Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:17.043865', '2005-09-13 14:05:17.043865', NULL, NULL, NULL, NULL);
 
 
 ALTER TABLE public.cve ENABLE TRIGGER ALL;
diff --git a/database/sampledata/current.sql b/database/sampledata/current.sql
index a637af4..c739902 100644
--- a/database/sampledata/current.sql
+++ b/database/sampledata/current.sql
@@ -3194,16 +3194,16 @@ ALTER TABLE public.customlanguagecode ENABLE TRIGGER ALL;
 
 ALTER TABLE public.cve DISABLE TRIGGER ALL;
 
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (1, '1999-8979', 2, 'Firefox crashes all the time', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.508959', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (2, '1999-2345', 1, 'Possible data loss', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.513099', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (3, '2005-2730', 1, 'The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to obtain sensitive information via an invalid request, which reveals a Proxy-authorization string in an error message.', '2005-09-13 14:05:15.669384', '2005-09-13 14:05:15.669384', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (4, '2005-2731', 1, 'Directory traversal vulnerability in Astaro Security Linux 6.0, when using Webmin, allows remote authenticated webmin users to read arbitrary files via a ..  (dot dot) in the wfe_download parameter to index.fpl.', '2005-09-13 14:05:15.91729', '2005-09-13 14:05:15.91729', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (5, '2005-2732', 1, 'AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist in the config parameter, which reveals the path in an error message.', '2005-09-13 14:05:15.992007', '2005-09-13 14:05:15.992007', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (6, '2005-2733', 1, 'upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.', '2005-09-13 14:05:16.072418', '2005-09-13 14:05:16.072418', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (7, '2005-2734', 1, 'Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.202393', '2005-09-13 14:05:16.202393', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (8, '2005-2735', 1, 'Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.412226', '2005-09-13 14:05:16.412226', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (9, '2005-2736', 1, 'Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.841572', '2005-09-13 14:05:16.841572', NULL, NULL, NULL, NULL);
-INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discoverer, cvss) VALUES (10, '2005-2737', 1, 'Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:17.043865', '2005-09-13 14:05:17.043865', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (1, '1999-8979', 2, 'Firefox crashes all the time', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.508959', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (2, '1999-2345', 1, 'Possible data loss', '2005-09-07 19:00:32.944561', '2005-09-13 14:00:03.513099', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (3, '2005-2730', 1, 'The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to obtain sensitive information via an invalid request, which reveals a Proxy-authorization string in an error message.', '2005-09-13 14:05:15.669384', '2005-09-13 14:05:15.669384', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (4, '2005-2731', 1, 'Directory traversal vulnerability in Astaro Security Linux 6.0, when using Webmin, allows remote authenticated webmin users to read arbitrary files via a ..  (dot dot) in the wfe_download parameter to index.fpl.', '2005-09-13 14:05:15.91729', '2005-09-13 14:05:15.91729', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (5, '2005-2732', 1, 'AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist in the config parameter, which reveals the path in an error message.', '2005-09-13 14:05:15.992007', '2005-09-13 14:05:15.992007', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (6, '2005-2733', 1, 'upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly restrict file extensions of uploaded files, which could allow remote attackers to execute arbitrary code.', '2005-09-13 14:05:16.072418', '2005-09-13 14:05:16.072418', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (7, '2005-2734', 1, 'Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.202393', '2005-09-13 14:05:16.202393', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (8, '2005-2735', 1, 'Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.412226', '2005-09-13 14:05:16.412226', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (9, '2005-2736', 1, 'Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:16.841572', '2005-09-13 14:05:16.841572', NULL, NULL, NULL, NULL);
+INSERT INTO public.cve (id, sequence, status, description, datecreated, datemodified, fti, date_made_public, discovered_by, cvss) VALUES (10, '2005-2737', 1, 'Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.', '2005-09-13 14:05:17.043865', '2005-09-13 14:05:17.043865', NULL, NULL, NULL, NULL);
 
 
 ALTER TABLE public.cve ENABLE TRIGGER ALL;
diff --git a/lib/lp/bugs/interfaces/cve.py b/lib/lp/bugs/interfaces/cve.py
index cf6404c..8795aa9 100644
--- a/lib/lp/bugs/interfaces/cve.py
+++ b/lib/lp/bugs/interfaces/cve.py
@@ -22,7 +22,6 @@ from zope.schema import Choice, Datetime, Dict, Int, Text, TextLine
 
 from lp import _
 from lp.app.validators.validation import valid_cve_sequence
-from lp.services.fields import PersonChoice
 
 
 class CveStatus(DBEnumeratedType):
@@ -154,12 +153,14 @@ class ICve(Interface):
         as_of="devel",
     )
 
-    discoverer = exported(
-        PersonChoice(
-            title=_("Discoverer"),
+    discovered_by = exported(
+        TextLine(
+            title=_("Discovered by"),
+            description=_(
+                "The name of person(s) or organization that discovered the CVE"
+            ),
             required=False,
             readonly=True,
-            vocabulary="ValidPerson",
         ),
         as_of="devel",
     )
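Review bot: The new `discovered_by` description does not say that the value is unvalidated free-form text taken from an external tracker, which matters now that the field is no longer a vetted `Person` reference and is still exported on the devel API. I would reword it along the lines of `"Free-form text naming the person(s) or organization that discovered the CVE, as recorded in the source data; not linked to a Launchpad account."` so API consumers and template authors know to escape it on output. `TextLine` also implies a single line, but the importer in this diff appears to assign to the model attribute directly rather than through the schema field, so it is worth stating whether multi-line values are expected. ICve's body continues outside the hunk.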
@@ -206,7 +207,7 @@ class ICveSet(Interface):
         description,
         cvestate=CveStatus.CANDIDATE,
         date_made_public=None,
-        discoverer=None,
+        discovered_by=None,
         cvss=None,
     ):
         """Create a new ICve."""
diff --git a/lib/lp/bugs/model/cve.py b/lib/lp/bugs/model/cve.py
index 26eae07..8a9f327 100644
--- a/lib/lp/bugs/model/cve.py
+++ b/lib/lp/bugs/model/cve.py
@@ -10,15 +10,7 @@ import operator
 
 import pytz
 from storm.databases.postgres import JSON
-from storm.locals import (
-    DateTime,
-    Desc,
-    Int,
-    Reference,
-    ReferenceSet,
-    Store,
-    Unicode,
-)
+from storm.locals import DateTime, Desc, Int, ReferenceSet, Store, Unicode
 from zope.component import getUtility
 from zope.interface import implementer
 
@@ -60,8 +52,7 @@ class Cve(StormBase, BugLinkTargetMixin):
     )
 
     date_made_public = DateTime(tzinfo=pytz.UTC, allow_none=True)
-    discoverer_id = Int(name="discoverer", allow_none=True)
-    discoverer = Reference(discoverer_id, "Person.id")
+    discovered_by = Unicode(allow_none=True)
     _cvss = JSON(name="cvss", allow_none=True)
 
     @property
@@ -79,7 +70,7 @@ class Cve(StormBase, BugLinkTargetMixin):
         status,
         description,
         date_made_public=None,
-        discoverer=None,
+        discovered_by=None,
         cvss=None,
     ):
         super().__init__()
@@ -87,7 +78,7 @@ class Cve(StormBase, BugLinkTargetMixin):
         self.status = status
         self.description = description
         self.date_made_public = date_made_public
-        self.discoverer = discoverer
+        self.discovered_by = discovered_by
         self._cvss = cvss
 
     @property
@@ -178,7 +169,7 @@ class CveSet:
         description,
         status=CveStatus.CANDIDATE,
         date_made_public=None,
-        discoverer=None,
+        discovered_by=None,
         cvss=None,
     ):
         """See ICveSet."""
@@ -187,7 +178,7 @@ class CveSet:
             status=status,
             description=description,
             date_made_public=date_made_public,
-            discoverer=discoverer,
+            discovered_by=discovered_by,
             cvss=cvss,
         )
 
diff --git a/lib/lp/bugs/scripts/tests/test_uct.py b/lib/lp/bugs/scripts/tests/test_uct.py
index 71b1abb..82906dd 100644
--- a/lib/lp/bugs/scripts/tests/test_uct.py
+++ b/lib/lp/bugs/scripts/tests/test_uct.py
@@ -565,7 +565,7 @@ class TestUCTImporterExporter(TestCaseWithFactory):
             importance=BugTaskImportance.MEDIUM,
             status=VulnerabilityStatus.ACTIVE,
             assignee=self.factory.makePerson(),
-            discovered_by="",
+            discovered_by="tr3e wang",
             description="description",
             ubuntu_description="ubuntu-description",
             bug_urls=["https://github.com/mm2/Little-CMS/issues/29";],
@@ -700,6 +700,7 @@ class TestUCTImporterExporter(TestCaseWithFactory):
             {cvss.authority: cvss.vector_string for cvss in cve.cvss},
             lp_cve.cvss,
         )
+        self.assertEqual(cve.discovered_by, lp_cve.discovered_by)
 
     def checkCVE(self, expected: CVE, actual: CVE):
         self.assertEqual(expected.sequence, actual.sequence)
diff --git a/lib/lp/bugs/scripts/uct/uctexport.py b/lib/lp/bugs/scripts/uct/uctexport.py
index f14d994..1741688 100644
--- a/lib/lp/bugs/scripts/uct/uctexport.py
+++ b/lib/lp/bugs/scripts/uct/uctexport.py
@@ -183,7 +183,7 @@ class UCTExporter:
             importance=cve_importance,
             status=vulnerability.status,
             assignee=bug_tasks[0].assignee,
-            discovered_by="",  # TODO: fix this
+            discovered_by=lp_cve.discovered_by or "",
             description=parsed_description.description,
             ubuntu_description=vulnerability.description,
             bug_urls=bug_urls,
diff --git a/lib/lp/bugs/scripts/uct/uctimport.py b/lib/lp/bugs/scripts/uct/uctimport.py
index 87d6b0d..19a0ff1 100644
--- a/lib/lp/bugs/scripts/uct/uctimport.py
+++ b/lib/lp/bugs/scripts/uct/uctimport.py
@@ -32,6 +32,7 @@ from typing import Dict, List, Optional
 
 import transaction
 from zope.component import getUtility
+from zope.security.proxy import removeSecurityProxy
 
 from lp.app.enums import InformationType
 from lp.app.interfaces.launchpad import ILaunchpadCelebrities
@@ -102,7 +103,9 @@ class UCTImporter:
                 cve.series_packages,
             )
             return
-        lp_cve = getUtility(ICveSet)[cve.sequence]  # type: CveModel
+        lp_cve = removeSecurityProxy(
+            getUtility(ICveSet)[cve.sequence]
+        )  # type: CveModel
         if lp_cve is None:
             logger.warning(
                 "%s: could not find the CVE in LP. Aborting.", cve.sequence
@@ -457,3 +460,4 @@ class UCTImporter:
             lp_cve.setCVSSVectorForAuthority(
                 cvss.authority, cvss.vector_string
             )
+        lp_cve.discovered_by = cve.discovered_by
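Review bot: This assignment is the only write that needs the security proxy removed, yet the earlier hunk in this file unwraps `lp_cve` at lookup time, so every later attribute access and method call on it in the importer runs without permission checks. Keeping the lookup proxied and unwrapping only here, `removeSecurityProxy(lp_cve).discovered_by = cve.discovered_by`, limits the bypass to the one read-only field. The value comes straight from the UCT record, so I would also normalize it (assuming it is always a `str`), e.g. `cve.discovered_by.strip() or None`, so that "unknown" is not stored as both `''` and NULL. The enclosing method starts outside the hunk, so this assumes `lp_cve` here is the object returned by that lookup.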
diff --git a/lib/lp/bugs/tests/test_cve.py b/lib/lp/bugs/tests/test_cve.py
index a500431..8a7b50d 100644
--- a/lib/lp/bugs/tests/test_cve.py
+++ b/lib/lp/bugs/tests/test_cve.py
@@ -165,13 +165,12 @@ class TestCve(TestCaseWithFactory):
                 status=CveStatus.CANDIDATE,
                 description="A critical vulnerability",
                 date_made_public=None,
-                discoverer=None,
+                discovered_by=None,
                 cvss={},
             ),
         )
 
     def test_cveset_new_method_parameters(self):
-        person = self.factory.makePerson()
         today = datetime.now(tz=pytz.UTC)
         cvss = {"nvd": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}
         cve = getUtility(ICveSet).new(
@@ -179,7 +178,7 @@ class TestCve(TestCaseWithFactory):
             description="A critical vulnerability",
             status=CveStatus.CANDIDATE,
             date_made_public=today,
-            discoverer=person,
+            discovered_by="A person",
             cvss=cvss,
         )
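Review bot: Nothing in this file now checks what `Cve.discovered_by` rejects: the commit deletes `test_cve_discoverer_id_invalid_values` further down without an equivalent for the new column, and this test only passes a well-formed string. A short test in the style of the neighbouring `*_invalid_values` tests, assigning non-text values such as `123` or `datetime.now()` through `removeSecurityProxy(cve).discovered_by` and expecting `TypeError`, would pin the type check that the Storm `Unicode` column is presumably relied on to provide. The test method's body continues outside the hunk.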
         self.assertThat(
@@ -189,7 +188,7 @@ class TestCve(TestCaseWithFactory):
                 status=CveStatus.CANDIDATE,
                 description="A critical vulnerability",
                 date_made_public=today,
-                discoverer=person,
+                discovered_by="A person",
                 cvss=cvss,
             ),
         )
@@ -211,18 +210,6 @@ class TestCve(TestCaseWithFactory):
             with ExpectedException(TypeError, "Expected datetime,.*"):
                 removeSecurityProxy(cve).date_made_public = invalid_value
 
-    def test_cve_discoverer_id_invalid_values(self):
-        invalid_values = ["", "abcd", "2022-01-01", datetime.now()]
-
-        cve = self.factory.makeCVE(
-            sequence="2099-1234",
-            description="A critical vulnerability",
-            cvestate=CveStatus.CANDIDATE,
-        )
-        for invalid_value in invalid_values:
-            with ExpectedException(TypeError, "Expected int,.*"):
-                removeSecurityProxy(cve).discoverer_id = invalid_value
-
     def test_cve_cvss_invalid_values(self):
         invalid_values = ["", "abcd", "2022-01-01", datetime.now()]
         cve = self.factory.makeCVE(
diff --git a/lib/lp/testing/factory.py b/lib/lp/testing/factory.py
index 3fd560c..6ffe7d1 100644
--- a/lib/lp/testing/factory.py
+++ b/lib/lp/testing/factory.py
@@ -5789,7 +5789,7 @@ class LaunchpadObjectFactory(ObjectFactory):
         description=None,
         cvestate=CveStatus.CANDIDATE,
         date_made_public=None,
-        discoverer=None,
+        discovered_by=None,
         cvss=None,
     ):
         """Create a new CVE record."""
@@ -5797,7 +5797,12 @@ class LaunchpadObjectFactory(ObjectFactory):
             description = self.getUniqueUnicode()
 
         return getUtility(ICveSet).new(
-            sequence, description, cvestate, date_made_public, discoverer, cvss
+            sequence,
+            description,
+            cvestate,
+            date_made_public,
+            discovered_by,
+            cvss,
         )
 
     def makePublisherConfig(
