
[Merge] ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master

 

Enrique Sánchez has proposed merging ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master with ~enriqueesanchz/launchpad:add-cve-metadata as a prerequisite.

Commit message:
Add Cve.metadata
    
Add metadata to Cve model
Import `affected` data from json cvelist cves

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~enriqueesanchz/launchpad/+git/launchpad/+merge/493451
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master.
diff --git a/lib/lp/bugs/interfaces/cve.py b/lib/lp/bugs/interfaces/cve.py
index 4efd60c..7f50341 100644
--- a/lib/lp/bugs/interfaces/cve.py
+++ b/lib/lp/bugs/interfaces/cve.py
@@ -180,6 +180,18 @@ class ICve(Interface):
         as_of="devel",
     )
 
+    metadata = exported(
+        Dict(
+            title=_("metadata"),
+            description=_("CVE metadata."),
+            key_type=Text(),
+            value_type=Text(),
+            required=False,
+            readonly=False,
+        ),
+        as_of="devel",
+    )
+
     def createReference(source, content, url=None):
         """Create a new CveReference for this CVE."""
 
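Review bot: The exported `metadata` field declares `value_type=Text()`, but the importer in `cveimport.py` stores a list of objects under `metadata["affected"]` (the test fixture uses a list of vendor/product dicts), so the declared schema does not match the value that is stored. The field is also exported with `readonly=False`, which presumably lets webservice clients overwrite data that the importer owns; unless client writes are intended, `readonly=True` is the safer default. A fuller description would help API users, for example `description=_("Additional data imported from the CVE record, such as the affected products.")`.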
diff --git a/lib/lp/bugs/model/cve.py b/lib/lp/bugs/model/cve.py
index ce24b2d..aa482c7 100644
--- a/lib/lp/bugs/model/cve.py
+++ b/lib/lp/bugs/model/cve.py
@@ -63,6 +63,7 @@ class Cve(StormBase, BugLinkTargetMixin):
     date_made_public = DateTime(tzinfo=timezone.utc, allow_none=True)
     discovered_by = Unicode(allow_none=True)
     _cvss = JSON(name="cvss", allow_none=True)
+    metadata = JSON(name="metadata", allow_none=True)
 
     @property
     def cvss(self):
@@ -81,6 +82,7 @@ class Cve(StormBase, BugLinkTargetMixin):
         date_made_public=None,
         discovered_by=None,
         cvss=None,
+        metadata=None,
     ):
         super().__init__()
         self.sequence = sequence
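Review bot: `__init__` gains a `metadata=None` parameter here, but no hunk in this file adds a matching assignment, so the argument appears to be accepted and then dropped. The body of `__init__` continues past the hunk, so this should be confirmed against the full file. If the assignment is missing, add `self.metadata = metadata` next to the other attribute assignments.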
diff --git a/lib/lp/bugs/scripts/cveimport.py b/lib/lp/bugs/scripts/cveimport.py
index 57b25b2..a1c27d5 100644
--- a/lib/lp/bugs/scripts/cveimport.py
+++ b/lib/lp/bugs/scripts/cveimport.py
@@ -701,6 +701,9 @@ class CVEUpdater(LaunchpadCronScript):
             self.logger.debug(f"No description for CVE-{sequence}")
             return
 
+        # get affected information
+        affected = cna_data.get("affected", {})
+
         # find or create CVE entry
         cveset = getUtility(ICveSet)
         cve = cveset[sequence]
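Review bot: `cna_data.get("affected", {})` defaults to a dict, while the `affected` value in a record is a list (the test fixture supplies one), so the "no data" value has a different type from real data. The same `{}` default appears in `metadata.get("affected", {})` in the next hunk, and both should change together. The value comes from an external feed and is persisted as-is, so a type check before use would keep malformed records out of the column, for example `affected = cna_data.get("affected") or []` followed by `if not isinstance(affected, list): affected = []` with a debug log line. The enclosing method starts and ends outside the hunk.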
@@ -719,6 +722,13 @@ class CVEUpdater(LaunchpadCronScript):
         if self._handle_json_references(cna_data.get("references", []), cve):
             modified = True
 
+        # handle affected
+        metadata = cve.metadata or {}
+        if metadata.get("affected", {}) != affected:
+            metadata["affected"] = affected
+            cve.metadata = metadata
+            modified = True
+
         if modified:
             notify(ObjectModifiedEvent(cve))
 
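Review bot: `metadata = cve.metadata or {}` binds the dict already held by the column, so `metadata["affected"] = affected` mutates the stored value in place before the assignment on the following line. Whether that change is flushed then depends on how the `JSON` property tracks mutation. Working on a copy makes the intent explicit: `metadata = dict(cve.metadata or {})`. A short comment would also help the next reader, for example `# replace only the "affected" key; other metadata keys are kept`.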
diff --git a/lib/lp/bugs/scripts/tests/test_cveimport.py b/lib/lp/bugs/scripts/tests/test_cveimport.py
index 07f4550..63fd5b0 100644
--- a/lib/lp/bugs/scripts/tests/test_cveimport.py
+++ b/lib/lp/bugs/scripts/tests/test_cveimport.py
@@ -94,6 +94,12 @@ class TestCVEUpdater(TestCase):
             "cveMetadata": {"cveId": f"CVE-{cve_id}"},
             "containers": {
                 "cna": {
+                    "affected": [
+                        {
+                            "vendor": "example vendor",
+                            "product": "example product",
+                        }
+                    ],
                     "descriptions": [{"lang": "en", "value": description}],
                     "references": [
                         {
@@ -269,6 +275,14 @@ class TestCVEUpdater(TestCase):
         cve_data = self.create_test_json_cve(
             cve_id="2024-0004", description=new_desc
         )
+        new_metadata = {
+            "affected": [
+                {
+                    "vendor": "example vendor",
+                    "product": "example product",
+                }
+            ],
+        }
 
         # Process the update with a fresh updater
         updater = self.make_updater()
@@ -278,6 +292,7 @@ class TestCVEUpdater(TestCase):
         # Verify the update
         updated_cve = cveset["2024-0004"]
         self.assertEqual(new_desc, updated_cve.description)
+        self.assertEqual(new_metadata, updated_cve.metadata)
 
     def test_extract_github_zip(self):
         """Test extract_github_zip for complete releases."""
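Review bot: The new assertion only covers an update where `affected` is present and well-formed. The importer takes this value from an external feed, so three more cases are worth adding. One is a record with no `affected` key, where the visible logic suggests `metadata` is left unset. Another is a record whose `affected` is not a list, and the third is an existing CVE whose `affected` changes between two imports. The test method begins outside this hunk.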
