You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2022/10/24 12:48:42 UTC
[httpd-site] branch main updated: Make the vulnerability page conversion script tolerant to JSON v5 CVE files (to come later). Update the CVE project URL
This is an automated email from the ASF dual-hosted git repository.
mjc pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git
The following commit(s) were added to refs/heads/main by this push:
new 6bfbadb Make the vulnerability page conversion script tolerant to JSON v5 CVE files (to come later). Update the CVE project URL
6bfbadb is described below
commit 6bfbadbdf5b772d968df189ae499ea9f4a029aaa
Author: Mark J. Cox <ma...@awe.com>
AuthorDate: Mon Oct 24 13:47:47 2022 +0100
Make the vulnerability page conversion script tolerant to JSON v5 CVE
files (to come later). Update the CVE project URL
---
content/security/cvejsontohtml.py | 111 +++++++++++++++++++++++++-------------
1 file changed, 74 insertions(+), 37 deletions(-)
diff --git a/content/security/cvejsontohtml.py b/content/security/cvejsontohtml.py
index f860932..6ab9ddd 100644
--- a/content/security/cvejsontohtml.py
+++ b/content/security/cvejsontohtml.py
@@ -32,7 +32,13 @@ for x in os.listdir(options.directory or "./"):
# Filter on version and store by release(s) that fixed it
for cve in cves:
- for time in cve["timeline"]:
+ if "timeline" in cve:
+ timearray = cve["timeline"]
+ cve["id"] = cve["CVE_data_meta"]["ID"]
+ else:
+ timearray = cve["containers"]["cna"]["timeline"]
+ cve["id"] = cve["cveMetadata"]["cveId"]
+ for time in timearray:
timed = time["value"]
matcher = re_fixedin.match(timed);
if (matcher and matcher.group('released').startswith(filterversion)):
@@ -52,42 +58,73 @@ for k,v in sorted(entries.items(), key=lambda s: [int(u) if u.isdigit() else 999
fixedv = k.split(",")[0]
sectioncves = []
- for cve in sorted(v, key=lambda s: [int(u) if u.isdigit() else u for u in s["CVE_data_meta"]["ID"].split('-')]):
+ for cve in sorted(v, key=lambda s: [int(u) if u.isdigit() else u for u in s["id"].split('-')]):
e = {}
- e['cveid'] = cve["CVE_data_meta"]["ID"]
- e['impact'] = cve["impact"][0]["other"]
- e['title'] = cve["CVE_data_meta"]["TITLE"]
- e['desc'] = cve["description"]["description_data"][0]["value"]
- e['credit'] = []
- if ("credit" in cve):
- for credit in cve["credit"]:
- e['credit'].append(credit["value"])
- affects = []
- product = cve["affects"]["vendor"]["vendor_data"][0]["product"]["product_data"][0]
- productname = product['product_name']
- for ver in product["version"]["version_data"]:
- if (ver["version_affected"] == "="):
- affects.append(ver["version_value"])
- elif (ver["version_affected"] == "?="):
- # We did ?= for "maybe affects" because no one checked
- affects.append(ver["version_value"]+"?")
- else:
- # Otherwise maybe we started doing things like "<2.7.8"
- affects.append(ver["version_affected"]+ver["version_value"])
- # Make a natural order sort
- affects.sort(reverse=True, key=natural_sort_key)
- e['affects'] = ", ".join(affects)
- e['timetable'] = [];
- for time in cve["timeline"]:
- timed = time["value"]
- if ("reported" in timed):
- timed = "Reported to security team"
- elif ("public" in timed):
- timed = "Issue public"
- elif ("release" in timed):
- timed = "Update "+timed
- e['timetable'].append([timed,time["time"]])
- sectioncves.append(e)
+ e['cveid'] = cve["id"]
+ if ("cveMetadata" in cve): # v5
+ e['impact'] = cve["containers"]["cna"]["metrics"][0]["other"]["content"]["text"]
+ e['title'] = cve["containers"]["cna"]["title"]
+ e['desc'] = cve["containers"]["cna"]["descriptions"][0]["value"]
+ e['credit'] = []
+ if ("credits" in cve["containers"]["cna"]):
+ for credit in cve["containers"]["cna"]["credits"]:
+ e['credit'].append(credit["type"]+": "+credit["value"])
+ affects = []
+ product = cve["containers"]["cna"]["affected"][0]
+ productname = product['product']
+ for ver in product["versions"]:
+ if ("lessThanOrEqual" in ver):
+ affects.append("<="+ver["lessThanOrEqual"])
+ if ("lessThan" in ver):
+ affects.append("<"+ver["lessThan"])
+ # Make a natural order sort
+ affects.sort(reverse=True, key=natural_sort_key)
+ e['affects'] = ", ".join(affects)
+ e['timetable'] = [];
+ for time in cve["containers"]["cna"]["timeline"]:
+ timed = time["value"]
+ if ("reported" in timed):
+ timed = "Reported to security team"
+ elif ("public" in timed):
+ timed = "Issue public"
+ elif ("release" in timed):
+ timed = "Update "+timed
+ e['timetable'].append([timed,time["time"].split('T')[0]])
+ sectioncves.append(e)
+ else:
+ e['impact'] = cve["impact"][0]["other"]
+ e['title'] = cve["CVE_data_meta"]["TITLE"]
+ e['desc'] = cve["description"]["description_data"][0]["value"]
+ e['credit'] = []
+ if ("credit" in cve):
+ for credit in cve["credit"]:
+ e['credit'].append(credit["value"])
+ affects = []
+ product = cve["affects"]["vendor"]["vendor_data"][0]["product"]["product_data"][0]
+ productname = product['product_name']
+ for ver in product["version"]["version_data"]:
+ if (ver["version_affected"] == "="):
+ affects.append(ver["version_value"])
+ elif (ver["version_affected"] == "?="):
+ # We did ?= for "maybe affects" because no one checked
+ affects.append(ver["version_value"]+"?")
+ else:
+ # Otherwise maybe we started doing things like "<2.7.8"
+ affects.append(ver["version_affected"]+ver["version_value"])
+ # Make a natural order sort
+ affects.sort(reverse=True, key=natural_sort_key)
+ e['affects'] = ", ".join(affects)
+ e['timetable'] = [];
+ for time in cve["timeline"]:
+ timed = time["value"]
+ if ("reported" in timed):
+ timed = "Reported to security team"
+ elif ("public" in timed):
+ timed = "Issue public"
+ elif ("release" in timed):
+ timed = "Update "+timed
+ e['timetable'].append([timed,time["time"]])
+ sectioncves.append(e)
sections.append({"cves":sectioncves,"fixed":fixedv,"product":productname})
# Everything is sorted and pretty, this should be some python template thing
@@ -108,7 +145,7 @@ for sectioncves in sections:
print ("\n<h1 id=\""+sectioncves["fixed"]+"\">Fixed in "+sectioncves["product"]+" "+sectioncves["fixed"]+"</h1><dl>\n")
for e in sectioncves["cves"]:
html = "<dt><h3 id=\""+e['cveid']+"\">"+e['impact']+": <name name=\""+e['cveid']+"\">"+saxutils.escape(e['title'])+"</name>\n";
- html += "(<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name="+e['cveid']+"\">"+e['cveid']+"</a>)</h3></dt>\n";
+ html += "(<a href=\"https://www.cve.org/CVERecord?id="+e['cveid']+"\">"+e['cveid']+"</a>)</h3></dt>\n";
desc = saxutils.escape(e['desc'])
desc = re.sub(r'\n','</p><p>', desc)
html += "<dd><p>"+desc+"</p>\n"