Author: gilbert-guest
Date: 2010-02-07 22:10:53 +0000 (Sun, 07 Feb 2010)
New Revision: 14058
Modified:
bin/tracker_service.py
bin/update-nvd
lib/python/bugs.py
lib/python/security_db.py
Log:
use nvd urgencies and add finer control for per-release pages
Modified: bin/tracker_service.py
==================================================================---
bin/tracker_service.py 2010-02-07 22:10:48 UTC (rev 14057)
+++ bin/tracker_service.py 2010-02-07 22:10:53 UTC (rev 14058)
@@ -24,10 +24,11 @@
webservice_base_class = WebServiceHTTP
class BugFilter:
- default_action_list = [("show_high_urgency", "only high
urgencies"),
- ("show_medium_urgency", "only medium
and high urgencies"),
- ("show_remote_only", "only remote
vulnerabilities"),
- ("show_undetermined_urgency",
"undetermined and unimportant urgencies")]
+ default_action_list = [(''show_high_urgency'',
''only high urgencies''),
+ (''show_medium_urgency'',
''only medium and high urgencies''),
+ (''show_undetermined_urgency'',
''issues that may be vulnerable but need to be checked (shown in
purple)''),
+ (''show_unimportant_urgency'',
''unimportant issues''),
+ (''show_remote_only'',
''only remote vulnerabilities'')]
def __init__(self, params, action_list=None):
if action_list is None:
self.action_list = self.default_action_list
@@ -59,22 +60,25 @@
def urgencyFiltered(self, urg, vuln):
"""Returns True for urgencies that should be
filtered."""
filterlow = self.params[''show_medium_urgency''] and \
- urg in (''low'',
''unimportant'', ''undetermined'')
+ urg in (''low'', ''low**'',
''unimportant'',
+ ''undetermined'', ''not yet
assigned'')
filtermed = self.params[''show_high_urgency''] and \
- urg in (''medium'',
''low'', ''unimportant'',
''undetermined'')
- filteruni = not
self.params[''show_undetermined_urgency''] \
- and vuln == 2 or urg == ''unimportant''
- return filterlow or filtermed or filteruni
+ urg in (''medium'',
''medium**'', ''low'',
''low**'',
+ ''unimportant'',
''undetermined'', ''not yet assigned'')
+ filterund = not
self.params[''show_undetermined_urgency''] and vuln == 2
+ filteruni = not
self.params[''show_unimportant_urgency''] \
+ and urg == ''unimportant''
+ return filterlow or filtermed or filterund or filteruni
def remoteFiltered(self, remote):
"""Returns True for only remote flaws if
filtered."""
- return remote is not None and not
self.params[''show_remote_only''] \
+ return remote is not None and
self.params[''show_remote_only''] \
and not remote
class BugFilterNoDSA(BugFilter):
def __init__(self, params):
BugFilter.__init__(self, params, self.default_action_list
- + [(''show_nodsa'', ''non-DSA
vulnerabilities'')])
+ + [(''show_nodsa'', ''issues that are not
severe enough to warrant a DSA'')])
def nodsaFiltered(self, nodsa):
"""Returns True for no DSA issues if
filtered."""
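Review bot: The two membership tuples in urgencyFiltered repeat the same literals, and both still list 'undetermined' even though this commit drops that value from listUrgencies in lib/python/bugs.py, so those entries may be leftovers. Defining the sets once on the class, for example `LOW_AND_BELOW = ('low', 'low**', 'unimportant', 'undetermined', 'not yet assigned')` with the medium set built from it, would keep the NVD-suffixed values from drifting apart between the two filters. The remoteFiltered docstring no longer describes the corrected condition and could read `"""Return True (filtered) for issues known not to be remote when show_remote_only is set."""`. The hunk ends inside nodsaFiltered, whose body is not visible here.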
@@ -112,6 +116,14 @@
}
'''''')).toHTML()
+ nvd_text = P(''''''If a "**" is
included, the urgency field was automatically
+ assigned by the NVD (National Vulnerability Database). Note that this
+ rating is automatically derived from a set of known factors about the
+ issue (such as access complexity, confidentiality impact,
exploitability,
+ remediation level, and others). Human intervention is involved in
+ determining the values of these factors, but the rating itself comes
+ from a fully automated formula.'''''')
+
def __init__(self, socket_name, db_name):
webservice_base_class.__init__(self, socket_name)
self.db = security_db.DB(db_name)
@@ -422,6 +434,8 @@
urgency = ''''
else:
ver = self.make_red(''(unfixed)'')
+ if urgency == ''not yet assigned'':
+ urgency = ''''
pkg = n.package
pkg_kind = n.package_kind
@@ -658,11 +672,10 @@
else:
remote = ''no''
- if vulnerable == 2:
+ if urgency.startswith(''high''):
+ urgency = self.make_red(urgency)
+ elif vulnerable == 2:
urgency = self.make_purple(urgency)
-
- if urgency == ''high'':
- urgency = self.make_red(urgency)
else:
if no_dsa:
urgency = urgency + ''*''
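Review bot: With `elif vulnerable == 2:` now placed ahead of the `else:`, a row that is coloured purple no longer reaches `urgency = urgency + '*'`, so the no-DSA marker appears to be dropped for undetermined issues. As far as the removed lines show, only the 'high' case skipped it before. Indentation is lost in this listing, so confirm that the `else:` really pairs with this chain. If the marker should still be shown, append it before colouring, e.g. `if no_dsa and not urgency.startswith('high'): urgency = urgency + '*'` ahead of the `if`. The surrounding generator starts and ends outside the hunk.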
@@ -672,10 +685,10 @@
return self.create_page(
url, ''Vulnerable source packages in the %s suite''
% release,
[bf.actions(url), BR(),
- make_table(gen(), caption=("Package", "Bug",
"Urgency",
- "Remote")),
- P(''''''(If a "*" is included in
the urgency field, no DSA is planned
-for this vulnerability.)'''''')])
+ make_table(gen(), caption=("Package", "Bug",
"Urgency", "Remote")),
+ P(''''''If a "*" is included in
the urgency field, no DSA is planned
+ for this vulnerability.''''''),
+ self.nvd_text])
def page_status_release_stable(self, path, params, url):
return
self.page_status_release_stable_oldstable(''stable'', params,
url)
@@ -715,9 +728,6 @@
else:
remote = ''no''
- if sid_vulnerable == 2:
- urgency = self.make_purple(urgency)
-
if ts_fixed:
status = ''fixed in testing-security''
else:
@@ -726,6 +736,11 @@
else:
status = self.make_dangerous(''fixed in
unstable'')
+ if urgency.startswith(''high''):
+ urgency = self.make_red(urgency)
+ elif vulnerable == 2:
+ urgency = self.make_purple(urgency)
+
yield (pkg_name, self.make_xref(url, bug_name),
urgency, remote, status)
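Review bot: The added `elif vulnerable == 2:` tests a name that the lines removed in the preceding hunk spelled `sid_vulnerable`. Unless `vulnerable` is also bound in this generator, the branch raises NameError or tests a different release's state. If the unstable status is what is meant, the line should read `elif sid_vulnerable == 2:`. The enclosing function begins outside the hunk, so the names in scope cannot be confirmed from here.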
@@ -734,8 +749,8 @@
[make_menu(url.scriptRelative,
("status/dtsa-candidates", "Candidates
for DTSAs")),
bf.actions(url), BR(),
- make_table(gen(), caption=("Package", "Bug",
"Urgency",
- "Remote"))])
+ make_table(gen(), caption=("Package", "Bug",
"Urgency", "Remote")),
+ self.nvd_text])
def page_status_release_unstable_like(self, path, params, url,
rel, title):
@@ -774,7 +789,7 @@
else:
remote = ''no''
- if urgency == ''high'':
+ if urgency.startswith(''high''):
urgency = self.make_red(urgency)
elif vulnerable == 2:
urgency = self.make_purple(urgency)
@@ -789,8 +804,8 @@
if there are still some vulnerably binary packages present
in the archive."""),
bf.actions(url), BR(),
- make_table(gen(), caption=(''Package'',
''Bug'', ''Urgency'',
- ''Remote''))])
+ make_table(gen(), caption=(''Package'',
''Bug'', ''Urgency'',
''Remote'')),
+ self.nvd_text])
def page_status_release_unstable(self, path, params, url):
return self.page_status_release_unstable_like(
@@ -858,8 +873,10 @@
else:
remote = ''no''
- if urgency == ''high'':
+ if urgency.starstwith(''high''):
urgency = self.make_red(urgency)
+ elif vulnerable == 2:
+ urgency = self.make_purple(urgency)
if stable_later:
notes = "(fixed in stable?)"
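Review bot: `urgency.starstwith('high')` is a misspelling of `startswith`, so this page raises AttributeError as soon as a row reaches the line. It should read `if urgency.startswith('high'):`, as in the other per-release hunks of this commit. The added `elif vulnerable == 2:` also depends on `vulnerable` being bound in this generator, which is not visible in the hunk.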
Modified: bin/update-nvd
==================================================================---
bin/update-nvd 2010-02-07 22:10:48 UTC (rev 14057)
+++ bin/update-nvd 2010-02-07 22:10:53 UTC (rev 14058)
@@ -43,8 +43,5 @@
data.sort()
cursor = db.writeTxn()
-if incremental:
- db.updateNVD(cursor, data)
-else:
- db.replaceNVD(cursor, data)
+db.updateNVD(cursor, data, incremental)
db.commit(cursor)
Modified: lib/python/bugs.py
==================================================================---
lib/python/bugs.py 2010-02-07 22:10:48 UTC (rev 14057)
+++ lib/python/bugs.py 2010-02-07 22:10:53 UTC (rev 14058)
@@ -23,7 +23,7 @@
def listUrgencies():
urgencies = {}
- urgs = ("high", "medium", "low",
"unimportant", "undetermined")
+ urgs = (''high'', ''medium'',
''low'', ''unimportant'', ''not yet
assigned'')
for u in range(len(urgs)):
urgencies[urgs[u]] = Urgency(urgs[u], -u)
Urgency.urgencies = urgencies
@@ -140,10 +140,7 @@
def __init__(self, package, version, notes, release=None):
bugs = []
- if version == ''undetermined'':
- urgency = ''undetermined''
- else:
- urgency = ''low''
+ urgency = ''not yet assigned''
if notes is not None:
for n in self.re_notes_split.split(notes):
u = internUrgency(n)
Modified: lib/python/security_db.py
==================================================================---
lib/python/security_db.py 2010-02-07 22:10:48 UTC (rev 14057)
+++ lib/python/security_db.py 2010-02-07 22:10:53 UTC (rev 14058)
@@ -1140,6 +1140,30 @@
# architectures.
# FIXME: MAX(n.urgency) is wrong.
+ # assign nvd urgencies to those that have not yet been assigned
+ if self.verbose:
+ print " insert nvd urgencies"
+ cursor.execute(
+ """REPLACE INTO source_package_status
+ SELECT s.bug_name, s.package, s.vulnerable,
+ CASE WHEN n.severity == ''Medium'' THEN
''medium**''
+ ELSE CASE WHEN n.severity == ''High'' THEN
''high**''
+ ELSE CASE WHEN n.severity == ''Low'' THEN
''low**''
+ ELSE ''not yet assigned'' END END END
+ FROM nvd_data AS n, source_package_status AS s
+ WHERE s.bug_name == n.cve_name
+ AND s.urgency == ''not yet
assigned''""")
+ cursor.execute(
+ """REPLACE INTO binary_package_status
+ SELECT b.bug_name, b.package, b.vulnerable,
+ CASE WHEN n.severity == ''Medium'' THEN
''medium**''
+ ELSE CASE WHEN n.severity == ''High'' THEN
''high**''
+ ELSE CASE WHEN n.severity == ''Low'' THEN
''low**''
+ ELSE ''not yet assigned'' END END END
+ FROM nvd_data AS n, binary_package_status AS b
+ WHERE b.bug_name == n.cve_name
+ AND b.urgency == ''not yet
assigned''""")
+
# Calculate the release-specific bug status.
if self.verbose:
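Review bot: Both `REPLACE INTO ... SELECT` statements depend on the target table's column order and on a unique key covering the bug/package pair. Without such a key, REPLACE inserts a second row instead of overwriting the 'not yet assigned' one. Naming the columns makes the first dependency explicit, e.g. `REPLACE INTO source_package_status (bug_name, package, vulnerable, urgency)`, and likewise for binary_package_status; the column names are taken from the aliases in the query and should be confirmed against the schema. The nested `CASE ... ELSE CASE` reads more easily as one expression: `CASE n.severity WHEN 'Medium' THEN 'medium**' WHEN 'High' THEN 'high**' WHEN 'Low' THEN 'low**' ELSE 'not yet assigned' END`. A short comment that `**` marks an NVD-derived value, not a human-assigned one, would help the next reader of this block.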
@@ -1308,7 +1332,7 @@
c.execute("""DELETE FROM vulnlist WHERE name LIKE
''TEMP-0000000-%''""")
urgency_to_flag = {''low'' : ''L'',
''medium'' : ''M'', ''high'' :
''H'',
- ''unknown'' : '' ''
, ''undetermined'' : '' ''}
+ ''not yet assigned'' : ''
''}
result = ["VERSION 0\n"]
for (name, package, fixed_version, kind, urgency, remote, description,
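Review bot: The narrowed `urgency_to_flag` map has no entries for 'low**', 'medium**' and 'high**', which the NVD step added in this commit now writes into the urgency columns, nor for the removed 'unknown' and 'undetermined'. If the loop below indexes the map directly, any such row raises KeyError and aborts building the result; if it falls back to a default, NVD-rated issues lose their L/M/H flag. Either add the suffixed keys or normalise before the lookup, e.g. `flag = urgency_to_flag[urgency.rstrip('*')]`. The same map is repeated in the next hunk (@@ -1442,7 +1466,7 @@), and the lookup itself lies outside both hunks.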
@@ -1442,7 +1466,7 @@
fill_bug_to_index()
urgency_to_flag = {''low'' : ''L'',
''medium'' : ''M'', ''high'' :
''H'',
- ''unknown'' : '' '',
''undetermined'' : '' ''}
+ ''not yet assigned'' : ''
''}
vuln_list = []
source_packages = {}
@@ -1615,7 +1639,6 @@
self.calculateDebsecan0(release)
self.calculateDebsecan1()
-
def getDebsecan(self, name):
"""Returns the debsecan data item
NAME."""
for (data,) in self.cursor().execute(
@@ -1624,16 +1647,11 @@
else:
return None
- def replaceNVD(self, cursor, data):
- """Replaces the stored NVD data."""
- cursor.execute("DELETE FROM nvd_data");
- cursor.executemany("INSERT INTO nvd_data VALUES (?"
- + (", ?" * (len(data[0]) - 1))
- + ")", data)
-
- def updateNVD(self, cursor, data):
- """Adds (and overwrites) NVD data stored in the
database.
- This can be used for incremental updates."""
+ def updateNVD(self, cursor, data, incremental):
+ """Adds (and overwrites) NVD data stored in the
database. This
+ can be used for incremental updates if incremental is
True."""
+ if not incremental:
+ cursor.execute("DELETE FROM nvd_data");
cursor.executemany("INSERT OR REPLACE INTO nvd_data VALUES
(?"
+ (", ?" * (len(data[0]) - 1))
+ ")", data)
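Review bot: `len(data[0])` raises IndexError on an empty `data`, and in the new non-incremental path that happens after `DELETE FROM nvd_data` has already run. The stored NVD severities then survive only if the caller never commits the cursor. A guard before the DELETE, `if not data: return`, removes that dependency; raise a clear error instead if an empty full feed should count as a failed download. `incremental` is a new required positional argument, so any caller of updateNVD or of the removed replaceNVD outside this diff needs updating. The stray `;` after the DELETE call can be dropped.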