authorDavid Reyna <David.Reyna@windriver.com>2019-01-30 16:53:14 -0800
committerDavid Reyna <David.Reyna@windriver.com>2019-01-30 16:53:14 -0800
commitb54122107f9fd5b8f9b790d1ed1507071fe83ccf (patch)
tree60839f7103ff1a17d85ab56fcf9fe9b56897bb7c
parent2feba03263ea000b2985cd80b76868beaf025459 (diff)
srtool-mitre: implement CVE NEW_RESERVED status
Update the Mitre scanning tool to convert recent (and/or no date) reserved CVEs to the state NEW_RESERVED. This will keep them separate from the new CVEs that need triage, plus keep them from being unnecessarily scored by the background process. Add a fixup routine for previously imported databases: $ ./bin/common/srtool_utils.py --fix-new-reserved Signed-off-by: David Reyna <David.Reyna@windriver.com>
-rwxr-xr-xbin/common/datasource.json5
-rwxr-xr-xbin/common/srtool_utils.py58
-rwxr-xr-xbin/mitre/srtool_mitre.py11
3 files changed, 69 insertions, 5 deletions
diff --git a/bin/common/datasource.json b/bin/common/datasource.json
index 060b18e2..81d5c289 100755
--- a/bin/common/datasource.json
+++ b/bin/common/datasource.json
@@ -99,14 +99,15 @@
},
{
+ "_comment_" : "Only score 100 at a time to prevent run-away database overloading",
"key" : "0921-common-score",
"data" : "score_cves",
"source" : "common",
"name" : "Score",
"description" : "Score CVEs",
"cve_filter" : "",
- "init" : "bin/common/srtool_common.py --score-new-cves NEW",
- "update" : "bin/common/srtool_common.py --score-new-cves NEW",
+ "init" : "bin/common/srtool_common.py --score-new-cves NEW --count=100",
+ "update" : "bin/common/srtool_common.py --score-new-cves NEW --count=100",
"lookup" : "",
"update_frequency" : "0",
"_comment_" : "Update every 10 minutes",
diff --git a/bin/common/srtool_utils.py b/bin/common/srtool_utils.py
index e411c413..b48582dc 100755
--- a/bin/common/srtool_utils.py
+++ b/bin/common/srtool_utils.py
@@ -33,6 +33,8 @@ from common.srt_schema import ORM
# Setup:
verbose = False
+cmd_skip = 0
+cmd_count = 0
srtDbName = 'srt.sqlite'
@@ -110,10 +112,56 @@ def settings():
#################################
+# fix_new_reserved
+#
+
+# Is this reserved by Mitre? Is '** RESERVED **' within the first 20 char positions?
+def fix_new_reserved():
+ global cmd_skip
+ global cmd_count
+
+ conn = sqlite3.connect(srtDbName)
+ cur = conn.cursor()
+ cur_write = conn.cursor()
+
+ cur.execute('SELECT * FROM orm_cve WHERE status = "%s"' % ORM.STATUS_NEW)
+ i = 0
+ j = 0
+ for cve in cur:
+ i += 1
+
+ # Progress indicator support
+ if 0 == i % 10:
+ print('%05d: %20s\r' % (i,cve[ORM.CVE_NAME]), end='')
+ if (0 == i % 200):
+ conn.commit()
+ # Development/debug support
+ if cmd_skip:
+ if i < cmd_skip:
+ continue
+ if cmd_count:
+ if (i - cmd_skip) > cmd_count:
+ print("Count return: %s,%s" % (i,cmd_count))
+ break
+
+ reserved_pos = cve[ORM.CVE_DESCRIPTION].find('** RESERVED **')
+ if (0 <= reserved_pos) and (20 > reserved_pos):
+ print("STATUS_NEW_RESERVED:%s:%s:%s" % (cve[ORM.CVE_STATUS],cve[ORM.CVE_NAME],cve[ORM.CVE_DESCRIPTION][:40]))
+ sql = ''' UPDATE orm_cve
+ SET status = ?
+ WHERE id = ?'''
+ cur_write.execute(sql, (ORM.STATUS_NEW_RESERVED, cve[ORM.CVE_ID],))
+ j += 1
+ print("\nCVE COUNT=%5d,%5d" % (i,j))
+ conn.commit()
+
+#################################
# main loop
#
def main(argv):
global verbose
+ global cmd_skip
+ global cmd_count
# setup
parser = argparse.ArgumentParser(description='srtool.py: manage the SRTool database')
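Review bot: The SELECT at the top of `fix_new_reserved()` builds its SQL with `%` formatting while the UPDATE a few lines later binds parameters; use `cur.execute('SELECT * FROM orm_cve WHERE status = ?', (ORM.STATUS_NEW,))` so both statements follow the same bound-parameter pattern and the double-quoted value is not first parsed by SQLite as an identifier. The value is an internal constant, so this is a consistency and hardening point rather than an injectable input. The connection is also never closed, and `cve[ORM.CVE_DESCRIPTION].find(...)` will raise if a row has a NULL description, which may be possible for older imports; `(cve[ORM.CVE_DESCRIPTION] or '').find('** RESERVED **')` avoids that.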
@@ -123,12 +171,20 @@ def main(argv):
parser.add_argument('--force', '-f', action='store_true', dest='force', help='Force the update')
parser.add_argument('--verbose', '-v', action='store_true', dest='verbose', help='Debugging: verbose output')
+ parser.add_argument('--skip', dest='skip', help='Debugging: skip record count')
+ parser.add_argument('--count', dest='count', help='Debugging: short run record count')
+
+ parser.add_argument('--fix-new-reserved', action='store_const', const='fix_new_reserved', dest='command', help='Reset new reserved CVEs to NEW_RESERVED')
args = parser.parse_args()
master_log = open(os.path.join(script_pathname, "update_logs/master_log.txt"), "a")
verbose = args.verbose
+ if None != args.skip:
+ cmd_skip = int(args.skip)
+ if None != args.count:
+ cmd_count = int(args.count)
if args.sources:
if args.sources.startswith('s'):
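Review bot: `--skip` and `--count` are parsed as strings and converted with `int()` only after `master_log` has been opened, so a non-numeric value ends in a ValueError traceback with the log handle left open. Declaring them as `parser.add_argument('--skip', dest='skip', type=int, default=0, help='Debugging: skip record count')` (and the same for `--count`) lets argparse reject bad input with a usage message, and the assignments become `cmd_skip = args.skip`. If the `None` checks stay, `is not None` is the idiomatic comparison. main() starts and ends outside this hunk.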
@@ -145,6 +201,8 @@ def main(argv):
sources('reset')
elif 'settings' == args.command:
settings()
+ elif 'fix_new_reserved' == args.command:
+ fix_new_reserved()
else:
print("Command not found")
master_log.close()
diff --git a/bin/mitre/srtool_mitre.py b/bin/mitre/srtool_mitre.py
index 2ac8bc08..3c6af89d 100755
--- a/bin/mitre/srtool_mitre.py
+++ b/bin/mitre/srtool_mitre.py
@@ -91,7 +91,7 @@ def srt_error_log(msg):
# Newly discovered or updated CVEs default to NEW for triage
# Inited CVEs default to HISTORICAL, unless they are within the courtesy CVE_INIT_NEW_DELTA
init_new_date = None
-def get_cve_default_status(is_init,publishedDate):
+def get_cve_default_status(is_init,publishedDate,description):
global init_new_date
if None == init_new_date:
@@ -114,7 +114,12 @@ def get_cve_default_status(is_init,publishedDate):
# Note: the NIST 'published date' is in the format "2017-05-11", so do a simple string compare
#print("INIT status: %s versus %s" % (init_new_date,publishedDate))
if not publishedDate or (publishedDate > init_new_date):
- return ORM.STATUS_NEW
+ # Is this reserved by Mitre? Is '** RESERVED **' within the first 20 char positions?
+ reserved_pos = description.find('** RESERVED **')
+ if (0 <= reserved_pos) and (20 > reserved_pos):
+ return ORM.STATUS_NEW_RESERVED
+ else:
+ return ORM.STATUS_NEW
else:
return ORM.STATUS_HISTORICAL
else:
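Review bot: `description.find(...)` in the new branch raises AttributeError if the caller passes None, and whether `summary['Description']` is always a string is not visible here; `reserved_pos = (description or '').find('** RESERVED **')` would make the check safe. The same position test is duplicated in `fix_new_reserved()` in bin/common/srtool_utils.py, so a shared helper would keep the two copies from drifting. It is also worth a comment on how a CVE leaves NEW_RESERVED once Mitre publishes its details, since this status keeps it out of triage and scoring. get_cve_default_status starts and ends outside this hunk.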
@@ -310,7 +315,7 @@ def append_cve_database(is_init,file_xml):
print("MITRE:FOUND %20s\r" % cve_name, end='')
else:
# Get the default CVE status
- status = get_cve_default_status(is_init,summary['Published'])
+ status = get_cve_default_status(is_init,summary['Published'],summary['Description'])
sql = ''' INSERT into orm_cve (name, name_sort, priority, status, comments, comments_private, cve_data_type, cve_data_format, cve_data_version, public, publish_state, publish_date, description, publishedDate, lastModifiedDate, recommend, recommend_list, cvssV3_baseScore, cvssV3_baseSeverity, cvssV2_baseScore, cvssV2_severity, srt_updated, packages)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'''