Age | Commit message (Collapse) | Author |
|
Fix the data source update mechanism:
* Move the update functions to "bin/common/srtool_update.py"
* Remove 'lastModifiedDate' from the data source JSON files (since
every restart overwrites any updated values)
* Change the 'update_time' field to a dictionary of offset values
e.g. "{\"weekday\":\"6\",\"hour\":\"2\"}" = day of week, hour of day
* Implement the update frequency calculations
* Implement data source name filters for selected manual updates
* Add a log status file
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Add the CVE 2019 data soures for MITRE and NIST.
2. Improve the CVE default status assignment system:
* During the "Init" phase all CVEs default to HISTORICAL, unless they are
within the CVE_INIT_NEW_DELTA date range. The value CVE_INIT_NEW_DELTA is
defined in "bin/common/datasource.json", and is an out-of-box courtesy
to provide some CVEs for triage in newly initialized systems. Changing
the default value to '0' disabled this.
* During the "Update" phase, CVEs default to NEW (and thus primed for
triage)
* Better separate the Init versus Update functions in "srtool_mitre.py" and
"srtool_nist.py", and their respective datasource files.
* Remove the post-process "preset_new()" in "srtool_common.py" in favor
of directly computing the values in get_cve_default_status() in
"srtool_mitre.py" and "srtool_nist.py", for speed and consistency.
[YOCTO #13134]
[YOCTO #13135]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The initial implementation of passing CVE references used ';' as a separator.
However, some URLs use this charater to include git branch information, for
example:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8b...
Changing the separator characted to a tab fixes this and other unexpected
characters.
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
The CVE 'resource' and 'source' values for the CVE references are now
scanned and displayed.
* The JSON scanning has been moved away from CveResources to a dynamic
value in the CveDetail record, similar to the CPE table processing.
* Additional debugging support has been added
* The now unused CveResources table will be deleted in a later revision
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
Ideally, these are all centralised.
|
|
Support Django-2.2:
Move 'django.core.urlresolvers' to 'django.urls'
Disable 'register.assignment_tag' tags
Move settings 'MIDDLEWARE_CLASSES' to 'MIDDLEWARE'
Move urlpatterns 'include' to 'path'
Move 'regex.pattern' to 'pattern.regex.pattern'
Maintain Django-1.11 support
General Fixes:
Fix commit for notify_categories
Add more error halt checks during lsupdates
Add explicit 'on_delete=models.CASCADE' for all ForeignKey's
Fix 'get_defect_tag' processing
[YOCTO #13091]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Changes:
Repartition the data sources
Reconfigure the data sources into self-contained directories under the "bin" directory.
Implement dynamic data source discovery and import
Remove all hard coded data source data (e.g. fixtures, data, CVE lookups)
Add license files to all data sources
Django User model
Add "users" Django application dir
Login page
Self create user account page
Password change page
User access and delete management
CVE
Name sorting by hidden 'name_sort' field (CVE-nnnn-0nnnnnn)
CVE Triage
Auto import reserved CVEs
Add MITRE CVE records where NIST missing
Add data source count to triage page
Easy checkbox toggle by clicking any field
Triage any CVE status category (not just new)
Assign to any CVE status category
Object create/delete
Create/Delete Vulnerablities
Create/Delete Investigations from Vulnerablity page
Add "Historical" CVE status
When bootstraping system, all CVEs older than 60 days preset to "Historical"
Add CVEs withint 60 days preset to "New"
Can be overridden by defect and systaining status imports
Preadd Debian data for "New" CVEs
Abstraction
Add generic Product mappings to defect system ("defect_tag": defect prefix)
Add generic Product mappings to product system ("product_tag": product reference, related)
Manage functions via "srt" script
For example add superuser
Normalize Vulnerability to Investigation mapping
Replace orm_vulnerabilityproduct with orm_vulnerabilitytoinvestigation
General
Enable the 'srtool-requirements.txt' Django test
Speed the CVE scoring by pre-fetching the datasources
Progress display cleanup
Move and update srtool_defect prototype to 'bin/yp'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|