Age | Commit message (Collapse) | Author |
|
1.Fix NIST modified pre-emption
* When a CVE appears in the 'Modified' source
* Remove the CVE link to the normal source
* Add the CVE link to the modified source
* When a CVE disappears from the 'Modified' source
* Remove the CVE link from the modified source
* Restore the CVE link to the normal source
* If forcing a normal source update, first gather
the CVEs in the current "Modified" source, and
ignore them when scanning the normal source. This
is to avoid regressive updates.
* Add tracing to help validate this workflow.
2. Fix sql_cve_query() to always return a valid cve_id
even when there are no updates, to avoid adding
cvesource mappings to '-1'. This addresses one of the
issues in '--find-bad-links'.
3. In the NIST details web page, force the display of
impact and exploit scores to two decimal places, to
normalize the current NIST feeds that are outputting
8+ decimal places.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Fix the NIST 'alt-source' routine to correctly use the current 'modified'
datasource to preempt the regular datasources, and also set the CVE
datasource links accordingly.
2. Update the CVE NIST improve Score/Severity repair, also insure
that the 'modified' datasource values pre-empt the regular
datasource values. Also, fix missing and/or obsolete NIST datasource
references for CVEs.
./bin/common/srtool_utils.py --fix-severity [ALL|"NIST Modified Data"|...]
3. Add/improve helper routine to list Score/Severity values across the
many NIST data sources (e.g. modified and regular), plus the the
current CVE values and the current CVE datasource links. This is used
to investigate and validate the above repair routine.
./bin/nist/srtool_nist.py -S CVE-2020-7470
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add a fixup utility to repair error from the MITRE CVE creation script
that left broken V2 status values. Also add a NIST status summary debug
command to report the CVE general status across the base source file,
the 'modified' source file, and list the current datasource mappings
for that CVE.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The schema for this field is 'models.DateField' but the scoring method
in "srtool_common --score-new-cves" was setting an obsolete date_time value.
That crashes Django-2.2 (but not Django-1.11).
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add CVE publishing features, specifically add a method to generate CVE status
across the releases, filterable by CVE status.
Add dynamic schema calculations for the backup database snapshots, to enable
difference scanning even when the schema has been reordered after a migration.
Add first part of database difference scanning code migration.
Fix MITRE scanning for new source files.
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the MITRE 2020 data source
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
srtool: cumulative deployment features and fixes
High level new features:
* Publishing support to external/public databases
* Ability to label products as "active", "inactive", "under development"
Inactive (EOL) products appear but
* Do not affect status propagation
* Do not auto-create defects
Development product status is not exported to pubic database
* Extend NIST download range to 2002..2019
* Added MITRE downloads to provide RESERVED tracking
* Extended audit history tracking and meta-data
* Delete CVE records
* Ability to do "OR" searches (default is "AND")
Example: "CVE-2019-20095 OR CVE-2019-20096 OR CVE-2019-19977"
* Automated defect creation (Jira)
If selected, creates customer defect for selected and active products
Reuse existing defect if present for given product
* Many small sorting, readability, edge case fixes
Backups:
* Add meta-data stamp file for each backup
* Save daily backups with day name instead of day number
* Preserve file dates when making copies to backup
* Add list command
Automated Updates:
* Fix report format
* Add trial run test
Utilities:
* Add 13 new database fix up procedures
Some are one-shot historical fixes, some are learned validation checks
Database Schema:
* Add "SRTool" class to wrap shared enumerations (e.g. Priority)
* Add "Update" class to tag and track audit trail objects
* Change Priority naming to match CVE model instead of JIRA
* Add srt_created/srt_updated to CVE/Vul/Inv/Notify for improved updating and auditing
* Add to Defect the SRT versions of Status, Priority, Outcome
To distinguish these from the customer's defect system's values
Common Tools:
* Fix new CVE auto-scoring to skip CVE's already scored (though still NEW)
* Add automated propagation of Defects/Investigations status to parent Vulnerabilities
See "srtool_common.py" for rule details
CVEs:
* Add MITRE as an automatic upstream source
This is to specifically capture all of the "RESERVED" CVE enumerations which
will not appear in the MIST databases, and have the CVE records in place for
internal investigations and transitions to "public" status.
* Spell out the command arguments in the NIST data source files for greater legibility
* Change Priority naming to match CVE instead of JIRA
* Add parallel status states for "inactive" products
This specifically blocks state propagation from inactive objects to active objects
NIST management script:
* Refactor file for greater clarity
* Reorder methods to reflect workflow order
* Fully spell out names of objects
* Remove temporary holding class "CVE" in favor of dictionary objects
* Debugging enhancements
* Incremental update commands for stepped debugging
For example, ability to fetch/update specific CVE(s)
* Additional debugging flags
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Track the current running update task in ".srtupdate.task" to help
track background update activity and overhead. Make calls to the
update start/stop absolute paths to help track active SRTool
tasks, especially between multiple servers.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix a misplaced ')' in the updated package registration code.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix a copy/paste error in the Jira status mapping table.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
When restarting the SRTool, the main app's user and product table
should be re-read and applied. This fixes a select problem.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Update the master app tool to create new master apps.
Also, update the master app change feature to remove the previous
apps data source entries. Note that the existing users and products
are left untouched (to keep the database records working); such
such obsolete content must be removed manually or the data base
restarted clean.
Creation example, using 'yoyo' for the "Yoyodyne Corporation":
$ ./stop.sh
$ ./master_app create yoyo
$ ./start.sh
Switch bask to Yocto Project example:
$ ./stop.sh
$ ./master_app yp
$ ./start.sh
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add time till next update in update verbose output.
Indicate in table display when a datasource has an
update policy but no update script.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Update the Mitre scanning tool to convert recent (and/or no date) reserved
CVEs to the state NEW_RESERVED. This will keep them separate from the new
CVEs that need triage, plus keep them from being unnecessarily scored by
the background process.
Add a fixup rountine for previoulsy imported databases:
$ ./bin/common/srtool_utils.py --fix-new-reserved
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Various updates and fixes:
* Use the new SRT_EMAIL_* variable names
* Fix hardcoded value for 'from' address
* Add additional error handling
* Allow the email settings to be defined in SrtSetting values, and provide
example in the ACME datasource file
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Separate the environment variables of the username and password
for the defect and email systems into separate values, in case they
need separate credentials.
Also, fix a Wind River-ism in the Jira template to reflect that the
product key is not necessarily also defect name prefix.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
When the SRTool successfully starts, auto-generate helper scripts to allow
the user to stop and restart the SRTool based on the previous options.
This is also useful for scripts that need to stop then restart the SRTool
server in order to safely perform actions (like backup or restore).
Generated scripts:
bin/srt_start.sh (also first stops the server if currently running)
bin/srt_stop.sh
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Reset the backup tool to simply save the (a) sqlite database, the (b) data
files, and (c) the attachments.
Support both the weekly backup (to "backup_$year_$weeknum") and daily backup
(to "backup_$weekday").
The previous JSON export format is being reworked.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Only capture the custom sections in the in-line patch file, so that changes
to the public areas are kept to the original file. This allows the user to
push those public differences or remove them, and not affect the application
of the custom patch file.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the ability to exclude sections of the common code. The primary use
case is if the common code is executinga function that causes undesired
side effects for the customization.
Here is example code in "bin/acme/patcher/inplace/bin/srt.patch":
### ACME_EXTENSION_EXCLUDE_BEGIN ###
#echo "The system will $CMD."
#
### ACME_EXTENSION_EXCLUDE_END ###
### ACME_EXTENSION_BEGIN ###
#
# NOTE: Exclusions should be used only when necessary
# NOTE: The excluded lines are commented so that they are inactive
# but restorable
#
echo "The ACME SRTool system will now $CMD!"
### ACME_EXTENSION_END ###
The content in the excluded section are commented, so that when it is cleaned
those lines can be restored to the original.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add 'in-place' patch support for customizing organization patches on top
of regular upstream SRTool files.
An example is provided in "bin/acme/patcher/inplace/bin/srt", which adds
a custom hello message.
* To assert (merge) the custom version for runtime, run:
$ ./bin/common/srtool_patcher.py -J bin/acme/patcher.json -I
* To stash the customized version and replace with clean version (but keep
any changes in the public sections for pushing upstream), run:
$ ./bin/common/srtool_patcher.py -J bin/acme/patcher.json -i
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the description and usage examples in the header. Remove
unused command.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add formal support for extending and customizing shared template code files.
* The initial use case is a shared Jira integration file that partners can
extend to their particular installation. A working example is provided in
the ACME directory:
upstream: "bin/common/srtool_jira_template.py"
custom : "bin/acme/srtool_jira_acme.py"
* The custom sections are blocked off with comment tags (e.g. ACME)
### ACME_EXTENSION_BEGIN ###
...
### ACME_EXTENSION_END ###
* The './bin/common/srtool_patcher.py' tool provides the support, for example:
To merge shared upstream code into the custom Jira script, run:
$ ./bin/common/srtool_patcher.py -j bin/acme/patcher.json --merge-original
To merge edits in script's common areas back to upstream, run:
$ ./bin/common/srtool_patcher.py -j bin/acme/patcher.json --merge-custom
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the pylint errors in the bin directory tools. The pylint command was:
$ PYTHONPATH=./lib:./bin pylint3 --load-plugins pylint_django bin --disable=C,R,unused-variable,unused-wildcard-import,redefined-outer-name,unused-argument,fixme,bare-except,broad-except,redefined-builtin,unnecessary-pass,logging-not-lazy,wildcard-import | tee srt_bin_pylint.txt
The currently allowed exceptions are:
W0603: Using the global statement (global-statement)
W0611: Unused ORM imported from srt_schema (unused-import)
Also, remove the obsolete 'bin/common/srtool_defect.py' and skip the need
to pylint it altogether.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Add lastUpdatedDate to track when data source was updated
* Leave lastModifedDate to track upstream dates
* Introduce DataSource.DATETIME_FORMAT and ORM.DATASOURCE_DATETIME_FORMAT
to enforce date formatting in the lib and bin code
* Explicitly set 'nocache' for the data source page, so the
refresh will always show the latest
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Clean up after pull from RBurton pylint updates
* Protect against missing CVE lookup call
* Protect against disabled defect tool when creating defects
* Repair CVE 'score_date' data field default
* Update tool typos for formatting
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
This is used by lib/srtmain/management/commands/perf.py.
|
|
Add backgroup data source updates cleanup
* Add robust method for scanning ORM string lists
* Fix DATASOURCE_FREQUENCY_STR ORM string list
* Adjust '--list' columns
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The "srtool_utils.sh" script is separated into three scripts:
* srtool_update.sh: database background updates
* srtool_backup.sh: database backup tools
* srtool_utils.sh: remaining utility actions
The srtool_update.sh was pushed in a previous commit.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Complete the support for backgroup data source updates:
* Add cron-start,cron-stop to srtool_update
* Have cron update run as a user space script to avoid sudo
* Hook cron-start,cron-stop into srt start,stop
* Add list command to show update sources
* Have force command propagate to update script calls, and
add force option to all source scripts
* Add 'srt manage update ...' for access to the update functions
* Add flag SRT_SKIP_AUTOUPDATE and srt option noautoupdate to
disable the automatic update app for development assistance
Related Fixes:
* Set the schema generator to always update on startup (13138)
* Fix CVE 'recommend' default to the integer zero (13139)
with auto-fix at startup for existing databases
[YOCTO #13131]
[YOCTO #13138]
[YOCTO #13139]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the data source update mechanism:
* Move the update functions to "bin/common/srtool_update.py"
* Remove 'lastModifiedDate' from the data source JSON files (since
every restart overwrites any updated values)
* Change the 'update_time' field to a dictionary of offset values
e.g. "{\"weekday\":\"6\",\"hour\":\"2\"}" = day of week, hour of day
* Implement the update frequency calculations
* Implement data source name filters for selected manual updates
* Add a log status file
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the default environment extension files for 'bin/common'
and 'bin/yp'. They are currently passive.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Add the CVE 2019 data soures for MITRE and NIST.
2. Improve the CVE default status assignment system:
* During the "Init" phase all CVEs default to HISTORICAL, unless they are
within the CVE_INIT_NEW_DELTA date range. The value CVE_INIT_NEW_DELTA is
defined in "bin/common/datasource.json", and is an out-of-box courtesy
to provide some CVEs for triage in newly initialized systems. Changing
the default value to '0' disabled this.
* During the "Update" phase, CVEs default to NEW (and thus primed for
triage)
* Better separate the Init versus Update functions in "srtool_mitre.py" and
"srtool_nist.py", and their respective datasource files.
* Remove the post-process "preset_new()" in "srtool_common.py" in favor
of directly computing the values in get_cve_default_status() in
"srtool_mitre.py" and "srtool_nist.py", for speed and consistency.
[YOCTO #13134]
[YOCTO #13135]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Remove the obsolete and now empty 'orm_cvereference' table
from the sanity check.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The initial implementation of passing CVE references used ';' as a separator.
However, some URLs use this charater to include git branch information, for
example:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8b...
Changing the separator characted to a tab fixes this and other unexpected
characters.
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
The first number is the CPE version so this should always be 2.3.
Fix the Yocto Project release version for Thud to be 2.6 instead of 2.5.
|
|
|
|
Add a devtool helper script 'suport.sh' to help start the super user
setup call. Add 'srt_err.log' to 'tail.sh'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The CVE 'resource' and 'source' values for the CVE references are now
scanned and displayed.
* The JSON scanning has been moved away from CveResources to a dynamic
value in the CveDetail record, similar to the CPE table processing.
* Additional debugging support has been added
* The now unused CveResources table will be deleted in a later revision
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Change the new defect call to use named parameters. This will
enhance the readability and better allow for future changes.
Also, pass the CVE list and defect 'reason' so that the defect
integation tool can use that for the defect record and/or
use in creating its own version of the defect 'summary'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Enable the feature of creating defects from investigations. Consolidate
into one defect creation method for both investigations and CVE
triage.
Enhance the "srtool_defect.py" sample tools to simulate creating
new defects.
Fix the sample "srtool_jira.py" tool new defect creation to support the
new "defect_tag" variable.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Update the 'urlpatterns' processing to use the master app.
Also, update the YP master app to include a url and view class, plus
provide a default YP landing page, and abtract the default logo display.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Transition the datasource scanning from 'datasource_org' to
the new master app environment variable, so that it all works
off of one key.
Also, add a sample logo for ACME, plus fix datasource trace details.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The SRTool allows users to substitute an alternate master application
instead of the default "yp" in order to customize their instance to
their organization.
This is done by:
(a) Creating a datasource directory under bin
(b) Defining a "datasource.json" file
(c) Defining 'export SRT_MAIN_APP="<app>"' in "srtool_env.sh"
This environment files are scanned by 'bin/srt', and if such an
alternate master app is found it pre-empts the default 'yp'.
This value is set via the environment because "lib/srtmain/settings.py"
is the file that sets the app (and this the URL) ordering, and it is
processed before any database is attached.
To disable the alternate main app, simply rename its "datasource.json"
file and it will be ignored for the next start.
The sample alternate app "acme" is provided to demonstrate this facility.
Additionally, a development tool 'bin/dev_tools/master_app.sh' has been
added to help switch between master apps, to aid testing.
$ ./stop.sh
$ ./master_app.sh acme
$ ./start.sh
... test ...
$ ./stop.sh
$ ./master_app.sh yp
$ ./start.sh
Other included fixes:
* Fix the ACME JSON files formating
* Remove ACME "_sample" from all but "datasource.json_sample"
* Fix tabs to spaces in "srt"
* Add global contect values to views::managedcontextprocessor so
that other app templates can share them
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Move the "Fetch Alt Sources" out of the authenticated user block
* Connect "Documentation" to the new User wiki page
* Minor typos and debugging line fixes
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|