Age | Commit message | Author |
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #15382]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
When bootstrapping an installation, it is useful to move
existing new CVEs to historical so that CVE triage can
start as of a selected date.
Usage:
$ ./bin/cve_checker/srtool_cvechecker.py --new-to-historical all
$ ./bin/cve_checker/srtool_cvechecker.py --new-to-historical 2023-12-01
[YOCTO #15317]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
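The two usage lines above accept either `all` or a date as the cutoff. The following is an added example in Python of that bootstrapping step; it is not the `srtool_cvechecker.py` code. The record layout (`{cve_id: date_added}`), the sample dates, and the rule that an entry added strictly before the cutoff becomes historical are assumptions made for illustration.

```python
"""Move 'new' CVE Checker entries to 'historical' up to a cutoff of 'all' or YYYY-MM-DD."""
from datetime import date, datetime


def parse_cutoff(arg):
    """'all' -> None (move everything); 'YYYY-MM-DD' -> date; anything else is rejected."""
    if arg == "all":
        return None
    try:
        return datetime.strptime(arg, "%Y-%m-%d").date()
    except ValueError:
        raise ValueError(f"cutoff must be 'all' or YYYY-MM-DD, got {arg!r}") from None


def is_valid_cutoff(arg):
    """True if parse_cutoff accepts the argument."""
    try:
        parse_cutoff(arg)
    except ValueError:
        return False
    return True


def new_to_historical(new_entries, cutoff_arg):
    """Split {cve_id: date_added} into (still_new, historical).

    Assumed rule: entries added before the cutoff become historical so that
    triage starts from the cutoff date; with 'all' every entry is moved.
    """
    cutoff = parse_cutoff(cutoff_arg)
    still_new, historical = {}, {}
    for cve_id, added in new_entries.items():
        if cutoff is None or added < cutoff:
            historical[cve_id] = added
        else:
            still_new[cve_id] = added
    return still_new, historical


# Constructed sample: CVE ids are taken from this log, the 'added' dates are made up.
SAMPLE_NEW = {
    "CVE-2019-20095": date(2023, 11, 20),
    "CVE-2019-20096": date(2023, 12, 1),
    "CVE-2019-19977": date(2023, 12, 5),
}


if __name__ == "__main__":
    for arg in ("2023-12-01", "all"):
        still_new, historical = new_to_historical(SAMPLE_NEW, arg)
        print(f"--new-to-historical {arg}: historical={sorted(historical)} new={sorted(still_new)}")
    print("'2023/12/01' accepted:", is_valid_cutoff("2023/12/01"))
```

Rejecting anything that is not `all` or an ISO date matters because a silently ignored cutoff would move every pending CVE out of the triage queue.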
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
This feature provides table-driven import channels for the CVE CheckAudit
creation feature. The supported channel types include:
* File from git repo, with automatic cloning
* Auto Builder repo as a default channel
* File upload
* File over SSH via PEM files
* File from local directory (to the Server)
* Ability to specify a directory, and display an option list of sub-
directories to user (e.g. the Auto Builder case)
Resources local to the server are safely provisioned by the SRTool manager.
[YOCTO #15282]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
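The last channel type above offers the user a list of subdirectories under a server-local directory and then imports from the one chosen. As an added example (not SRTool code; the channel root, its layout and the file names are constructed), this is the check a practitioner would want on that selection: only an immediate, non-symlinked subdirectory of the configured root is accepted, so `..`, absolute paths and symlinks cannot redirect the import outside the root.

```python
"""Accept a user-chosen subdirectory only if it sits directly under a configured root."""
import os
import tempfile
from pathlib import Path


def list_subdirectories(root):
    """Names offered to the user: immediate subdirectories of root, symlinks excluded."""
    root = Path(root).resolve()
    with os.scandir(root) as entries:
        return sorted(e.name for e in entries if e.is_dir(follow_symlinks=False))


def resolve_selection(root, selection):
    """Map the selected name back to a path beneath root, or raise ValueError.

    The selection must be exactly one path component, must resolve (after
    following any symlink) to a direct child of root, and must be a directory.
    """
    root = Path(root).resolve()
    if not selection or selection in (".", "..") or Path(selection).name != selection:
        raise ValueError(f"not a single directory name: {selection!r}")
    candidate = (root / selection).resolve()
    if candidate.parent != root:
        raise ValueError(f"escapes the channel root: {selection!r}")
    if not candidate.is_dir():
        raise ValueError(f"not a directory under the root: {selection!r}")
    return candidate


def rejects(root, selection):
    """True if resolve_selection refuses the selection."""
    try:
        resolve_selection(root, selection)
    except ValueError:
        return True
    return False


def build_sample_tree():
    """Constructed sample channel root: two build directories, a file and an escaping symlink."""
    root = Path(tempfile.mkdtemp(prefix="srt_channel_"))
    for name in ("build-2023-12-01", "build-2023-12-02"):
        (root / name).mkdir()
    (root / "cve-check.json").write_text("{}")
    try:
        (root / "escape").symlink_to(root.parent)  # a link that points outside the root
    except OSError:
        pass  # platforms without symlink support still exercise the other checks
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("offered:", list_subdirectories(root))
    print("chosen :", resolve_selection(root, "build-2023-12-01"))
    for bad in ("../etc", "/etc", "build-2023-12-01/../..", "cve-check.json", "escape"):
        print(f"{bad!r:28} rejected={rejects(root, bad)}")
```

Comparing `candidate.parent` with the resolved root, rather than checking a string prefix, is what closes the symlink case: the link name passes the single-component test but its target does not sit under the root.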
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Feature:
1. Ability to import CVE Checker results JSON files into SRTool as an audit
2. Ability to examine the results
3. Ability to generate reports
4. Ability to examine specific CVEs, and compare the status to multiple sources (e.g. Red Hat, Ubuntu).
5. Add Wind River as one of the multiple sources (via WR's Trivy shared repo)
[YOCTO #15281]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #15242]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #13624]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #13622]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #13623]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Enhancements include:
* Django 4 support
* Transition to dict for backend SQL records
* Update CVE sources to 2023
* Progress bars
* User triggered datasource execution
* Enhanced background task management
* User timezones
* Support and migration for Postgres
* Support for HTTPS front end
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the migration file for the new Error Log class and
'affect-components' fields.
Signed-off-by: david.reyna@windriver.com <david.reyna@windriver.com>
|
|
* Add "Affected Components" to VUL/INV/DEF, with
automatic inheritance on creation from respective
parent records. With this is a one-time fixup
routine to populate these new fields:
./bin/common/srtool_utils.py \
--fix-inherit-affected-components -f
* Add "Error Log", to capture internal errors in a
formal table and view.
Management > Maintenance > Error Logs
* Sort the Product list when adding product investigation
links to Vulnerability records.
* Add Reports for Notification and Error Log
* Other small fixes
Signed-off-by: david.reyna@windriver.com <david.reyna@windriver.com>
|
|
1. Support analyzing alternate databases (e.g. backups) with potentially
older schemas by autogenerating and loading respective "srt_schema.py"
files, using the '--database /path/to/srt.sqlite' option.
2. Add the following reports to help analyze the distribution of V3/V2
severity values across the CVE years and across the CVE/VUL/INV records.
This helps spot trends and potential translation errors.
./bin/common/srtool_utils.py --report-cve-status-summary
./bin/common/srtool_utils.py --report-db-status-summary
3. Add a report to display VUL/INV/DEF records that are unattached to
any parent CVE/VUL/INV records respectively.
./bin/common/srtool_utils.py --report-unattached-records
4. Update the repair routines to report issues, but only fix them
if the "--force" flag is set. This allows the review of the potential
fixes before committing them.
5. General clean and internal documentation. Rename the commands to
better distinguish "fix" (one-shot), "repair" (on-going), and "report"
functions.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The model for vulnerabilities and investigation is more
stringent in defining the foreign keys when creating
records. Set these values when creating a record to
avoid a 'null-constraint' error.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
When creating a new Vulnerability or Investigation, inherit the
parent object's (CVE/Vulnerability) "comments" field.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Normally the Table display feature caches served pages for
faster refresh. However, in the SRTool the data is very
volatile so this often shows stale information. For now,
disable the caching.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Fix NIST modified pre-emption
* When a CVE appears in the 'Modified' source
* Remove the CVE link to the normal source
* Add the CVE link to the modified source
* When a CVE disappears from the 'Modified' source
* Remove the CVE link from the modified source
* Restore the CVE link to the normal source
* If forcing a normal source update, first gather
the CVEs in the current "Modified" source, and
ignore them when scanning the normal source. This
is to avoid regressive updates.
* Add tracing to help validate this workflow.
2. Fix sql_cve_query() to always return a valid cve_id
even when there are no updates, to avoid adding
cvesource mappings to '-1'. This addresses one of the
issues in '--find-bad-links'.
3. In the NIST details web page, force the display of
impact and exploit scores to two decimal places, to
normalize the current NIST feeds that are outputting
8+ decimal places.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
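The 'Modified' preemption rules in item 1 above, and the refusal to map a datasource to a placeholder id from item 2, as an added example in Python. This is not the `srtool_nist.py` code: the datasource names, the yearly naming scheme (`NIST <year>`), the sample links and the trace format are assumptions constructed for illustration.

```python
"""Keep CVE -> datasource links consistent when the NIST 'Modified' feed preempts yearly feeds."""

MODIFIED = "NIST Modified Data"  # name as it appears on the --fix-severity command line


def normal_source_for(cve_id):
    """Yearly datasource a CVE normally links to (naming scheme is an assumption)."""
    return "NIST " + cve_id.split("-")[1]


def add_link(links, cve_id, source):
    """Record a link, refusing placeholder ids so no datasource ever maps to '-1' or None."""
    if not cve_id or str(cve_id) == "-1":
        raise ValueError(f"refusing to link {source!r} to invalid cve_id {cve_id!r}")
    links[cve_id] = source


def reconcile_links(links, modified_ids):
    """Return (new_links, trace) after applying the Modified preemption rules.

    - a CVE present in the Modified feed is linked to MODIFIED, not to its yearly feed
    - a CVE that has dropped out of the Modified feed goes back to its yearly feed
    Every change is traced as (cve_id, old_source, new_source).
    """
    new_links, trace = dict(links), []
    for cve in sorted(modified_ids):
        old = new_links.get(cve)
        if old != MODIFIED:
            add_link(new_links, cve, MODIFIED)
            trace.append((cve, old, MODIFIED))
    for cve, src in sorted(links.items()):
        if src == MODIFIED and cve not in modified_ids:
            add_link(new_links, cve, normal_source_for(cve))
            trace.append((cve, MODIFIED, new_links[cve]))
    return new_links, trace


def cves_to_scan_from_normal(normal_ids, modified_ids):
    """For a forced yearly-feed update: skip CVEs the Modified feed currently owns,
    so the older yearly copy cannot regress data that Modified has superseded."""
    return sorted(set(normal_ids) - set(modified_ids))


# Constructed sample state (CVE ids taken from this log; the links are made up).
SAMPLE_LINKS = {
    "CVE-2020-7470": "NIST 2020",            # about to appear in Modified
    "CVE-2019-20095": "NIST Modified Data",  # about to drop out of Modified
    "CVE-2019-20096": "NIST 2019",           # about to appear in Modified
}
SAMPLE_MODIFIED = {"CVE-2020-7470", "CVE-2019-20096"}
SAMPLE_NORMAL_2019 = {"CVE-2019-20095", "CVE-2019-20096"}


if __name__ == "__main__":
    links, trace = reconcile_links(SAMPLE_LINKS, SAMPLE_MODIFIED)
    for cve, old, new in trace:
        print(f"{cve}: {old} -> {new}")
    print("forced NIST 2019 scan covers:",
          cves_to_scan_from_normal(SAMPLE_NORMAL_2019, SAMPLE_MODIFIED))
```

Running the reconciliation a second time with the same Modified set produces an empty trace, which is the property to check after a repair pass: a correct link set must be a fixed point.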
|
|
1. Fix the NIST 'alt-source' routine to correctly use the current 'modified'
datasource to preempt the regular datasources, and also set the CVE
datasource links accordingly.
2. Update the CVE NIST improve Score/Severity repair, also ensure
that the 'modified' datasource values pre-empt the regular
datasource values. Also, fix missing and/or obsolete NIST datasource
references for CVEs.
./bin/common/srtool_utils.py --fix-severity [ALL|"NIST Modified Data"|...]
3. Add/improve helper routine to list Score/Severity values across the
many NIST data sources (e.g. modified and regular), plus the
current CVE values and the current CVE datasource links. This is used
to investigate and validate the above repair routine.
./bin/nist/srtool_nist.py -S CVE-2020-7470
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add a fixup utility to repair errors from the MITRE CVE creation script
that left broken V2 status values. Also add a NIST status summary debug
command to report the CVE general status across the base source file,
the 'modified' source file, and list the current datasource mappings
for that CVE.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The schema for this field is 'models.DateField' but the scoring method
in "srtool_common --score-new-cves" was setting an obsolete date_time value.
That crashes Django-2.2 (but not Django-1.11).
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
In the summary publish report, leave the product cell blank if there
is no Investigation.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the generic CVE summary report across products to the core
report list.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add CVE publishing features, specifically add a method to generate CVE status
across the releases, filterable by CVE status.
Add dynamic schema calculations for the backup database snapshots, to enable
difference scanning even when the schema has been reordered after a migration.
Add first part of database difference scanning code migration.
Fix MITRE scanning for new source files.
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the MITRE 2020 data source
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
srtool: cumulative deployment features and fixes
High level new features:
* Publishing support to external/public databases
* Ability to label products as "active", "inactive", "under development"
Inactive (EOL) products appear but
* Do not affect status propagation
* Do not auto-create defects
Development product status is not exported to public database
* Extend NIST download range to 2002..2019
* Added MITRE downloads to provide RESERVED tracking
* Extended audit history tracking and meta-data
* Delete CVE records
* Ability to do "OR" searches (default is "AND")
Example: "CVE-2019-20095 OR CVE-2019-20096 OR CVE-2019-19977"
* Automated defect creation (Jira)
If selected, creates customer defect for selected and active products
Reuse existing defect if present for given product
* Many small sorting, readability, edge case fixes
Backups:
* Add meta-data stamp file for each backup
* Save daily backups with day name instead of day number
* Preserve file dates when making copies to backup
* Add list command
Automated Updates:
* Fix report format
* Add trial run test
Utilities:
* Add 13 new database fix up procedures
Some are one-shot historical fixes, some are learned validation checks
Database Schema:
* Add "SRTool" class to wrap shared enumerations (e.g. Priority)
* Add "Update" class to tag and track audit trail objects
* Change Priority naming to match CVE model instead of JIRA
* Add srt_created/srt_updated to CVE/Vul/Inv/Notify for improved updating and auditing
* Add to Defect the SRT versions of Status, Priority, Outcome
To distinguish these from the customer's defect system's values
Common Tools:
* Fix new CVE auto-scoring to skip CVE's already scored (though still NEW)
* Add automated propagation of Defects/Investigations status to parent Vulnerabilities
See "srtool_common.py" for rule details
CVEs:
* Add MITRE as an automatic upstream source
This is to specifically capture all of the "RESERVED" CVE enumerations which
will not appear in the NIST databases, and have the CVE records in place for
internal investigations and transitions to "public" status.
* Spell out the command arguments in the NIST data source files for greater legibility
* Change Priority naming to match CVE instead of JIRA
* Add parallel status states for "inactive" products
This specifically blocks state propagation from inactive objects to active objects
NIST management script:
* Refactor file for greater clarity
* Reorder methods to reflect workflow order
* Fully spell out names of objects
* Remove temporary holding class "CVE" in favor of dictionary objects
* Debugging enhancements
* Incremental update commands for stepped debugging
For example, ability to fetch/update specific CVE(s)
* Additional debugging flags
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the key for the product filter in the investigations table,
and the output for full reports in the CVE->defects report.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Track the current running update task in ".srtupdate.task" to help
track background update activity and overhead. Make calls to the
update start/stop absolute paths to help track active SRTool
tasks, especially between multiple servers.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix a misplaced ')' in the updated package registration code.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix a copy/paste error in the Jira status mapping table.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
When restarting the SRTool, the main app's user and product table
should be re-read and applied. This fixes a select problem.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add a report that lists the Vulnerabilities, Investigations, and Defects
(plus status) for the given list of CVEs.
Example:
1) Open the CVEs table
2) Search for this string: "CVE-2017-5715 OR CVE-2017-5753 OR CVE-2017-5754"
3) Click Export
* Select the new report "CVE to Defects Table". You can leave the
rest of the settings alone.
* Click "Generate and Download Report"
* Open the report CSV file in your text editor or in Excel.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
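The procedure above combines the "OR" search syntax (default joiner "AND", see the cumulative deployment commit) with the "CVE to Defects Table" export. The following is an added example in Python of both steps run offline; it is not SRTool's search or report code. The record layout, the object ids (`VUL-1`, `INV-1`, `DEF-1`), the product names, the column headers and the one-row-per-defect shape of the table are assumptions; the three CVE ids and the search string are the ones in the message.

```python
"""Run an SRTool-style 'OR' search over CVE records and build a CVE-to-defects table."""
import csv
import io

# Constructed sample records (not real SRTool data): each CVE with its
# vulnerability, investigations per product, and the defects filed for them.
SAMPLE_CVES = {
    "CVE-2017-5715": {
        "description": "branch target injection (Spectre variant 2)",
        "vulnerability": ("VUL-1", "Vulnerable"),
        "investigations": [
            {"id": "INV-1", "product": "product-a", "status": "Investigate",
             "defects": [("DEF-1", "Open"), ("DEF-2", "Resolved")]},
            {"id": "INV-2", "product": "product-b", "status": "Vulnerable", "defects": []},
        ],
    },
    "CVE-2017-5753": {
        "description": "bounds check bypass (Spectre variant 1)",
        "vulnerability": ("VUL-2", "Vulnerable"),
        "investigations": [],
    },
    "CVE-2017-5754": {
        "description": "rogue data cache load (Meltdown)",
        "vulnerability": None,
        "investigations": [],
    },
}


def parse_search(query):
    """Split a search string into OR-groups of AND-terms (AND is the default joiner)."""
    groups, current = [], []
    for token in query.split():
        if token == "OR":
            if current:
                groups.append(current)
            current = []
        else:
            current.append(token)
    if current:
        groups.append(current)
    return groups


def search_cves(records, query):
    """CVE ids whose id or description satisfies the query (case-insensitive substrings)."""
    groups = parse_search(query)
    hits = []
    for cve_id, rec in records.items():
        haystack = (cve_id + " " + rec["description"]).lower()
        if any(all(term.lower() in haystack for term in group) for group in groups):
            hits.append(cve_id)
    return sorted(hits)


HEADER = ["CVE", "Vulnerability", "Vul Status", "Investigation", "Product",
          "Inv Status", "Defect", "Defect Status"]


def cve_to_defects_rows(records, cve_ids):
    """One row per CVE/investigation/defect; cells stay blank where a level is missing."""
    rows = []
    for cve_id in cve_ids:
        rec = records[cve_id]
        vul_id, vul_status = rec["vulnerability"] or ("", "")
        for inv in rec["investigations"] or [None]:
            if inv is None:  # no investigation: product and defect cells left blank
                rows.append([cve_id, vul_id, vul_status, "", "", "", "", ""])
                continue
            for def_id, def_status in inv["defects"] or [("", "")]:
                rows.append([cve_id, vul_id, vul_status, inv["id"], inv["product"],
                             inv["status"], def_id, def_status])
    return rows


def cve_to_defects_csv(records, query):
    """The exported report as CSV text for the CVEs matching the search."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(cve_to_defects_rows(records, search_cves(records, query)))
    return out.getvalue()


if __name__ == "__main__":
    print(cve_to_defects_csv(SAMPLE_CVES, "CVE-2017-5715 OR CVE-2017-5753 OR CVE-2017-5754"))
```

A query such as `spectre meltdown` returns nothing because the terms are ANDed, while `spectre OR meltdown` returns all three records; that difference is the whole point of the "OR" syntax in this workflow.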
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|