{
"comments": [
{
"unresolved": true,
"key": {
"uuid": "f80f2164_9a200101",
"filename": "cve_support/cve_policy_filter.py",
"patchSetId": 1
},
"lineNbr": 251,
"author": {
"id": 28739
},
"writtenOn": "2024-04-08T14:06:48Z",
"side": 1,
"message": "The fact that it is named \"optional\" makes me think that instead of letting the absence of [\"optional\"][\"source\"] in one entry be a KeyError for the entire list, it might be better to keep searching the list. If there is no entry with value \"nvd@nist.gov\" then raise a KeyError.\n\nHowever, I did not find any examples in the dataset you shared with me:\n\n for k in data[\u0027scannedCves\u0027]:\n     if \u0027nvd\u0027 not in data[\u0027scannedCves\u0027][k][\u0027cveContents\u0027].keys():\n         continue\n     missing\u003dFalse\n     use_l\u003d{}\n     for l in data[\u0027scannedCves\u0027][k][\u0027cveContents\u0027][\u0027nvd\u0027]:\n         try:\n             if l[\"optional\"][\"source\"] \u003d\u003d \"nvd@nist.gov\":\n                 if not use_l:\n                     use_l \u003d l\n                 else:\n                     print(\"Oops: two entries for nvd@nist.gov: %s\" % k)\n         except KeyError:\n             # ignore missing [\"optional\"][\"source\"]\n             missing\u003dTrue\n             pass\n     if missing and use_l:\n         print(\"CVE %s is example\" % k)\n\nResult of the above is empty. Please consider the above, but since I do not find an example in the dataset then also feel free to ignore the suggestion.",
"range": {
"startLine": 251,
"startChar": 89,
"endLine": 251,
"endChar": 111
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "7104c39e_ddbbe66a",
"filename": "cve_support/cve_policy_filter.py",
"patchSetId": 1
},
"lineNbr": 251,
"author": {
"id": 32753
},
"writtenOn": "2024-04-15T03:08:02Z",
"side": 1,
"message": "Thanks for your suggestion. I think it is right that the result of the example is empty, unless the dataset format is going to be updated again (nvd.optional.source to be dropped). That\u0027s the reason why I selected [\"nvd\"][\"optional\"][\"source\"] as the special condition to filter the score/vector.\nI will try to include this new condition in the next version. Thanks!",
"parentUuid": "f80f2164_9a200101",
"range": {
"startLine": 251,
"startChar": 89,
"endLine": 251,
"endChar": 111
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "e28777ba_5458b4e5",
"filename": "cve_support/cve_policy_filter.py",
"patchSetId": 1
},
"lineNbr": 251,
"author": {
"id": 32753
},
"writtenOn": "2024-04-23T03:18:09Z",
"side": 1,
"message": "Done",
"parentUuid": "7104c39e_ddbbe66a",
"range": {
"startLine": 251,
"startChar": 89,
"endLine": 251,
"endChar": 111
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "42f1700f_231fb50b",
"filename": "cve_support/cve_policy_filter.py",
"patchSetId": 1
},
"lineNbr": 298,
"author": {
"id": 28739
},
"writtenOn": "2024-04-02T12:39:20Z",
"side": 1,
"message": "Could you privately send me an example copy of the report data?",
"range": {
"startLine": 298,
"startChar": 37,
"endLine": 298,
"endChar": 111
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "429af291_bad966b7",
"filename": "cve_support/cve_policy_filter.py",
"patchSetId": 1
},
"lineNbr": 298,
"author": {
"id": 32753
},
"writtenOn": "2024-04-07T01:48:13Z",
"side": 1,
"message": "Done via email",
"parentUuid": "42f1700f_231fb50b",
"range": {
"startLine": 298,
"startChar": 37,
"endLine": 298,
"endChar": 111
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "526466da_80cba180",
"filename": "cve_support/lp.py",
"patchSetId": 1
},
"lineNbr": 71,
"author": {
"id": 28739
},
"writtenOn": "2024-04-02T12:39:20Z",
"side": 1,
"message": "cve_id in string was always not specific enough of a search. cve_id in longer_more_descriptive_string seems excessively not specific enough.\n\n $ python3\n \u003e\u003e\u003e cve_id\u003d\"CVE-2014-12345\"\n \u003e\u003e\u003e bug\u003d{}\n \u003e\u003e\u003e bug[\u0027title\u0027]\u003d\"my bug mentions CVE-2014-12345\"\n \u003e\u003e\u003e bug[\u0027description\u0027]\u003d\"it just so happens that I want to mention the fact that a certain CVE fix (CVE-2014-12345) has a certain impact. So I want to talk about that CVE. This bug doesn\u0027t fix that CVE though, so I shouldn\u0027t assume just because I talked about it that this bug is intended to fix the CVE\"\n \u003e\u003e\u003e cve_id in bug[\"title\"]\n True\n \u003e\u003e\u003e cve_id in bug[\"description\"]\n True\n\nPlease decide on intentional CVE reference in the LP description that you can search for. Use \u0027import re\u0027 or something similar to find matches in the description for the specific intentional reference.",
"range": {
"startLine": 70,
"startChar": 0,
"endLine": 71,
"endChar": 22
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "d84687fd_c10f0e99",
"filename": "cve_support/lp.py",
"patchSetId": 1
},
"lineNbr": 71,
"author": {
"id": 32753
},
"writtenOn": "2024-04-07T01:48:13Z",
"side": 1,
"message": "OK, I\u0027m going to attempt to involve the re lib in the next version.",
"parentUuid": "526466da_80cba180",
"range": {
"startLine": 70,
"startChar": 0,
"endLine": 71,
"endChar": 22
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "ecdc1b3c_0923db81",
"filename": "cve_support/lp.py",
"patchSetId": 1
},
"lineNbr": 71,
"author": {
"id": 28739
},
"writtenOn": "2024-04-22T13:39:43Z",
"side": 1,
"message": "Using the full URL is an improvement, in so far as it is less likely to be present in a bug description. If you can influence the authors of the bug reports, then please feel free to make that assertion.\n\nI looked at an example from the recent Starlingx report. This format is what I see in bug https://bugs.launchpad.net/starlingx/+bug/2058868:\n\n CVE-2022-2127: https://nvd.nist.gov/vuln/detail/CVE-2022-2127\n CVE-2022-3437: https://nvd.nist.gov/vuln/detail/CVE-2022-3437\n CVE-2023-4091: https://nvd.nist.gov/vuln/detail/CVE-2023-4091\n CVE-2023-34966: https://nvd.nist.gov/vuln/detail/CVE-2023-34966\n CVE-2023-34967: https://nvd.nist.gov/vuln/detail/CVE-2023-34967\n CVE-2023-34968: https://nvd.nist.gov/vuln/detail/CVE-2023-34968\n\nIf you can assert with the security team members that this format will be used as deliberate CVE reference to be recognized by this reporting script, then this script can search for the specific format.\n\n pattern \u003d cve_id + \": \" + path.join(NVD_URL, cve_id)",
"parentUuid": "d84687fd_c10f0e99",
"range": {
"startLine": 70,
"startChar": 0,
"endLine": 71,
"endChar": 22
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "da815bbc_5dc9b460",
"filename": "cve_support/lp.py",
"patchSetId": 1
},
"lineNbr": 71,
"author": {
"id": 32753
},
"writtenOn": "2024-04-23T03:18:09Z",
"side": 1,
"message": "I have connected with Yue; when creating the new LP page to track the CVE issue, he will ensure the full URL is filed in the description section every time.\nI will update the new pattern in the next version.",
"parentUuid": "ecdc1b3c_0923db81",
"range": {
"startLine": 70,
"startChar": 0,
"endLine": 71,
"endChar": 22
},
"revId": "13039cef23df11684a4042049d5e2c90ab85bac5",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}