CasperSecurity
import sys
import textwrap
from collections import namedtuple
from uaclient import defaults, exceptions, messages, system, util
from uaclient.api.u.pro.security.cves._common.v1 import VulnerabilityData
from uaclient.api.u.pro.security.cves.v1 import CVEInfo, CVEsOptions, _cves
from uaclient.api.u.pro.security.fix._common import (
query_installed_source_pkg_versions,
)
from uaclient.cli import cli_util
from uaclient.cli.commands import ProArgument, ProArgumentGroup, ProCommand
from uaclient.cli.formatter import Table
from uaclient.cli.parser import HelpCategory
from uaclient.config import UAConfig
AffectedPackage = namedtuple(
"AffectedPackage", ["name", "fix_status", "fix_origin", "fix_version"]
)
@cli_util.with_spinner(msg=messages.CLI_CVES_SPINNER_MSG)
def _get_cve_vulnerabilities(args, *, cfg: UAConfig, **kwargs):
try:
result = _cves(options=CVEsOptions(), cfg=cfg)
except exceptions.VulnerabilityDataNotFound:
result = None
return result
def _get_affected_pkgs(cve_vulnerabilities, cve_info, cve_name):
rows = []
installed_pkgs_by_source = query_installed_source_pkg_versions()
for source_pkg in cve_info.related_packages:
binary_pkgs = installed_pkgs_by_source.get(source_pkg, {}).keys()
for binary_pkg in sorted(binary_pkgs):
binary_pkg_info = cve_vulnerabilities.packages.get(binary_pkg)
if binary_pkg_info:
for cve in binary_pkg_info.cves:
if cve.name == cve_name:
rows.append(
AffectedPackage(
name=binary_pkg,
fix_status=cve.fix_status,
fix_origin=cve.fix_origin,
fix_version=cve.fix_version,
)
)
break
return rows
def _format_affected_pkgs(affected_pkgs):
formatted_rows = []
for affected_pkg in affected_pkgs:
if affected_pkg.fix_status == "fixed":
formatted_rows.append(
[
"{}:".format(affected_pkg.name),
affected_pkg.fix_status,
"({})".format(affected_pkg.fix_origin),
affected_pkg.fix_version,
]
)
else:
formatted_rows.append(
[
"{}:".format(affected_pkg.name),
affected_pkg.fix_status,
"",
"",
]
)
return formatted_rows
def action_cve(args, *, cfg, **kwargs):
cve_name = args.cve.upper()
cve_vulnerabilities = _get_cve_vulnerabilities(args, cfg=cfg)
if not cve_vulnerabilities:
raise exceptions.VulnerabilityDataNotFound()
if cve_name not in cve_vulnerabilities.cves:
cve_data = (
VulnerabilityData(cfg)
.get()
.get("security_issues", {})
.get("cves", {})
.get(cve_name)
)
if not cve_data:
release = system.get_release_info().release
print(
messages.CLI_CVE_NOT_FOUND_IN_DATA.format(
issue=args.cve,
release=release,
url="{}/{}".format(defaults.BASE_SECURITY_URL, cve_name),
),
file=sys.stderr,
)
return
cve_info = CVEInfo(
description=cve_data["description"],
published_at=util.parse_rfc3339_date(cve_data["published_at"]),
priority=cve_data["ubuntu_priority"],
notes=cve_data["notes"],
cvss_score=cve_data["cvss_score"],
cvss_severity=cve_data["cvss_severity"],
related_usns=[],
)
affected_pkgs_table = ""
else:
cve_info = cve_vulnerabilities.cves[cve_name]
affected_pkgs_rows = _format_affected_pkgs(
_get_affected_pkgs(cve_vulnerabilities, cve_info, args.cve)
)
affected_pkgs_table = Table(rows=affected_pkgs_rows).to_string()
print("name: {}".format(cve_name))
print(
"public-url: {}/{}".format(defaults.BASE_SECURITY_URL, cve_name)
)
print(
"published-at: {}".format(
cve_info.published_at.strftime("%Y-%m-%d")
)
)
print(
"cve-cache-date: {}".format(
cve_vulnerabilities.vulnerability_data_published_at.strftime(
"%Y-%m-%d"
)
)
)
print(
"apt-cache-date: {}".format(
cve_vulnerabilities.apt_updated_at.strftime("%Y-%m-%d")
)
)
print(
"priority: {}".format(
cli_util.colorize_priority(cve_info.priority)
)
)
if cve_info.cvss_score:
print("cvss-score: {}".format(cve_info.cvss_score))
if cve_info.cvss_severity:
print("cvss-severity: {}".format(cve_info.cvss_severity))
print("description: |")
print(
"{}".format(
"\n".join(
textwrap.wrap(
cve_info.description,
width=defaults.PRINT_WRAP_WIDTH,
break_long_words=False,
break_on_hyphens=False,
initial_indent=" ",
subsequent_indent=" ",
)
)
)
)
if cve_info.notes:
print("notes:")
for note in cve_info.notes:
print(
textwrap.fill(
note,
width=defaults.PRINT_WRAP_WIDTH,
break_long_words=False,
break_on_hyphens=False,
initial_indent=" - ",
subsequent_indent=" ",
)
)
if affected_pkgs_table:
print("affected_packages:")
for line in affected_pkgs_table.splitlines():
print(" " + line)
else:
print("affected_packages: []")
if cve_info.related_usns:
related_usns = [
" {}: {}".format(usn.name, usn.title)
for usn in cve_info.related_usns
if usn.title
]
if related_usns:
print("related_usns:")
for related_usn in related_usns:
print(related_usn)
cve_command = ProCommand(
"cve",
help=messages.CLI_CVE,
description=messages.CLI_CVE_DESC,
action=action_cve,
help_category=HelpCategory.SECURITY,
preserve_description=True,
argument_groups=[
ProArgumentGroup(
arguments=[
ProArgument(
"cve",
help=messages.CLI_CVE_ISSUE,
),
]
)
],
)