2 changes: 2 additions & 0 deletions .gitignore
@@ -6,3 +6,5 @@

# ignore cloud credentials
/bot/cloud-credentials.json

__pycache__/
388 changes: 388 additions & 0 deletions cve-jira-processing/README.md
@@ -0,0 +1,388 @@
# CVE Jira Processing

Tools for processing CVE Vulnerability issues in Jira. Queries Jira for unprocessed CVEs, creates tracking structures, and establishes dependency chains across versions.

The script is **idempotent** - it can be run multiple times safely without creating duplicate issues.

## Setup

1. Install dependencies:
```bash
pip install -r requirements.txt
```

2. Set environment variables:
```bash
export JIRA_API_TOKEN="your-api-token"
export JIRA_SERVER="https://issues.redhat.com" # optional, this is the default
```

## Scripts

| Script | Description |
|--------|-------------|
| `dup_cve.py` | Main script for CVE processing |
| `manage_task_cves.py` | Manage CVEs linked to a task (update fields, close, set release notes) |
| `inspect_issues.py` | Inspect issues - show status and links |
| `reset_cves.py` | Remove processed labels to allow reprocessing |

## Usage

### dup_cve.py - Main Processing Script

```bash
# Dry run - see what would be done without making changes
python dup_cve.py --dry-run

# Process CVEs for real
python dup_cve.py

# Process only a specific CVE
python dup_cve.py --cve CVE-2024-1234

# Verbose output for debugging
python dup_cve.py --dry-run -v

# Use a custom config file
python dup_cve.py --config /path/to/config.yaml
```

### inspect_issues.py - Inspect Issues

```bash
# Inspect specific issues
python inspect_issues.py OCPBUGS-12345 OSASINFRA-67890

# Inspect issues from a file
python inspect_issues.py -f issues.txt

# Combine both
python inspect_issues.py OCPBUGS-12345 -f more_issues.txt
```

### manage_task_cves.py - Manage CVEs Linked to a Task

```bash
# See what CVEs are linked to a task
python manage_task_cves.py OSASINFRA-12345 --dry-run

# Close all linked CVEs with defaults (status=Closed, resolution=Done)
python manage_task_cves.py OSASINFRA-12345

# Transition to a different status
python manage_task_cves.py OSASINFRA-12345 --status ON_QA

# Close with custom comment and resolution
python manage_task_cves.py OSASINFRA-12345 --comment "Fixed in OCPBUGS-99999" --resolution "Fixed"

# Set release note fields when closing (using defaults: type=CVE, status=Proposed)
python manage_task_cves.py OSASINFRA-12345 \
--release-note-text "This CVE was addressed upstream." \
--release-note-type \
--release-note-status

# Set release note fields with custom values
python manage_task_cves.py OSASINFRA-12345 \
--release-note-text "This CVE was addressed upstream." \
--release-note-type "Bug Fix" \
--release-note-status "Done"

# Update release notes without transitioning (no status change)
python manage_task_cves.py OSASINFRA-12345 --no-transition \
--release-note-text "This CVE was addressed upstream." \
--release-note-type \
--release-note-status

# Add a patch link to CVEs
python manage_task_cves.py OSASINFRA-12345 \
--patch-url "https://github.com/org/repo/pull/123" \
--patch-title "Fix for CVE-2024-1234"

# Transition CVEs to POST and task to POST
python manage_task_cves.py OSASINFRA-12345 --status POST --task-status POST

# Close CVEs and the parent task
python manage_task_cves.py OSASINFRA-12345 --close-task

# Close CVEs and task with patch link on both
python manage_task_cves.py OSASINFRA-12345 --close-task \
--patch-url "https://github.com/org/repo/pull/123"

# Close task with custom resolution
python manage_task_cves.py OSASINFRA-12345 \
--task-status Closed --task-resolution "Won't Fix"

# Process only Bug issues (not Vulnerabilities)
python manage_task_cves.py OSASINFRA-12345 --bugs-only --status POST
```

### reset_cves.py - Reset Processed Labels

```bash
# Dry run - see what would be reset
python reset_cves.py --dry-run

# Actually remove labels
python reset_cves.py

# Reset only a specific CVE
python reset_cves.py --cve CVE-2024-1234

# Reset issues from a file
python reset_cves.py -f issues.txt

# Also remove dependency and duplicate links
python reset_cves.py -f issues.txt --remove-links

# Transition issues back to ASSIGNED status
python reset_cves.py -f issues.txt --reassign

# Full reset: remove label, links, and reassign
python reset_cves.py -f issues.txt --remove-links --reassign
```

## Processing Flow

```
┌─────────────────────────────────────────────────────────────┐
│ 1. Query unprocessed CVEs │
│ - Status: New or Assigned │
│ - No processed label │
│ - Matching configured downstream components │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 2. Group by {component}:{cve_id} │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 3. For each CVE group: │
│ a. Find/create Epic in OSASINFRA │
│ b. Query ALL CVEs for this CVE ID (version detection) │
│ c. Determine version range: min → max CVE version │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 4. For each version with CVEs: │
│ ├─ Create Task in OSASINFRA (with Epic Link) │
│ ├─ Link Task to CVEs (is caused by) │
│ ├─ Set Target Backport Versions = Affects Version/s │
│ └─ Add processed label to all CVEs │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 5. Create VERIFIED bug for next version after max CVE: │
│ ├─ Create Task in OSASINFRA (with Epic Link) │
│ ├─ Create VERIFIED Bug in OCPBUGS │
│ └─ Link Task → is related to → Bug │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 6. Create dependency chain (older depends on newer): │
│ 4.12 → depends on → 4.13 → depends on → 4.14 │
└─────────────────────────────────────────────────────────────┘
```

## JQL Queries Used

### 1. Initial Query - Find Unprocessed CVEs

```sql
project = OCPBUGS AND type = Vulnerability
AND ("Downstream Component Name" ~ "comp1" OR "Downstream Component Name" ~ "comp2" ...)
AND labels != "{cve_processed_label}"
AND status IN (New, Assigned)
AND "CVE ID" ~ "{cve_filter}" -- only if --cve flag provided
```

### 2. Secondary Query - Find All Related CVEs

```sql
project = OCPBUGS AND type = Vulnerability
AND "CVE ID" ~ "{cve_id}"
AND ("Downstream Component Name" ~ "comp1" OR ...)
AND (status != Closed OR resolution IN (Duplicate, "Won't Do", "Not a Bug"))
```

### 3. Find Existing Epic

```sql
project = OSASINFRA AND type = Epic
AND summary ~ "\"{cve_id} - {component}\""
```

### 4. Find Existing Task

```sql
project = OSASINFRA AND type = Task
AND summary ~ "\"{cve_id} - {component} - {version}\""
```

### 5. Find Existing Bug

```sql
project = OCPBUGS AND type = Bug
AND summary ~ "\"{cve_id} - {component} - {version}\""
```

## Issue Structure Created

```
OSASINFRA:
├── Epic: CVE-2024-1234 - openstack-cinder
│ ├── Task: CVE-2024-1234 - openstack-cinder - 4.12 (Epic Link)
│ │ └── is caused by: CVE (Vulnerability) for 4.12
│ ├── Task: CVE-2024-1234 - openstack-cinder - 4.13 (Epic Link)
│ │ └── is caused by: CVE (Vulnerability) for 4.13
│ └── Task: CVE-2024-1234 - openstack-cinder - 4.14 (Epic Link)
│ └── is related to: VERIFIED Bug (CVE fixed in earlier version)

OCPBUGS (one VERIFIED bug for next version after max CVE):
└── Bug: CVE-2024-1234 - openstack-cinder - 4.14 (VERIFIED)

Dependency Chain (older depends on newer):
CVE-4.12 → depends on → CVE-4.13 → depends on → Bug-4.14
```

## Link Types Used

| Source | Link Type | Target | Description |
|--------|-----------|--------|-------------|
| Task | Epic Link (field) | Epic | Tasks belong to the Epic |
| Task | is related to | Bug (ON_QA) | Task linked to created bug |
| Task | is caused by | CVE | Task is caused by the CVE |
| Older issue | depends on | Newer issue | Dependency chain |

## Fields Set on Created Issues

### Epics (in OSASINFRA)

| Field | Value |
|-------|-------|
| Project | OSASINFRA |
| Issue Type | Epic |
| Summary | `{CVE ID} - {component}` |
| Epic Name | `{CVE ID} - {component}` |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Description | `Grouping epic for bugs related to {CVE ID} - {component}` |

### Tasks (in OSASINFRA)

| Field | Value |
|-------|-------|
| Project | OSASINFRA |
| Issue Type | Task |
| Summary | `{CVE ID} - {component} - {version}` |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Epic Link | Link to parent Epic |

### VERIFIED Bugs (in OCPBUGS)

| Field | Value |
|-------|-------|
| Project | OCPBUGS |
| Issue Type | Bug |
| Summary | `{CVE ID} - {component} - {version}` |
| Component/s | Inherited from source CVE issues |
| Target Version | `{version}.z` (e.g., 4.14.z) |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Status | Transitioned to VERIFIED |

## Version Range Logic

- **CVE versions**: Only versions with reported CVEs get processed
- **VERIFIED bug**: One bug created for next version after max CVE version
- This indicates the CVE was fixed in an earlier version

## Idempotency

The script can be run multiple times safely:

- **Existing Epics** are reused (searched by summary)
- **Existing Tasks** are reused (searched by summary)
- **Existing Bugs** are reused (searched by summary)
- **Already-processed CVEs** are identified by the processed label and skipped

## Files

| File | Description |
|------|-------------|
| `dup_cve.py` | Main script for CVE processing |
| `manage_task_cves.py` | Utility to manage CVEs linked to a task |
| `inspect_issues.py` | Utility to inspect issue status and links |
| `reset_cves.py` | Utility to remove processed labels |
| `lib/jira_client.py` | Jira API client wrapper |
| `lib/jira_formatter.py` | Field formatting utilities for Jira API requests |
| `config.yaml` | Configuration file (component mappings, labels) |

## Configuration

The `config.yaml` file contains:

- **cve_processed_label**: Label applied to processed CVE issues
- **repo_to_component**: Mapping of downstream repository names to component names

The script queries for Vulnerabilities matching the downstream components defined in `repo_to_component`.

To add support for new components, add entries to the `repo_to_component` section:

```yaml
repo_to_component:
openshift4/ose-new-component-rhel9: openshift/new-component
```

## Example Output

```
2025-01-15 10:30:00 - Loaded config from config.yaml
2025-01-15 10:30:00 - Configured components: ['openshift4/ose-cloud-provider-openstack-rhel9', ...]
2025-01-15 10:30:01 - Found 50 numeric target versions
2025-01-15 10:30:01 - Querying Jira for Vulnerabilities...
2025-01-15 10:30:05 - Found 7 unprocessed Vulnerabilities
2025-01-15 10:30:05 - Found 2 CVE groups

2025-01-15 10:30:05 - Processing CVE group: openstack-cinder:CVE-2024-1234
2025-01-15 10:30:05 - CVE: CVE-2024-1234, Component: openstack-cinder
2025-01-15 10:30:05 - Found CVEs in versions: ['4.12', '4.13']
2025-01-15 10:30:05 - Processing versions: ['4.12', '4.13', '4.14', '4.15', '4.16']
2025-01-15 10:30:06 - Created Epic: OSASINFRA-99999
2025-01-15 10:30:07 - Version 4.12:
2025-01-15 10:30:07 - Created task: OSASINFRA-100000
2025-01-15 10:30:07 - 2 CVEs (1 new)
2025-01-15 10:30:07 - OCPBUGS-11111 (already processed)
2025-01-15 10:30:08 - Linked: OCPBUGS-22222
2025-01-15 10:30:09 - Version 4.13:
2025-01-15 10:30:09 - Created task: OSASINFRA-100001
2025-01-15 10:30:09 - 1 CVEs (1 new)
2025-01-15 10:30:09 - Linked: OCPBUGS-33333
2025-01-15 10:30:10 - Version 4.14:
2025-01-15 10:30:10 - Created task: OSASINFRA-100002
2025-01-15 10:30:10 - No CVEs, creating ON_QA bug
2025-01-15 10:30:11 - Created bug: OCPBUGS-100003
2025-01-15 10:30:11 - Transitioned OCPBUGS-100003 to ON_QA
...

======================================================================
SUMMARY (DRY RUN - no changes made)
======================================================================

TOTALS
----------------------------------------
Epics: 2 (1 existing, 1 to create)
Tasks: 10 (3 existing, 7 to create)
Bugs: 6 (0 existing, 6 to create)
CVEs: 5 to link

DETAILS BY CVE GROUP
----------------------------------------
[CVE-2024-1234] openstack-cinder
Epic: OSASINFRA-99999
Tasks (5): OSASINFRA-100000, OSASINFRA-100001, ... OSASINFRA-100004
Bugs (3): OCPBUGS-100003, OCPBUGS-100004, OCPBUGS-100005
CVEs (2): OCPBUGS-11111, OCPBUGS-22222

======================================================================
```
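Review bot: the first JQL query under "JQL Queries Used" filters with `labels != "{cve_processed_label}"`, which in JQL does not match issues whose labels field is empty, so a freshly filed Vulnerability issue with no labels at all (the usual case for an unprocessed CVE) is silently excluded from the unprocessed set; the clause should read `AND (labels IS EMPTY OR labels != "{cve_processed_label}")`, in the documentation and in the script it describes. Separately, the README disagrees with itself about the bug created for the version after the newest affected one: "Processing Flow" step 5, "Issue Structure Created" and the "VERIFIED Bugs (in OCPBUGS)" table say the bug is transitioned to VERIFIED, while the "Link Types Used" table says `Bug (ON_QA)` and the "Example Output" shows `No CVEs, creating ON_QA bug` and `Transitioned OCPBUGS-100003 to ON_QA`. The "Version Range Logic" section also states that one bug is created for the single next version after the max CVE version, yet the example log processes `['4.12', '4.13', '4.14', '4.15', '4.16']` for CVEs found only in 4.12 and 4.13 and the summary reports `Tasks (5)` and `Bugs (3)`. Pick one target status and one version-range rule and align all sections so the documented behaviour matches what the tool actually does.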