public inbox for gentoo-commits@lists.gentoo.org
From: "Matt Jolly" <kangie@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/chromium-tools:master commit in: /
Date: Thu, 26 Sep 2024 02:39:11 +0000 (UTC)
Message-ID: <1727318341.e965e5c6d8692a7ec00d255c08f670111dee1c02.kangie@gentoo>

commit:     e965e5c6d8692a7ec00d255c08f670111dee1c02
Author:     Matt Jolly <kangie <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 26 02:34:18 2024 +0000
Commit:     Matt Jolly <kangie <AT> gentoo <DOT> org>
CommitDate: Thu Sep 26 02:39:01 2024 +0000
URL:        https://gitweb.gentoo.org/proj/chromium-tools.git/commit/?id=e965e5c6

get-edge-cves.py: new script

This script currently grabs the current month's CVRF from MS
and filters for Edge (Chromium-based) CVEs, then does some
magick to identify the version that it was fixed in if the
API is for some reason deficient...

Signed-off-by: Matt Jolly <kangie <AT> gentoo.org>

 get-edge-cves.py | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)

diff --git a/get-edge-cves.py b/get-edge-cves.py
new file mode 100755
index 0000000..a41187e
--- /dev/null
+++ b/get-edge-cves.py
@@ -0,0 +1,153 @@
+#!/usr/bin/env python
+
+# SPDX-License-Identifier: GPL-2.0-or-later
+# This script extracts the Chromium version mapping for Microsoft Edge based on a given CVE ID.
+# It uses the Microsoft Security Response Center (MSRC) API to get the Common Vulnerability Reporting Framework (CVRF)
+# for a given month and extracts the Chromium version mapping for Microsoft Edge (Chromium-based) from the CVRF.
+
+# API Docs https://api.msrc.microsoft.com/cvrf/v3.0/swagger/v3/swagger.json
+
+# We can use the CVRF API to get the Common Vulnerability Reporting Framework (CVRF) for a given month.
+# We can query the API via CVE ID to get the CVRF for a specific CVE, but that just leads us back to querying
+# the month. Stretch goal to ingest directly from bgo ticket aliases and confirm the month & version?
+# https://api.msrc.microsoft.com/cvrf/v3.0/updates/CVE-2024-7969
+
+# https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Aug
+# is the URL for the CVRF for August 2024
+
+# The XML looks like this:
+# <cvrfdoc
+#  . . .
+# <vuln:Vulnerability
+#     Ordinal="261">
+#     <vuln:Title>Chromium: CVE-2024-7969 Type Confusion in V8</vuln:Title>
+#     . . .
+#     <vuln:ProductStatuses>
+#       <vuln:Status
+#         Type="Known Affected">
+#         <vuln:ProductID>11655</vuln:ProductID>
+#         . . .
+#     </vuln:ProductStatuses>
+#     . . .
+#     <vuln:CVE>CVE-2024-7969</vuln:CVE>
+#     . . .
+#     <vuln:Remediations>
+#       <vuln:Remediation
+#         Type="Vendor Fix">
+#         <vuln:Description>Release Notes</vuln:Description>
+#         <vuln:URL />
+#         <vuln:ProductID>11655</vuln:ProductID>
+#         <vuln:AffectedFiles />
+#         <vuln:RestartRequired>No</vuln:RestartRequired>
+#         <vuln:SubType>Security Update</vuln:SubType>
+#         <vuln:FixedBuild>128.0.2739.42</vuln:FixedBuild>
+#         . . .
+#     </vuln:Remediations>
+#     . . .
+# </vuln:Vulnerability>
+
+# Process: Pick a month, get the CVRF for that month, then iterate over vulnerabilities to find the ones
+# that are for Microsoft Edge (Chromium-based) `<vuln:ProductID>11655</vuln:ProductID>`.
+# Extract the <vuln:CVE>CVE-2024-7969</vuln:CVE> to extract a CVE ID and
+# map to Chromium versions using the <vuln:FixedBuild>128.0.2739.42</vuln:FixedBuild> tag (or the notes if we _have_ to).
+
+import datetime
+import requests
+from portage import versions as portage_versions
+import sys
+import xml.etree.ElementTree as ET
+from bs4 import BeautifulSoup
+
+
+class EdgeCVE:
+    def __init__(self, cve, title, fixedbuild):
+        self.cve: str = cve
+        self.title: str = title
+        self.fixedbuild: str | None = fixedbuild
+
+    def __str__(self):
+        return f"{self.cve}: {self.title}: Fixed {self.fixedbuild if not None else 'unknown'}"
+
+
+def get_edge_cves(year, month) -> list[EdgeCVE]:
+    msrcapi = f"https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/{year}-{month}"
+
+    # Get the CVRF for the specified month
+    response = requests.get(msrcapi)
+
+    if response.status_code != 200:
+        print(f"Website returned {response.status_code}")
+        print(f"Failed to get CVRF for {year}-{month}")
+        sys.exit(1)
+
+    # Parse the XML
+    root = ET.fromstring(response.text)
+
+    # Find all the vulnerabilities
+    vulnerabilities = root.findall(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}Vulnerability")
+
+    edge_cves = []  # Store the edge cves here
+    for vulnerability in vulnerabilities:
+        productstatuses = vulnerability.findall(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}ProductStatuses")
+        for productstatus in productstatuses:
+            productid = productstatus.find(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}ProductID")
+            if productid.text == "11655":
+                # This is a Microsoft Edge (Chromium-based) vulnerability
+                cve_id = vulnerability.find(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}CVE").text
+                cve_title = vulnerability.find(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}Title").text
+                remediations = vulnerability.findall(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}Remediations")
+                for remediation in remediations:
+                    fixedbuild = remediation.find(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}FixedBuild")
+                    if fixedbuild is not None:
+                        edge_cves.append(
+                            EdgeCVE(cve_id,
+                                    cve_title,
+                                    fixedbuild.text)
+                        )
+                    else:
+                        # Fall back to parsing that horrible, horrible table in the notes
+                        notes = vulnerability.find(".//{http://www.icasi.org/CVRF/schema/vuln/1.1}Notes")
+                        # There appear to be multiple notes, but only one has content that we want:
+                        # <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;What is the version information for this release?&lt;/strong&gt;&lt;/p&gt;
+                        found = False
+                        for note in notes:
+                            if note.attrib['Title'] == "FAQ" and note.attrib['Type'] == "FAQ":
+
+                                # The note contains a table with the chromium and edge versions, written in "HTML"
+                                # &lt;td&gt;8/22/2024&lt;/td&gt;
+                                content = note.text
+
+                                soup = BeautifulSoup(content, 'html.parser')
+                                rows = soup.find_all('tr')
+                                # We want the second row, second cell
+                                if len(rows) > 1:
+                                    cells = rows[1].find_all('td')
+                                    if len(cells) > 1:
+                                        # We want the second cell (The first is the channel, the third the chromium version it's based on)
+                                        edge_version = cells[1].text
+                                        if portage_versions.ververify(edge_version):
+                                            found = True
+                                            edge_cves.append(
+                                                EdgeCVE(cve_id,
+                                                        cve_title,
+                                                        edge_version)
+                                            )
+
+                        if not found:
+                            edge_cves.append(
+                                EdgeCVE(cve_id,
+                                        cve_title,
+                                        None)
+                                )
+
+    return edge_cves
+
+
+now = datetime.datetime.now()
+year = now.year
+month = now.strftime("%B")[0:3]
+
+# Call the function with current year and month
+edge_cves = get_edge_cves(year, month)
+for cve in edge_cves:
+    print(cve)
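Review bot: the fallback in `EdgeCVE.__str__` never fires: `self.fixedbuild if not None else 'unknown'` evaluates the literal `not None` (always true), so a CVE whose fixed build could not be determined prints `Fixed None`; it should read `self.fixedbuild if self.fixedbuild is not None else 'unknown'`. In the product filter, `productstatus.find(".../ProductID")` returns only the first ProductID under each status, so an Edge (11655) entry that is listed after another product is silently skipped, and a status with no ProductID raises AttributeError on `.text`; iterate `findall` and test `"11655" in [p.text for p in ...]` instead. The same first-match problem applies to `remediation.find(".../FixedBuild")`, which takes the first FixedBuild in the Remediations container without checking that its ProductID is 11655. Two robustness points: `now.strftime("%B")[0:3]` is locale-dependent while the MSRC path expects the English abbreviation (e.g. `2024-Aug`), so derive the month from a fixed English list; and `requests.get(msrcapi)` has no `timeout`, so a stalled connection hangs the script indefinitely. Finally, the top-level fetch and print run on import; wrapping them in `if __name__ == "__main__":` would let the module be reused from other tools.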

