def show_advisory(advisory_id, raw=False):
    """Serve a stored advisory, either as its raw text or rendered as HTML.

    Looks up the advisory together with its group, package and every CVE
    attached to that group.  An advisory without stored ``content`` is
    redirected to the ``/generate`` endpoint (``/generate/raw`` when ``raw``).

    Args:
        advisory_id: primary key of the ``Advisory`` row to display.
        raw: when true, return ``advisory.content`` unchanged; otherwise run it
            through ``advisory_extend_html`` and render the HTML advisory page.

    Returns:
        ``not_found()`` when no matching rows exist, a redirect when the
        advisory has no content, the raw content string, or the rendered page.
    """
    lookup = (db.session.query(Advisory, CVEGroup, CVEGroupPackage, CVE)
              .filter(Advisory.id == advisory_id)
              .join(CVEGroupPackage)
              .join(CVEGroup)
              .join(CVEGroupEntry)
              .join(CVE)
              .order_by(CVE.id))
    rows = lookup.all()
    if not rows:
        return not_found()

    # Every row carries the same advisory/group/package; only the CVE varies.
    advisory, group, package, _ = rows[0]
    issues = [row[3] for row in rows]

    if not advisory.content:
        target = '/{}/generate/raw' if raw else '/{}/generate'
        return redirect(target.format(advisory_id))

    if raw:
        # NOTE(review): returned as a bare string, so the framework's default
        # response content type applies — confirm the raw advisory is meant
        # to be served that way rather than as text/plain.
        return advisory.content

    # NOTE(review): the stored content is handed to advisory_extend_html
    # without an escape() step, whereas show_generated_advisory escapes the
    # rendered text first — confirm content is already HTML-safe when saved.
    asa = advisory_extend_html(advisory.content, issues, package)
    return render_html_advisory(advisory=advisory,
                                package=package,
                                group=group,
                                raw_asa=asa,
                                generated=False)
def show_generated_advisory(advisory_id, raw=False):
    """Build an advisory from the tracker data on every request and serve it.

    Unlike ``show_advisory`` this ignores any stored ``advisory.content``; the
    text is produced from the ``advisory.txt`` template each time.

    Args:
        advisory_id: primary key of the ``Advisory`` row to render.
        raw: when true, return the rendered template text as-is; otherwise
            drop its first two lines, HTML-escape it, add links via
            ``advisory_extend_html`` and render the HTML advisory page.

    Returns:
        ``not_found()`` when no matching rows exist, the raw advisory text,
        or the rendered HTML page (with ``generated=True``).
    """
    rows = (db.session.query(Advisory, CVEGroup, CVEGroupPackage, CVE)
            .filter(Advisory.id == advisory_id)
            .join(CVEGroupPackage)
            .join(CVEGroup)
            .join(CVEGroupEntry)
            .join(CVE)
            .order_by(CVE.id)
            .all())
    if not rows:
        return not_found()

    # Every row shares the same advisory/group/package; only the CVE differs.
    advisory, group, package, _ = rows[0]
    issues = sorted(row[3] for row in rows)
    # Two stable sorts: severity is the primary key, issue_type the secondary.
    by_type = sorted(issues, key=lambda issue: issue.issue_type)
    severity_sorted_issues = sorted(by_type, key=lambda issue: issue.severity)

    remote = any(issue.remote is Remote.remote for issue in issues)

    # Continuation lines of the CVE-ID field are indented to the value column
    # of the "CVE-ID  : " header; four ids per line.
    continuation = '\n' + ' ' * len('CVE-ID  : ')
    id_lines = [' '.join(chunk) for chunk in chunks([issue.id for issue in issues], 4)]
    issues_listing_formatted = continuation.join(id_lines)

    link = TRACKER_ADVISORY_URL.format(advisory.id, group.id)

    def upstream_part(version):
        # Everything before the pkgrel ('-') and any '+' suffix.
        return version.split('-')[0].split('+')[0]

    # An upstream release is assumed whenever that part changed between the
    # affected and fixed versions.
    upstream_released = upstream_part(group.affected) != upstream_part(group.fixed)
    upstream_version = upstream_part(group.fixed)
    # Strip a leading epoch ("1:2.3" -> "2.3") from the displayed version.
    # NOTE(review): the released check above still compares the epoch-bearing
    # strings, so an epoch-only bump counts as an upstream release — confirm.
    if ':' in upstream_version:
        _, _, upstream_version = upstream_version.partition(':')

    # Issue types in severity order, first occurrence wins.
    unique_issue_types = []
    for issue in severity_sorted_issues:
        kind = issue.issue_type
        if kind in unique_issue_types:
            continue
        unique_issue_types.append(kind)

    references = []
    if group.bug_ticket:
        references.append(TRACKER_BUGTRACKER_URL.format(group.bug_ticket))

    def add_unseen(candidates):
        # Filter against the list as it stands, then extend in one step:
        # duplicates inside a single batch are deliberately not collapsed.
        fresh = [ref for ref in candidates if ref not in references]
        references.extend(fresh)

    add_unseen(multiline_to_list(group.reference))
    for issue in issues:
        add_unseen(multiline_to_list(issue.reference))

    raw_asa = render_template('advisory.txt',
                              advisory=advisory,
                              group=group,
                              package=package,
                              issues=issues,
                              remote=remote,
                              issues_listing_formatted=issues_listing_formatted,
                              link=link,
                              workaround=advisory.workaround,
                              impact=advisory.impact,
                              upstream_released=upstream_released,
                              upstream_version=upstream_version,
                              unique_issue_types=unique_issue_types,
                              references=references,
                              TRACKER_ISSUE_URL=TRACKER_ISSUE_URL,
                              TRACKER_GROUP_URL=TRACKER_GROUP_URL)
    if raw:
        return raw_asa

    # Drop the first two lines of the text, then escape before any HTML
    # (links) is added, so template output never reaches the page unescaped.
    body_lines = raw_asa.split('\n')[2:]
    escaped = str(escape('\n'.join(body_lines)))
    html_asa = advisory_extend_html(escaped, issues, package)
    return render_html_advisory(advisory=advisory, package=package, group=group, raw_asa=html_asa, generated=True)
def test_advisory_extend_html():
    """advisory_extend_html wraps package-name mentions in /package/ links.

    Builds an advisory for package ``foo`` with create_advisory_content() and
    checks that every occurrence of the name in the header, summary,
    resolution and workaround sections (including the capitalised ``Foo``)
    becomes a ``/package/foo`` anchor while the remaining text is untouched.
    """
    Package = namedtuple('package', 'pkgname')
    pkgname = 'foo'
    pkg = Package(pkgname)
    advisory_id = DEFAULT_ADVISORY_ID
    cve = 'CVE-1111-2222'
    group = DEFAULT_GROUP_NAME
    pkgver = '1.0-1'
    references = f'https://security.{pkgname}.com/{pkgname}'
    # Three lines mentioning the package at the start, middle and end.
    workaround = f"""{pkgname} yap
A {pkgname} yap
Foo {pkgname}."""
    description = ''
    impact = ''
    fields = dict(id=advisory_id,
                  cve=cve,
                  group=group,
                  pkgname=pkgname,
                  pkgver=pkgver,
                  workaround=workaround,
                  description=description,
                  impact=impact,
                  references=references)
    advisory_text = create_advisory_content(**fields)
    expected = f"""Arch Linux Security Advisory {advisory_id}
==========================================

Severity: Critical
Date    : 2012-12-21
CVE-ID  : {cve}
Package : <a href="/package/{pkgname}" rel="noopener">{pkgname}</a>
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/{group}

Summary
=======

The package <a href="/package/{pkgname}" rel="noopener">{pkgname}</a> before version {pkgver} is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to {pkgver}.

# pacman -Syu "<a href="/package/{pkgname}" rel="noopener">{pkgname}</a>>={pkgver}"

The problem has been fixed upstream in version {pkgver}.

Workaround
==========

<a href="/package/{pkgname}" rel="noopener">{pkgname}</a> yap
A <a href="/package/{pkgname}" rel="noopener">{pkgname}</a> yap
<a href="/package/{pkgname}" rel="noopener">Foo</a> <a href="/package/{pkgname}" rel="noopener">{pkgname}</a>.

Description
===========

{description}

Impact
======

{impact}

References
==========

https://security.archlinux.org/{group}
{references}
"""

    assert advisory_extend_html(advisory_text, [], pkg) == expected