#!/usr/bin/env python
import csv
import sys
# the rhsda module comes from https://github.com/RedHatProductSecurity/cve-pylib
import rhsda
# Module-wide client for the rhsda (Red Hat Security Data API) library, shared
# by get_cve_data(). logLevel="DEBUG" presumably enables the library's verbose
# logging — confirm against cve-pylib if the extra output is unwanted.
client = rhsda.ApiClient(logLevel="DEBUG")
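def get_cve_data(params, *, product="OpenShift Container Platform 4", num_threads=16):
    """Fetch the full record of every CVE matched by a search query.

    Args:
        params: query parameters passed straight to
            ``client.cve_search_query`` (``after``, ``product``, ``severity``
            in main()).
        product: product filter handed to ``client.mget_cves``. Keyword-only,
            defaulting to the value the script was written for, so existing
            callers are unchanged and other products can be reported on.
        num_threads: parallelism for ``client.mget_cves``.

    Returns:
        Whatever ``client.mget_cves(..., outFormat="json")`` returns: the
        per-CVE JSON records that get_rows() flattens.
    """
    # First a cheap search for matching CVE ids, then a bulk fetch of the
    # full records for just those ids.
    cves = client.cve_search_query(params, outFormat="list")
    return client.mget_cves(
        cves=cves,
        numThreads=num_threads,
        outFormat="json",
        product=product,
    )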
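def get_package_info(nevr):
    """Split an advisory's ``package`` field into ``(package, version)``.

    Args:
        nevr: the ``package`` value of an ``affected_release`` entry. Two
            shapes are handled: a container image reference (contains "/"),
            split at the first ":" into repository and tag; otherwise an RPM
            NEVR ("name-epoch:version-release"), whose numeric "-<epoch>"
            suffix is dropped from the name part.

    Returns:
        A ``(package, version)`` tuple of strings. A value with no ":" at all
        is returned whole as the package with an empty version instead of
        raising IndexError, so one odd record cannot abort the whole report.
    """
    parts = nevr.split(":")
    if len(parts) < 2:
        # Neither form has a ":" here; report it unsplit rather than crash.
        return nevr, ""
    name, version = parts[0], parts[1]
    if "/" in nevr:
        # Container image reference: repository:tag, nothing to strip.
        return name, version
    # RPM NEVR: the text after the last "-" of the name part is the epoch.
    # Stripping only "-0" (as before) left e.g. "openssl-1" for epoch 1;
    # any all-digit suffix is an epoch, never part of the package name.
    stem, dash, epoch = name.rpartition("-")
    if dash and epoch.isdigit():
        return stem, version
    return name, version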
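def get_rows(cve_data):
    """Flatten CVE records into the 10-column rows that main() writes as CSV.

    Args:
        cve_data: iterable of CVE dicts (the JSON shape returned by
            get_cve_data). Each record is read for ``name`` and
            ``threat_severity``; ``package_state`` and ``affected_release``
            are optional lists.

    Returns:
        list of rows ``[CVE, product name, flaw impact, status, component
        impact, package, fixed version, advisory, CPE, release date]``:

        * one row per ``package_state`` entry whose product name contains
          "OpenShift Container Platform 4" — status is the entry's
          ``fix_state``; version, advisory and CPE are "" and release date
          is None, as package_state entries carry none of them;
        * one row per (advisory, CVE) pair built from ``affected_release``
          entries for the OCP 4.9 / 4.10 product names, with status "fixed".

        In both cases the component impact falls back to the flaw's
        ``threat_severity`` when the entry has no ``impact`` of its own.
        Advisory rows are emitted grouped by advisory id in sorted order;
        main() sorts the complete output anyway.
    """
    ocp4 = "OpenShift Container Platform 4"
    fixed_products = (
        "Red Hat OpenShift Container Platform 4.9",
        "Red Hat OpenShift Container Platform 4.10",
    )
    items = []
    # advisory id -> the affected_release entry plus a "cves" set of
    # (cve name, threat severity), so an advisory covering several CVEs is
    # expanded to one row per CVE below.
    advisories = {}
    for cve in cve_data:
        for state in cve.get("package_state", []):
            if ocp4 not in state["product_name"]:
                continue
            flaw_impact = cve["threat_severity"]
            items.append([
                cve["name"],
                state["product_name"],
                flaw_impact,
                state["fix_state"],
                state.get("impact", flaw_impact),
                state["package_name"],
                "", "", "", None,
            ])
        for release in cve.get("affected_release", []):
            if not release["product_name"].startswith(fixed_products):
                continue
            # setdefault replaces the try/except KeyError lookup; the
            # release's own keys take precedence, as dict.update did before.
            entry = advisories.setdefault(
                release["advisory"], {"cves": set(), **release}
            )
            entry["cves"].add((cve["name"], cve["threat_severity"]))
    for advisory_id, entry in sorted(advisories.items()):
        # The package split does not depend on the CVE; do it once per advisory.
        package, version = get_package_info(entry["package"])
        for cve_name, flaw_impact in entry["cves"]:
            items.append([
                cve_name,
                entry["product_name"],
                flaw_impact,
                "fixed",
                entry.get("impact", flaw_impact),
                package,
                version,
                advisory_id,
                entry["cpe"],
                entry["release_date"],
            ])
    return items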
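def main():
    """Write a CSV of OpenShift Container Platform 4 CVE rows to stdout.

    Runs one CVE search per severity level of interest ("important", then
    "critical") with the same date and product filter, flattens each result
    with get_rows(), and writes a header line followed by all rows sorted on
    their full contents (CVE id first) so the output is stable across runs.
    """
    rows = []
    # The two original queries differed only in "severity"; build them in a
    # loop so the shared filters are stated once.
    for severity in ("important", "critical"):
        params = {
            "after": "2020-01-01",
            "product": "OpenShift Container Platform 4",
            "severity": severity,
        }
        rows += get_rows(get_cve_data(params))
    writer = csv.writer(sys.stdout)
    writer.writerow([
        "CVE", "Product Name", "Flaw Impact", "Status", "Component Impact",
        "Package", "Fixed Version", "Advisory", "CPE", "Release Date",
    ])
    writer.writerows(sorted(rows))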
# Script entry point; importing the module only builds the client above.
if __name__ == "__main__":
    main()