{"id":18324869,"url":"https://github.com/diabonas/arch-security-tracker-tools","last_synced_at":"2025-04-06T00:31:05.703Z","repository":{"id":129987271,"uuid":"368118552","full_name":"diabonas/arch-security-tracker-tools","owner":"diabonas","description":"Tools to make working with the Arch Linux Security Tracker easier","archived":false,"fork":false,"pushed_at":"2021-11-04T14:15:09.000Z","size":45,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-21T13:53:22.110Z","etag":null,"topics":["advisory","archlinux","cve","security","tracker"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/diabonas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-17T08:53:52.000Z","updated_at":"2024-06-15T04:31:47.000Z","dependencies_parsed_at":"2023-11-20T05:30:36.272Z","dependency_job_id":null,"html_url":"https://github.com/diabonas/arch-security-tracker-tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diabonas%2Farch-security-tracker-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diabonas%2Farch-security-tracker-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diabonas%2Farch-security-tracker-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diabonas%2Farch-security-tracker-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/diabonas","download_url":"https://codeload.github.com/diabonas/arch-security-tracker-tools/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247419597,"owners_count":20936009,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advisory","archlinux","cve","security","tracker"],"created_at":"2024-11-05T18:36:02.578Z","updated_at":"2025-04-06T00:31:05.698Z","avatar_url":"https://github.com/diabonas.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Arch Linux Security Tracker Tools\n\nThis is a collection of Python scripts to make working with the [Arch Linux\nSecurity Tracker](https://github.com/archlinux/arch-security-tracker) easier.\n\n## Features\n\n* CVE entry extraction from multiple sources (currently\n  [Chromium](#chromium), [GitLab](#gitlab), [Mozilla](#mozilla),\n  [NVD](#national-vulnerability-database-nvd), [Oracle](#oracle) and [WebKitGTK](#webkitgtk)) into\n  a JSON format consumable by the tracker\n* Automatic batch addition of the extracted CVE entries to the tracker\n\n## Dependencies\n\n* python \u003e= 3.6\n* python-click\n* python-lxml\n* python-requests\n\n## CVE entry extraction\n\nCVEs can be extracted from multiple sources. All extractors take the CVEs to\nbe considered as a list of arguments and output the extracted CVE in JSON form.\nThe JSON format follows the one used by the tracker as part of its API\nendpoints, e.g. \u003chttps://security.archlinux.org/CVE-2019-9956.json\u003e.\n\n### Chromium\n\n```sh\n./trackertools extract chromium URL...\n```\nextracts CVEs issued for [Chrome](https://chromereleases.googleblog.com/), where\n`URL` is the URL of a Chrome release blog post, e.g.\n\u003chttps://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop.html\u003e.\n\nThe description is of the form \"A `type` security issue has been found in the\n`component` component of the Chromium browser engine before version\n`new_version`.\", where `type`, `component` and `new_version` are extracted from\nthe blog post. The corresponding severity is taken from the blog post as well.\nThe URL of the blog post and the link to the corresponding Chromium bug report\nas specified in the blog post are used as references. The attack vector is\nassumed to be \"Remote\" by default as Chromium is a browser. The type of the\nvulnerability is always set to \"Unknown\" and needs to be filled in by hand by\nthe user.\n\n### GitLab\n\n```sh\n./trackertools extract gitlab CVE...\n```\nextracts CVE entries assigned by the [GitLab\nCNA](https://gitlab.com/gitlab-org/cves), for the GitLab products as well as\nsome projects hosted on GitLab. These CVEs are usually added to the NVD\ndatabase quite quickly as well, but the GitLab entries have more detailed\ninformation regarding the CVSS score quicker.\n\nDescription and references are taken verbatim from the NVD CVE entry. Severity\nand attack vector are derived from the CVSS v3. The type of the vulnerability\nis always set to \"Unknown\" and needs to be filled by hand by the user.\n\n### Mozilla\n\n```sh\n./trackertools extract mozilla CVE... MFSA...\n```\nextracts CVEs issued by\n[Mozilla](https://www.mozilla.org/en-US/security/advisories/), mostly for\nFirefox and Thunderbird. `MFSA` is an advisory number issued by Mozilla, e.g.\n[`mfsa2021-01`](https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/).\nIf a MFSA is specified, all CVEs included in this advisory will be extracted.\n\nDescription, references and severity are taken verbatim from the Mozilla\nadvisory. The attack vector is assumed to be \"Remote\" by default due to the\nnature of the Mozilla products. The type of the vulnerability is always set to\n\"Unknown\" and needs to be filled by hand by the user.\n\n### National Vulnerability Database (NVD)\n\n```sh\n./trackertools extract nvd CVE...\n```\nextracts CVE entries from the official [National Vulnerability\nDatabase](https://nvd.nist.gov/). This is mostly included as an example for\nworking with the JSON format. CVEs obtained from this source often require\nmanual changes to the description and references before they can be used for\nthe tracker.\n\nDescription and references are taken verbatim from the NVD CVE entry. Severity\nand attack vector are derived from the CVSS v3 if present (this usually takes a\nfew day after the CVE has been published). The type of the vulnerability is\nalways set to \"Unknown\" and needs to be filled by hand by the user.\n\n### Oracle\n\n```sh\n./trackertools extract oracle URL...\n```\nextracts CVEs issued by [Oracle](https://www.oracle.com/security-alerts/),\nwhere `URL` is the URL of the *verbose text form* of an Oracle Critical Patch\nUpdate (CPU), e.g.\n\u003chttps://www.oracle.com/security-alerts/cpuoct2021verbose.html\u003e.\n\nThe description is taken verbatim from the adivsory (and is therefore quite low\nquality because these texts are autogenerated). Severity and attack vector are\nderived from the CVSS v3. The URL of the advisory is used as a reference. The\ntype of the vulnerability is always set to \"Unknown\" and needs to be filled in\nby hand by the user.\n\n### WebKitGTK\n\n```sh\n./trackertools extract webkitgtk URL...\n```\nextracts CVEs issued for [WebKitGTK](https://webkitgtk.org/security.html),\nwhere `URL` is the URL of a WebKitGTK advisory, e.g.\n\u003chttps://webkitgtk.org/security/WSA-2021-0004.html\u003e.\n\nThe description is of the form \"A security issue has been found in `version`.\n`impact`\", where `version` and `impact` are extracted from the advisory. The\nURL of the advisory is used as a reference. The attack vector is assumed to be\n\"Remote\" by default as WebKitGTK is a browser engine. The type and severity of\nthe vulnerability are always set to \"Unknown\" and need to be filled in by hand\nby the user.\n\n## CVE upload to the security tracker\n\n```sh\n./trackertools add INPUT\n```\nadds CVEs to the Arch Linux Security Tracker. It reads a JSON file generated by\none of the extractors and tries to create a new CVE for each of the items found in\nthere. The necessary login credentials can be supplied using the `--username`\nand `--password` options, the `TRACKER_USERNAME` and `TRACKER_PASSWORD`\nenvironment variables, or will otherwise be queried on the TTY.\n\nNote that only adding new CVEs is supported at the moment. Trying to add an\nalready existing CVE will try to merge the data according to the upstream\ntracker logic, which will only partially succeed if the data is conflicting.\n\nThe URL to the tracker is set as \u003chttps://security.archlinux.org\u003e by default,\nbut can be changed for debugging purposes by setting the `--tracker-url` option\nor `TRACKER_URL` environment variable, e.g. to a tracker instance running\nlocally:\n\n```sh\nTRACKER_URL='http://127.0.0.32:5000' ./trackertools add\n```\n\n## Example workflow\n\n1. Download a set of CVEs using one of the extractors to a JSON file, e.g.\n\n    ```sh\n    ./trackertools extract mozilla --output=mfsa2021-01.json mfsa2021-01\n    ```\n\n2. Edit the file to check the generated data and add missing information like\nthe vulnerability type:\n\n    ```sh\n    $EDITOR mfsa2021-01.json\n    ```\n\n3. Upload the CVEs to the tracker:\n\n    ```sh\n    ./trackertools add mfsa2021-01.json\n    ```\n\nMissing or incorrect information can be edited afterwards using the web\ninterface of the tracker. Be careful, mass-editing messed up CVE entries has\nnot been implemented yet...\n\n## Utilities\n\n```sh\n./trackertools strip-markdown INPUT\n```\ntakes a JSON list of CVEs and strips all markdown formatting from it, which can\nbe useful if the upstream advisory makes use of it because the Arch Linux\nsecurity tracker does not. The stripped version is written to stdout by\ndefault, but can be redirected to a file using the `--output` option.\n\n## TODO\n\n* Implement more extractors\n* Validation of the generated JSON files, at least in `./trackertools add`\n* Better error handling\n* [SSO support using Keycloak](https://github.com/archlinux/arch-security-tracker/pull/181)\n* Batch editing of existing CVEs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiabonas%2Farch-security-tracker-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdiabonas%2Farch-security-tracker-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiabonas%2Farch-security-tracker-tools/lists"}