Add new "create" command to CVElib for MITRE CVE Services 2.1.0 #17
This reverts commit 8f0967e. The change introduced by this commit has not been released to the currently deployed production version of CVE Services. It will be made available when CVE Services 2.x is generally available.
Can you also please add some examples of how to use this new functionality into the readme file?
I switched this to merge to the 2.1.0 branch instead of master. We can merge this branch into master once 2.1.0 is live and we are ready to publish a cvelib version that supports it.
LGTM!
Actually, couple more comments before this gets merged:
Couple of improvements we should file as issues and address in separate MR:
It already uses json.loads, so I wrapped it in a try-except block to print a friendly message about invalid CVE JSON, plus the traceback with the exact error message.
Fixed.
You can pipe in arguments using "echo '{json_body}' | xargs cve create id" to do this, but it's not very user-friendly. I tried switching the argument to a --json option, which would let us add --file in the future. But using --option makes it...optional. So the error message when it's missing isn't as clear, and this also breaks "echo '{json_body}' | xargs cve create id". It seems like options have to be passed to the command directly and can't be piped in. Even "echo '--json {json_body}' | xargs cve create id" and many other variations don't work.
It does take only the CNA container, not the full CVE record, but the API changed so now we have to wrap the container. Added a fix.
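The input handling described in the reply above (friendly error on invalid JSON, container-only input, wrapping before submission), as an added example that is not the PR's own code. `build_create_body`, `InvalidCveJson` and the `cnaContainer` wrapper key are assumptions; the thread does not show them.

```python
import json


class InvalidCveJson(ValueError):
    """Error whose message can be shown directly to the CLI user."""


def build_create_body(raw: str) -> dict:
    """Parse a CNA container given as a JSON string and wrap it for submission.

    Assumption: the wrapper key is "cnaContainer"; the thread only says the
    container has to be wrapped, not what the wrapper looks like.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Keep the parser's position so the user can locate the mistake.
        raise InvalidCveJson(
            f"CVE JSON is not valid JSON: {exc.msg} "
            f"(line {exc.lineno}, column {exc.colno})"
        ) from exc
    if not isinstance(data, dict):
        raise InvalidCveJson("CVE JSON must be an object holding the CNA container")
    # A full CVE record carries cveMetadata and nests the container under
    # containers.cna; only the container is accepted, so say so explicitly.
    if "containers" in data or "cveMetadata" in data:
        raise InvalidCveJson("expected only the CNA container, got a full CVE record")
    if set(data) == {"cnaContainer"}:
        return data  # caller already wrapped it
    return {"cnaContainer": data}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    samples = [
        '{"affected": [], "descriptions": [{"lang": "en", "value": "demo"}]}',
        '{"affected": [}',
        '{"cveMetadata": {}, "containers": {"cna": {}}}',
    ]
    for sample in samples:
        try:
            print(build_create_body(sample))
        except InvalidCveJson as err:
            print(f"error: {err}")
```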
You can mark the option as
@mprpic Probably shouldn't be merged until after the new API version is released, but this should be ready to go.
EDIT: And per yesterday's AWG meeting the release has been delayed to address findings uncovered during testing, so no rush to review this.
Tested against a local (Docker container) instance of CVEProject/cve-services using the "staging" branch, per docs in that repo: https://github.com/CVEProject/cve-services/blob/dev/docker/README.md