Set Bugzilla aliases while assigning CVE-IDs

mozilla · Oct 25, 2023 · 8653374 · 8653374
1 parent f54704e
commit 8653374
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/foundation_security_advisories/assign_cve_ids.py b/foundation_security_advisories/assign_cve_ids.py
@@ -13,14 +13,16 @@
 )
 from foundation_security_advisories.common_cve import *
 
+
 def main():
     local_cve_advisories: dict[str, CVEAdvisory] = get_local_cve_advisories()
 
     for cve_id in local_cve_advisories:
         cve_advisory = local_cve_advisories[cve_id]
         if cve_id.startswith("MFSA-RESERVE"):
             print(f"\n-> {cve_id}")
-            replace_cve_id(cve_advisory)
+            if replace_cve_id(cve_advisory):
+                try_set_bugzilla_alias(cve_id.split("-")[-1], cve_advisory.id)
 
     if os.getenv("CI"):
         subprocess.run(

diff --git a/foundation_security_advisories/common_cve.py b/foundation_security_advisories/common_cve.py
@@ -11,6 +11,7 @@
 from json import dumps
 import difflib
 from bisect import insort
+import requests
 
 from cvelib.cve_api import CveApi
 from requests import HTTPError
@@ -30,6 +31,8 @@
 )
 
 announced_cve_steps: list[str] = []
+
+
 def print_cve_step(cve_id: str):
     if cve_id not in announced_cve_steps:
         print(f"\n-> {cve_id}")
@@ -340,3 +343,42 @@ def get_local_cve_advisories():
                         key=lambda x: x.mfsa_id,
                     )
     return local_advisories
+
+
+def try_set_bugzilla_alias(bug: str, cve_id: int):
+    """
+    Try to set the alias of the given bugzilla bug to the given CVE-ID.
+    The bug number is supposed to come from the temporary MSFA-RESERVE-{year}-{id}
+    IDs, where {id} potentially is a bugzilla bug number. All {id}s smaller than 100000
+    will be ignored. Will return without error if anything fails.
+    """
+    try:
+        # Check if we have a bugzilla API key available
+        BUGZILLA_API_KEY = os.getenv("BUGZILLA_API_KEY")
+        if not BUGZILLA_API_KEY:
+            print(
+                "Skipping alias assignment for {cve_id} (bug {bug}) as no BUGZILLA_API_KEY was provided"
+            )
+            return
+        # Make sure this is actually a number
+        bug_number = int(str)
+        # Skip smaller numbers as there is a high chance these aren't any actual bugzilla bug numbers
+        if bug_number < 100000:
+            print(
+                "Skipping alias assignment for {cve_id} as '{bug_number}' does not seem to be a bug number"
+            )
+            return
+        if not prompt_yes_no(
+            f"Should '{cve_id}' be set as an alias for bug {bug_number} on bugzilla?"
+        ):
+            print(f"Skipping alias assignment for {cve_id} (bug {bug})")
+            return False
+        # Try to update the alias for the given bug number. If this fails our try block will catch it.
+        requests.put(
+            f"https://bugzilla.mozilla.org/rest/bug/{bug_number}",
+            data={"alias": cve_id},
+            headers={"X-BUGZILLA-API-KEY": BUGZILLA_API_KEY},
+        )
+        print(f"Assigned alias {cve_id} to bug {bug}")
+    except:
+        print(f"Failed to assign alias {cve_id} to bug {bug}")
diff --git a/foundation_security_advisories/publish_cve_advisories.py b/foundation_security_advisories/publish_cve_advisories.py
@@ -24,6 +24,7 @@ def main():
             print_cve_step(cve_id)
             if not replace_cve_id(cve_advisory):
                 continue
+            try_set_bugzilla_alias(cve_id.split("-")[-1], cve_advisory.id)
             cve_id = cve_advisory.id
             owned_cve_ids.append(cve_id)