fix: fix filtering of the cves in triage process

mastersans · Jul 28, 2024 · 01d64dc · 01d64dc
1 parent 8977fda
commit 01d64dc
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 12 deletions.
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -181,12 +181,6 @@ def main(argv=None):
         default="",
         help="provide input filename",
     )
-    input_group.add_argument(
-        "--triage-input-file",
-        action="store",
-        default="",
-        help="provide input filename for triage data",
-    )
     input_group.add_argument(
         "-C", "--config", action="store", default="", help="provide config file"
     )
@@ -390,8 +384,8 @@ def main(argv=None):
     )
     output_group.add_argument(
         "--filter-triage",
-        action="store",
-        default=True,
+        action="store_true",
+        default=False,
         help="Filter cves based on triage data from Vex file",
     )
     parser.add_argument(

diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -82,12 +82,42 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
             return
 
         if product_info in self.all_cve_data:
-            # If product_info already in all_cve_data no need to fetch cves from database again
-            # We just need to update paths.
+            # If product_info already in all_cve_data, no need to fetch CVEs from the database again.
+            # We just need to update paths and triage data.
             self.logger.debug(
-                f"{product_info} already processed. Update path {triage_data['paths']}"
+                f"{product_info} already processed. Update paths {triage_data['paths']}"
             )
-            # self.products_with_cve += 1
+
+            # Update the triage data
+            cve_data = self.all_cve_data[product_info]["cves"]
+            new_cve_data = []
+
+            for cve in cve_data:
+                cve_number = cve.cve_number
+                if cve_number in triage_data:
+                    for key in [
+                        "remarks",
+                        "comments",
+                        "response",
+                        "justification",
+                        "severity",
+                    ]:
+                        data = triage_data[cve_number].get(key)
+                        if data:
+                            if (
+                                key == "severity"
+                                and self.check_exploits
+                                and cve_number in self.exploits_list
+                            ):
+                                data += "-EXPLOIT"
+
+                            self.logger.debug(f"Setting field {key} to: {data}")
+                            cve = cve._replace(**{key: data})
+                new_cve_data.append(cve)
+
+            self.all_cve_data[product_info]["cves"] = new_cve_data
+
+            # Update paths
             self.all_cve_data[product_info]["paths"] |= set(triage_data["paths"])
             return