diff --git a/CHANGELOG.md b/CHANGELOG.md index 26f1717..ee193fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # Changelog +## [1.3.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.2.1...1.3.0) (Jan 26, 2024) + +* Fixed displaying timestamps for older records (#66). +* Added auto-completion of sub-commands (#73). +* Added support for ADP containers (#70): + * A new `publish-adp` command is added that allows publishing of ADP containers into an existing CVE record (this is + only possible if a CVE is in the published state). + * The `show` subcommand now allows displaying a CNA container or all/subset of existing ADP containers (identified by + the org's name that created it). + * ADP containers can only be published and updated, so there is no functionality to remove them. +* CVE state constants were updated to match the case used by CVE Services, e.g. `rejected` -> `REJECTED` (#75). +* Fixed displaying CVE ID reservations for records that are missing the `user` attribute (#76). + ## [1.2.1](https://github.com/RedHatProductSecurity/cvelib/compare/1.2.0...1.2.1) (Feb 16, 2023) * Improved `CveRecordValidationError` exception error message. diff --git a/README.md b/README.md index 9b23e06..17bef48 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ A library and a command line interface for the CVE Services API. -**Note**: version 1.0.0 of cvelib is compatible with CVE Services 2.1. +**Note**: version 1.3.0 of cvelib is compatible with CVE Services 2.2.0. ## Requirements 
@@ -255,27 +255,23 @@ above to your `venv/bin/activate` file, for example: echo 'eval "$(_CVE_COMPLETE=bash_source cve)"' >> venv/bin/activate ``` -This project uses the [Black](https://black.readthedocs.io) code formatter. To reformat the entire -code base after you make any changes, run: +This project uses the [Black](https://black.readthedocs.io) code formatter. To reformat the entire code base after you make any changes, run: ```bash -# Reformat code base with Black -pip install black black . ``` -To sort all imports using [isort](https://pycqa.github.io/isort/), run: +To sort all imports using [ruff](https://docs.astral.sh/ruff/) (which replicates the behavior of +[isort](https://pycqa.github.io/isort/), run: ```bash -# Sort all imports -pip install isort -isort . +ruff check --select I --fix . ``` -Running tests and linters (`flake8`, `mypy`, and `isort`/`black` formatting checks): +Running tests and linters: ```bash -# Run all tests and format check (also run as a Github action) +# Run all tests and format/lint checks (also run as a Github action) tox # Run format check only tox -e black diff --git a/cvelib/__init__.py b/cvelib/__init__.py index a955fda..67bc602 100644 --- a/cvelib/__init__.py +++ b/cvelib/__init__.py @@ -1 +1 @@ -__version__ = "1.2.1" +__version__ = "1.3.0" diff --git a/man/cve-list.1 b/man/cve-list.1 index 0d19886..228c54b 100644 --- a/man/cve-list.1 +++ b/man/cve-list.1 @@ -1,4 +1,4 @@ -.TH "CVE LIST" "1" "2023-02-15" "1.2.1" "cve list Manual" +.TH "CVE LIST" "1" "2024-01-26" "1.3.0" "cve list Manual" .SH NAME cve\-list \- Filter and list reserved CVE IDs owned by... .SH SYNOPSIS @@ -20,7 +20,7 @@ Sort output. \fB\-\-year\fP TEXT Filter by year. .TP -\fB\-\-state\fP [reserved|published|rejected] +\fB\-\-state\fP [RESERVED|PUBLISHED|REJECTED] Filter by reservation state. .TP \fB\-\-reserved\-lt\fP [%Y\-%m\-%d|%Y\-%m\-%dT%H:%M:%S|%Y\-%m\-%d %H:%M:%S] diff --git a/man/cve-org-users.1 b/man/cve-org-users.1 index 79b62a3..e6d923e 100644 
--- a/man/cve-org-users.1
+++ b/man/cve-org-users.1
@@ -1,4 +1,4 @@
-.TH "CVE ORG USERS" "1" "2023-02-15" "1.2.1" "cve org users Manual"
+.TH "CVE ORG USERS" "1" "2024-01-26" "1.3.0" "cve org users Manual"
 .SH NAME
 cve\-org\-users \- List all users in your organization.
 .SH SYNOPSIS
diff --git a/man/cve-org.1 b/man/cve-org.1
index 6383664..1007e8d 100644
--- a/man/cve-org.1
+++ b/man/cve-org.1
@@ -1,4 +1,4 @@
-.TH "CVE ORG" "1" "2023-02-15" "1.2.1" "cve org Manual"
+.TH "CVE ORG" "1" "2024-01-26" "1.3.0" "cve org Manual"
 .SH NAME
 cve\-org \- Show information about your organization.
 .SH SYNOPSIS
diff --git a/man/cve-ping.1 b/man/cve-ping.1
index e6ddbad..4439ccb 100644
--- a/man/cve-ping.1
+++ b/man/cve-ping.1
@@ -1,4 +1,4 @@
-.TH "CVE PING" "1" "2023-02-15" "1.2.1" "cve ping Manual"
+.TH "CVE PING" "1" "2024-01-26" "1.3.0" "cve ping Manual"
 .SH NAME
 cve\-ping \- Ping the CVE Services API to see if it is up.
 .SH SYNOPSIS
diff --git a/man/cve-publish-adp.1 b/man/cve-publish-adp.1
new file mode 100644
index 0000000..95eab1d
--- /dev/null
+++ b/man/cve-publish-adp.1
@@ -0,0 +1,39 @@
+.TH "CVE PUBLISH-ADP" "1" "2024-01-26" "1.3.0" "cve publish-adp Manual"
+.SH NAME
+cve\-publish-adp \- Add or update an ADP container in a CVE...
+.SH SYNOPSIS
+.B cve publish-adp
+[OPTIONS] CVE_ID
+.SH DESCRIPTION
+Add or update an ADP container in a CVE record for a published CVE ID.
+.PP
+ NOTE: a published ADP container cannot be removed, only updated with new data.
+.PP
+ The ADP container can be specified as a string:
+.PP
+ cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+.PP
+ Or passed in a file:
+.PP
+ cve publish-adp CVE-2022-1234 -f adp.json
+.PP
+ For information on the required properties in a given ADP container of a CVE record,
+ see the schema in:
+.PP
+ https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+ https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_adp
+.PP
+ Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
+ the data you pass to this command can specify just the attributes defined by the adpContainer
+ subschema.
+
+.SH OPTIONS
+.TP
+\fB\-j,\fP \-\-adp\-json TEXT
+JSON body of the ADP container to publish.
+.TP
+\fB\-f,\fP \-\-adp\-json\-file FILENAME
+File containing JSON body of ADP container to publish.
+.TP
+\fB\-\-raw\fP
+Print response JSON.
diff --git a/man/cve-publish.1 b/man/cve-publish.1
index 12e68c3..1eba1d0 100644
--- a/man/cve-publish.1
+++ b/man/cve-publish.1
@@ -1,30 +1,33 @@
-.TH "CVE PUBLISH" "1" "2023-02-15" "1.2.1" "cve publish Manual"
+.TH "CVE PUBLISH" "1" "2024-01-26" "1.3.0" "cve publish Manual"
 .SH NAME
-cve\-publish \- Publish a CVE record for a reserved (or...
+cve\-publish \- Publish a CNA container of a CVE record...
 .SH SYNOPSIS
 .B cve publish
 [OPTIONS] CVE_ID
 .SH DESCRIPTION
-Publish a CVE record for a reserved (or rejected) CVE ID.
+Publish a CNA container of a CVE record for a reserved (or rejected) CVE ID.
 .PP
- If the CVE is already published, this action will update its record. A published CVE can only be
- moved to the rejected state with an appropriate reject record (see `cve reject`). A published
- CVE cannot be moved back to the reserved state.
+ If the CVE is already published, this action will update the CNA container in its record. A
+ published CVE can only be moved to the rejected state with an appropriate reject record (see
+ `cve reject`). A published CVE cannot be moved back to the reserved state.
 .PP
- The CVE record can be specified as a string:
+ The CNA container can be specified as a string:
 .PP
 cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
 Or passed in a file:
 .PP
- cve publish CVE-2022-1234 -f v5_record.json
+ cve publish CVE-2022-1234 -f cve.json
 .PP
- For information on the required properties in a given CVE JSON record, see the schema in:
+ For information on the required properties in a given CNA container of a CVE record,
+ see the schema in:
 .PP
 https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+ https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna
 .PP
- Because the CVE Services API only expects the cnaPublishedContainer contents of the full record,
- the record you pass to this command can specify just that data, and not the full record.
+ Because the CVE Services API only expects the CNA container contents of the full CVE v5 record, + the data you pass to this command can specify just the attributes defined by the + cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record. .SH OPTIONS .TP diff --git a/man/cve-quota.1 b/man/cve-quota.1 index 1159614..09fa7b4 100644 --- a/man/cve-quota.1 +++ b/man/cve-quota.1 @@ -1,4 +1,4 @@ -.TH "CVE QUOTA" "1" "2023-02-15" "1.2.1" "cve quota Manual" +.TH "CVE QUOTA" "1" "2024-01-26" "1.3.0" "cve quota Manual" .SH NAME cve\-quota \- Display the available CVE ID quota for... .SH SYNOPSIS diff --git a/man/cve-reject.1 b/man/cve-reject.1 index 00e49a3..9a32677 100644 --- a/man/cve-reject.1 +++ b/man/cve-reject.1 @@ -1,4 +1,4 @@ -.TH "CVE REJECT" "1" "2023-02-15" "1.2.1" "cve reject Manual" +.TH "CVE REJECT" "1" "2024-01-26" "1.3.0" "cve reject Manual" .SH NAME cve\-reject \- Reject a CVE record for a reserved or... .SH SYNOPSIS @@ -11,6 +11,8 @@ Reject a CVE record for a reserved or published CVE ID. A rejected CVE with a record can only be moved to the published state (see `cve publish`). A rejected CVE without a record can be moved to the reserved state. A published CVE can only be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record. +.PP + Note: Rejecting a published CVE removes both the CNA and ADP data of that record. .PP The CVE reject record can be specified as a string: .PP diff --git a/man/cve-reserve.1 b/man/cve-reserve.1 index 52d33b3..4b90642 100644 --- a/man/cve-reserve.1 +++ b/man/cve-reserve.1 @@ -1,4 +1,4 @@ -.TH "CVE RESERVE" "1" "2023-02-15" "1.2.1" "cve reserve Manual" +.TH "CVE RESERVE" "1" "2024-01-26" "1.3.0" "cve reserve Manual" .SH NAME cve\-reserve \- Reserve one or more CVE IDs. .SH SYNOPSIS diff --git a/man/cve-show.1 b/man/cve-show.1 index 5cf9e79..c95506f 100644 --- a/man/cve-show.1 +++ b/man/cve-show.1 
@@ -1,4 +1,4 @@
-.TH "CVE SHOW" "1" "2023-02-15" "1.2.1" "cve show Manual"
+.TH "CVE SHOW" "1" "2024-01-26" "1.3.0" "cve show Manual"
 .SH NAME
 cve\-show \- Display a specific CVE ID (and optionally...
 .SH SYNOPSIS
@@ -9,7 +9,13 @@ Display a specific CVE ID (and optionally its record) owned by your CNA.
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-show\-record
-Show full CVE record in JSON v5 format.
+Show full CVE v5 record.
+.TP
+\fB\-c,\fP \-\-show\-cna
+Show only the CNA container of a CVE v5 record.
+.TP
+\fB\-a,\fP \-\-show\-adp TEXT
+Show all ADP containers, or a specific one identified by the owning org (option can be used multiple times). [default: (all ADP containers)]
 .TP
 \fB\-\-raw\fP
 Print response JSON.
diff --git a/man/cve-undo-reject.1 b/man/cve-undo-reject.1
index e3e4145..6001e33 100644
--- a/man/cve-undo-reject.1
+++ b/man/cve-undo-reject.1
@@ -1,4 +1,4 @@
-.TH "CVE UNDO-REJECT" "1" "2023-02-15" "1.2.1" "cve undo-reject Manual"
+.TH "CVE UNDO-REJECT" "1" "2024-01-26" "1.3.0" "cve undo-reject Manual"
 .SH NAME
 cve\-undo-reject \- Move a rejected CVE ID without a record...
 .SH SYNOPSIS
diff --git a/man/cve-user-create.1 b/man/cve-user-create.1
index c89f6f5..d29d6e5 100644
--- a/man/cve-user-create.1
+++ b/man/cve-user-create.1
@@ -1,4 +1,4 @@
-.TH "CVE USER CREATE" "1" "2023-02-15" "1.2.1" "cve user create Manual"
+.TH "CVE USER CREATE" "1" "2024-01-26" "1.3.0" "cve user create Manual"
 .SH NAME
 cve\-user\-create \- Create a user in your organization.
 .SH SYNOPSIS
diff --git a/man/cve-user-reset-key.1 b/man/cve-user-reset-key.1
index 2a7cafc..0516dd8 100644
--- a/man/cve-user-reset-key.1
+++ b/man/cve-user-reset-key.1
@@ -1,4 +1,4 @@
-.TH "CVE USER RESET-KEY" "1" "2023-02-15" "1.2.1" "cve user reset-key Manual"
+.TH "CVE USER RESET-KEY" "1" "2024-01-26" "1.3.0" "cve user reset-key Manual"
 .SH NAME
 cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH SYNOPSIS
diff --git a/man/cve-user-update.1 b/man/cve-user-update.1
index df30107..8916be8 100644
--- a/man/cve-user-update.1
+++ b/man/cve-user-update.1
@@ -1,4 +1,4 @@
-.TH "CVE USER UPDATE" "1" "2023-02-15" "1.2.1" "cve user update Manual"
+.TH "CVE USER UPDATE" "1" "2024-01-26" "1.3.0" "cve user update Manual"
 .SH NAME
 cve\-user\-update \- Update a user.
 .SH SYNOPSIS
diff --git a/man/cve-user.1 b/man/cve-user.1
index 15b3f03..b77a279 100644
--- a/man/cve-user.1
+++ b/man/cve-user.1
@@ -1,4 +1,4 @@
-.TH "CVE USER" "1" "2023-02-15" "1.2.1" "cve user Manual"
+.TH "CVE USER" "1" "2024-01-26" "1.3.0" "cve user Manual"
 .SH NAME
 cve\-user \- Show information about a user.
 .SH SYNOPSIS
diff --git a/man/cve.1 b/man/cve.1
index d04184b..612b90e 100644
--- a/man/cve.1
+++ b/man/cve.1
@@ -1,4 +1,4 @@
-.TH "CVE" "1" "2023-02-15" "1.2.1" "cve Manual"
+.TH "CVE" "1" "2024-01-26" "1.3.0" "cve Manual"
 .SH NAME
 cve \- A CLI interface for the CVE Services API.
 .SH SYNOPSIS
@@ -31,9 +31,13 @@ Show the version and exit.
 .SH COMMANDS
 .PP
 \fBpublish\fP
- Publish a CVE record for a reserved (or...
+ Publish a CNA container of a CVE record...
 See \fBcve-publish(1)\fP for full documentation on the \fBpublish\fP command.
 .PP
+\fBpublish-adp\fP
+ Add or update an ADP container in a CVE...
+ See \fBcve-publish-adp(1)\fP for full documentation on the \fBpublish-adp\fP command.
+.PP
 \fBreject\fP
 Reject a CVE record for a reserved or...
 See \fBcve-reject(1)\fP for full documentation on the \fBreject\fP command.
diff --git a/setup.py b/setup.py
index 0d6df5a..f2629b2 100644
--- a/setup.py
+++ b/setup.py
@@ -13,9 +13,8 @@
 dev_require = [
 *tests_require,
 "black",
+ "ruff",
 "click-man",
- "flake8",
- "isort",
 "mypy",
 "tox",
 "types-click",
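Review bot: The added `"ruff",` entry in `dev_require` has no version constraint, like the entries around it, so each fresh install of the dev extras resolves whatever release the package index serves at that moment. Ruff's lint and import-sorting behaviour can change between releases, so the `ruff check --select I --fix .` step documented in the README may start rewriting or failing code nobody touched, and an unbounded tool that also runs in CI widens the supply-chain surface. Consider a bounded specifier such as `"ruff>=MIN_TESTED,<NEXT_BREAKING",` (placeholders for the versions the project actually tested), unless the tox or CI configuration, which this diff does not show, already pins it. The `dev_require` list continues past the end of the hunk.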