Release 1.3.0

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [1.3.0](https://github.com/RedHatProductSecurity/cvelib/compare/1.2.1...1.3.0) (Jan 26, 2024)
+
+* Fixed displaying timestamps for older records (#66).
+* Added auto-completion of sub-commands (#73).
+* Added support for ADP containers (#70):
+  * A new `publish-adp` command is added that allows publishing of ADP containers into an existing CVE record (this is
+    only possible if a CVE is in the published state).
+  * The `show` subcommand now allows displaying a CNA container or all/subset of existing ADP containers (identified by
+    the org's name that created it).
+  * ADP containers can only be published and updated, so there is no functionality to remove them.
+* CVE state constants were updated to match the case used by CVE Services, e.g. `rejected` -> `REJECTED` (#75).
+* Fixed displaying CVE ID reservations for records that are missing the `user` attribute (#76).
+
 ## [1.2.1](https://github.com/RedHatProductSecurity/cvelib/compare/1.2.0...1.2.1) (Feb 16, 2023)
 
 * Improved `CveRecordValidationError` exception error message.

README.md

@@ -2,7 +2,7 @@
 
 A library and a command line interface for the CVE Services API.
 
-**Note**: version 1.0.0 of cvelib is compatible with CVE Services 2.1.
+**Note**: version 1.3.0 of cvelib is compatible with CVE Services 2.2.0.
 
 ## Requirements
 
@@ -255,27 +255,23 @@ above to your `venv/bin/activate` file, for example:
 echo 'eval "$(_CVE_COMPLETE=bash_source cve)"' >> venv/bin/activate
 ```
 
-This project uses the [Black](https://black.readthedocs.io) code formatter. To reformat the entire
-code base after you make any changes, run:
+This project uses the [Black](https://black.readthedocs.io) code formatter. To reformat the entire code base after you make any changes, run:
 
 ```bash
-# Reformat code base with Black
-pip install black
 black .
 ```
 
-To sort all imports using [isort](https://pycqa.github.io/isort/), run:
+To sort all imports using [ruff](https://docs.astral.sh/ruff/) (which replicates the behavior of
+[isort](https://pycqa.github.io/isort/), run:
 
 ```bash
-# Sort all imports
-pip install isort
-isort .
+ruff check --select I --fix .
 ```
 
-Running tests and linters (`flake8`, `mypy`, and `isort`/`black` formatting checks):
+Running tests and linters:
 
 ```bash
-# Run all tests and format check (also run as a Github action)
+# Run all tests and format/lint checks (also run as a Github action)
 tox
 # Run format check only
 tox -e black

cvelib/__init__.py

@@ -1 +1 @@
-__version__ = "1.2.1"
+__version__ = "1.3.0"

man/cve-list.1

@@ -1,4 +1,4 @@
-.TH "CVE LIST" "1" "2023-02-15" "1.2.1" "cve list Manual"
+.TH "CVE LIST" "1" "2024-01-26" "1.3.0" "cve list Manual"
 .SH NAME
 cve\-list \- Filter and list reserved CVE IDs owned by...
 .SH SYNOPSIS
@@ -20,7 +20,7 @@ Sort output.
 \fB\-\-year\fP TEXT
 Filter by year.
 .TP
-\fB\-\-state\fP [reserved|published|rejected]
+\fB\-\-state\fP [RESERVED|PUBLISHED|REJECTED]
 Filter by reservation state.
 .TP
 \fB\-\-reserved\-lt\fP [%Y\-%m\-%d|%Y\-%m\-%dT%H:%M:%S|%Y\-%m\-%d %H:%M:%S]

man/cve-org-users.1

@@ -1,4 +1,4 @@
-.TH "CVE ORG USERS" "1" "2023-02-15" "1.2.1" "cve org users Manual"
+.TH "CVE ORG USERS" "1" "2024-01-26" "1.3.0" "cve org users Manual"
 .SH NAME
 cve\-org\-users \- List all users in your organization.
 .SH SYNOPSIS

man/cve-org.1

@@ -1,4 +1,4 @@
-.TH "CVE ORG" "1" "2023-02-15" "1.2.1" "cve org Manual"
+.TH "CVE ORG" "1" "2024-01-26" "1.3.0" "cve org Manual"
 .SH NAME
 cve\-org \- Show information about your organization.
 .SH SYNOPSIS

man/cve-ping.1

@@ -1,4 +1,4 @@
-.TH "CVE PING" "1" "2023-02-15" "1.2.1" "cve ping Manual"
+.TH "CVE PING" "1" "2024-01-26" "1.3.0" "cve ping Manual"
 .SH NAME
 cve\-ping \- Ping the CVE Services API to see if it is up.
 .SH SYNOPSIS

man/cve-publish-adp.1

@@ -0,0 +1,39 @@
+.TH "CVE PUBLISH-ADP" "1" "2024-01-26" "1.3.0" "cve publish-adp Manual"
+.SH NAME
+cve\-publish-adp \- Add or update an ADP container in a CVE...
+.SH SYNOPSIS
+.B cve publish-adp
+[OPTIONS] CVE_ID
+.SH DESCRIPTION
+Add or update an ADP container in a CVE record for a published CVE ID.
+.PP
+    NOTE: a published ADP container cannot be removed, only updated with new data.
+.PP
+    The ADP container can be specified as a string:
+.PP
+      cve publish-adp CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
+.PP
+    Or passed in a file:
+.PP
+      cve publish-adp CVE-2022-1234 -f adp.json
+.PP
+    For information on the required properties in a given ADP container of a CVE record,
+    see the schema in:
+.PP
+    https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+    https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_adp
+.PP
+    Because the CVE Services API only expects the ADP container contents of the full CVE v5 record,
+    the data you pass to this command can specify just the attributes defined by the adpContainer
+    subschema.
+
+.SH OPTIONS
+.TP
+\fB\-j,\fP \-\-adp\-json TEXT
+JSON body of the ADP container to publish.
+.TP
+\fB\-f,\fP \-\-adp\-json\-file FILENAME
+File containing JSON body of ADP container to publish.
+.TP
+\fB\-\-raw\fP
+Print response JSON.

man/cve-publish.1

@@ -1,30 +1,33 @@
-.TH "CVE PUBLISH" "1" "2023-02-15" "1.2.1" "cve publish Manual"
+.TH "CVE PUBLISH" "1" "2024-01-26" "1.3.0" "cve publish Manual"
 .SH NAME
-cve\-publish \- Publish a CVE record for a reserved (or...
+cve\-publish \- Publish a CNA container of a CVE record...
 .SH SYNOPSIS
 .B cve publish
 [OPTIONS] CVE_ID
 .SH DESCRIPTION
-Publish a CVE record for a reserved (or rejected) CVE ID.
+Publish a CNA container of a CVE record for a reserved (or rejected) CVE ID.
 .PP
-    If the CVE is already published, this action will update its record. A published CVE can only be
-    moved to the rejected state with an appropriate reject record (see `cve reject`). A published
-    CVE cannot be moved back to the reserved state.
+    If the CVE is already published, this action will update the CNA container in its record. A
+    published CVE can only be moved to the rejected state with an appropriate reject record (see
+    `cve reject`). A published CVE cannot be moved back to the reserved state.
 .PP
-    The CVE record can be specified as a string:
+    The CNA container can be specified as a string:
 .PP
       cve publish CVE-2022-1234 -j '{"affected": [], "descriptions": [], "references": {}, ...}'
 .PP
     Or passed in a file:
 .PP
-      cve publish CVE-2022-1234 -f v5_record.json
+      cve publish CVE-2022-1234 -f cve.json
 .PP
-    For information on the required properties in a given CVE JSON record, see the schema in:
+    For information on the required properties in a given CNA container of a CVE record,
+    see the schema in:
 .PP
     https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
+    https://cveproject.github.io/cve-schema/schema/v5.0/docs/#oneOf_i0_containers_cna
 .PP
-    Because the CVE Services API only expects the cnaPublishedContainer contents of the full record,
-    the record you pass to this command can specify just that data, and not the full record.
+    Because the CVE Services API only expects the CNA container contents of the full CVE v5 record,
+    the data you pass to this command can specify just the attributes defined by the
+    cnaPublishedContainer or cnaRejectedContainer subschemas, and not the full schema record.
 
 .SH OPTIONS
 .TP

man/cve-quota.1

@@ -1,4 +1,4 @@
-.TH "CVE QUOTA" "1" "2023-02-15" "1.2.1" "cve quota Manual"
+.TH "CVE QUOTA" "1" "2024-01-26" "1.3.0" "cve quota Manual"
 .SH NAME
 cve\-quota \- Display the available CVE ID quota for...
 .SH SYNOPSIS

man/cve-reject.1

@@ -1,4 +1,4 @@
-.TH "CVE REJECT" "1" "2023-02-15" "1.2.1" "cve reject Manual"
+.TH "CVE REJECT" "1" "2024-01-26" "1.3.0" "cve reject Manual"
 .SH NAME
 cve\-reject \- Reject a CVE record for a reserved or...
 .SH SYNOPSIS
@@ -11,6 +11,8 @@ Reject a CVE record for a reserved or published CVE ID.
     A rejected CVE with a record can only be moved to the published state (see `cve publish`).
     A rejected CVE without a record can be moved to the reserved state. A published CVE can only
     be rejected with an accompanying record. Reserved CVEs can be rejected with or without a record.
+.PP
+    Note: Rejecting a published CVE removes both the CNA and ADP data of that record.
 .PP
     The CVE reject record can be specified as a string:
 .PP

man/cve-reserve.1

@@ -1,4 +1,4 @@
-.TH "CVE RESERVE" "1" "2023-02-15" "1.2.1" "cve reserve Manual"
+.TH "CVE RESERVE" "1" "2024-01-26" "1.3.0" "cve reserve Manual"
 .SH NAME
 cve\-reserve \- Reserve one or more CVE IDs.
 .SH SYNOPSIS

man/cve-show.1

@@ -1,4 +1,4 @@
-.TH "CVE SHOW" "1" "2023-02-15" "1.2.1" "cve show Manual"
+.TH "CVE SHOW" "1" "2024-01-26" "1.3.0" "cve show Manual"
 .SH NAME
 cve\-show \- Display a specific CVE ID (and optionally...
 .SH SYNOPSIS
@@ -9,7 +9,13 @@ Display a specific CVE ID (and optionally its record) owned by your CNA.
 .SH OPTIONS
 .TP
 \fB\-r,\fP \-\-show\-record
-Show full CVE record in JSON v5 format.
+Show full CVE v5 record.
+.TP
+\fB\-c,\fP \-\-show\-cna
+Show only the CNA container of a CVE v5 record.
+.TP
+\fB\-a,\fP \-\-show\-adp TEXT
+Show all ADP containers, or a specific one identified by the owning org (option can be used multiple times).  [default: (all ADP containers)]
 .TP
 \fB\-\-raw\fP
 Print response JSON.

man/cve-undo-reject.1

@@ -1,4 +1,4 @@
-.TH "CVE UNDO-REJECT" "1" "2023-02-15" "1.2.1" "cve undo-reject Manual"
+.TH "CVE UNDO-REJECT" "1" "2024-01-26" "1.3.0" "cve undo-reject Manual"
 .SH NAME
 cve\-undo-reject \- Move a rejected CVE ID without a record...
 .SH SYNOPSIS

man/cve-user-create.1

@@ -1,4 +1,4 @@
-.TH "CVE USER CREATE" "1" "2023-02-15" "1.2.1" "cve user create Manual"
+.TH "CVE USER CREATE" "1" "2024-01-26" "1.3.0" "cve user create Manual"
 .SH NAME
 cve\-user\-create \- Create a user in your organization.
 .SH SYNOPSIS

man/cve-user-reset-key.1

@@ -1,4 +1,4 @@
-.TH "CVE USER RESET-KEY" "1" "2023-02-15" "1.2.1" "cve user reset-key Manual"
+.TH "CVE USER RESET-KEY" "1" "2024-01-26" "1.3.0" "cve user reset-key Manual"
 .SH NAME
 cve\-user\-reset-key \- Reset a user's personal access token (API...
 .SH SYNOPSIS

man/cve-user-update.1

@@ -1,4 +1,4 @@
-.TH "CVE USER UPDATE" "1" "2023-02-15" "1.2.1" "cve user update Manual"
+.TH "CVE USER UPDATE" "1" "2024-01-26" "1.3.0" "cve user update Manual"
 .SH NAME
 cve\-user\-update \- Update a user.
 .SH SYNOPSIS

man/cve-user.1

@@ -1,4 +1,4 @@
-.TH "CVE USER" "1" "2023-02-15" "1.2.1" "cve user Manual"
+.TH "CVE USER" "1" "2024-01-26" "1.3.0" "cve user Manual"
 .SH NAME
 cve\-user \- Show information about a user.
 .SH SYNOPSIS

man/cve.1

@@ -1,4 +1,4 @@
-.TH "CVE" "1" "2023-02-15" "1.2.1" "cve Manual"
+.TH "CVE" "1" "2024-01-26" "1.3.0" "cve Manual"
 .SH NAME
 cve \- A CLI interface for the CVE Services API.
 .SH SYNOPSIS
@@ -31,9 +31,13 @@ Show the version and exit.
 .SH COMMANDS
 .PP
 \fBpublish\fP
-  Publish a CVE record for a reserved (or...
+  Publish a CNA container of a CVE record...
   See \fBcve-publish(1)\fP for full documentation on the \fBpublish\fP command.
 .PP
+\fBpublish-adp\fP
+  Add or update an ADP container in a CVE...
+  See \fBcve-publish-adp(1)\fP for full documentation on the \fBpublish-adp\fP command.
+.PP
 \fBreject\fP
   Reject a CVE record for a reserved or...
   See \fBcve-reject(1)\fP for full documentation on the \fBreject\fP command.

setup.py

@@ -13,9 +13,8 @@
 dev_require = [
     *tests_require,
     "black",
+    "ruff",
     "click-man",
-    "flake8",
-    "isort",
     "mypy",
     "tox",
     "types-click",