authorJonathan S. Katz2021-03-21 18:15:19 +0000
committerJonathan S. Katz2021-03-28 16:22:24 +0000
commitcd616da5578780afca4202716eaef898622e93a2 (patch)
tree16776688996b3148a570518623657f4e6776168e /pgweb/security
parent62a686f34de9d286be183d4b93f7d599c934a011 (diff)
Add page with additional details about a CVE
This page contains most information that may be found on 3rd party sites about a particular CVE, but with the benefit of being hosted on the PostgreSQL infrastructure. This does require inserting the CVE description into the website, which will include backporting the CVE descriptions throughout many existing CVEs, but the added benefit is that this information is available when we publish a release, vs. waiting for a 3rd party to publish the info. This patch also adds sitemap indexing for each of the CVE entries, and ensures the top-level CVE URL is in the sitemap.
Diffstat (limited to 'pgweb/security')
-rw-r--r--pgweb/security/migrations/0003_add_security_patch_details.py20
-rw-r--r--pgweb/security/models.py5
-rw-r--r--pgweb/security/struct.py9
-rw-r--r--pgweb/security/views.py33
4 files changed, 64 insertions, 3 deletions
diff --git a/pgweb/security/migrations/0003_add_security_patch_details.py b/pgweb/security/migrations/0003_add_security_patch_details.py
new file mode 100644
index 00000000..23acb72b
--- /dev/null
+++ b/pgweb/security/migrations/0003_add_security_patch_details.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.13 on 2018-11-12 16:37
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('security', '0002_cve_visible'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='securitypatch',
+ name='details',
+ field=models.TextField(blank=True, help_text='Additional details about the security patch', null=True),
+ ),
+ ]
diff --git a/pgweb/security/models.py b/pgweb/security/models.py
index e82c7d4f..208a9de7 100644
--- a/pgweb/security/models.py
+++ b/pgweb/security/models.py
@@ -70,6 +70,7 @@ class SecurityPatch(models.Model):
cvenumber = models.IntegerField(null=False, blank=False, db_index=True)
detailslink = models.URLField(null=False, blank=True)
description = models.TextField(null=False, blank=False)
+ details = models.TextField(blank=True, null=True, help_text="Additional details about the security patch")
component = models.CharField(max_length=32, null=False, blank=False, help_text="If multiple components, choose the most critical one", choices=component_choices)
versions = models.ManyToManyField(Version, through='SecurityPatchVersion')
@@ -84,7 +85,9 @@ class SecurityPatch(models.Model):
vector_a = models.CharField(max_length=1, null=False, blank=True, verbose_name="Availability Impact", choices=vector_choices['A'])
legacyscore = models.CharField(max_length=1, null=False, blank=True, verbose_name='Legacy score', choices=(('A', 'A'), ('B', 'B'), ('C', 'C'), ('D', 'D')))
- purge_urls = ('/support/security/', )
+ def purge_urls(self):
+ yield '/support/security/CVE-%s/' % self.cve
+ yield '/support/security/'
def save(self, force_insert=False, force_update=False):
# Calculate a number from the CVE, that we can use to sort by. We need to
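Review bot: `details = models.TextField(blank=True, null=True, ...)` introduces a string field with two distinct "empty" values (NULL and ''), which Django's own docs advise against for CharField/TextField; `models.TextField(blank=True, default='', help_text=...)` keeps the admin form optional without the ambiguity, though the shipped migration would then need to match. Turning `purge_urls` from a tuple attribute into a generator method means whatever iterates `purge_urls` on models must now accept a callable — that caller is outside this diff, so please confirm it handles both forms. A short docstring on the new method would help, e.g. `"""Yield the cached URLs to purge when this patch changes: its own detail page, then the index."""`. If the new `details` text is rendered in the template without escaping (`|safe` or a markup filter), it should still pass through a sanitizer even though it is admin-entered; the template is not in this hunk, so this is only a reminder to check.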
diff --git a/pgweb/security/struct.py b/pgweb/security/struct.py
new file mode 100644
index 00000000..fd5a713b
--- /dev/null
+++ b/pgweb/security/struct.py
@@ -0,0 +1,9 @@
+from datetime import date, timedelta
+from .models import SecurityPatch
+
+
+def get_struct():
+ """create sitemap entries for each CVE entry and the top level CVE URL"""
+ yield ('support/security/', None)
+ for s in SecurityPatch.objects.filter(public=True).order_by('-cvenumber'):
+ yield ('support/security/CVE-{}'.format(s.cve), None)
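Review bot: The per-CVE sitemap entry on the last line omits the trailing slash (`support/security/CVE-{}`), while `purge_urls` in models.py and the redirect in views.py both use `/support/security/CVE-%s/`; crawlers would be sent to a URL that at best gets redirected (if APPEND_SLASH is on) and that the purge list never covers. Use `yield ('support/security/CVE-{}/'.format(s.cve), None)` so the sitemap, the purge list and the canonical redirect agree. The `from datetime import date, timedelta` import at the top is unused and can be dropped. The `public=True` filter matches the lookup in the view, so unpublished entries are neither advertised nor served — worth a one-line comment stating that this is deliberate.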
diff --git a/pgweb/security/views.py b/pgweb/security/views.py
index 0a7f2041..b36fcc04 100644
--- a/pgweb/security/views.py
+++ b/pgweb/security/views.py
@@ -1,9 +1,11 @@
-from django.shortcuts import get_object_or_404
+from django.core.validators import ValidationError
+from django.http import Http404
+from django.shortcuts import get_object_or_404, redirect
from pgweb.util.contexts import render_pgweb
from pgweb.core.models import Version
-from .models import SecurityPatch
+from .models import SecurityPatch, make_cvenumber
def GetPatchesList(filt):
@@ -22,6 +24,33 @@ def _list_patches(request, filt):
})
+def details(request, cve_prefix, cve):
+ """Provides additional details about a specific CVE"""
+ # First determine if the entrypoint of the URL is a lowercase "cve". If it
+ # is, redirect to the uppercase
+ if cve_prefix != "CVE":
+ return redirect('/support/security/CVE-{}/'.format(cve), permanent=True)
+ # Get the CVE number from the CVE ID string so we can look it up
+ # against the database. This shouldn't fail due to an ill-formatted CVE,
+ # as both use the same validation check, but we will wrap it just in case.
+ #
+ # However, we do need to ensure that the CVE does both exist and
+ # is published.
+ try:
+ security_patch = get_object_or_404(
+ SecurityPatch,
+ cvenumber=make_cvenumber(cve),
+ public=True,
+ )
+ except ValidationError:
+ raise Http404()
+
+ return render_pgweb(request, 'support', 'security/details.html', {
+ 'security_patch': security_patch,
+ 'versions': security_patch.securitypatchversion_set.select_related('version').order_by('-version__tree').all(),
+ })
+
+
def index(request):
# Show all supported versions
return _list_patches(request, "v.supported")
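Review bot: In `details`, the `cve_prefix != "CVE"` branch echoes the URL-supplied `cve` into a permanent redirect before the value has been validated or looked up, so a malformed or unknown id gets a browser-cached 301 to a 404; how loose that value can be depends on the urlpattern, which is not in the hunk. Moving the prefix check below the `get_object_or_404` and redirecting to the stored value — `return redirect('/support/security/CVE-{}/'.format(security_patch.cve), permanent=True)` — fixes both and also canonicalises any id that `make_cvenumber` normalises. `ValidationError` should be imported from `django.core.exceptions`, its canonical home, rather than `django.core.validators`. Since `cvenumber` is only `db_index=True` (not unique) in models.py, `get_object_or_404` raises `MultipleObjectsReturned` (a 500) if two rows ever share a number; if uniqueness is guaranteed by the `cve` column instead, a one-line comment saying so would save the next reader the check.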