From 888aa53139a53109a61ad0c5cfe4194267b17b97 Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort
Date: Wed, 3 Nov 2021 11:47:25 +0100
Subject: Add a script to remove dist tags (e.g. postponed) from CVE/list This can be useful when releasing a DSA that fixes some CVEs that were previously triaged as no-dsa.
---
bin/remove-cve-dist-tags | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100755 bin/remove-cve-dist-tags
diff --git a/bin/remove-cve-dist-tags b/bin/remove-cve-dist-tags
new file mode 100755
index 0000000000..c428127092
--- /dev/null
+++ b/bin/remove-cve-dist-tags
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+#
+# Remove no-dsa tags from data/CVE/list
+#
+# Copyright © 2021 Emilio Pozuelo Monfort
+
+import os.path
+import sys
+
+import setup_paths # noqa
+import config
+from sectracker.parsers import cvelist, writecvelist, PackageAnnotation
+
+
+def keep_annotation(cve, annotation):
+ if not isinstance(annotation, PackageAnnotation):
+ return True
+
+ if cve.header.name in cves and \
+ annotation.release == release and \
+ annotation.package == package:
+ print(f"removing annotation for {cve.header.name}/{package}/{release}")
+ return False
+
+ return True
+
+
+def parse_list(path):
+ data, messages = cvelist(path)
+
+ return data
+
+if len(sys.argv) <= 3:
+ # assume there are no CVEs, so nothing to do
+ sys.exit(0)
+
+release = sys.argv[1]
+package = sys.argv[2]
+cves = sys.argv[3:]
+
+main_list = os.path.dirname(__file__) + '/../data/CVE/list'
+# check if another file was specified in config, e.g. a ExtendedFile
+distconfig = config.get_config()[release]
+if 'maincvefile' in distconfig:
+ main_list = os.path.dirname(__file__) + '/../' + distconfig['maincvefile']
+
+data = parse_list(main_list)
+new_data = []
+
+for cve in data:
+ annotations = list(
+ annotation
+ for annotation in cve.annotations
+ if keep_annotation(cve, annotation)
+ )
+ cve = cve._replace(annotations=annotations)
+ new_data.append(cve)
+
+with open(main_list, 'w') as f:
+ writecvelist(new_data, f)
-- cgit v1.2.3
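Review bot: The final `with open(main_list, 'w')` truncates the tracker's CVE list before `writecvelist` has written anything, so an exception or interrupt during serialisation leaves a partial file on disk; writing to a temporary file next to it and swapping it in with `os.replace` avoids that. `parse_list` also drops the `messages` that `cvelist(path)` returns, so if those carry parse diagnostics (not visible here) the list is rewritten from whatever parsed, with no warning; printing them to stderr and stopping on errors before the write would be safer. Separately, `keep_annotation` matches every `PackageAnnotation` for the given release and package, while the header comment speaks only of no-dsa tags; if other release-scoped entries are meant to survive, the predicate needs a check on the kind of annotation.

```python
# … unchanged: argument handling, config lookup, annotation filtering …
tmp_list = main_list + '.new'
with open(tmp_list, 'w') as f:
    writecvelist(new_data, f)
# swap in the complete file only after the write succeeded
os.replace(tmp_list, main_list)
```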