Show more CVE data when performing searches without --extract-cves #17
Description
So if I do a search like this:
```
$ rhsecapi --q-after 2016-06-01 --q-before 2016-09-01 --q-severity critical --count
CVEs found: 102
```
The above data was generated by a single HTTP request and altogether it took less than a second for rhsecapi to finish. As things stand now, if I want to print details about those CVEs, I need to use `-s`/`--extract-search`, which will then kick off 102 additional HTTP API requests. Thanks to multithreading, that doesn't need to take too long ... on my 4-core system with the default settings, I get:
```
$ time rhsecapi --q-after 2016-06-01 --q-before 2016-09-01 --q-severity critical --count --extract-search
CVEs found: 102
Valid Red Hat CVE results retrieved: 102 of 102

real 0m5.819s
user 0m1.775s
sys 0m0.099s
```
That said, it's still kind of wasteful when you realize that a lot of that data was already gathered (and discarded) in the very first HTTP request. For example, here's the raw JSON (`--json`) returned for one of the CVEs -- i.e., this was returned with the very first request and then discarded after extracting only the CVE number:
```json
{
    "CVE": "CVE-2016-2819",
    "CWE": null,
    "advisories": [
        "RHSA-2016:1217"
    ],
    "affected_packages": [
        "firefox-45.2.0-1.el5_11",
        "firefox-45.2.0-1.el6_8",
        "firefox-45.2.0-1.el7_2"
    ],
    "bugzilla": "1342891",
    "cvss_score": 6.8,
    "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "public_date": "2016-06-08T00:00:00+00:00",
    "resource_url": "https://access.redhat.com/labs/securitydataapi/cve/CVE-2016-2819.json",
    "severity": "critical"
},
```
That's quite a lot of info we could use. Here's what we'd get if we did a full CVE lookup instead of a search:
```
$ rhsecapi CVE-2016-2819 --json
Valid Red Hat CVE results retrieved: 1 of 1
```

```json
{
    "acknowledgement": "\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges firehack as the original reporter.\n ",
    "affected_release": [
        {
            "advisory": "RHSA-2016:1217",
            "cpe": "cpe:/o:redhat:enterprise_linux:5",
            "package": "firefox-45.2.0-1.el5_11",
            "product_name": "Red Hat Enterprise Linux 5",
            "release_date": "2016-06-08T00:00:00"
        },
        {
            "advisory": "RHSA-2016:1217",
            "cpe": "cpe:/o:redhat:enterprise_linux:6",
            "package": "firefox-45.2.0-1.el6_8",
            "product_name": "Red Hat Enterprise Linux 6",
            "release_date": "2016-06-08T00:00:00"
        },
        {
            "advisory": "RHSA-2016:1217",
            "cpe": "cpe:/o:redhat:enterprise_linux:7",
            "package": "firefox-45.2.0-1.el7_2",
            "product_name": "Red Hat Enterprise Linux 7",
            "release_date": "2016-06-08T00:00:00"
        }
    ],
    "bugzilla": {
        "description": "\nCVE-2016-2819 Mozilla: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)\n ",
        "id": "1342891",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1342891"
    },
    "cvss": {
        "cvss_base_score": "6.8",
        "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
        "status": "verified"
    },
    "details": "\nHeap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.\n ",
    "document_distribution": "Copyright \u00a9 2016 Red Hat, Inc. All rights reserved.",
    "name": "CVE-2016-2819",
    "package_state": [
        {
            "cpe": "cpe:/o:redhat:enterprise_linux:5",
            "fix_state": "Not affected",
            "package_name": "thunderbird",
            "product_name": "Red Hat Enterprise Linux 5"
        },
        {
            "cpe": "cpe:/o:redhat:enterprise_linux:6",
            "fix_state": "Not affected",
            "package_name": "thunderbird",
            "product_name": "Red Hat Enterprise Linux 6"
        },
        {
            "cpe": "cpe:/o:redhat:enterprise_linux:7",
            "fix_state": "Not affected",
            "package_name": "thunderbird",
            "product_name": "Red Hat Enterprise Linux 7"
        }
    ],
    "public_date": "2016-06-08T00:00:00",
    "references": "\nhttps://www.mozilla.org/security/announce/2016/mfsa2016-50.html\n ",
    "threat_severity": "Critical"
}
```
So the question is really ... whether it makes sense to do anything with the search-result output even though it's not the full picture. I mean the default IMHO should clearly be to ONLY print CVE numbers when doing searches, but we could give the option to print some extra minimal info ... but then from a usability standpoint, I'm not quite sure how to communicate that ... I feel like it could get confusing for users.
Hmmm. Have to ponder on this. And of course I welcome feedback.
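As an added illustration of the "minimal info from the search result" idea discussed in the issue (example code, not part of rhsecapi and not the author's), the following takes the search-result record quoted above, embedded inline as constructed sample input, normalizes the fields the search endpoint already returns, and prints one compact line per CVE while naming the lookup-only fields it cannot show. The field names follow the two JSON documents above; `LOOKUP_ONLY_FIELDS` and the output layout are assumptions.

```python
import json

# Constructed sample input: the search-result record quoted in the issue for
# CVE-2016-2819, wrapped in a list as the search output would be.
SEARCH_RESULTS_JSON = """[
  {
    "CVE": "CVE-2016-2819",
    "CWE": null,
    "advisories": ["RHSA-2016:1217"],
    "affected_packages": ["firefox-45.2.0-1.el5_11", "firefox-45.2.0-1.el6_8",
                          "firefox-45.2.0-1.el7_2"],
    "bugzilla": "1342891",
    "cvss_score": 6.8,
    "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "public_date": "2016-06-08T00:00:00+00:00",
    "resource_url": "https://access.redhat.com/labs/securitydataapi/cve/CVE-2016-2819.json",
    "severity": "critical"
  }
]"""

# Assumed list of fields present only in a full per-CVE lookup (see the second
# JSON document in the issue); the search result never carries them.
LOOKUP_ONLY_FIELDS = ("details", "package_state", "affected_release", "threat_severity")

def summarize_search_record(rec):
    """Normalize one search-result record into the minimal fields worth printing."""
    return {
        "cve": rec["CVE"],
        "severity": (rec.get("severity") or "unknown").lower(),
        "cvss": rec.get("cvss_score"),                # None when the CVE is unscored
        "date": (rec.get("public_date") or "")[:10],  # keep only YYYY-MM-DD
        "advisories": list(rec.get("advisories") or []),
        "packages": list(rec.get("affected_packages") or []),
        "bugzilla": rec.get("bugzilla"),
    }

def format_search_line(summary):
    """One compact line per CVE built from search-only data (no fix states, no details)."""
    cvss = "n/a" if summary["cvss"] is None else "{:.1f}".format(summary["cvss"])
    adv = ",".join(summary["advisories"]) or "-"
    return "{cve}  {sev:<9} cvss={cvss:<4} {date}  {adv}  {n} pkg(s)".format(
        cve=summary["cve"], sev=summary["severity"], cvss=cvss,
        date=summary["date"], adv=adv, n=len(summary["packages"]))

def summarize_search_results(raw_json):
    """Parse raw --json search output; return (normalized summaries, printable lines)."""
    summaries = [summarize_search_record(r) for r in json.loads(raw_json)]
    return summaries, [format_search_line(s) for s in summaries]

if __name__ == "__main__":
    _, lines = summarize_search_results(SEARCH_RESULTS_JSON)
    print("\n".join(lines))
    print("(not shown: %s; use --extract-search for full records)" % ", ".join(LOOKUP_ONLY_FIELDS))
```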