I am Niraj and I will be sharing my code contributions from the seventh week of GSoC. If you haven't read my previous InputEngine post, you should read it first.
I added a feature for specifying product-wise remarks in my previous InputEngine PR, but what if a user wants to specify remarks for a particular CVE? What if a user wants to customize the severity level of CVEs, since severity is usually application dependent anyhow? What if a user wants to add comments for a specific CVE or product?
Currently, we only accept the vendor, product, version and remarks fields as valid input to InputEngine. So, if we want to give users fine-grained control over specifying triage data for a CVE, we need to add support for three new fields: 1) cve_number, 2) comments and 3) severity.
I have added support for the above new fields in InputEngine. Now, if a user specifies remarks, severity and/or comments for a specific CVE, these fields are only going to apply to that particular CVE; a row with no cve_number sets the defaults for every CVE of that product. For example, if a CSV file contains the following data, the comments column states what will be reflected in the output:
| vendor | product | version | remarks | cve_number | severity | comments |
|---|---|---|---|---|---|---|
| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 3 | CVE-2018-19664 | CRITICAL | severity will be CRITICAL in output |
| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 2 | | HIGH | default severity will be HIGH for the product |
| haxx | curl | 7.59.0 | 1 | | | severity will be fetched from NVD database |
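To make the override order concrete, here is an added example (my own illustration, not cve-bin-tool's InputEngine code) that parses a triage CSV with these columns and resolves the effective fields for one CVE: a per-CVE row wins over the product-level row, and a missing severity means "take it from NVD". The column names and the CSV header are assumed from the fields listed above.

```python
import csv
import io

# Constructed sample mirroring the rows in the table above (header is assumed).
SAMPLE_CSV = """vendor,product,version,remarks,cve_number,severity,comments
libjpeg-turbo,libjpeg-turbo,2.0.1,3,CVE-2018-19664,CRITICAL,severity will be CRITICAL in output
libjpeg-turbo,libjpeg-turbo,2.0.1,2,,HIGH,default severity will be HIGH for the product
haxx,curl,7.59.0,1,,,severity will be fetched from NVD database
"""

REQUIRED = {"vendor", "product", "version", "remarks"}
# Assumed allowed values: the CVSS v3 qualitative ratings used by NVD.
SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}


def parse_triage(text):
    """Return {(vendor, product, version): {"default": {...}, "cves": {cve_id: {...}}}}."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing required columns: {sorted(missing)}")
    triage = {}
    for row in reader:
        key = (row["vendor"], row["product"], row["version"])
        entry = triage.setdefault(key, {"default": {}, "cves": {}})
        # Keep only the optional fields the row actually fills in.
        fields = {f: row[f].strip() for f in ("remarks", "severity", "comments") if row.get(f)}
        if "severity" in fields and fields["severity"].upper() not in SEVERITIES:
            raise ValueError(f"unknown severity {fields['severity']!r} in row {row}")
        cve = (row.get("cve_number") or "").strip()
        if cve:
            entry["cves"][cve] = fields  # applies to this CVE only
        else:
            entry["default"].update(fields)  # applies to every CVE of the product
    return triage


def effective(triage, vendor, product, version, cve_id):
    """Resolve fields for one CVE: per-CVE row, then product default, else NVD (None)."""
    entry = triage.get((vendor, product, version), {"default": {}, "cves": {}})
    merged = dict(entry["default"])
    merged.update(entry["cves"].get(cve_id, {}))
    merged.setdefault("severity", None)  # None -> severity comes from the NVD data
    return merged
```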
I have also added support for the wheel and egg archive formats. I have modernized error handling in OutputEngine and Extractor. I have also fixed a bug which was causing the progress bar to be displayed in quiet mode. I have also triaged several bugs specified by a user into proper issues.
I am going to work on configuration file support for our tool. I have experimented with different configuration file formats and I think YAML and TOML are the best ones. I am waiting for my mentor to choose the one that would be perfect for our tool.