Niraj Kamdar
GSoC 20: Week 7

Hello everyone!
I am Niraj, and I will be sharing my code contributions from the seventh week of GSoC. If you haven't read my previous InputEngine post, you should read it first.


I have added a feature for specifying product-wise remarks in my previous InputEngine PR, but what if a user wants to specify remarks for a particular CVE? What if a user wants to customize the severity level of CVEs, since the severity is usually application dependent anyhow? What if a user wants to add comments for a specific CVE or product?

Currently, we only accept the vendor, product, version and remarks fields as valid input to InputEngine. So, if we want to give users fine-grained control over specifying triage data for a CVE, we need to add support for new fields: 1) cve_number, 2) comments and 3) severity.

What did I do this week?

I have added support for the above new fields in InputEngine. Now, if a user specifies remarks, severity and/or comments for a specific CVE, these fields are only going to be reflected for that particular CVE. For example, if the CSV file contains the following data, then the comments column states what will be reflected in the output:

| vendor | product | version | remarks | cve_number | severity | comments |
|---|---|---|---|---|---|---|
| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 3 | CVE-2018-19664 | CRITICAL | severity will be CRITICAL in output |
| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 2 | | HIGH | default severity will be HIGH for the product |
| haxx | curl | 7.59.0 | 1 | | | severity will be fetched from NVD database |
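
The precedence the table describes (CVE-specific row, then product-wide row, then the NVD value), sketched as an added example that is not the project's InputEngine code. The function names, the `severity_source` field and the NVD severity passed in by the caller are assumptions made for illustration; recording the source keeps a user-supplied downgrade visible in review.

```python
import csv
import io

# Constructed sample input mirroring the three rows in the table above.
TRIAGE_CSV = """\
vendor,product,version,remarks,cve_number,severity,comments
libjpeg-turbo,libjpeg-turbo,2.0.1,3,CVE-2018-19664,CRITICAL,severity will be CRITICAL in output
libjpeg-turbo,libjpeg-turbo,2.0.1,2,,HIGH,default severity will be HIGH for the product
haxx,curl,7.59.0,1,,,severity will be fetched from NVD database
"""

FIELDS = ("remarks", "severity", "comments")


def load_triage(text):
    """Split rows into product-wide defaults and per-CVE overrides (hypothetical helper)."""
    defaults, overrides = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["vendor"], row["product"], row["version"])
        # Keep only the triage fields the user actually filled in.
        data = {f: v for f in FIELDS if (v := (row.get(f) or "").strip())}
        cve = (row.get("cve_number") or "").strip().upper()
        if cve:
            overrides[(key, cve)] = data
        else:
            defaults[key] = data
    return defaults, overrides


def resolve(defaults, overrides, product, cve_number, nvd_severity):
    """Merge triage data for one finding: NVD value < product row < CVE row."""
    merged = {"severity": nvd_severity, "severity_source": "nvd"}
    layers = (
        ("product", defaults.get(product, {})),
        ("cve", overrides.get((product, cve_number.upper()), {})),
    )
    for source, data in layers:
        merged.update(data)
        if "severity" in data:
            # Record who set the severity so overrides are auditable.
            merged["severity_source"] = source
    return merged
```
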

I have also added support for the wheel and egg archive formats. I have modernized error handling in OutputEngine and Extractor. I have also fixed a bug which was causing the progress bar to be displayed in quiet mode. I have also triaged several bugs specified by a user into proper issues.

What am I doing this week?

I am going to work on configuration file support for our tool. I have experimented with different configuration file formats and I think YAML and TOML are the best ones. I am waiting for my mentor to choose the one that would be perfect for our tool.
