Merge pull request #109 from RedHatProductSecurity/transfer-cve

Add new subcommand for transfering CVE IDs to other CNAs

Author: mprpic

cvelib/cli.py

@@ -627,6 +627,43 @@ def undo_reject(ctx: click.Context, cve_id: str, print_raw: bool) -> None:
         print_cve_id(response_data["updated"])
 
 
+@cli.command()
+@click.argument("cve_id", callback=validate_cve)
+@click.option(
+    "-n",
+    "--new-cna",
+    required=True,
+    help="Shortname of the new owning CNA for the CVE ID.",
+)
+@click.option("--raw", "print_raw", default=False, is_flag=True, help="Print response JSON.")
+@click.pass_context
+@handle_cve_api_error
+def transfer(ctx: click.Context, cve_id: str, new_cna: str, print_raw: bool) -> None:
+    """Transfer ownership of a CVE ID to another CNA.
+
+    This command updates the owning_cna attribute of the specified CVE ID to transfer
+    ownership to another CNA organization. CNAs can only transfer CVE IDs they own.
+    """
+    if ctx.obj.interactive:
+        click.echo("You are about to transfer ownership of ", nl=False)
+        click.secho(cve_id, bold=True, nl=False)
+        click.echo(" to CNA ", nl=False)
+        click.secho(new_cna, bold=True, nl=False)
+        click.echo(".")
+        if not click.confirm("\nDo you want to continue?"):
+            click.echo("Exiting...")
+            sys.exit(0)
+        click.echo()
+
+    cve_api = ctx.obj.cve_api
+    response_data = cve_api.transfer(cve_id, new_cna)
+    if print_raw:
+        print_json_data(response_data)
+    else:
+        click.echo("Successfully transferred the following CVE:\n")
+        print_cve_id(response_data["updated"])
+
+
 @cli.command()
 @click.option(
     "-r",

cvelib/cve_api.py

@@ -289,6 +289,14 @@ def move_to_reserved(self, cve_id):
         params = {"state": self.States.RESERVED}
         return self._put(f"cve-id/{cve_id}", params=params).json()
 
+    def transfer(self, cve_id: str, new_cna: str) -> dict:
+        """Transfer ownership of a CVE ID to another CNA.
+
+        This updates the owning_cna attribute of the specified CVE ID.
+        """
+        params = {"org": new_cna}
+        return self._put(f"cve-id/{cve_id}", params=params).json()
+
     def reserve(self, count: int, random: bool, year: str) -> dict:
         """Reserve a set of CVE IDs.
 

tests/test_cli.py

@@ -556,6 +556,99 @@ def test_cve_undo_reject(move_to_reserved):
     )
 
 
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer(transfer):
+    cve_id = "CVE-2023-1234"
+    response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "cve_year": "2023",
+            "owning_cna": "new-cna",
+            "requested_by": {"cna": "old-cna", "user": "test@example.com"},
+            "reserved": "2021-01-14T18:35:17.469Z",
+            "state": "RESERVED",
+            "time": {"created": "2021-01-14T18:35:17.469Z", "modified": "2021-01-14T18:35:17.469Z"},
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = response
+    runner = CliRunner()
+    result = runner.invoke(cli, DEFAULT_OPTS + ["transfer", cve_id, "--new-cna", "new-cna"])
+    assert result.exit_code == 0, result.output
+    assert result.output == (
+        "Successfully transferred the following CVE:\n"
+        "\n"
+        f"{cve_id}\n"
+        "├─ State:\tRESERVED\n"
+        "├─ Owning CNA:\tnew-cna\n"
+        "├─ Reserved by:\ttest@example.com (old-cna)\n"
+        "├─ Reserved on:\tThu Jan 14 18:35:17 2021 +0000\n"
+        "└─ Updated on:\tThu Jan 14 18:35:17 2021 +0000\n"
+    )
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_raw_output(transfer):
+    cve_id = "CVE-2023-1234"
+    response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = response
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["transfer", cve_id, "--new-cna", "new-cna", "--raw"]
+    )
+    assert result.exit_code == 0, result.output
+    assert json.loads(result.output) == response
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_interactive_confirm(transfer):
+    cve_id = "CVE-2023-1234"
+    transfer_response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = transfer_response
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["-i", "transfer", cve_id, "--new-cna", "new-cna"], input="y\n"
+    )
+    assert result.exit_code == 0, result.output
+    assert "You are about to transfer ownership of CVE-2023-1234 to CNA new-cna" in result.output
+    assert "Do you want to continue?" in result.output
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_interactive_abort(transfer):
+    cve_id = "CVE-2023-1234"
+
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["-i", "transfer", cve_id, "--new-cna", "new-cna"], input="n\n"
+    )
+    assert result.exit_code == 0, result.output
+    assert "You are about to transfer ownership of CVE-2023-1234 to CNA new-cna" in result.output
+    assert "Do you want to continue?" in result.output
+    assert "Exiting..." in result.output
+    transfer.assert_not_called()
+
+
 def test_quota():
     quota = {"id_quota": 100, "total_reserved": 10, "available": 90}
     with mock.patch("cvelib.cli.CveApi.quota") as get_quota:

tests/test_cve_api.py

@@ -107,3 +107,23 @@ def test_count_cves():
         count = cve_api.count_cves(state="published")
         get_mock.assert_called_with("cve_count", params={"state": "PUBLISHED"})
         assert count == {"totalCount": 42}
+
+
+def test_transfer():
+    with mock.patch("cvelib.cve_api.CveApi._put") as put_mock:
+        response = {
+            "updated": "CVE-2099-1234",
+            "message": "CVE-2099-1234 owning_cna updated",
+            "cve_id": "CVE-2099-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+            "requested_by": {"cna": "old-cna", "user": "test@example.com"},
+            "reserved": "2021-01-14T18:35:17.469Z",
+            "time": {"created": "2021-01-14T18:35:17.469Z", "modified": "2021-01-14T18:35:17.469Z"},
+        }
+        put_mock.return_value.json.return_value = response
+        cve_api = CveApi(username="test_user", org="test_org", api_key="test_key")
+
+        result = cve_api.transfer("CVE-2099-1234", "new-cna")
+        put_mock.assert_called_with("cve-id/CVE-2099-1234", params={"org": "new-cna"})
+        assert result == response