Merge branch 'release/2.11.0'

Author: hlavanant

.gitlab-ci.yml

@@ -27,7 +27,7 @@ stages:
   tags:
     - docker20
   before_script:
-    - curl -sSL https://install.python-poetry.org | python -
+    - curl -sSL https://install.python-poetry.org | python - --version 1.8.4
     - export PATH="/root/.local/bin:$PATH"
     - poetry install --no-root --with dev
 

.gitlab/issue_templates/Bug.md

@@ -0,0 +1,52 @@
+## Subject
+_Description of the bug_
+
+## Steps to reproduce
+  - Action 1
+  - Action 2
+  - ...
+
+## Actual results
+_What actually happens_
+
+## Expected results
+_What you should see instead_
+
+## Technical solution
+_Write technical solution if identified_
+
+## Security and Privacy
+>  Risk level MUST be systematically assessed before designing a change. Actions to handle risk and approval depend on the risk level:
+>- None/low: no or low impact and probability considered. If the risk is considered low, actions to handle the risk may be defined. No approval required.
+>- Medium: either significant impact or significant probability considered. Actions must be defined in the sections below and approved/completed by a team lead before implementing the change.
+>- High: significant impact AND probability considered. Actions must be defined in the section below and approved/completed by CTO or CISO before implementing the change.
+
+| Risk level | None     | Low      | Med.   | High                  |
+|------------|----------|----------|--------|-----------------------|
+| Rating     |          |          |        | :heavy_check_mark:    |
+
+### Actions to handle risk
+_to be filled by actions of any kind if level >= low_
+
+## Personal data
+_Anything concerning user personal data that should be discussed with legal team_
+
+> This section should **always** be updated. In case there is nothing to say, simply add "nothing relevant" or "nothing identified"
+
+## Tests
+_In addition to the classic unit and functional tests, additional tests that should be performed either automatic or manual_
+
+> This section should **always** be updated. In case there is nothing to say, simply add "nothing relevant" or "nothing identified"
+
+## Impacts
+_List of impacted routes or functionality_
+
+## DoD
+_In front of each item write one of those: N/A, Done, link to wiki/infra issue, or the modification made_
+
+| Item                                          |     |
+|-----------------------------------------------|:---:|
+| Feature tested locally                        |     |
+| Merge request created from feature to develop |     |
+
+/label ~Bug

.gitlab/issue_templates/Feature.md

@@ -0,0 +1,58 @@
+## Description
+_Description of the feature_
+
+## Functional solution
+_Add task list of functionality to implement_
+  - [ ] functionality 1
+  - [ ] functionality 2
+
+## Technical solution
+_Add task list of relevant technical modification_
+  - [ ] modification 1
+  - [ ] modification 2
+
+## Security and Privacy
+>  Risk level MUST be systematically assessed before designing a change. Actions to handle risk and approval depend on the risk level:
+>- None/low: no or low impact and probability considered. If the risk is considered low, actions to handle the risk may be defined. No approval required.
+>- Medium: either significant impact or significant probability considered. Actions must be defined in the sections below and approved/completed by a team lead before implementing the change.
+>- High: significant impact AND probability considered. Actions must be defined in the section below and approved/completed by CTO or CISO before implementing the change.
+
+| Risk level | None     | Low      | Med.   | High                  |
+|------------|----------|----------|--------|-----------------------|
+| Rating     |          |          |        | :heavy_check_mark:    |
+
+### Actions to handle risk
+_to be filled by actions of any kind if level >= low_
+
+## Personal data
+_Anything concerning user personal data that should be discussed with legal team_
+
+> This section should **always** be updated. In case there is nothing to say, simply add "nothing relevant" or "nothing identified"
+
+## Tests
+_In addition to the classic unit and functional tests, additional tests that should be performed either automatic or manual_
+
+> This section should **always** be updated. In case there is nothing to say, simply add "nothing relevant" or "nothing identified"
+
+## Impacts
+_List of impacted routes or functionality_
+
+## Estimation
+x jH
+
+## Questions
+- Question
+> answer
+
+## DoD 
+_In front of each item write one of those: N/A, Done, link to infra issue, or the modification made_
+
+| Item                                                                                                                                      |     |
+|-------------------------------------------------------------------------------------------------------------------------------------------|:---:|
+| New environment variables added in settings files and issue created in [infra board](https://git.clacos.ninja/infra/infradev/-/boards)    |     |
+| New command and consumer described in [Readme.md]() and issue created in [infra board](https://git.clacos.ninja/infra/infradev/-/boards)  |     |
+| Feature tested locally                                                                                                                    |     |
+| Merge request created from feature to develop                                                                                             |     |
+
+
+/label ~Feature

Dockerfile

@@ -1,6 +1,6 @@
 FROM python:3.12.1-slim-bookworm AS builder
 RUN apt-get update && apt-get install -yq curl
-RUN curl -sSL https://install.python-poetry.org | python -
+RUN curl -sSL https://install.python-poetry.org | python - --version 1.8.4
 WORKDIR /ywh2bt
 COPY / ./
 RUN /root/.local/bin/poetry build

README.md

@@ -49,6 +49,8 @@ Since data is pulled from YWH platform to your server, only regular outbound web
 
 ## Changelog
 
+- v2.11:
+    - added support for new impact and cve fields
 - v2.10: 
     - added support for new ask for fix process
     - added support for report transfer log 

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ywh2bt"
-version = "2.10.0"
+version = "2.11.0"
 description = "ywh2bt - YesWeHack to Bug Tracker"
 readme = "README.md"
 authors = ["m.honel <m.honel@yeswehack.com>"]
@@ -68,7 +68,7 @@ frozenlist = [
     { version="^1.3.0", python = "<3.8" },
     { version="^1.4.0", python = ">=3.8" },
 ]
-yeswehack = ">=0.8.7"
+yeswehack = ">=0.8.8"
 
 [tool.poetry.extras]
 gui = ["pyside6"]

pyproject.toml

@@ -170,6 +170,8 @@ class Report:
     tracking_status: str
     vulnerable_part: str
     ask_for_fix_verification_status: str
+    cve: Dict[str, Any]
+    impact: str
 
     def __init__(
         self,

stubs/yeswehack/api.pyi

@@ -167,6 +167,10 @@ def format_report_description(
             bug_type_name=report.bug_type.name,
             bug_type_link=report.bug_type.link,
             bug_type_remediation_link=report.bug_type.remediation_link or "/",
+            cve_label=self._get_property_label("cve"),
+            cve_name=report.cve.get("id") or "",
+            impact_label=self._get_property_label("impact"),
+            impact_name=report.impact or "",
             scope_label=self._get_property_label("scope"),
             scope=self._transform_value(
                 value=report.scope,

ywh2bt/core/api/formatter/formatter.py

@@ -13,6 +13,8 @@
 |-------|---------------------|
 | Priority | ${priority_name} |
 | ${bug_type_label} | [${bug_type_name}](${bug_type_link}) → [Remediation](${bug_type_remediation_link}) |
+| ${cve_label} | ${cve_name} |
+| ${impact_label} | ${impact_name} |
 | ${scope_label} | ${scope} |
 | Severity | ${cvss_criticity}, score: ${cvss_score}, vector: ${cvss_vector} |
 | ${end_point_label} | ${end_point} |