Tools for processing CVE Vulnerability issues in Jira. Queries Jira for unprocessed CVEs, creates tracking structures, and establishes dependency chains across versions.
The script is idempotent - it can be run multiple times safely without creating duplicate issues.
Install dependencies:

```bash
pip install -r requirements.txt
```

Set environment variables:

```bash
export JIRA_API_TOKEN="your-api-token"
export JIRA_SERVER="https://issues.redhat.com"  # optional, this is the default
```

The token authorizes every write these scripts make to Jira, so source it from a secrets store or a file with restrictive permissions rather than pasting it into a shared shell history or committing it in a wrapper script.
| Script | Description |
|---|---|
| dup_cve.py | Main script for CVE processing |
| manage_task_cves.py | Manage CVEs linked to a task (update fields, close, set release notes) |
| inspect_issues.py | Inspect issues - show status and links |
| reset_cves.py | Remove processed labels to allow reprocessing |
dup_cve.py:

```bash
# Dry run - see what would be done without making changes
python dup_cve.py --dry-run
# Process CVEs for real
python dup_cve.py
# Process only a specific CVE
python dup_cve.py --cve CVE-2024-1234
# Verbose output for debugging
python dup_cve.py --dry-run -v
# Use a custom config file
python dup_cve.py --config /path/to/config.yaml
# Use a different Jira project for epics and tasks (default: OSASINFRA)
python dup_cve.py --project MYPROJECT
```

inspect_issues.py:

```bash
# Inspect specific issues
python inspect_issues.py OCPBUGS-12345 OSASINFRA-67890
# Inspect issues from a file
python inspect_issues.py -f issues.txt
# Combine both
python inspect_issues.py OCPBUGS-12345 -f more_issues.txt
```

manage_task_cves.py:

```bash
# See what CVEs are linked to a task
python manage_task_cves.py OSASINFRA-12345 --dry-run
# Close all linked CVEs with defaults (status=Closed, resolution=Done)
python manage_task_cves.py OSASINFRA-12345
# Transition to a different status
python manage_task_cves.py OSASINFRA-12345 --status ON_QA
# Close with custom comment and resolution
python manage_task_cves.py OSASINFRA-12345 --comment "Fixed in OCPBUGS-99999" --resolution "Fixed"
# Set release note fields when closing (using defaults: type=CVE, status=Proposed)
python manage_task_cves.py OSASINFRA-12345 \
    --release-note-text "This CVE was addressed upstream." \
    --release-note-type \
    --release-note-status
# Set release note fields with custom values
python manage_task_cves.py OSASINFRA-12345 \
    --release-note-text "This CVE was addressed upstream." \
    --release-note-type "Bug Fix" \
    --release-note-status "Done"
# Update release notes without transitioning (no status change)
python manage_task_cves.py OSASINFRA-12345 --no-transition \
    --release-note-text "This CVE was addressed upstream." \
    --release-note-type \
    --release-note-status
# Add a patch link to CVEs
python manage_task_cves.py OSASINFRA-12345 \
    --patch-url "https://github.com/org/repo/pull/123" \
    --patch-title "Fix for CVE-2024-1234"
# Transition CVEs to POST and task to POST
python manage_task_cves.py OSASINFRA-12345 --status POST --task-status POST
# Close CVEs and the parent task
python manage_task_cves.py OSASINFRA-12345 --close-task
# Close CVEs and task with patch link on both
python manage_task_cves.py OSASINFRA-12345 --close-task \
    --patch-url "https://github.com/org/repo/pull/123"
# Close task with custom resolution
python manage_task_cves.py OSASINFRA-12345 \
    --task-status Closed --task-resolution "Won't Fix"
# Process only Bug issues (not Vulnerabilities)
python manage_task_cves.py OSASINFRA-12345 --bugs-only --status POST
```

reset_cves.py:

```bash
# Dry run - see what would be reset
python reset_cves.py --dry-run
# Actually remove labels
python reset_cves.py
# Reset only a specific CVE
python reset_cves.py --cve CVE-2024-1234
# Reset issues from a file
python reset_cves.py -f issues.txt
# Also remove dependency and duplicate links
python reset_cves.py -f issues.txt --remove-links
# Transition issues back to ASSIGNED status
python reset_cves.py -f issues.txt --reassign
# Full reset: remove label, links, and reassign
python reset_cves.py -f issues.txt --remove-links --reassign
```

How dup_cve.py works:

```
┌─────────────────────────────────────────────────────────────┐
│ 1. Query unprocessed CVEs                                   │
│    - Status: New or Assigned                                │
│    - No processed label                                     │
│    - Matching configured downstream components              │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│ 2. Group by {component}:{cve_id}                            │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│ 3. For each CVE group:                                      │
│    a. Find/create Epic in OSASINFRA                         │
│    b. Query ALL CVEs for this CVE ID (version detection)    │
│    c. Determine version range: min → max CVE version        │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│ 4. For each version with CVEs:                              │
│    ├─ Create Task in OSASINFRA (with Epic Link)             │
│    ├─ Link Task to CVEs (is caused by)                      │
│    ├─ Set Target Backport Versions = Affects Version/s      │
│    └─ Add processed label to all CVEs                       │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│ 5. Create VERIFIED bug for next version after max CVE:      │
│    ├─ Create Task in OSASINFRA (with Epic Link)             │
│    ├─ Create VERIFIED Bug in OCPBUGS                        │
│    └─ Link Task → is related to → Bug                       │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│ 6. Create dependency chain (older depends on newer):        │
│    4.12 → depends on → 4.13 → depends on → 4.14             │
└─────────────────────────────────────────────────────────────┘
```
JQL queries used by dup_cve.py:

Unprocessed Vulnerabilities (step 1):

```
project = OCPBUGS AND type = Vulnerability
AND ("Downstream Component Name" ~ "comp1" OR "Downstream Component Name" ~ "comp2" ...)
AND labels != "{cve_processed_label}"
AND status IN (New, Assigned)
AND "CVE ID" ~ "{cve_filter}" -- only if --cve flag provided
```

Note that in JQL `labels != "x"` does not match issues whose labels field is empty, so a Vulnerability carrying no labels at all is not returned by this clause. If unlabelled Vulnerabilities can occur in your project, the clause needs an additional `OR labels IS EMPTY`.

All Vulnerabilities for a CVE ID, used for version detection (step 3b):

```
project = OCPBUGS AND type = Vulnerability
AND "CVE ID" ~ "{cve_id}"
AND ("Downstream Component Name" ~ "comp1" OR ...)
AND (status != Closed OR resolution IN (Duplicate, "Won't Do", "Not a Bug"))
```

Existing Epic lookup (step 3a):

```
project = OSASINFRA AND type = Epic
AND summary ~ "\"{cve_id} - {component}\""
```

Existing Task lookup (step 4):

```
project = OSASINFRA AND type = Task
AND summary ~ "\"{cve_id} - {component} - {version}\""
```

Existing Bug lookup (step 5):

```
project = OCPBUGS AND type = Bug
AND summary ~ "\"{cve_id} - {component} - {version}\""
```

The `~` operator is a text search, so these lookups return any issue whose summary contains the quoted phrase; the `type =` restriction is what keeps an Epic lookup from also matching the Tasks whose summaries start with the same phrase.

Resulting issue structure:

```
OSASINFRA:
├── Epic: CVE-2024-1234 - openstack-cinder
│   ├── Task: CVE-2024-1234 - openstack-cinder - 4.12 (Epic Link)
│   │   └── is caused by: CVE (Vulnerability) for 4.12
│   ├── Task: CVE-2024-1234 - openstack-cinder - 4.13 (Epic Link)
│   │   └── is caused by: CVE (Vulnerability) for 4.13
│   └── Task: CVE-2024-1234 - openstack-cinder - 4.14 (Epic Link)
│       └── is related to: VERIFIED Bug (CVE fixed in earlier version)
OCPBUGS (one VERIFIED bug for next version after max CVE):
└── Bug: CVE-2024-1234 - openstack-cinder - 4.14 (VERIFIED)
Dependency Chain (older depends on newer):
CVE-4.12 → depends on → CVE-4.13 → depends on → Bug-4.14
```

Link types:
| Source | Link Type | Target | Description |
|---|---|---|---|
| Task | Epic Link (field) | Epic | Tasks belong to the Epic |
| Task | is related to | Bug (ON_QA) | Task linked to created bug |
| Task | is caused by | CVE | Task is caused by the CVE |
| Older issue | depends on | Newer issue | Dependency chain |

Epic fields:

| Field | Value |
|---|---|
| Project | OSASINFRA |
| Issue Type | Epic |
| Summary | {CVE ID} - {component} |
| Epic Name | {CVE ID} - {component} |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Description | Grouping epic for bugs related to {CVE ID} - {component} |

Task fields:

| Field | Value |
|---|---|
| Project | OSASINFRA |
| Issue Type | Task |
| Summary | {CVE ID} - {component} - {version} |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Epic Link | Link to parent Epic |

Bug fields:

| Field | Value |
|---|---|
| Project | OCPBUGS |
| Issue Type | Bug |
| Summary | {CVE ID} - {component} - {version} |
| Component/s | Inherited from source CVE issues |
| Target Version | {version}.z (e.g., 4.14.z) |
| Security Level | Red Hat Employee |
| Assignee | User running the script |
| Status | Transitioned to VERIFIED |
- CVE versions: Tasks are created only for versions that have a reported Vulnerability
- VERIFIED bug: one Bug is created for the next version after the highest affected version
- That Bug records that the version already contains the fix, i.e. the CVE was fixed in an earlier version
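The version arithmetic behind steps 3c to 6, as an added example (not code from dup_cve.py), run on constructed input. It sorts affected versions numerically so that 4.9 sorts before 4.10, picks the first configured target version after the newest affected one for the VERIFIED bug, and builds the dependency chain with each older issue depending on the next newer one. The issue dicts, the target-version list and the field names `component`, `cve_id` and `version` are assumptions made for the example; it also covers the case the diagram does not show, a version with no Vulnerability between two affected versions, by skipping it (only versions with reported CVEs get Tasks).

```python
"""Version planning for one {component}:{cve_id} group.

Added example for this README, not code from dup_cve.py. The issue dicts,
the target-version list and the field names are constructed assumptions.
"""
from collections import defaultdict


def version_key(version: str) -> tuple:
    """Compare dotted versions numerically, so '4.9' sorts before '4.10'.
    A plain string sort would put '4.10' first and pick the wrong maximum."""
    return tuple(int(part) for part in version.split("."))


def group_cves(issues: list) -> dict:
    """Step 2: group Vulnerability issues by '{component}:{cve_id}'."""
    groups = defaultdict(list)
    for issue in issues:
        groups[f"{issue['component']}:{issue['cve_id']}"].append(issue)
    return dict(groups)


def plan_versions(group: list, target_versions: list) -> tuple:
    """Steps 3c to 5 for one group.

    Returns (cve_versions, verified_version): the affected versions sorted
    ascending (only these get Tasks) and the first configured target version
    after the newest affected one, which receives the VERIFIED bug. When the
    newest affected version is also the newest configured one there is
    nothing to verify and verified_version is None.
    """
    cve_versions = sorted({issue["version"] for issue in group}, key=version_key)
    if not cve_versions:
        return [], None
    newest = version_key(cve_versions[-1])
    later = [v for v in target_versions if version_key(v) > newest]
    verified = min(later, key=version_key) if later else None
    return cve_versions, verified


def dependency_chain(cve_versions: list, verified_version) -> list:
    """Step 6: (older, newer) pairs, each older issue depending on the next
    newer one, ending at the VERIFIED bug when there is one. Versions with
    no Vulnerability are skipped, so 4.10 depends directly on 4.12 when
    4.11 had none."""
    chain = list(cve_versions)
    if verified_version is not None:
        chain.append(verified_version)
    return list(zip(chain, chain[1:]))


def build_plan(cve_id: str, component: str, group: list, target_versions: list) -> dict:
    """The summaries the script searches for and creates, using its naming
    scheme, plus the {version}.z Target Version of the VERIFIED bug."""
    cve_versions, verified = plan_versions(group, target_versions)
    return {
        "epic": f"{cve_id} - {component}",
        "tasks": [f"{cve_id} - {component} - {v}" for v in cve_versions],
        "verified_bug": f"{cve_id} - {component} - {verified}" if verified else None,
        "bug_target_version": f"{verified}.z" if verified else None,
        "depends_on": dependency_chain(cve_versions, verified),
    }


# Constructed sample: one CVE reported against 4.9, 4.10 and 4.12 (none for
# 4.11), and a second CVE that only affects the newest configured version.
SAMPLE_ISSUES = [
    {"key": "OCPBUGS-1", "component": "openstack-cinder", "cve_id": "CVE-2024-1234", "version": "4.12"},
    {"key": "OCPBUGS-2", "component": "openstack-cinder", "cve_id": "CVE-2024-1234", "version": "4.9"},
    {"key": "OCPBUGS-3", "component": "openstack-cinder", "cve_id": "CVE-2024-1234", "version": "4.10"},
    {"key": "OCPBUGS-4", "component": "openstack-cinder", "cve_id": "CVE-2024-5678", "version": "4.14"},
]
# Constructed: the numeric target versions configured in Jira, in arbitrary order.
SAMPLE_TARGETS = ["4.14", "4.8", "4.9", "4.10", "4.11", "4.12", "4.13"]

if __name__ == "__main__":
    for name, group in group_cves(SAMPLE_ISSUES).items():
        component, cve_id = name.split(":", 1)
        print(name, build_plan(cve_id, component, group, SAMPLE_TARGETS))
```

For the first group the plan is Tasks for 4.9, 4.10 and 4.12, a VERIFIED bug for 4.13 with Target Version 4.13.z, and the chain 4.9 → 4.10 → 4.12 → 4.13; the second group gets a single Task and no bug, because 4.14 is the newest configured version.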
The script can be run multiple times safely:
- Existing Epics are reused (searched by summary)
- Existing Tasks are reused (searched by summary)
- Existing Bugs are reused (searched by summary)
- Already-processed CVEs are identified by the processed label and skipped
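Two details of the JQL queries and the reuse-by-summary behaviour described above are worth seeing in code: the `--cve` value is user input that is interpolated into a JQL string literal, and `summary ~` is a text search that can return issues whose summary merely contains the phrase. The following is an added example, not code from dup_cve.py or lib/jira_client.py; `FakeJira` is a constructed in-memory stand-in for the Jira client, the query shapes, project keys and field names follow this README, and the CVE ID validation and the exact-match filter are this example's own additions.

```python
"""JQL construction with input validation, and exact-match find-or-create.

Added example for this README, not project code. FakeJira is a constructed
stand-in for the Jira client in lib/jira_client.py.
"""
import re

# MITRE syntax: "CVE-" + four-digit year + four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_cve_id(cve_id: str) -> str:
    """The --cve flag ends up inside a JQL string literal; accept only a
    well-formed CVE ID so a stray quote or operator cannot alter the query."""
    cve_id = cve_id.strip().upper()
    if not CVE_ID_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return cve_id


def jql_str(value: str) -> str:
    """Quote a value as a JQL string literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def jql_phrase(value: str) -> str:
    """Quote a value as an exact-phrase text search for `summary ~`, the
    escaped-quotes form the README queries use. Quotes and backslashes are
    rejected rather than escaped because the phrase is nested in a literal."""
    if '"' in value or "\\" in value:
        raise ValueError("phrase must not contain quotes or backslashes")
    return '"\\"' + value + '\\""'


def unprocessed_cves_jql(components, processed_label, cve_filter=None) -> str:
    """Step 1 query: unlabelled Vulnerabilities for the configured downstream
    components, optionally narrowed to one validated CVE ID."""
    comp_clause = " OR ".join(
        f'"Downstream Component Name" ~ {jql_str(c)}' for c in components)
    clauses = [
        "project = OCPBUGS",
        "type = Vulnerability",
        f"({comp_clause})",
        f"labels != {jql_str(processed_label)}",
        "status IN (New, Assigned)",
    ]
    if cve_filter:
        clauses.append(f'"CVE ID" ~ {jql_str(validate_cve_id(cve_filter))}')
    return " AND ".join(clauses)


def summary_lookup_jql(project: str, issue_type: str, summary: str) -> str:
    """Epic/Task/Bug lookup: `summary ~` with the whole summary as a phrase.
    project and issue_type are script constants, so they are not escaped."""
    return f"project = {project} AND type = {issue_type} AND summary ~ {jql_phrase(summary)}"


class FakeJira:
    """Constructed stand-in for the Jira client. Its search emulates the
    property of `summary ~` that matters here: it is a text search and
    matches any summary CONTAINING the phrase, not only equal summaries."""

    def __init__(self):
        self.issues = {}
        self._next = 0

    def search_summary(self, project, issue_type, phrase):
        return [i for i in self.issues.values()
                if i["project"] == project and i["type"] == issue_type
                and phrase.lower() in i["summary"].lower()]

    def create(self, project, issue_type, summary):
        self._next += 1
        key = f"{project}-{self._next}"
        self.issues[key] = {"key": key, "project": project,
                            "type": issue_type, "summary": summary}
        return key


def find_or_create(jira, project, issue_type, summary, dry_run=False):
    """Idempotent create: reuse the issue whose summary is exactly `summary`,
    otherwise create it. Returns (key, created). Fuzzy hits with a different
    summary are ignored so a similarly named issue is never silently reused;
    in dry-run mode nothing is created and key is None."""
    hits = jira.search_summary(project, issue_type, summary)
    exact = [i for i in hits if i["summary"] == summary]
    if exact:
        return exact[0]["key"], False
    if dry_run:
        return None, True
    return jira.create(project, issue_type, summary), True


if __name__ == "__main__":
    print(unprocessed_cves_jql(["comp1", "comp2"], "cve-processed", "CVE-2024-1234"))
    jira = FakeJira()
    jira.create("OSASINFRA", "Epic", "Re: CVE-2024-1234 - openstack-cinder")  # fuzzy near-miss
    print(find_or_create(jira, "OSASINFRA", "Epic", "CVE-2024-1234 - openstack-cinder"))
    print(find_or_create(jira, "OSASINFRA", "Epic", "CVE-2024-1234 - openstack-cinder"))
```

Running the block twice against the same `FakeJira` creates the Epic once and then reuses it, while the pre-seeded issue whose summary only contains the phrase is neither reused nor duplicated; a `--cve` value such as `CVE-2024-1234" OR project = OTHER` is rejected before it reaches the query.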
| File | Description |
|---|---|
| dup_cve.py | Main script for CVE processing |
| manage_task_cves.py | Utility to manage CVEs linked to a task |
| inspect_issues.py | Utility to inspect issue status and links |
| reset_cves.py | Utility to remove processed labels |
| lib/jira_client.py | Jira API client wrapper |
| lib/jira_formatter.py | Field formatting utilities for Jira API requests |
| config.yaml | Configuration file (component mappings, labels) |
The config.yaml file contains:
- cve_processed_label: Label applied to processed CVE issues
- repo_to_component: Mapping of downstream repository names to component names
The script queries for Vulnerabilities matching the downstream components defined in repo_to_component.
To add support for new components, add entries to the repo_to_component section:
```yaml
repo_to_component:
  openshift4/ose-new-component-rhel9: openshift/new-component
```

Sample output:

```
2025-01-15 10:30:00 - Loaded config from config.yaml
2025-01-15 10:30:00 - Configured components: ['openshift4/ose-cloud-provider-openstack-rhel9', ...]
2025-01-15 10:30:01 - Found 50 numeric target versions
2025-01-15 10:30:01 - Querying Jira for Vulnerabilities...
2025-01-15 10:30:05 - Found 7 unprocessed Vulnerabilities
2025-01-15 10:30:05 - Found 2 CVE groups
2025-01-15 10:30:05 - Processing CVE group: openstack-cinder:CVE-2024-1234
2025-01-15 10:30:05 -   CVE: CVE-2024-1234, Component: openstack-cinder
2025-01-15 10:30:05 -   Found CVEs in versions: ['4.12', '4.13']
2025-01-15 10:30:05 -   Processing versions: ['4.12', '4.13', '4.14', '4.15', '4.16']
2025-01-15 10:30:06 -   Created Epic: OSASINFRA-99999
2025-01-15 10:30:07 -   Version 4.12:
2025-01-15 10:30:07 -     Created task: OSASINFRA-100000
2025-01-15 10:30:07 -     2 CVEs (1 new)
2025-01-15 10:30:07 -       OCPBUGS-11111 (already processed)
2025-01-15 10:30:08 -       Linked: OCPBUGS-22222
2025-01-15 10:30:09 -   Version 4.13:
2025-01-15 10:30:09 -     Created task: OSASINFRA-100001
2025-01-15 10:30:09 -     1 CVEs (1 new)
2025-01-15 10:30:09 -       Linked: OCPBUGS-33333
2025-01-15 10:30:10 -   Version 4.14:
2025-01-15 10:30:10 -     Created task: OSASINFRA-100002
2025-01-15 10:30:10 -     No CVEs, creating ON_QA bug
2025-01-15 10:30:11 -     Created bug: OCPBUGS-100003
2025-01-15 10:30:11 -     Transitioned OCPBUGS-100003 to ON_QA
...
======================================================================
SUMMARY (DRY RUN - no changes made)
======================================================================
TOTALS
----------------------------------------
  Epics: 2 (1 existing, 1 to create)
  Tasks: 10 (3 existing, 7 to create)
  Bugs: 6 (0 existing, 6 to create)
  CVEs: 5 to link
DETAILS BY CVE GROUP
----------------------------------------
[CVE-2024-1234] openstack-cinder
  Epic: OSASINFRA-99999
  Tasks (5): OSASINFRA-100000, OSASINFRA-100001, ... OSASINFRA-100004
  Bugs (3): OCPBUGS-100003, OCPBUGS-100004, OCPBUGS-100005
  CVEs (2): OCPBUGS-11111, OCPBUGS-22222
======================================================================
```