Re: [LTP] [PATCH v3 1/2] doc: generate CVE catalog documentation

[Sachin Sant <sachinp@linux.ibm.com>]

>> Add a Sphinx builder hook to parse runtest/cve and generate a
>> comprehensive CVE catalog in a single documentation file.
>>
>> The implementation:
>> - Parses runtest/cve to extract CVE IDs, test names, and options
>> - Generates a single CVE catalog file (_static/cves.rst) containing:
> Please use just 'cve.rst' instead of 'cves.rst'. The plural is not
> providing any info here.
Sure, will change the name.
>> +def generate_cve_catalog(_):
>> +    """
>> +    Generate CVE catalog in a single file. Parse runtest/cve file and
>> +    generate documentation with links to CVE databases and test sources.
>> +    Similar to test_catalog, creates a single _static/cves.rst file with
>> +    all CVE information.
>> +    """
>> +    output = '_static/cves.rst'
>> +    runtest_cve = '../runtest/cve'
>> +
>> +    # Parse runtest/cve file
>> +    cve_data = {}
>> +    cve_pattern = re.compile(r'^(cve-(\d{4})-\d+)\s+(\S+)(?:\s+(.*))?$')
> Do we need a regexp for this? The runtest file is well defining the
> following structure:
Yeah, we may not need a regexp here.
>
>    <cve-id> <binary> <arg0> <arg1> ..
>
> We only need to split lines which are not starting with # char,
> considering space as separator.
got it. Will include this change in the next version.
>> +
>> +        text.extend([
>> +            f'This test reproduces the vulnerability described in {cve_id}.',
>> +            'The test verifies that the system is properly patched against',
>> +            'this known security vulnerability.',
>> +            '',
>> +            f'* **CVE Year:** {cve_info["year"]}',
>> +            f'* **Test Command:** {test_cmd}',
>> +            '',
>> +            '.. raw:: html',
>> +            '',
>> +            '    <hr>',
>> +            '',
>> +        ])
> All this text is redundant and occupying space for no reason.
> Also I'm not sure about this approach, now we have tests list duplication
> inside the documentation.
>
> What about generating only a simple reference table? There are only 3
> information we need: CVE ID, test binary, year.
>
> | ID | Test name | Year |
> -------------------------
> | .. |    ..     |  ..  |
>
> etc..
Okay. Do we need year in the column since the CVE name also has year.
For cve.rst, I implemented the same logic as tests.rst.

A separate entry for CVE catalog.
Once a user clicks on this option it will expand with a list of 
individual CVE pages
in the left pane. Each entry follows the following format

<CVE ID> ( <Test Name> )

Based on review comments how should the page look like?

A separate entry for CVE catalog.
Once a user clicks on this option it will display the CVE list in 
tabular format
sorted by year. The table will follow (assuming Year to be retained)

| ID | Test name | Year |
-------------------------
| .. |    ..     |  ..  |


Test name will point to an entry in Test catalog.
No individual pages required for each CVE.

Can you confirm?
> There's no need to have a direct link to the CVE, since we already pointing
Okay. I can make this change. I followed the earlier

Thanks for the review.

-- 
Thanks
- Sachin



-- 
Mailing list info: https://lists.linux.it/listinfo/ltp