RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

add instructions for rejecting published CVEs #84

Closed raboof closed 3 months ago

raboof commented 3 months ago

Currently,

$ cve reject CVE-2024-31861
ERROR: 403 Client Error: Forbidden for url: https://cveawg.mitre.org/api/cve-id/CVE-2024-31861?state=REJECTED
DETAILS: {'error': 'CANNOT_CHANGE_CVE_ID_WITH_RECORD', 'message': 'A record was found for CVE-2024-31861. A CVE ID cannot be changed once a record exists for it. Instead, it changes according to the record.'}

It might be nice to recognize this error and instruct the user to use cve reject CVE-2024-31861 -f rejection-body.json
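One way the CLI could recognize this backend error and point the user at the record-based reject, as an added illustration that is not cvelib's own code (the `reject_hint` helper and the constructed JSON body are assumptions; the error code and message are the ones shown above):

```python
import json
from typing import Optional

# Error code CVE Services returns (per the output above) when a state-only
# reject is attempted on a CVE ID that already has a published record.
CANNOT_CHANGE_WITH_RECORD = "CANNOT_CHANGE_CVE_ID_WITH_RECORD"

# Constructed sample of the 403 response body, built from the message above.
SAMPLE_BODY = json.dumps({
    "error": CANNOT_CHANGE_WITH_RECORD,
    "message": "A record was found for CVE-2024-31861. A CVE ID cannot be "
               "changed once a record exists for it. Instead, it changes "
               "according to the record.",
})


def reject_hint(status_code: int, body: str, cve_id: str) -> Optional[str]:
    """Return an actionable hint for a failed `cve reject`, or None when the
    failure is not the known 'record already exists' case.

    Hypothetical helper: `body` is the raw HTTP response body from CVE
    Services, expected to be JSON with 'error' and 'message' keys.
    """
    if status_code != 403:
        return None
    try:
        details = json.loads(body)
    except json.JSONDecodeError:
        return None  # not a structured CVE Services error; let caller report it
    if not isinstance(details, dict):
        return None
    if details.get("error") != CANNOT_CHANGE_WITH_RECORD:
        return None
    return (
        f"{cve_id} already has a published record, so it cannot be rejected by "
        f"changing its state alone. Submit a reject record instead:\n"
        f"  cve reject {cve_id} -f rejection-body.json\n"
        f"See `cve reject -h` for details."
    )


if __name__ == "__main__":
    print(reject_hint(403, SAMPLE_BODY, "CVE-2024-31861"))
```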

mprpic commented 3 months ago

@raboof What would you expect the output to be instead of the current backend error message? Note that this condition is mentioned in cve reject -h:

...A published CVE can only be rejected with an accompanying record...

I would almost argue that the error message from CVE Services should simply be improved to note that a published CVE record can only be rejected by providing a reject record, since "Instead, it changes according to the record." sounds a bit ambiguous.

raboof commented 3 months ago

> @raboof What would you expect the output to be instead of the current backend error message? Note that this condition is mentioned in cve reject -h:
>
> ...A published CVE can only be rejected with an accompanying record...

Ah, that documentation is indeed pretty great, but I totally missed it ;).

> I would almost argue that the error message from CVE Services should simply be improved to note that a published CVE record can only be rejected by providing a reject record, since "Instead, it changes according to the record." sounds a bit ambiguous.

As a data point, what I did after encountering this error was:

Perhaps it would be neat to end the error reporting with a generic "See cve <command> -h ", like #85?