Bug 1624909

Summary: CVE numbers above 9999 are rejected as invalid
Product: [Retired] Beaker
Reporter: Alicja Kario <hkario>
Component: command line
Assignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: high
Priority: medium
Version: develop
CC: dcallagh, kvolny
Target Milestone: 26.0
Keywords: Patch, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-10-08 02:16:44 UTC
Type: Bug

Description Alicja Kario 2018-09-03 14:54:14 UTC
Description of problem:
When using beaker-wizard, CVE-2018-12384 is rejected as not a valid CVE number.

Version-Release number of selected component (if applicable):
beaker-client-25.5-1.fc27eng.noarch

How reproducible:
always

Steps to Reproduce:
1. start beaker-wizard
2. modify the "Bug or CVE numbers"
3. provide "CVE-2018-12384" as the number

Actual results:
[2018-12384 is not a valid bug or cve number, what about None?] CVE-2018-12384
Supply one or more bug or CVE numbers (e.g. 123456 or 2009-7890). Use
the '+' sign to add the bugs instead of replacing the current list.
[2018-12384 is not a valid bug or cve number, what about None?]

Expected results:
CVE number accepted (the current specification of CVEs does not limit the length of the number – e.g. DWF assigns numbers in the 1000000 range)

Additional info:

Comment 1 Roman Joost 2018-09-04 07:20:14 UTC
Dear Hubert,

thank you for your bug report. Yes, it seems that the length of the CVE number is restricted:

RegExpCVE        = re.compile("^\d{4}-\d{4}$")

Perhaps changing it to:

re.compile("^\d{4}-\d{4,7}$")

according to: https://cve.mitre.org/cve/identifiers/syntaxchange.html

will still validate, but give room for the change?

Comment 2 Alicja Kario 2018-09-04 09:52:56 UTC
from the article:
> CVE IDs can now have four or more digits in the sequence number portion of the ID.

so, no, limit to 7 digits is not ok, it needs to be unlimited or some very high limit

Comment 3 Roman Joost 2018-09-05 03:55:26 UTC
Ah dang... yes. I guess for whatever reason I missed the arbitrary in:

  CVE prefix + Year + Arbitrary Digits

I guess then the regexp becomes just:

re.compile("^\d{4}-\d+$")

Comment 4 Matt Tyson 🤬 2018-09-05 04:11:36 UTC
It should reject CVEs with < 4 digits in the final section as they are not valid. So the regex should be:

^\d{4}-\d{4,}$

Comment 5 Roman Joost 2018-09-05 04:12:44 UTC
Hah of course. Good point Matt!
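
The patterns from Comments 1, 3 and 4, compared against constructed sample IDs. This is an added example, not Beaker's code; it assumes Python 3, and the `STRICT` pattern and the helper names are hypothetical additions that show two edge cases the thread does not discuss (`$` tolerating a trailing newline and `\d` accepting non-ASCII digits).

```python
import re

# Patterns quoted in the thread; they match the ID with the "CVE-" prefix removed.
CANDIDATES = {
    "original":  r"^\d{4}-\d{4}$",     # beaker-client 25.5, quoted in Comment 1
    "comment 1": r"^\d{4}-\d{4,7}$",   # first proposal, capped at 7 digits
    "comment 3": r"^\d{4}-\d+$",       # no lower bound on the sequence number
    "comment 4": r"^\d{4}-\d{4,}$",    # four or more digits
}

# Hypothetical stricter variant (an assumption, not the Beaker fix): ASCII
# digits only, used with fullmatch() so "$" cannot skip a trailing newline.
STRICT = re.compile(r"\d{4}-\d{4,}", re.ASCII)

# Constructed sample inputs.
SAMPLES = [
    "2009-7890",                      # classic four-digit sequence number
    "2018-12384",                     # the ID from this report
    "2018-1000001",                   # seven digits
    "2018-10000001",                  # eight digits
    "2018-123",                       # too short, not a valid CVE ID
    "2018-12384\n",                   # trailing newline
    "2018-\u0661\u0662\u0663\u0664",  # Arabic-Indic digits
]

def accepted_by(pattern):
    """Return the set of samples that the given pattern string accepts."""
    rx = re.compile(pattern)
    return {s for s in SAMPLES if rx.match(s)}

def strict_accepts(value):
    """True if value is YYYY-NNNN... in ASCII digits with nothing after it."""
    return STRICT.fullmatch(value) is not None

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(f"{name:10} {pattern:18} {sorted(accepted_by(pattern))!r}")
    print("strict    ", [s for s in SAMPLES if strict_accepts(s)])
```
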

Comment 7 Dan Callaghan 2018-09-28 05:56:21 UTC
This bug was fixed on the release-25 branch, but the next release will be Beaker 26.0.

Comment 8 Dan Callaghan 2018-10-08 02:16:44 UTC
Beaker 26.0 has been released.

Comment 9 Renan Rodrigo Barbosa 2019-09-30 12:45:05 UTC
*** Bug 1555256 has been marked as a duplicate of this bug. ***