CVE Analysis

Analyzes HUM Jira issues with component Security (CVE-related). Fetches issues from Jira, extracts CVE links, and uses the MITRE CVE API to provide affected / not affected / fixed-in version information.

Features

  • CVE ID Extraction: Scans all Jira issue fields for cve.org links and bare CVE-YYYY-NNNN identifiers
  • CVE 5.0 Record Parsing: Fetches CVE records from the MITRE CVE API and parses affected versions, unaffected versions, and fixed-in data
  • Hummingbird Repo Check: Compares CVE version data against RPM versions in the Hummingbird package repo (x86_64 and aarch64)
  • Jira State Recommendations: Suggests tracker state and resolution based on the ProdSec tracker states table
  • Multiple Output Formats: Human-readable (default), JSON, or pretty-printed JSON
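The three steps those features describe (pull CVE IDs out of issue text, walk a CVE 5.0 record's `containers.cna.affected[].versions[]` entries, and compare the result with the version shipped in the repo) can be seen end to end in the following example. It is added here for illustration and is not the project's own code: the issue text and CVE record are constructed, the function names are invented, and deriving "fixed in" from the `lessThan` bound of an affected range plus the dotted-integer version ordering are simplifying assumptions of the example, not something the tool is documented to do.

```python
"""Added example (not part of hummingbird_tools): CVE ID extraction,
CVE 5.0 record parsing, and a repo-version check."""
import json
import re

# Bare IDs and the ID inside cve.org links such as
# https://www.cve.org/CVERecord?id=CVE-2026-1642 both match this pattern.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def extract_cve_ids(text: str) -> list[str]:
    """Return unique, upper-cased CVE IDs in order of first appearance."""
    found: list[str] = []
    for match in CVE_ID_RE.findall(text):
        cve_id = match.upper()
        if cve_id not in found:
            found.append(cve_id)
    return found


def version_key(version: str) -> tuple[int, ...]:
    """Order versions numerically (assumption: dotted integers only)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_cve_record(record: dict) -> dict:
    """Collect affected / unaffected / fixed-in data from a CVE 5.0 record.

    Walks containers.cna.affected[].versions[]. An 'affected' entry with a
    'lessThan' bound is treated as the range [version, lessThan), and that
    bound is reported as the fixed-in version (assumption of this example).
    """
    summary = {"affected": [], "unaffected": [], "fixed_in": [], "ranges": []}
    for product in record["containers"]["cna"].get("affected", []):
        for entry in product.get("versions", []):
            status = entry.get("status")
            version = entry.get("version")
            if status == "affected":
                summary["affected"].append(version)
                less_than = entry.get("lessThan")
                if less_than:
                    summary["fixed_in"].append(less_than)
                summary["ranges"].append((version, less_than))
            elif status == "unaffected":
                summary["unaffected"].append(version)
    return summary


def resolve_against_repo(summary: dict, repo_version: str) -> str:
    """Decide whether the shipped repo version falls in an affected range."""
    repo = version_key(repo_version)
    if repo_version in summary["unaffected"]:
        return "not affected"
    for start, less_than in summary["ranges"]:
        low = version_key(start)
        if less_than is None:
            if repo == low:          # single-version entry: exact match only
                return "affected"
        elif low <= repo < version_key(less_than):
            return "affected"
    return "not affected"


def analyze_issue(text: str, record: dict, repo_version: str) -> dict:
    """Combine the three steps into one result shaped like the JSON output."""
    summary = parse_cve_record(record)
    return {
        "cve_ids": extract_cve_ids(text),
        "affected": summary["affected"],
        "unaffected": summary["unaffected"],
        "fixed_in": summary["fixed_in"],
        "resolution": resolve_against_repo(summary, repo_version),
    }


# Constructed Jira issue text: a bare ID, a cve.org link, and a lowercase dup.
SAMPLE_ISSUE_TEXT = (
    "CVE-2026-1642 nginx: buffer overflow\n"
    "See https://www.cve.org/CVERecord?id=CVE-2026-1642 (also cve-2026-1642)."
)

# Constructed CVE 5.0 record, trimmed to the fields the parser reads.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-2026-1642"},
  "containers": {"cna": {"affected": [{
    "vendor": "example", "product": "nginx",
    "versions": [
      {"version": "1.27.0", "status": "affected",
       "lessThan": "1.27.4", "versionType": "semver"},
      {"version": "1.28.0", "status": "unaffected"}
    ]}]}}
}
""")

if __name__ == "__main__":
    print(json.dumps(analyze_issue(SAMPLE_ISSUE_TEXT, SAMPLE_RECORD, "1.29.0"), indent=2))
```

With the constructed record above, a repo version of 1.29.0 resolves to "not affected" (it is above the 1.27.4 bound), 1.27.2 resolves to "affected", and 1.28.0 is not affected because the record lists it explicitly.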

Prerequisites

  • Python 3.11 or later
  • Jira API token (Bearer or Basic auth)
  • Network access to issues.redhat.com, cveawg.mitre.org, and packages.redhat.com

Usage

# Token from environment
export JIRA_TOKEN=your_token
python3 -m hummingbird_tools.cve_analysis

# Token as argument
python3 -m hummingbird_tools.cve_analysis your_token

# JSON output, skip issues without CVE links
python3 -m hummingbird_tools.cve_analysis -o json-pretty --skip-no-cve

# Basic auth
python3 -m hummingbird_tools.cve_analysis --jira-user user@example.com

# Limit results
python3 -m hummingbird_tools.cve_analysis --max-results 50

Configuration

Option           Environment Variable   Description
JIRA_TOKEN       JIRA_TOKEN             Jira API or Bearer token (positional arg or env var)
--jira-url                              Jira base URL (default: https://issues.redhat.com)
--output, -o                            Output format: human, json, json-pretty
--skip-no-cve                           Omit issues that have no CVE link or ID
--jira-user                             Username for Basic auth (optional)
--max-results                           Max number of issues to fetch (default: 100)
                 SENTRY_DSN             Optional Sentry DSN for error tracking

Output

Human-Readable

Project: HUM  Component: Security
Issues: 2

  HUM-100: CVE-2026-1642 nginx: buffer overflow
    Jira current:    Open / (none)
    Jira resolved as: Closed / Notabug
    CVE: Affected versions: 1.27.0
    CVE: Not affected:       1.28.0
    CVE: Fixed in:           1.27.4
    CVE: Resolution:          not affected (hummingbird repo version: 1.29.0)

JSON

Each issue includes: key, summary, cve_ids, cves (with version and resolution data), jira_current (status/resolution), and jira_resolved_as (recommended state).

Development

See the main README for development workflows.

make hummingbird-tools/setup  # Install dependencies
make check                     # Lint code (ruff)
make test                      # Run unit tests

License

This project is licensed under the GNU General Public License v3.0 or later - see the LICENSE file for details.