advisory tiers

ed 2026-05-25 10:10:01 +00:00
parent f4f97b6cc3
commit 4e9ad781b6
3 changed files with 22 additions and 6 deletions


@ -1336,9 +1336,15 @@ using arguments or config files, or a mix of both:
sleep better at night by telling copyparty to periodically check whether your version has a [known vulnerability](https://github.com/9001/copyparty/security/advisories)
this feature can be enabled by setting the global-option `--vc-url` to one of the following URLs; all of them provide the same information, so which one you choose is whatever
* `https://api.copyparty.eu/advisories`
* `https://api.github.com/repos/9001/copyparty/security-advisories?per_page=9`
this feature can be enabled by setting the global-option `--vc-url` to one of the following URLs; choose what severity level you want to be notified for:
* `https://api.copyparty.eu/advisories-panic` -- only really bad stuff, the "UPGRADE NOW" kind
* `https://api.copyparty.eu/advisories` -- everything important / noteworthy, "upgrade when you can"
* `https://api.copyparty.eu/advisories-all` -- *everything*, including stuff that's unlikely to affect anyone
* `https://api.github.com/repos/9001/copyparty/security-advisories?per_page=9` -- same as `advisories-all`
note that `https://api.copyparty.eu/advisories` may (for example) skip some advisories rated `High` but include some `Low`; that's because an easily-reachable `Low` in a default-enabled feature is more severe than a `High` which is a theoretical bug in a contrived use of a fringe feature, but the CVE calculator would still classify that as `High`
if you want to use the github advisory feed but only care about advisories rated `medium`/`moderate` or higher, then global-option `--vc-sev medium` does that, but see previous paragraph
> to see what happens when a bad version is detected, try `--vc-url https://api.copyparty.eu/advisories-test`
@ -1354,6 +1360,7 @@ config file example:
vc-url: https://api.copyparty.eu/advisories
vc-age: 3 # how many hours to wait between each check
vc-exit # emergency-exit if current version is vulnerable
vc-sev: medium # only care about severity 'Medium'/'Moderate' or higher (github-only; don't use this with api.copyparty.eu)
```


@ -1237,6 +1237,7 @@ def add_general(ap, nc, srvname):
ap2.add_argument("--reload-sig", metavar="S", type=u, default=("" if ANYWIN else "USR1"), help="reload server config when unix-signal \033[33mS\033[0m is received; examples: [\033[32mSIGUSR1\033[0m], [\033[32mUSR1\033[0m], [\033[32m10\033[0m]")
ap2.add_argument("--vc-url", metavar="URL", type=u, default="", help="URL to check for vulnerable versions (default-disabled)")
ap2.add_argument("--vc-age", metavar="HOURS", type=int, default=3, help="how many hours to wait between vulnerability checks")
ap2.add_argument("--vc-sev", metavar="LEVEL", type=u, default="low", help="minimum severity to care about; one of these: \033[32mlow medium high critical\033[0m")
ap2.add_argument("--vc-exit", action="store_true", help="panic and exit if current version is vulnerable")
ap2.add_argument("--license", action="store_true", help="show licenses and exit")
ap2.add_argument("--version", action="store_true", help="show versions and exit")
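Review bot: The help text on the new `--vc-sev` line does not say that the option is only meaningful for the GitHub feed, which the README hunk in this same commit states explicitly (`github-only; don't use this with api.copyparty.eu`), and it omits `moderate`, which the `CVE_SEVS` table added elsewhere in this commit accepts as an alias for `medium`. Since the help string is the only place a user sees this at the command line, suggest `help="minimum severity to care about (github feed only; for api.copyparty.eu pick a feed tier instead); one of these: \033[32mlow medium/moderate high critical\033[0m"`. add_general continues outside the hunk.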


@ -119,6 +119,8 @@ VER_IDP_DB = 1
VER_SESSION_DB = 1
VER_SHARES_DB = 2
CVE_SEVS = {"low": 1, "medium": 2, "moderate": 2, "high": 3, "critical": 4}
class SvcHub(object):
"""
@ -298,6 +300,9 @@ class SvcHub(object):
self.log("root", "vc-age too low for copyparty.eu; will use 3 hours")
args.vc_age = zi
if args.vc_sev and args.vc_sev not in CVE_SEVS:
self.log("root", "vc-sev %r invalid; will use 'low'" % (args.vc_sev,), 3)
zs = ""
if args.th_ram_max < 0.22:
zs = "generate thumbnails"
@ -1948,6 +1953,7 @@ class SvcHub(object):
next_chk = 0
# self.args.vc_age = 2 / 60
fpath = os.path.join(self.E.cfg, "vuln_advisory.json")
minsev = CVE_SEVS.get(self.args.vc_sev, 0)
while not self.stopping:
now = time.time()
if now < next_chk:
@ -1991,10 +1997,13 @@ class SvcHub(object):
continue
try:
sver = "0.1"
advisories = json.loads(jtxt)
for adv in advisories:
if adv.get("state") == "closed":
continue
if CVE_SEVS.get(adv.get("severity"), 9) < minsev:
continue
vuln = {}
for x in adv["vulnerabilities"]:
if x["package"]["name"].lower() == "copyparty":
@ -2012,7 +2021,6 @@ class SvcHub(object):
if self.args.vc_exit:
self.sigterm()
return
else:
t = "%sok; v%s and newer is safe"
self.log("ver-chk", t % (src, sver), 2)
next_chk = time.time() + self.args.vc_age * 3600 - age
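Review bot: The severity filter added at `if CVE_SEVS.get(adv.get("severity"), 9) < minsev:` compares the feed's severity string case-sensitively, whereas the package name two lines below is normalized with `.lower()`; a feed that capitalizes severities (the README hunk in this commit itself writes `High`/`Low`) would map every advisory to 9 and the filter would silently pass everything. Suggest `if CVE_SEVS.get((adv.get("severity") or "").lower(), 9) < minsev:`, and a comment making the fallback deliberate, e.g. `# unknown/missing severity is never filtered out, so a changed feed format errs toward notifying`. Separately, the invalid-`--vc-sev` branch in the earlier hunk logs "will use 'low'" but, unlike the `args.vc_age = zi` line just above it, never assigns `args.vc_sev = "low"`; it works out only because `CVE_SEVS.get(self.args.vc_sev, 0)` later yields 0, so assigning it would make the message true and remove the hidden coupling. The enclosing methods begin and end outside these hunks.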