Ubuntu CVE Tracker

Merge ~alexmurray/ubuntu-cve-tracker:parse-patches-for-lp-1892523 into ubuntu-cve-tracker:master

Proposed by Alex Murray on 2021-09-21

Status:

Merged

Merged at revision:

fc1f947b23c1bfe73caa112ef879561b03115b7b

Proposed branch:

~alexmurray/ubuntu-cve-tracker:parse-patches-for-lp-1892523

Merge into:

ubuntu-cve-tracker:master

Diff against target:

2426 lines (+673/-190)

132 files modified

active/00boilerplate.firefox (+1/-1)
active/00boilerplate.mozjs (+8/-8)
active/CVE-2011-2896 (+1/-2)
active/CVE-2011-3170 (+1/-2)
active/CVE-2017-13803 (+1/-1)
active/CVE-2018-4133 (+1/-1)
active/CVE-2018-4233 (+1/-1)
active/CVE-2018-4299 (+1/-1)
active/CVE-2018-4359 (+1/-1)
active/CVE-2019-8611 (+1/-1)
active/CVE-2019-8622 (+1/-1)
active/CVE-2019-8623 (+1/-1)
active/CVE-2020-15660 (+1/-1)
active/CVE-2020-21913 (+1/-1)
active/CVE-2021-23963 (+1/-1)
active/CVE-2021-23964 (+1/-1)
active/CVE-2021-23968 (+1/-1)
active/CVE-2021-23969 (+1/-1)
active/CVE-2021-23970 (+1/-1)
active/CVE-2021-23971 (+1/-1)
active/CVE-2021-23972 (+1/-1)
active/CVE-2021-23973 (+1/-1)
active/CVE-2021-23974 (+1/-1)
active/CVE-2021-23975 (+1/-1)
active/CVE-2021-23976 (+1/-1)
active/CVE-2021-23977 (+1/-1)
active/CVE-2021-23978 (+1/-1)
active/CVE-2021-23979 (+1/-1)
active/CVE-2021-23981 (+1/-1)
active/CVE-2021-23982 (+1/-1)
active/CVE-2021-23983 (+1/-1)
active/CVE-2021-23984 (+1/-1)
active/CVE-2021-23985 (+1/-1)
active/CVE-2021-23986 (+1/-1)
active/CVE-2021-23987 (+1/-1)
active/CVE-2021-23988 (+1/-1)
active/CVE-2021-23994 (+1/-1)
active/CVE-2021-23995 (+1/-1)
active/CVE-2021-23996 (+1/-1)
active/CVE-2021-23997 (+1/-1)
active/CVE-2021-23998 (+1/-1)
active/CVE-2021-23999 (+1/-1)
active/CVE-2021-24000 (+1/-1)
active/CVE-2021-24001 (+1/-1)
active/CVE-2021-24002 (+1/-1)
active/CVE-2021-29945 (+1/-1)
active/CVE-2021-29946 (+1/-1)
active/CVE-2021-29947 (+1/-1)
active/CVE-2021-29952 (+1/-1)
active/CVE-2021-29955 (+1/-1)
active/CVE-2021-29959 (+1/-1)
active/CVE-2021-29960 (+1/-1)
active/CVE-2021-29961 (+1/-1)
active/CVE-2021-29962 (+1/-1)
active/CVE-2021-29963 (+1/-1)
active/CVE-2021-29964 (+1/-1)
active/CVE-2021-29965 (+1/-1)
active/CVE-2021-29966 (+1/-1)
active/CVE-2021-29967 (+1/-1)
active/CVE-2021-29968 (+1/-1)
active/CVE-2021-29970 (+1/-1)
active/CVE-2021-29971 (+1/-1)
active/CVE-2021-29972 (+1/-1)
active/CVE-2021-29973 (+1/-1)
active/CVE-2021-29974 (+1/-1)
active/CVE-2021-29975 (+1/-1)
active/CVE-2021-29976 (+1/-1)
active/CVE-2021-29977 (+1/-1)
active/CVE-2021-29980 (+1/-1)
active/CVE-2021-29981 (+1/-1)
active/CVE-2021-29982 (+1/-1)
active/CVE-2021-29983 (+1/-1)
active/CVE-2021-29984 (+1/-1)
active/CVE-2021-29985 (+1/-1)
active/CVE-2021-29986 (+1/-1)
active/CVE-2021-29987 (+1/-1)
active/CVE-2021-29988 (+1/-1)
active/CVE-2021-29989 (+1/-1)
active/CVE-2021-29990 (+1/-1)
active/CVE-2021-29991 (+1/-1)
active/CVE-2021-38491 (+1/-1)
active/CVE-2021-38492 (+1/-1)
active/CVE-2021-38493 (+1/-1)
active/CVE-2021-38494 (+1/-1)
ignored/CVE-2021-29953 (+1/-1)
retired/CVE-2011-4330 (+1/-1)
retired/CVE-2014-1739 (+1/-1)
retired/CVE-2014-2580 (+1/-1)
retired/CVE-2014-4508 (+1/-1)
retired/CVE-2014-7843 (+1/-1)
retired/CVE-2015-6252 (+1/-1)
retired/CVE-2015-7799 (+1/-1)
retired/CVE-2015-8543 (+1/-1)
retired/CVE-2016-1784 (+1/-1)
retired/CVE-2016-2143 (+1/-1)
retired/CVE-2016-4735 (+1/-1)
retired/CVE-2016-7039 (+1/-1)
retired/CVE-2016-7598 (+1/-1)
retired/CVE-2017-0794 (+1/-1)
retired/CVE-2017-10810 (+1/-1)
retired/CVE-2017-12134 (+1/-1)
retired/CVE-2017-14106 (+1/-1)
retired/CVE-2017-7482 (+1/-1)
retired/CVE-2017-7645 (+1/-1)
retired/CVE-2017-7895 (+1/-1)
retired/CVE-2017-7979 (+1/-1)
retired/CVE-2018-5344 (+1/-1)
retired/CVE-2018-7566 (+1/-1)
retired/CVE-2020-16048 (+1/-1)
scripts/check-syntax (+29/-16)
scripts/cve_lib.py (+20/-3)
scripts/html_export.py (+5/-12)
scripts/publish-cves-to-website-api.py (+1/-3)
scripts/report-pending-fixes (+4/-6)
scripts/sync-bugs-kernel.py (+16/-23)
scripts/test_cve_lib.py (+2/-0)
test/okay/cve-id-N7.json (+3/-1)
test/okay/cve-id-NNNN.json (+3/-1)
test/okay/patches-missing-1 (+26/-0)
test/okay/patches-missing-1.json (+54/-0)
test/okay/patches-missing-2 (+35/-0)
test/okay/patches-missing-2.json (+88/-0)
test/okay/patches-missing-3 (+36/-0)
test/okay/patches-missing-3.json (+90/-0)
test/okay/patches-missing-4 (+36/-0)
test/okay/patches-missing-4.json (+90/-0)
test/okay/priority-critical.json (+3/-1)
test/okay/priority-high.json (+3/-1)
test/okay/priority-low.json (+3/-1)
test/okay/priority-medium.json (+4/-2)
test/okay/priority-negligible.json (+3/-1)
test/okay/priority-untriaged.json (+3/-1)

Related bugs:

Bug #1892523: cve_lib patches structure

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Steve Beattie	2021-09-21	Approve on 2021-09-21
Albert Kolozsvari	2021-09-21	Pending
Review via email: mp+408919@code.launchpad.net

Description of the change

To fix https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1892523

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-09-21:

I've not poked through this entirely, but on a couple of specific CVEs:

On Tue, Sep 21, 2021 at 05:09:27AM -0000, Alex Murray wrote:
> diff --git a/active/CVE-2011-2896 b/active/CVE-2011-2896
> index 14aab42..3e21273 100644
> --- a/active/CVE-2011-2896
> +++ b/active/CVE-2011-2896
> @@ -29,7 +29,6 @@ CVSS:
>
> Patches_cups:
> upstream: http://cups.org/str.php?L3867
> - upstream: r9840

That's a subversion revision number. Unfortunately, it looks like apple
based their github conversion on an internal tree that merged in changes
from upstream cups back in 2011, so it appears the original commit is
lost.

Based on one of the packages where it was fixed in Ubuntu
(https://launchpad.net/ubuntu/+source/cups/1.4.6-5ubuntu1.4) we can see
what the patches look like for the two cups cves.

For this one, given the merging behavior described above, the closest git commit I could find
for this issue is:

https://github.com/apple/cups/commit/771bd8cbffe1ffb06d90b2c7f00191830e6b738c

Also, http://cups.org/str.php?L3867 should probably be moved to the bugs
section (and maybe replaced with its current github location).

> upstream_cups: released (1.4.7)
> hardy_cups: DNE
> lucid_cups: released (1.4.3-1ubuntu1.5)
> diff --git a/active/CVE-2011-3170 b/active/CVE-2011-3170
> index ab01c3d..0fb2405 100644
> --- a/active/CVE-2011-3170
> +++ b/active/CVE-2011-3170
> @@ -24,7 +24,6 @@ CVSS:
>
> Patches_cups:
> upstream: http://cups.org/str.php?L3914
> - upstream: r9865
> upstream_cups: released (1.5.0-8)
> hardy_cups: DNE
> lucid_cups: released (1.4.3-1ubuntu1.5)

Similarly, the only reference I could find in the current cups git repo
is again

https://github.com/apple/cups/commit/771bd8cbffe1ffb06d90b2c7f00191830e6b738c

or a48458814a4c26a6430b27105c0ab747c907473f (a merge of 1.6 devel cycle
which contains even more extraneous stuff).

And same point about the bug reference, too.

All the other deletions of DNE and not-affected look good, as well as
the cleaned up break-fix entry.

--
Steve Beattie
<email address hidden>

I've not poked through this entirely, but on a couple of specific CVEs:

On Tue, Sep 21, 2021 at 05:09:27AM -0000, Alex Murray wrote:
> diff --git a/active/CVE-2011-2896 b/active/CVE-2011-2896
> index 14aab42..3e21273 100644
> --- a/active/CVE-2011-2896
> +++ b/active/CVE-2011-2896
> @@ -29,7 +29,6 @@ CVSS:
>  
>  Patches_cups:
>   upstream: http://cups.org/str.php?L3867
> - upstream: r9840

Based on one of the packages where it was fixed in Ubuntu
(https://launchpad.net/ubuntu/+source/cups/1.4.6-5ubuntu1.4) we can see
what the patches look like for the two cups cves.

For this one, given the merging behavior described above, the closest git commit I could find
for this issue is:

https://github.com/apple/cups/commit/771bd8cbffe1ffb06d90b2c7f00191830e6b738c

Also, http://cups.org/str.php?L3867 should probably be moved to the bugs
section (and maybe replaced with its current github location).

>  upstream_cups: released (1.4.7)
>  hardy_cups: DNE
>  lucid_cups: released (1.4.3-1ubuntu1.5)
> diff --git a/active/CVE-2011-3170 b/active/CVE-2011-3170
> index ab01c3d..0fb2405 100644
> --- a/active/CVE-2011-3170
> +++ b/active/CVE-2011-3170
> @@ -24,7 +24,6 @@ CVSS:
>  
>  Patches_cups:
>   upstream: http://cups.org/str.php?L3914
> - upstream: r9865
>  upstream_cups: released (1.5.0-8)
>  hardy_cups: DNE
>  lucid_cups: released (1.4.3-1ubuntu1.5)

Similarly, the only reference I could find in the current cups git repo
is again

https://github.com/apple/cups/commit/771bd8cbffe1ffb06d90b2c7f00191830e6b738c

or a48458814a4c26a6430b27105c0ab747c907473f (a merge of 1.6 devel cycle
which contains even more extraneous stuff).

And same point about the bug reference, too.

All the other deletions of DNE and not-affected look good, as well as
the cleaned up break-fix entry.

-- 
Steve Beattie
<sbeattie@ubuntu.com>

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-09-21:

Thanks for the reviews Steve and for chasing down some more useful patch links - I've added these in 5d5cb999c5 and removed the http://cups.org/str.php?L3867 etc entries from under Patches_cups: as they were already duplicated in Bugs:.

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-09-21:

Download full text (14.9 KiB)

Comments and a question inline; modulo the answer to the question,
I'm okay with this patch set.

Thanks.

On Tue, Sep 21, 2021 at 05:09:27AM -0000, Alex Murray wrote:
> index 384fb7e..b3224c0 100755
> --- a/scripts/check-syntax
> +++ b/scripts/check-syntax
> @@ -812,23 +812,36 @@ for cve in args:
> )
> cve_okay = False
>
> - # Check to make sure all patch references match the type:reference
> - # pattern
> - for key in data.keys():
> - if "Patches_" in key and len(data[key]) > 0:
> - for line in re.split("\n", data[key]):
> - patch_type = re.split(":", line)[0]
> - if re.search("http", patch_type):
> - print(
> - "%s: %d: patch reference %s doesn't contain a type modifier (e.g. upstream:)"
> - % (cvepath, srcmap[key] if key in srcmap else 1, key),
> - file=sys.stderr,
> - )
> - cve_okay = False
> - if re.search("patch", patch_type):
> + for pkg in data["patches"]:
> + for index, value in enumerate(data["patches"][pkg]):
> + patch_type, patch = data["patches"][pkg][index]
> + # validate break-fix entries as 'I?hash|-|local-|URL' and
> + # others should be a URL - but don't bother with retired
> + # CVEs as these have a lot of old cruft
> + if patch_type == "break-fix":
> + try:
> + bfre = "^(-|I?[a-f0-9]{1,40}|local-[A-Za-z0-9-]+|https?://.*)$"
> + breaks, fixes = patch.split(' ', 1)
> + # breaks and fixes can contain multiple entries separated by |
> + for brk in breaks.split('|'):
> + if re.match(bfre, brk) is None:
> + raise ValueError("invalid break entry '%s':" % brk)
> + # fixes can contain multiple entries separated by |
> + for fix in fixes.split('|'):
> + if re.match(bfre, fix) is None:
> + raise ValueError("invalid fix entry '%s':" % fix)
> + except Exception as e:
> + print(
> + "%s: %d: invalid break-fix entry: '%s': %s"
> + % (cvepath, srcmap["patches"][pkg][index], patch, e),
> + file=sys.stderr,
> + )
> + cve_okay = False
> + elif not "retired/" in cvepath:

It would possibly be okay to check retired CVEs when --strict is passed.

Comments and a question inline; modulo the answer to the question,
I'm okay with this patch set.

Thanks.

On Tue, Sep 21, 2021 at 05:09:27AM -0000, Alex Murray wrote:
> index 384fb7e..b3224c0 100755
> --- a/scripts/check-syntax
> +++ b/scripts/check-syntax
> @@ -812,23 +812,36 @@ for cve in args:
>                  )
>                  cve_okay = False
>  
> -    # Check to make sure all patch references match the type:reference
> -    # pattern
> -    for key in data.keys():
> -        if "Patches_" in key and len(data[key]) > 0:
> -            for line in re.split("\n", data[key]):
> -                patch_type = re.split(":", line)[0]
> -                if re.search("http", patch_type):
> -                    print(
> -                        "%s: %d: patch reference %s doesn't contain a type modifier (e.g. upstream:)"
> -                        % (cvepath, srcmap[key] if key in srcmap else 1, key),
> -                        file=sys.stderr,
> -                    )
> -                    cve_okay = False
> -                if re.search("patch", patch_type):
> +    for pkg in data["patches"]:
> +        for index, value in enumerate(data["patches"][pkg]):
> +            patch_type, patch = data["patches"][pkg][index]
> +            # validate break-fix entries as 'I?hash|-|local-|URL' and
> +            # others should be a URL - but don't bother with retired
> +            # CVEs as these have a lot of old cruft
> +            if patch_type == "break-fix":
> +                try:
> +                    bfre = "^(-|I?[a-f0-9]{1,40}|local-[A-Za-z0-9-]+|https?://.*)$"
> +                    breaks, fixes = patch.split(' ', 1)
> +                    # breaks and fixes can contain multiple entries separated by |
> +                    for brk in breaks.split('|'):
> +                        if re.match(bfre, brk) is None:
> +                            raise ValueError("invalid break entry '%s':" % brk)
> +                    # fixes can contain multiple entries separated by |
> +                    for fix in fixes.split('|'):
> +                        if re.match(bfre, fix) is None:
> +                            raise ValueError("invalid fix entry '%s':" % fix)
> +                except Exception as e:
> +                        print(
> +                            "%s: %d: invalid break-fix entry: '%s': %s"
> +                            % (cvepath, srcmap["patches"][pkg][index], patch, e),
> +                            file=sys.stderr,
> +                        )
> +                        cve_okay = False
> +            elif not "retired/" in cvepath:

It would possibly be okay to check retired CVEs when --strict is passed.

> +                if "://" not in patch:
>                      print(
> -                        "%s: %d: invalid type modifier in %s, please use upstream:, vendor:, debdiff:, other:, etc."
> -                        % (cvepath, srcmap[key] if key in srcmap else 1, key),
> +                        "%s: %d: invalid patch URL '%s'"
> +                        % (cvepath, srcmap["patches"][pkg][index], patch),
>                          file=sys.stderr,
>                      )
>                      cve_okay = False
> diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
> index c706a61..88dd326 100755
> --- a/scripts/cve_lib.py
> +++ b/scripts/cve_lib.py
> @@ -1195,6 +1195,8 @@ def load_cve(cve, strict=False, subprojects=list(), srcmap=None):
>      srcmap.setdefault('pkgs', dict())
>      srcmap.setdefault('tags', dict())
>      data.setdefault('tags', dict())
> +    srcmap.setdefault('patches', dict())
> +    data.setdefault('patches', dict())
>      affected = dict()
>      non_ubuntu_affected = dict()
>      lastfield = None
> @@ -1220,6 +1222,17 @@ def load_cve(cve, strict=False, subprojects=list(), srcmap=None):
>                      code, newmsg = notes_parser.parse_line(cve, line, linenum, code)
>                      if code != EXIT_OKAY:
>                          msg += newmsg
> +                elif 'Patches_' in lastfield:
> +                    try:
> +                        _, pkg = lastfield.split('_', 1)
> +                        patch_type, entry = line.split(':', 1)
> +                        patch_type = patch_type.strip()
> +                        entry = entry.strip()
> +                        data['patches'][pkg].append((patch_type, entry))
> +                        srcmap['patches'][pkg].append(linenum)
> +                    except Exception as e:
> +                        msg += "%s: %d: Failed to parse '%s' entry %s: %s\n" % (cve, linenum, lastfield, line, e)
> +                        code = EXIT_FAIL
>                  elif lastfield == 'CVSS':
>                      source, vector = line.split(':', 1)
>                      try:
> @@ -1280,15 +1293,19 @@ def load_cve(cve, strict=False, subprojects=list(), srcmap=None):
>                  msg += "%s: %d: unknown Priority '%s'\n" % (cve, linenum, value)
>                  code = EXIT_FAIL
>          elif 'Patches_' in field:
> -            '''These are raw fields'''
>              try:
>                  foo, pkg = field.split('_', 1)
>              except ValueError:
>                  msg += "%s: %d: bad field with 'Patches_': '%s'\n" % (cve, linenum, field)
>                  code = EXIT_FAIL
>                  continue
> -            data.setdefault(field, value)
> -            srcmap.setdefault(field, linenum)
> +            # value should be empty
> +            if len(value) > 0:
> +                msg += "%s: %d: '%s' field should have no value\n" % (cve, linenum, field)
> +                code = EXIT_FAIL
> +                continue
> +            data['patches'].setdefault(pkg, list())
> +            srcmap['patches'].setdefault(pkg, list())

So one consequence here is that the patches gets populated with empty
lists for every package in the CVE, whether it has a reference to a
patch or not, unlike how tags are handled. For example, using Albert's
example CVE in the motivating bug report, we get:

In [1]: import cve_lib

In [2]: cve_lib.load_cve('active/CVE-2012-4542')
  Out[2]: 
  {'tags': {'linux-armadaxp': {'not-ue'},
    'linux-lts-quantal': {'not-ue'},
    'linux-lts-saucy': {'not-ue'}},
   'patches': {'linux': [('vendor',
      'https://oss.oracle.com/git/gitweb.cgi?p=redpatch.git;a=commitdiff;h=76a274e17114abf1a77de6b651424648ce9e10c8'),
     ('vendor', 'http://rhn.redhat.com/errata/RHSA-2013-0496.html'),
     ('vendor', 'http://rhn.redhat.com/errata/RHSA-2013-0579.html'),
     ('vendor', 'http://rhn.redhat.com/errata/RHSA-2013-0882.html'),
     ('vendor', 'http://rhn.redhat.com/errata/RHSA-2013-0928.html')],
    'linux-ec2': [],
    'linux-mvl-dove': [],
    'linux-ti-omap4': [],
    'linux-lts-backport-maverick': [],
    'linux-fsl-imx51': [],
    'linux-lts-backport-oneiric': [],
    'linux-linaro-omap': [],
    'linux-linaro-shared': [],
    'linux-linaro-vexpress': [],
    'linux-qcm-msm': [],
    'linux-armadaxp': [],
  [ rest elided ]

Is that what we want? It makes programmatic manipulation later on
easier (because the entry list will always exist to append to),
but it also means your exporters have to check the length for each
to see if there's anything to export.

>          elif 'Tags_' in field:
>              '''These are processed into the "tags" hash'''
>              try:
> diff --git a/scripts/html_export.py b/scripts/html_export.py
> index 066ffea..0253eaa 100755
> --- a/scripts/html_export.py
> +++ b/scripts/html_export.py
> @@ -272,16 +272,10 @@ def htmlize_cve(cvefile, outfd, commit=None):
>              print('</td></tr>', file=outfd)
>          print('</table>', file=outfd)
>  
> -        patches = 'Patches_%s' % (pkg)
> -        if patches in data:
> -            entries = data[patches]
> -            if entries != "":
> -                print('<div class="patches">Patches:</div>', file=outfd)
> -                print('<table class="table table-responsive patches">', file=outfd)
> -            for patch in entries.split('\n'):
> -                if not ':' in patch:
> -                    continue
> -                source, url = patch.split(':', 1)
> +        if len(data['patches'][pkg]) > 0:
> +            print('<div class="patches">Patches:</div>', file=outfd)
> +            print('<table class="table table-responsive patches">', file=outfd)
> +            for source, url in data['patches'][pkg]:
>                  # We need to handle the line info first, since it may have
>                  # additional info as (master) or something else after the patch
>                  # url.
> @@ -304,8 +298,7 @@ def htmlize_cve(cvefile, outfd, commit=None):
>                          print('<tr><td>%s:</td><td><a href="%s">%s %s</a></td></tr>' % (escape(source).capitalize(), url.replace('"', '%22'), escape(url), url_additional_info), file=outfd)
>                      else:
>                          print('<tr><td>%s:</td><td>%s</td></tr>' % (escape(source).capitalize(), escape(url)), file=outfd)
> -            if entries != "":
> -                print('</table>', file=outfd)
> +            print('</table>', file=outfd)
>  
>          # tags
>          urlregex = re.compile(r"(http[^\s]+)")
> diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
> index b5dddab..65c2a4f 100755
> --- a/scripts/publish-cves-to-website-api.py
> +++ b/scripts/publish-cves-to-website-api.py
> @@ -40,9 +40,7 @@ def get_tags(cve_data, pkg):
>      return list(cve_data['tags'].get(pkg, list()))
>  
>  def get_patches(cve_data, pkg):
> -    patches_str = cve_data.get(f'Patches_{pkg}', "")
> -    return [line for line in patches_str.split('\n') if line]
> -
> +    return [ patch_type + ": " + entry for patch_type, entry in cve_data['patches'].get(pkg, list())]

Not needed for this patchset, but it would be good if we could be
smarter about our local break-fix entries where there's an alternation
(e.g. $UPSTREAM_HASH|local-CVE-fix ), where maybe we only report the
upstream hash to the web api.

Ideally I'd like to come up with some way to surface the local commits
to point reverse engineer them back to pointers to the commits in
the ubuntu kernel git repos, for transparency.

(See the recent merge request from Kees updating some of the kernel
break-fix entries.)

>  def get_devel_codename(cve_releases):
>      for skip_release in ['upstream', 'devel', 'product', 'snap']:
> diff --git a/scripts/report-pending-fixes b/scripts/report-pending-fixes
> index ca7b7f4..6800f10 100755
> --- a/scripts/report-pending-fixes
> +++ b/scripts/report-pending-fixes
> @@ -67,12 +67,10 @@ for name in cves:
>              report += " %s %s %s %s" % (opt.pkg, rel, state, version)
>  
>          if opt.fixes:
> -            patch_section = 'Patches_%s' % ('linux' if opt.pkg in cve_lib.kernel_srcs else opt.pkg)
> -            if patch_section in cve:
> -                for line in cve[patch_section].split('\n'):
> -                    line.strip()
> -                    if line.lstrip().startswith('break-fix:'):
> -                        report += '\n %s' % line.split()[2]
> +            pkg = 'linux' if opt.pkg in cve_lib.kernel_srcs else opt.pkg
> +            for (patch_type, patch) in cve['patches'][pkg]:
> +                if patch_type == 'break-fix':
> +                        report += '\n %s' % patch.split()[1]

It probably would have been helpful if the author of this code had
left a comment explaining that because we only record break-fix
entries for the primary 'linux' source package, when we're looking
what fixes are pending for a different (derived) kernel, we need to
pull the fixing hashes out of the primary kernel.

>          if opt.descriptions:
>              desc = cve['Ubuntu-Description'].strip()
> diff --git a/scripts/sync-bugs-kernel.py b/scripts/sync-bugs-kernel.py
> index a379f8b..67b1bf9 100755
> --- a/scripts/sync-bugs-kernel.py
> +++ b/scripts/sync-bugs-kernel.py

This script is not used anymore, we used to need to have a corresponding
launchpad bug for each kernel cve and keep the states in sync in both
directions.

Hopefully we won't ever have to bring this back.

> @@ -283,8 +283,8 @@ def add_uct_sha(data, src, sha_pair_to_add):
>  
>      raise ValueError("TODO")
>  
> -    if value.strip() != data.get(patchfield, ''):
> -        data[patchfield] = cve_lib.update_multiline_field('%s/%s' % (cve_lib.active_dir, data['Candidate']), patchfield, value)
> +    # if value.strip() != data.get(patchfield, ''):
> +    #     data[patchfield] = cve_lib.update_multiline_field('%s/%s' % (cve_lib.active_dir, data['Candidate']), patchfield, value)
>  
>  
>  def del_uct_sha(data, src, sha_pair_to_remove):
> @@ -298,8 +298,8 @@ def del_uct_sha(data, src, sha_pair_to_remove):
>  
>      raise ValueError("TODO")
>  
> -    if value.strip() != data.get(patchfield, ''):
> -        data[patchfield] = cve_lib.update_multiline_field('%s/%s' % (cve_lib.active_dir, data['Candidate']), patchfield, value)
> +    # if value.strip() != data.get(patchfield, ''):
> +    #     data[patchfield] = cve_lib.update_multiline_field('%s/%s' % (cve_lib.active_dir, data['Candidate']), patchfield, value)
>  
>  # FIXME: there is a lot of copy/paste loop code here to walk the bug
>  # task vs uct status maps. This should probably be generalized into a
> @@ -454,24 +454,18 @@ def _update_description_from_uct(bug, tasks, data):
>              # a full abort is not needed.
>              continue
>  
> -        if 'Patches_%s' % (src) in data:
> -            for line in data['Patches_%s' % (src)].splitlines():
> -                if ':' not in line:
> -                    continue
> -                field, value = line.strip().split(':', 1)
> -                field = field.strip()
> -                if field not in ['upstream', 'break-fix']:
> -                    continue
> -                value = value.strip()
> -                broken = None
> -                sha = None
> -                if field == 'upstream':
> -                    broken = '-'
> -                    sha = _extract_sha(value)
> -                if field == 'break-fix' and ' ' in value:
> -                    broken, sha = [_extract_sha(x) for x in value.split(' ', 1)]
> -                if sha:
> -                    shas.append((broken, sha))
> +        for (field, value) in data['patches'][src]:
> +            if field not in ['upstream', 'break-fix']:
> +                continue
> +            broken = None
> +            sha = None
> +            if field == 'upstream':
> +                broken = '-'
> +                sha = _extract_sha(value)
> +            if field == 'break-fix' and ' ' in value:
> +                broken, sha = [_extract_sha(x) for x in value.split(' ', 1)]
> +            if sha:
> +                shas.append((broken, sha))
>  
>      description = data['Description'].strip().replace('\n', ' ').strip()
>      if description == "":
> @@ -525,7 +519,6 @@ def sync_new_bug(bug, tasks, data):
>      touched = False
>      if opt.debug:
>          print("\tsync new bug", file=sys.stderr)
> -    shas = []
>      for src in data['pkgs']:
>          if src not in cve_lib.kernel_srcs:
>              continue

-- 
Steve Beattie
<sbeattie@ubuntu.com>

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-09-21:

Tags do always get processed from what I can see in a very similar manner - if no Tags_foo are found then the source package 'foo' won't exist in data['tags'] - so if you have an empty Tags_foo: entry then data['tags']['foo'] will be an empty set.

The difference in this case is the boilerplates etc all contain empty Patches_foo: entries (but there is no corresponding Tags_foo:) so we will always get empty lists for each 'foo' in the data['patches']['foo'] - ie the parsing matches the underlying CVE file. Which seems more correct IMO but I am not really fussed either way.

I added the --strict check for retired CVEs in ffc1c94acb.

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-09-21:

Download full text (19.6 KiB)

On Tue, Sep 21, 2021 at 09:11:46AM -0000, Alex Murray wrote:
> Tags do always get processed from what I can see in a very similar
> manner - if no Tags_foo are found then the source package 'foo' won't
> exist in data['tags'] - so if you have an empty Tags_foo: entry then
> data['tags']['foo'] will be an empty set.
>
> The difference in this case is the boilerplates etc all contain empty
> Patches_foo: entries (but there is no corresponding Tags_foo:) so we
> will always get empty lists for each 'foo' in the data['patches']['foo']
> - ie the parsing matches the underlying CVE file. Which seems more
> correct IMO but I am not really fussed either way.

Yeah, not really fussed, just wanted to think about the implications.
>
> I added the --strict check for retired CVEs in ffc1c94acb.

Thanks.

Okay to merge with the following patches applied; though we should
convert the json into yaml so we can encode python tuples into the
comparison structure, which is why I don't have any test cases with
actual patch entries in them. You can run just the parsing tests
(skipping most of the CVSS test time) by doing:

pytest-3 ./scripts/test_cve_lib.py -k TestParseCVEFiles

(It'd be good to add/make tests conformant with check-syntax, so that
the equivalent of

find test/okay/ -type f -a -not -name "*.json" -print0 | xargs -0 ./scripts/check-syntax

could be done as tests.)

From 9d6c895e62e57661c48c3096f701905c421db8d8 Mon Sep 17 00:00:00 2001
From: Steve Beattie <email address hidden>
Date: Tue, 21 Sep 2021 08:19:55 -0700
Subject: [PATCH 1/2] cve_lib tests: update for patches restructuring

Signed-off-by: Steve Beattie <email address hidden>
---
test/okay/cve-id-N7.json | 4 +++-
test/okay/cve-id-NNNN.json | 4 +++-
test/okay/priority-critical.json | 4 +++-
test/okay/priority-high.json | 4 +++-
test/okay/priority-low.json | 4 +++-
test/okay/priority-medium.json | 6 ++++--
test/okay/priority-negligible.json | 4 +++-
test/okay/priority-untriaged.json | 4 +++-
8 files changed, 25 insertions(+), 9 deletions(-)

Yeah, not really fussed, just wanted to think about the implications.
>
> I added the --strict check for retired CVEs in ffc1c94acb.

Thanks.

pytest-3 ./scripts/test_cve_lib.py -k TestParseCVEFiles

(It'd be good to add/make tests conformant with check-syntax, so that
the equivalent of

find test/okay/ -type f -a -not -name "*.json" -print0 | xargs -0 ./scripts/check-syntax

could be done as tests.)

From 9d6c895e62e57661c48c3096f701905c421db8d8 Mon Sep 17 00:00:00 2001
From: Steve Beattie <steve.beattie@canonical.com>
Date: Tue, 21 Sep 2021 08:19:55 -0700
Subject: [PATCH 1/2] cve_lib tests: update for patches restructuring

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
---
 test/okay/cve-id-N7.json           | 4 +++-
 test/okay/cve-id-NNNN.json         | 4 +++-
 test/okay/priority-critical.json   | 4 +++-
 test/okay/priority-high.json       | 4 +++-
 test/okay/priority-low.json        | 4 +++-
 test/okay/priority-medium.json     | 6 ++++--
 test/okay/priority-negligible.json | 4 +++-
 test/okay/priority-untriaged.json  | 4 +++-
 8 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/test/okay/cve-id-N7.json b/test/okay/cve-id-N7.json
index 071d883086..b246c169a1 100644
--- a/test/okay/cve-id-N7.json
+++ b/test/okay/cve-id-N7.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-1234567",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/cve-id-NNNN.json b/test/okay/cve-id-NNNN.json
index e0cf3cfb99..9c6411fb42 100644
--- a/test/okay/cve-id-NNNN.json
+++ b/test/okay/cve-id-NNNN.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-1234",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/priority-critical.json b/test/okay/priority-critical.json
index d2b7ba2ee9..6c960ab506 100644
--- a/test/okay/priority-critical.json
+++ b/test/okay/priority-critical.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0001",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/priority-high.json b/test/okay/priority-high.json
index 315cd84fd9..d2088c1a03 100644
--- a/test/okay/priority-high.json
+++ b/test/okay/priority-high.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0001",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/priority-low.json b/test/okay/priority-low.json
index 332e089ee4..4674b3ea8e 100644
--- a/test/okay/priority-low.json
+++ b/test/okay/priority-low.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0003",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/priority-medium.json b/test/okay/priority-medium.json
index 9b08b9f928..e3b5227918 100644
--- a/test/okay/priority-medium.json
+++ b/test/okay/priority-medium.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0001",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
@@ -51,4 +53,4 @@
       ]
     }
   }
-}
\ No newline at end of file
+}
diff --git a/test/okay/priority-negligible.json b/test/okay/priority-negligible.json
index 64c288fbbf..f940c73137 100644
--- a/test/okay/priority-negligible.json
+++ b/test/okay/priority-negligible.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0002",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
diff --git a/test/okay/priority-untriaged.json b/test/okay/priority-untriaged.json
index 3ae7ed0203..f4c977fcdb 100644
--- a/test/okay/priority-untriaged.json
+++ b/test/okay/priority-untriaged.json
@@ -1,5 +1,8 @@
 {
   "tags": {},
+  "patches": {
+     "ppp": []
+  },
   "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
   "Candidate": "CVE-2020-0001",
   "CRD": "2020-08-04 17:00:00 UTC",
@@ -14,7 +17,6 @@
   "Discovered-by": "",
   "Assigned-to": "",
   "CVSS": [],
-  "Patches_ppp": "",
   "pkgs": {
     "ppp": {
       "upstream": [
-- 
2.32.0

From 7a2747f9c2af4496ca87d30022d74ec7f60c8172 Mon Sep 17 00:00:00 2001
From: Steve Beattie <steve.beattie@canonical.com>
Date: Tue, 21 Sep 2021 09:01:56 -0700
Subject: [PATCH 2/2] cve_lib tests: add additional tests for missing patches
 entries

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
---
 scripts/test_cve_lib.py          |  2 +
 test/okay/patches-missing-1      | 26 +++++++++
 test/okay/patches-missing-1.json | 54 +++++++++++++++++++
 test/okay/patches-missing-2      | 35 +++++++++++++
 test/okay/patches-missing-2.json | 88 +++++++++++++++++++++++++++++++
 test/okay/patches-missing-3      | 36 +++++++++++++
 test/okay/patches-missing-3.json | 90 ++++++++++++++++++++++++++++++++
 test/okay/patches-missing-4      | 36 +++++++++++++
 test/okay/patches-missing-4.json | 90 ++++++++++++++++++++++++++++++++
 9 files changed, 457 insertions(+)
 create mode 100644 test/okay/patches-missing-1
 create mode 100644 test/okay/patches-missing-1.json
 create mode 100644 test/okay/patches-missing-2
 create mode 100644 test/okay/patches-missing-2.json
 create mode 100644 test/okay/patches-missing-3
 create mode 100644 test/okay/patches-missing-3.json
 create mode 100644 test/okay/patches-missing-4
 create mode 100644 test/okay/patches-missing-4.json

diff --git a/scripts/test_cve_lib.py b/scripts/test_cve_lib.py
index 7cd8244a1c..7147b6e147 100755
--- a/scripts/test_cve_lib.py
+++ b/scripts/test_cve_lib.py
@@ -71,6 +71,8 @@ PARSE_OKAY_TESTS = [
     "priority-negligible", "priority-low", "priority-medium",
     "priority-high", "priority-critical", "priority-untriaged",
     'cve-id-NNNN', 'cve-id-N7',
+    "patches-missing-1", "patches-missing-2", "patches-missing-3",
+    "patches-missing-4",
 ]
 
 # these are tests located the 'bad' subdirectory that cve_lib should
diff --git a/test/okay/patches-missing-1 b/test/okay/patches-missing-1
new file mode 100644
index 0000000000..81f8d3f8d0
--- /dev/null
+++ b/test/okay/patches-missing-1
@@ -0,0 +1,26 @@
+PublicDateAtUSN: 2020-08-04 17:00:00 UTC
+Candidate: CVE-2020-0001
+CRD: 2020-08-04 17:00:00 UTC
+PublicDate: 2020-08-04 17:00:00 UTC
+References: 
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001
+Description: 
+ test when patches entry is missing
+Ubuntu-Description: 
+Notes: 
+Mitigation: 
+Bugs: 
+Priority: medium
+Discovered-by:
+Assigned-to:
+CVSS:
+
+
+upstream_ppp: needs-triage
+precise/esm_ppp: needed
+trusty_ppp: ignored (out of standard support)
+trusty/esm_ppp: needed
+xenial_ppp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_ppp: released (2.4.7-2+2ubuntu1.3)
+focal_ppp: released (2.4.7-2+4.1ubuntu5.1)
+devel_ppp: released (2.4.7-2+4.1ubuntu6)
diff --git a/test/okay/patches-missing-1.json b/test/okay/patches-missing-1.json
new file mode 100644
index 0000000000..4dc6073076
--- /dev/null
+++ b/test/okay/patches-missing-1.json
@@ -0,0 +1,54 @@
+{
+  "tags": {},
+  "patches": {},
+  "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
+  "Candidate": "CVE-2020-0001",
+  "CRD": "2020-08-04 17:00:00 UTC",
+  "PublicDate": "2020-08-04 17:00:00 UTC",
+  "References": "\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001",
+  "Description": "\ntest when patches entry is missing",
+  "Ubuntu-Description": "",
+  "Notes": [],
+  "Mitigation": "",
+  "Bugs": "",
+  "Priority": "medium",
+  "Discovered-by": "",
+  "Assigned-to": "",
+  "CVSS": [],
+  "pkgs": {
+    "ppp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "needed",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    }
+  }
+}
diff --git a/test/okay/patches-missing-2 b/test/okay/patches-missing-2
new file mode 100644
index 0000000000..bf29047c62
--- /dev/null
+++ b/test/okay/patches-missing-2
@@ -0,0 +1,35 @@
+PublicDateAtUSN: 2020-08-04 17:00:00 UTC
+Candidate: CVE-2020-0001
+CRD: 2020-08-04 17:00:00 UTC
+PublicDate: 2020-08-04 17:00:00 UTC
+References: 
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001
+Description: 
+ test when patches entry is missing
+Ubuntu-Description: 
+Notes: 
+Mitigation: 
+Bugs: 
+Priority: medium
+Discovered-by:
+Assigned-to:
+CVSS:
+
+
+upstream_ppp: needs-triage
+precise/esm_ppp: needed
+trusty_ppp: ignored (out of standard support)
+trusty/esm_ppp: needed
+xenial_ppp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_ppp: released (2.4.7-2+2ubuntu1.3)
+focal_ppp: released (2.4.7-2+4.1ubuntu5.1)
+devel_ppp: released (2.4.7-2+4.1ubuntu6)
+
+upstream_pptp: needs-triage
+precise/esm_pptp: needed
+trusty_pptp: ignored (out of standard support)
+trusty/esm_pptp: not-affected
+xenial_pptp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_pptp: released (2.4.7-2+2ubuntu1.3)
+focal_pptp: released (2.4.7-2+4.1ubuntu5.1)
+devel_pptp: released (2.4.7-2+4.1ubuntu6)
diff --git a/test/okay/patches-missing-2.json b/test/okay/patches-missing-2.json
new file mode 100644
index 0000000000..c4714d1b42
--- /dev/null
+++ b/test/okay/patches-missing-2.json
@@ -0,0 +1,88 @@
+{
+  "tags": {},
+  "patches": {},
+  "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
+  "Candidate": "CVE-2020-0001",
+  "CRD": "2020-08-04 17:00:00 UTC",
+  "PublicDate": "2020-08-04 17:00:00 UTC",
+  "References": "\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001",
+  "Description": "\ntest when patches entry is missing",
+  "Ubuntu-Description": "",
+  "Notes": [],
+  "Mitigation": "",
+  "Bugs": "",
+  "Priority": "medium",
+  "Discovered-by": "",
+  "Assigned-to": "",
+  "CVSS": [],
+  "pkgs": {
+    "ppp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "needed",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    },
+    "pptp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "not-affected",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    }
+  }
+}
diff --git a/test/okay/patches-missing-3 b/test/okay/patches-missing-3
new file mode 100644
index 0000000000..bcb93a9877
--- /dev/null
+++ b/test/okay/patches-missing-3
@@ -0,0 +1,36 @@
+PublicDateAtUSN: 2020-08-04 17:00:00 UTC
+Candidate: CVE-2020-0001
+CRD: 2020-08-04 17:00:00 UTC
+PublicDate: 2020-08-04 17:00:00 UTC
+References: 
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001
+Description: 
+ test when patches entry is missing
+Ubuntu-Description: 
+Notes: 
+Mitigation: 
+Bugs: 
+Priority: medium
+Discovered-by:
+Assigned-to:
+CVSS:
+
+
+Patches_ppp:
+upstream_ppp: needs-triage
+precise/esm_ppp: needed
+trusty_ppp: ignored (out of standard support)
+trusty/esm_ppp: needed
+xenial_ppp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_ppp: released (2.4.7-2+2ubuntu1.3)
+focal_ppp: released (2.4.7-2+4.1ubuntu5.1)
+devel_ppp: released (2.4.7-2+4.1ubuntu6)
+
+upstream_pptp: needs-triage
+precise/esm_pptp: needed
+trusty_pptp: ignored (out of standard support)
+trusty/esm_pptp: not-affected
+xenial_pptp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_pptp: released (2.4.7-2+2ubuntu1.3)
+focal_pptp: released (2.4.7-2+4.1ubuntu5.1)
+devel_pptp: released (2.4.7-2+4.1ubuntu6)
diff --git a/test/okay/patches-missing-3.json b/test/okay/patches-missing-3.json
new file mode 100644
index 0000000000..846d6b1eb6
--- /dev/null
+++ b/test/okay/patches-missing-3.json
@@ -0,0 +1,90 @@
+{
+  "tags": {},
+  "patches": {
+     "ppp": []
+  },
+  "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
+  "Candidate": "CVE-2020-0001",
+  "CRD": "2020-08-04 17:00:00 UTC",
+  "PublicDate": "2020-08-04 17:00:00 UTC",
+  "References": "\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001",
+  "Description": "\ntest when patches entry is missing",
+  "Ubuntu-Description": "",
+  "Notes": [],
+  "Mitigation": "",
+  "Bugs": "",
+  "Priority": "medium",
+  "Discovered-by": "",
+  "Assigned-to": "",
+  "CVSS": [],
+  "pkgs": {
+    "ppp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "needed",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    },
+    "pptp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "not-affected",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    }
+  }
+}
diff --git a/test/okay/patches-missing-4 b/test/okay/patches-missing-4
new file mode 100644
index 0000000000..4c1395a8bb
--- /dev/null
+++ b/test/okay/patches-missing-4
@@ -0,0 +1,36 @@
+PublicDateAtUSN: 2020-08-04 17:00:00 UTC
+Candidate: CVE-2020-0001
+CRD: 2020-08-04 17:00:00 UTC
+PublicDate: 2020-08-04 17:00:00 UTC
+References: 
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001
+Description: 
+ test when patches entry is missing
+Ubuntu-Description: 
+Notes: 
+Mitigation: 
+Bugs: 
+Priority: medium
+Discovered-by:
+Assigned-to:
+CVSS:
+
+
+upstream_ppp: needs-triage
+precise/esm_ppp: needed
+trusty_ppp: ignored (out of standard support)
+trusty/esm_ppp: needed
+xenial_ppp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_ppp: released (2.4.7-2+2ubuntu1.3)
+focal_ppp: released (2.4.7-2+4.1ubuntu5.1)
+devel_ppp: released (2.4.7-2+4.1ubuntu6)
+
+Patches_pptp:
+upstream_pptp: needs-triage
+precise/esm_pptp: needed
+trusty_pptp: ignored (out of standard support)
+trusty/esm_pptp: not-affected
+xenial_pptp: released (2.4.7-1+2ubuntu1.16.04.3)
+bionic_pptp: released (2.4.7-2+2ubuntu1.3)
+focal_pptp: released (2.4.7-2+4.1ubuntu5.1)
+devel_pptp: released (2.4.7-2+4.1ubuntu6)
diff --git a/test/okay/patches-missing-4.json b/test/okay/patches-missing-4.json
new file mode 100644
index 0000000000..6a9ba18e7f
--- /dev/null
+++ b/test/okay/patches-missing-4.json
@@ -0,0 +1,90 @@
+{
+  "tags": {},
+  "patches": {
+     "pptp": []
+  },
+  "PublicDateAtUSN": "2020-08-04 17:00:00 UTC",
+  "Candidate": "CVE-2020-0001",
+  "CRD": "2020-08-04 17:00:00 UTC",
+  "PublicDate": "2020-08-04 17:00:00 UTC",
+  "References": "\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0001",
+  "Description": "\ntest when patches entry is missing",
+  "Ubuntu-Description": "",
+  "Notes": [],
+  "Mitigation": "",
+  "Bugs": "",
+  "Priority": "medium",
+  "Discovered-by": "",
+  "Assigned-to": "",
+  "CVSS": [],
+  "pkgs": {
+    "ppp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "needed",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    },
+    "pptp": {
+      "upstream": [
+        "needs-triage",
+        ""
+      ],
+      "precise/esm": [
+        "needed",
+        ""
+      ],
+      "trusty": [
+        "ignored",
+        "out of standard support"
+      ],
+      "trusty/esm": [
+        "not-affected",
+        ""
+      ],
+      "xenial": [
+        "released",
+        "2.4.7-1+2ubuntu1.16.04.3"
+      ],
+      "bionic": [
+        "released",
+        "2.4.7-2+2ubuntu1.3"
+      ],
+      "focal": [
+        "released",
+        "2.4.7-2+4.1ubuntu5.1"
+      ],
+      "devel": [
+        "released",
+        "2.4.7-2+4.1ubuntu6"
+      ]
+    }
+  }
+}
-- 
2.32.0

-- 
Steve Beattie
<sbeattie@ubuntu.com>

Revision history for this message

Steve Beattie (sbeattie) on 2021-09-21:

review: Approve

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-09-22:

Awesome - thanks for the test sbeattie - I have added those commits to this branch.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alex Murray

Aravind

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

1	diff --git a/active/00boilerplate.firefox b/active/00boilerplate.firefox
2	index 7192bea..81491c7 100644
3	--- a/active/00boilerplate.firefox
4	+++ b/active/00boilerplate.firefox
5	@@ -65,7 +65,7 @@ focal_mozjs68: needs-triage
6	hirsute_mozjs68: DNE
7	devel_mozjs68: DNE
8
9	-Patches_mozjs78: DNE
10	+Patches_mozjs78:
11	upstream_mozjs78: needs-triage
12	trusty_mozjs78: DNE
13	trusty/esm_mozjs78: DNE
14	diff --git a/active/00boilerplate.mozjs b/active/00boilerplate.mozjs
15	index 020a8f3..6ca78f3 100644
16	--- a/active/00boilerplate.mozjs
17	+++ b/active/00boilerplate.mozjs
18	@@ -11,7 +11,7 @@ Discovered-by: DNE
19	Assigned-to:
20	CVSS:
21
22	-Patches_mozjs: DNE
23	+Patches_mozjs:
24	upstream_mozjs: needs-triage
25	trusty_mozjs: ignored (out of standard support)
26	trusty/esm_mozjs: DNE
27	@@ -21,7 +21,7 @@ focal_mozjs: DNE
28	hirsute_mozjs: DNE
29	devel_mozjs: DNE
30
31	-Patches_mozjs17: DNE
32	+Patches_mozjs17:
33	upstream_mozjs17: needs-triage
34	trusty_mozjs17: ignored (out of standard support)
35	trusty/esm_mozjs17: DNE
36	@@ -31,7 +31,7 @@ focal_mozjs17: DNE
37	hirsute_mozjs17: DNE
38	devel_mozjs17: DNE
39
40	-Patches_mozjs24: DNE

Ubuntu CVE Tracker

Merge ~alexmurray/ubuntu-cve-tracker:parse-patches-for-lp-1892523 into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers