Merge into master : binary-versions : lp:~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker : Git : Code : Ubuntu CVE Tracker

Status:

Merged

Merge reported by:

Alex Murray

Merged at revision:

93d06bc49a2b3a8e45f22609d3216746dc724a94

Proposed branch:

~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:binary-versions

Merge into:

ubuntu-cve-tracker:master

Diff against target:

135 lines (+43/-7)

2 files modified

scripts/sis-changes (+22/-7)
scripts/sis-generate-usn (+21/-0)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Jamie Strandboge (community)	2019-08-29	Approve on 2019-09-03
Steve Beattie	2019-08-29	Pending
Review via email: mp+371983@code.launchpad.net

Description of the change

Ensure binary package versions listed in USNs are correct.

This resolves https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1841848 by having sis-changes export the actual binary package version from launchpad to a json file, and then having sis-generate-usn import this json file to override the source package version with this binary version when available.

A quick test doing a fake USN for libreoffice from the Ubuntu archive:

$ SRCPKG=libreoffice; $UCT/scripts/sis-changes --ppa ubuntu --download /tmp/pending $SRCPKG;
$ cd /tmp/pending
$ USN=100000-1; $UCT/scripts/sis-generate-usn $USN *.changes > ~/new-usn.sh.orig

$ cd $UCT
$ git checkout binary-versions # is this branch
$ cd /tmp/pending
$ USN=100000-1; $UCT/scripts/sis-generate-usn $USN *.changes > ~/new-usn.sh

$ diff ~/new-usn.sh.orig ~/new-usn.sh
< usn.py $DB $USN --release bionic --package fonts-opensymbol --binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package fonts-opensymbol --binary-version 2:102.10+LibO6.0.7-0ubuntu0.18.04.9
183,184c183,184
< usn.py $DB $USN --release bionic --package libreoffice-mysql-connector --binary-version 1:6.0.7-0ubuntu0.18.04.9
< usn.py $DB $USN --release bionic --package libreoffice-nlpsolver --binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package libreoffice-mysql-connector --binary-version 1.0.2+LibO6.0.7-0ubuntu0.18.04.9
> usn.py $DB $USN --release bionic --package libreoffice-nlpsolver --binary-version 0.9+LibO6.0.7-0ubuntu0.18.04.9
206c206
< usn.py $DB $USN --release bionic --package libreoffice-wiki-publisher --binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package libreoffice-wiki-publisher --binary-version 1.2.0+LibO6.0.7-0ubuntu0.18.04.9
211,212c211,212
< usn.py $DB $USN --release bionic --package uno-libs3 --binary-version 1:6.0.7-0ubuntu0.18.04.9
< usn.py $DB $USN --release bionic --package ure --binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package uno-libs3 --binary-version 6.0.7-0ubuntu0.18.04.9
> usn.py $DB $USN --release bionic --package ure --binary-version 6.0.7-0ubuntu0.18.04.9
215c215
< usn.py $DB $USN --release disco --package fonts-opensymbol --binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package fonts-opensymbol --binary-version 2:102.10+LibO6.2.6-0ubuntu0.19.04.1
244c244
< usn.py $DB $USN --release disco --package libreoffice-nlpsolver --binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package libreoffice-nlpsolver --binary-version 0.9+LibO6.2.6-0ubuntu0.19.04.1
271c271
< usn.py $DB $USN --release disco --package libreoffice-wiki-publisher --binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package libreoffice-wiki-publisher --binary-version 1.2.0+LibO6.2.6-0ubuntu0.19.04.1
276,277c276,277
< usn.py $DB $USN --release disco --package uno-libs3 --binary-version 1:6.2.6-0ubuntu0.19.04.1
< usn.py $DB $USN --release disco --package ure --binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package uno-libs3 --binary-version 6.2.6-0ubuntu0.19.04.1
> usn.py $DB $USN --release disco --package ure --binary-version 6.2.6-0ubuntu0.19.04.1
280c280
< usn.py $DB $USN --release xenial --package fonts-opensymbol --binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package fonts-opensymbol --binary-version 2:102.7+LibO5.1.6~rc2-0ubuntu1~xenial9
304c304
< usn.py $DB $USN --release xenial --package libreoffice-mysql-connector --binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package libreoffice-mysql-connector --binary-version 1.0.2+LibO5.1.6~rc2-0ubuntu1~xenial9
325c325
< usn.py $DB $USN --release xenial --package libreoffice-wiki-publisher --binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package libreoffice-wiki-publisher --binary-version 1.2.0+LibO5.1.6~rc2-0ubuntu1~xenial9
329,330c329,330
< usn.py $DB $USN --release xenial --package uno-libs3 --binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
< usn.py $DB $USN --release xenial --package ure --binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package uno-libs3 --binary-version 5.1.6~rc2-0ubuntu1~xenial9
> usn.py $DB $USN --release xenial --package ure --binary-version 5.1.6~rc2-0ubuntu1~xenial9
1045c1045
< usn.py $DB $USN --release bionic --package fonts-opensymbol --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package fonts-opensymbol --all-binary-version 2:102.10+LibO6.0.7-0ubuntu0.18.04.9
1074,1075c1074,1075
< usn.py $DB $USN --release bionic --package libreoffice-mysql-connector --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
< usn.py $DB $USN --release bionic --package libreoffice-nlpsolver --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package libreoffice-mysql-connector --all-binary-version 1.0.2+LibO6.0.7-0ubuntu0.18.04.9
> usn.py $DB $USN --release bionic --package libreoffice-nlpsolver --all-binary-version 0.9+LibO6.0.7-0ubuntu0.18.04.9
1097c1097
< usn.py $DB $USN --release bionic --package libreoffice-wiki-publisher --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package libreoffice-wiki-publisher --all-binary-version 1.2.0+LibO6.0.7-0ubuntu0.18.04.9
1102,1103c1102,1103
< usn.py $DB $USN --release bionic --package uno-libs3 --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
< usn.py $DB $USN --release bionic --package ure --all-binary-version 1:6.0.7-0ubuntu0.18.04.9
---
> usn.py $DB $USN --release bionic --package uno-libs3 --all-binary-version 6.0.7-0ubuntu0.18.04.9
> usn.py $DB $USN --release bionic --package ure --all-binary-version 6.0.7-0ubuntu0.18.04.9
1106c1106
< usn.py $DB $USN --release disco --package fonts-opensymbol --all-binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package fonts-opensymbol --all-binary-version 2:102.10+LibO6.2.6-0ubuntu0.19.04.1
1135c1135
< usn.py $DB $USN --release disco --package libreoffice-nlpsolver --all-binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package libreoffice-nlpsolver --all-binary-version 0.9+LibO6.2.6-0ubuntu0.19.04.1
1162c1162
< usn.py $DB $USN --release disco --package libreoffice-wiki-publisher --all-binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package libreoffice-wiki-publisher --all-binary-version 1.2.0+LibO6.2.6-0ubuntu0.19.04.1
1167,1168c1167,1168
< usn.py $DB $USN --release disco --package uno-libs3 --all-binary-version 1:6.2.6-0ubuntu0.19.04.1
< usn.py $DB $USN --release disco --package ure --all-binary-version 1:6.2.6-0ubuntu0.19.04.1
---
> usn.py $DB $USN --release disco --package uno-libs3 --all-binary-version 6.2.6-0ubuntu0.19.04.1
> usn.py $DB $USN --release disco --package ure --all-binary-version 6.2.6-0ubuntu0.19.04.1
1171c1171
< usn.py $DB $USN --release xenial --package fonts-opensymbol --all-binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package fonts-opensymbol --all-binary-version 2:102.7+LibO5.1.6~rc2-0ubuntu1~xenial9
1195c1195
< usn.py $DB $USN --release xenial --package libreoffice-mysql-connector --all-binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package libreoffice-mysql-connector --all-binary-version 1.0.2+LibO5.1.6~rc2-0ubuntu1~xenial9
1216c1216
< usn.py $DB $USN --release xenial --package libreoffice-wiki-publisher --all-binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package libreoffice-wiki-publisher --all-binary-version 1.2.0+LibO5.1.6~rc2-0ubuntu1~xenial9
1220,1221c1220,1221
< usn.py $DB $USN --release xenial --package uno-libs3 --all-binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
< usn.py $DB $USN --release xenial --package ure --all-binary-version 1:5.1.6~rc2-0ubuntu1~xenial9
---
> usn.py $DB $USN --release xenial --package uno-libs3 --all-binary-version 5.1.6~rc2-0ubuntu1~xenial9
> usn.py $DB $USN --release xenial --package ure --all-binary-version 5.1.6~rc2-0ubuntu1~xenial9

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-08-29:

#

Thanks for this patch! A few comments inline.

review: Needs Fixing

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2019-08-30:

#

Looks good to me; is the binaries.json stored in the /tmp/pending/ directory if following the wiki instructions for sis-changes and sis-generate-usn?

Thanks

~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:binary-versions updated on 2019-09-03

de6e9f0... by Alex Murray on 2019-09-03

sis-generate-usn: Clarify comments and catch more specific exception

93d06bc... by Alex Murray on 2019-09-03

sis-changes: refactor binary version mapping for efficiency

Gather binary version info for all commands but only output on the changes
action so we don't have to query launchpad twice for this info.

Revision history for this message

Alex Murray (alexmurray) wrote on 2019-09-03:

#

@jdstrand - see additional commits which should address your comments.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-09-03:

#

Thanks! LGTM

review: Approve

Revision history for this message

Alex Murray (alexmurray) wrote on 2019-09-04:

#

Thanks - merged as 7f96b9f7cb db5e98e15a and 55a0652ff5

1	diff --git a/scripts/sis-changes b/scripts/sis-changes
2	index e9bd8f5..be9e793 100755
3	--- a/scripts/sis-changes
4	+++ b/scripts/sis-changes
5	@@ -21,6 +21,7 @@ import sys
6	import tempfile
7	import urllib2
8	import cve_lib
9	+import json
10	from source_map import version_compare
11
12	try:
13	@@ -207,7 +208,7 @@ def get_arch_from_dsc(dsc):
14
15
16	# pkg -> { release, release -> { version } }
17	-def load_pkg_details_from_lp(pkgs, pkg, item):
18	+def load_pkg_details_from_lp(pkgs, binaries, pkg, item):
19
20	rel = item.distro_series.name
21	if opt.debug:
22	@@ -346,11 +347,20 @@ def load_pkg_details_from_lp(pkgs, pkg, item):
23	else:
24	raise ValueError("Unknown downloadable source file from %s %s '%s'" % (pkg, version, file_url))
25
26	- # Check that all built binaries have actually published into the PPA
27	- if opt.skip_build_check is True:
28	- print("WARNING: skipping binary publication check. Please check manually.", file=sys.stderr)
29	- else:
30	- for binary in item.getPublishedBinaries():
31	+ binaries.setdefault(pkg, dict())
32	+ binaries[pkg].setdefault(rel, dict())
33	+ # map binaries as pkg -> rel -> binary -> version - this is used by
34	+ # sis-generate-usn to know what the actual binary package version is
35	+ # since this may be different than the version of the source
36	+ # package. Also check that all built binaries have actually published
37	+ # into the PPA
38	+ for binary in item.getPublishedBinaries():
39	+ # collect binary versions
40	+ binaries[pkg][rel].setdefault(binary.binary_package_name,
41	+ binary.binary_package_version)
42	+ if opt.skip_build_check is True:
43	+ print("WARNING: skipping binary publication check. Please check manually.", file=sys.stderr)
44	+ else:
45	if binary.status != 'Published':
46	if opt.debug:
47	print("BinaryPublication(%s,%s,%s) state: %s" % (rel, binary.distro_arch_series.architecture_tag, binary.binary_package_name, binary.status), file=sys.stderr)
48	@@ -380,6 +390,7 @@ else:
49	archive, group, ppa = lpl_common.get_archive(opt.ppa, lp, opt.debug, distribution=distribution)
50
51	pkgs = dict()
52	+binaries = dict()
53	if opt.superseded_version:
54	status = "Superseded"
55	else:
56	@@ -392,7 +403,7 @@ for pkg_name in args:
57	params['pocket'] = opt.pocket
58
59	for item in archive.getPublishedSources(**params):
60	- load_pkg_details_from_lp(pkgs, pkg_name, item)
61	+ load_pkg_details_from_lp(pkgs, binaries, pkg_name, item)
62
63	if opt.action == 'changes':
64	for pkg in args:
65	@@ -439,6 +450,10 @@ if opt.action == 'changes':
66	continue
67	download_url(pkgs[pkg][rel][arch]['changes'])
68
69	+ # write out binaries as json so can be consumed by sis-generate-usn
70	+ with open(os.path.join(tmpdir, "binaries.json"), 'w') as fp:
71	+ json.dump(binaries, fp)
72	+
73	elif opt.action == 'binaries':
74	for pkg in args:
75	if pkg not in pkgs:
76	diff --git a/scripts/sis-generate-usn b/scripts/sis-generate-usn
77	index e1ecd9f..15aa258 100755
78	--- a/scripts/sis-generate-usn
79	+++ b/scripts/sis-generate-usn
80	@@ -12,6 +12,7 @@
81	from __future__ import print_function
82
83	import apt_pkg
84	+import json
85	import gzip
86	import optparse
87	import os
88	@@ -33,6 +34,7 @@ opter.add_option("--add-cves", metavar="CVES", help="Comma separated list of CVE
89	opter.add_option("--ignore-cves", metavar="CVES", help="Comma separated list of CVEs to ignore when doing CVE autodetection.", default=None)
90	opter.add_option("--embargoed", help="Include embargoed directory when looking for CVE descriptions", action='store_true')
91	opter.add_option("--include-eol", help="Include EoL releases", action='store_true')
92	+opter.add_option("--binaries-json", help="Path to JSON mapping of binary packages to versions (default: binaries.json)", default="binaries.json")
93	(opt, args) = opter.parse_args()
94
95	if len(args) < 2:
96	@@ -457,6 +459,11 @@ usn = args[0]
97	for changes in args[1:]:
98	parse_changes(changes, info, CVEs, cvelines)
99
100	+# don't try and catch this exception if binaries.json is not available for
101	+# now since we want this to be noisy
102	+with open(opt.binaries_json) as fp:
103	+ binaries = json.load(fp)
104	+
105	if opt.ignore_cves:
106	CVEs.difference_update(set(opt.ignore_cves.split(',')))
107
108	@@ -747,6 +754,13 @@ for release in releases:
109	for source in sorted(info[release].keys()):
110	version = info[release][source]['version']
111	for deb in sorted(info[release][source]['binaries']):
112	+ # binary packages can have different versions than their source
113	+ # package, so override the source package version with the
114	+ # binary package version if we have this available
115	+ try:
116	+ version = binaries[source][release][deb]
117	+ except KeyError as e:
118	+ pass
119	if not filter_dbg.search(deb) and (not opt.filter_bins or opt.filter_bins.search(deb)):
120	print(' usn.py $DB $USN --release %s --package %s --binary-version %s' % (release,deb,version))
121	print()
122	@@ -777,6 +791,13 @@ for release in releases:
123	for source in sorted(info[release].keys()):
124	version = info[release][source]['version']
125	for deb in sorted(info[release][source]['binaries']):
126	+ # binary packages can have different versions than their source
127	+ # package, so override the source package version with the
128	+ # binary package version if we have this available
129	+ try:
130	+ version = binaries[source][release][deb]
131	+ except KeyError as e:
132	+ pass
133	if not filter_dbg.search(deb) and (not opt.filter_bins or opt.filter_bins.search(deb)):
134	print(' usn.py $DB $USN --release %s --package %s --all-binary-version %s' % (release,deb,version))
135	print()

Ubuntu CVE Tracker

Merge ~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:binary-versions into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers