Merge ~alexmurray/ubuntu-security-tools:umt-check-warn-missing-cve-lp-bugs into ubuntu-security-tools:master

Proposed by Alex Murray
Status: Merged
Merged at revision: 05054be937715b8b49f43b52fda0f4e96ea74aa6
Proposed branch: ~alexmurray/ubuntu-security-tools:umt-check-warn-missing-cve-lp-bugs
Merge into: ubuntu-security-tools:master
Diff against target: 34 lines (+16/-0)
1 file modified
build-tools/umt (+16/-0)
Reviewer: Seth Arnold (status: Approve)
Review via email: mp+416072@code.launchpad.net

Description of the change

Add new functionality to umt check so that, for each CVE referenced in the debian/changelog entry, it checks the Bugs: entries in the CVE file for Launchpad bugs that are not mentioned in the changelog itself.

Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Nice update, thanks for that :)
Just left a little comment, but if someone else approves it, please don't bother with that.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I like Rodrigo's idea, but there are several hundred entries in UCT with 'short' launchpad URLs:

± rg https://launchpad.net/bugs/1 | wc -l
803

It'd be nice to be a bit tighter than just 'launchpad'; 'launchpad.*bug' seems to work to catch cases like:

https://bugs.edge.launchpad.net/ubuntu/+source/lynx-cur/+bug/613254
https://bugs.launchpad.net/bugs/1570694
https://bugs.launchpad.net/qemu/+bug/1914353
https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/617489
https://launchpad.net/bugs/999359

Is adding regex here okay?

Thanks
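As an added stand-alone illustration (not code from the proposed patch or from umt itself), this runs the bug-URL regex from the revised diff over the five URL shapes listed above plus one non-Launchpad URL, then reports the bugs a CVE references that are absent from a .changes Launchpad-Bugs-Fixed list. The Bugs: field text and the bug list are constructed samples.

```python
import re

# Same pattern as the proposed umt change: group 4 is the bug number, the
# alternation accepts both the short "/bugs/N" and long "/+source/.../+bug/N" forms.
LPBUG_RE = re.compile(r"https?://(bugs\.)?(edge\.)?launchpad\.net/(bugs|[a-z0-9+/-]+)/([0-9]+)")

# Constructed sample of a CVE file's Bugs: field (one URL per line, as in UCT).
SAMPLE_BUGS_FIELD = """ https://bugs.edge.launchpad.net/ubuntu/+source/lynx-cur/+bug/613254
 https://bugs.launchpad.net/bugs/1570694
 https://bugs.launchpad.net/qemu/+bug/1914353
 https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/617489
 https://launchpad.net/bugs/999359
 https://github.com/example/project/issues/42
"""


def lp_bugs_from_bugs_field(bugs_field):
    """Return the set of Launchpad bug numbers found in a CVE file's Bugs: field."""
    found = set()
    for line in bugs_field.splitlines():
        m = LPBUG_RE.search(line)
        if m is not None:
            found.add(m[4])
    return found


def missing_lp_bugs(bugs_field, changes_bugs):
    """Bug numbers the CVE references that the .changes Launchpad-Bugs-Fixed list lacks.

    changes_bugs may be None, mirroring a .changes file without that field."""
    return sorted(lp_bugs_from_bugs_field(bugs_field) - set(changes_bugs or []))


def warnings_for(cve, bugs_field, changes_bugs):
    """Build the warning strings umt check would emit for one CVE."""
    return [cve + ' references launchpad bug LP: #' + bug + ' but this is missing from debian/changelog'
            for bug in missing_lp_bugs(bugs_field, changes_bugs)]


if __name__ == "__main__":
    # Constructed Launchpad-Bugs-Fixed value: only two of the five bugs are listed.
    for w in warnings_for("CVE-YYYY-NNNN", SAMPLE_BUGS_FIELD, ["1570694", "999359"]):
        print(w)
```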

Revision history for this message
Alex Murray (alexmurray) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I like it :) thanks

review: Approve

Preview Diff

1diff --git a/build-tools/umt b/build-tools/umt
2index ee74cbe..3c33569 100755
3--- a/build-tools/umt
4+++ b/build-tools/umt
5@@ -912,6 +912,20 @@ def cmd_check():
6 if not releases or details['release'] in releases:
7 warn(warning)
8
9+ # finally check changes file as well for missing LP: # references
10+ changes_file = dscfile.replace(".dsc", "_source.changes")
11+ details = parse_changes_file(changes_file)
12+ lpbug_re = re.compile("https?://(bugs\\.)?(edge\\.)?launchpad\\.net/(bugs|[a-z0-9+/-]+)/([0-9]+)")
13+ for cve in details["cves"]:
14+ cvefile = source_map.cve_lib.find_cve(cve)
15+ data = source_map.cve_lib.load_cve(cvefile)
16+ for line in data["Bugs"].splitlines():
17+ m = lpbug_re.search(line)
18+ if m is not None:
19+ bug = m[4]
20+ if 'bugs' not in details or bug not in details['bugs']:
21+ warn(cve + ' references launchpad bug LP: #' + bug + ' but this is missing from debian/changelog')
22+
23 # return check-source-package error code
24 if rc != 0:
25 sys.exit(rc)
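Review bot: `data["Bugs"]` on hunk line 16 raises KeyError for a CVE file that has no Bugs field, aborting the whole check; `data.get("Bugs", "")` keeps the loop harmless for such CVEs. On hunk line 11, `details = parse_changes_file(changes_file)` rebinds the `details` name that the loop just above reads as `details['release']`; a distinct name such as `changes_details` would make the two structures easier to tell apart. In the regex, the `bugs` alternative is already covered by `[a-z0-9+/-]+`, so the alternation can be simplified without losing the short-URL form.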
26@@ -4104,6 +4118,8 @@ def parse_changes_file(changes_file):
27 else:
28 details['distribution'] = line.strip().split()[1]
29 details['pocket'] = 'release'
30+ elif re.search('^Launchpad-Bugs-Fixed:', line) and 'bugs' not in details:
31+ details['bugs'] = line.strip().split()[1:]
32 else:
33 cves = re.findall(r'\bCVE-[0-9]{4}-[0-9]+\b', line)
34 if cves:
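Review bot: `re.search('^Launchpad-Bugs-Fixed:', line)` on hunk line 30 is only a prefix test, so `line.startswith('Launchpad-Bugs-Fixed:')` expresses it without a regex. The `'bugs' not in details` guard means only the first such header line is recorded; a short comment stating that the field is expected on a single line would save the next reader from checking whether a continuation line is silently dropped.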
