Merge ~alexmurray/ubuntu-security-tools:umt-check-warn-missing-cve-lp-bugs into ubuntu-security-tools:master

Proposed by Alex Murray
Status: Merged
Merged at revision: 05054be937715b8b49f43b52fda0f4e96ea74aa6
Proposed branch: ~alexmurray/ubuntu-security-tools:umt-check-warn-missing-cve-lp-bugs
Merge into: ubuntu-security-tools:master
Diff against target: 34 lines (+16/-0)
1 file modified
build-tools/umt (+16/-0)
Reviewer: Seth Arnold (Approve)
Review via email: mp+416072@code.launchpad.net

Description of the change

Add new functionality to umt check so that, for each CVE referenced in the debian/changelog entry, it checks the Bugs: entries from the CVE file for Launchpad bugs which are not mentioned in the changelog itself.

Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Nice update, thanks for that :)
Just left a little comment, but if someone else approves it, please don't bother with that.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I like Rodrigo's idea but there are several hundred entries in UCT with 'short' launchpad URLs:

± rg https://launchpad.net/bugs/1 | wc -l
803

It'd be nice to be a bit tighter than just 'launchpad'; 'launchpad.*bug' seems to work to catch cases like:

https://bugs.edge.launchpad.net/ubuntu/+source/lynx-cur/+bug/613254
https://bugs.launchpad.net/bugs/1570694
https://bugs.launchpad.net/qemu/+bug/1914353
https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/617489
https://launchpad.net/bugs/999359

Is adding regex here okay?

Thanks
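
As an added example (not umt's own code and not part of this proposal), the following Python shows a pattern of the tighter kind Seth asks for, run over a constructed Bugs: field that covers the five URL shapes listed above, one line carrying two URLs, and two launchpad.net / bugzilla URLs that are not bug links and that a bare 'launchpad' match would wrongly accept. The function names, the sample field and the sample Launchpad-Bugs-Fixed list are assumptions for illustration; the warning text mirrors the wording used by umt.

```python
import re

# Matches the Launchpad bug URL shapes listed in the comment above
# (optional "bugs." and "edge." host prefixes, then either "/bugs/NNN" or a
# project/package path ending in "/+bug/NNN") and captures the bug number.
# The pattern is an illustration, not the one umt uses.
LP_BUG_RE = re.compile(
    r"https?://(?:bugs\.)?(?:edge\.)?launchpad\.net/"
    r"(?:bugs|[a-z0-9+/.-]+?/\+bug)/(?P<bug>[0-9]+)"
)


def lp_bugs_in(text):
    """Return every Launchpad bug number referenced in text, in order of first
    appearance.  finditer (rather than search) is used so that a line carrying
    two URLs yields both numbers."""
    found = []
    for m in LP_BUG_RE.finditer(text):
        bug = m.group("bug")
        if bug not in found:
            found.append(bug)
    return found


def missing_lp_bugs(bugs_field, launchpad_bugs_fixed):
    """Bug numbers referenced in a CVE file's Bugs: field that are absent from
    the Launchpad-Bugs-Fixed list taken from the _source.changes file."""
    fixed = set(launchpad_bugs_fixed)
    return [b for b in lp_bugs_in(bugs_field) if b not in fixed]


def warnings_for(cve, bugs_field, launchpad_bugs_fixed):
    """umt-style warning lines, one per referenced bug the upload does not close."""
    return [
        f"{cve} references launchpad bug LP: #{b} but this is missing from debian/changelog"
        for b in missing_lp_bugs(bugs_field, launchpad_bugs_fixed)
    ]


# Constructed sample of a UCT "Bugs:" field (hypothetical, not a real CVE entry):
# the five URL forms from the comment above, one line holding two URLs, plus a
# launchpad.net package/version page and a bugzilla link that must not match.
SAMPLE_BUGS_FIELD = """\
 https://bugs.edge.launchpad.net/ubuntu/+source/lynx-cur/+bug/613254
 https://bugs.launchpad.net/bugs/1570694 (duplicate of https://launchpad.net/bugs/999359)
 https://bugs.launchpad.net/qemu/+bug/1914353
 https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/617489
 https://launchpad.net/ubuntu/+source/lynx-cur/2.8.9dev1-1
 https://bugzilla.redhat.com/show_bug.cgi?id=1234567
"""

# Constructed Launchpad-Bugs-Fixed value, already split into bug numbers.
SAMPLE_LAUNCHPAD_BUGS_FIXED = ["613254", "1914353"]

if __name__ == "__main__":
    # "CVE-YYYY-NNNN" is a placeholder, not a real identifier.
    for w in warnings_for("CVE-YYYY-NNNN", SAMPLE_BUGS_FIELD, SAMPLE_LAUNCHPAD_BUGS_FIXED):
        print(w)
```

Requiring either `/bugs/` or `/+bug/` immediately before the number is what keeps the version path `.../lynx-cur/2.8.9dev1-1` from yielding a bogus bug "2"; a pattern that allows any path segment run before `/[0-9]+` will backtrack into exactly that.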

Revision history for this message
Alex Murray (alexmurray) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I like it :) thanks

review: Approve

Preview Diff

diff --git a/build-tools/umt b/build-tools/umt
index ee74cbe..3c33569 100755
--- a/build-tools/umt
+++ b/build-tools/umt
@@ -912,6 +912,20 @@ def cmd_check():
912 if not releases or details['release'] in releases:912 if not releases or details['release'] in releases:
913 warn(warning)913 warn(warning)
914914
915 # finally check changes file as well for missing LP: # references
916 changes_file = dscfile.replace(".dsc", "_source.changes")
917 details = parse_changes_file(changes_file)
918 lpbug_re = re.compile("https?://(bugs\\.)?(edge\\.)?launchpad\\.net/(bugs|[a-z0-9+/-]+)/([0-9]+)")
919 for cve in details["cves"]:
920 cvefile = source_map.cve_lib.find_cve(cve)
921 data = source_map.cve_lib.load_cve(cvefile)
922 for line in data["Bugs"].splitlines():
923 m = lpbug_re.search(line)
924 if m is not None:
925 bug = m[4]
926 if 'bugs' not in details or bug not in details['bugs']:
927 warn(cve + ' references launchpad bug LP: #' + bug + ' but this is missing from debian/changelog')
928
915 # return check-source-package error code929 # return check-source-package error code
916 if rc != 0:930 if rc != 0:
917 sys.exit(rc)931 sys.exit(rc)
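Review bot: the regex at 918 does not require `bugs/` or `+bug/` in front of the number, because `[a-z0-9+/-]+` accepts any path and `/([0-9]+)` then matches the first all-digit segment it can backtrack to; a launchpad.net URL in a `Bugs:` entry that is a package or version page rather than a bug (for example one ending in `/+source/foo/1.2-3`) would yield a spurious bug number and a spurious warning. Anchoring the alternation as `(bugs|[a-z0-9+/-]+/\\+bug)/([0-9]+)` keeps the five URL forms from the review discussion matching and rejects that case. Two smaller points in the same block: `lpbug_re.search(line)` at 923 returns only the first match, so a line holding two Launchpad URLs silently loses the second (`for m in lpbug_re.finditer(line):` fixes this); and the warning at 927 says the bug is "missing from debian/changelog" while the comparison at 926 is against the `Launchpad-Bugs-Fixed` field of `_source.changes`, which is worth naming in the message or in the comment at 915 so a user whose `.changes` lacks that field knows where to look.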
@@ -4104,6 +4118,8 @@ def parse_changes_file(changes_file):
4104 else:4118 else:
4105 details['distribution'] = line.strip().split()[1]4119 details['distribution'] = line.strip().split()[1]
4106 details['pocket'] = 'release'4120 details['pocket'] = 'release'
4121 elif re.search('^Launchpad-Bugs-Fixed:', line) and 'bugs' not in details:
4122 details['bugs'] = line.strip().split()[1:]
4107 else:4123 else:
4108 cves = re.findall(r'\bCVE-[0-9]{4}-[0-9]+\b', line)4124 cves = re.findall(r'\bCVE-[0-9]{4}-[0-9]+\b', line)
4109 if cves:4125 if cves:
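Review bot: the `'bugs' not in details` guard at 4121 means `details['bugs']` exists only when a `Launchpad-Bugs-Fixed:` header is present, and a second such header is silently ignored; when the header is absent the key is never created, so `cmd_check` has to test `'bugs' not in details` itself and then reports every referenced bug as missing, which is indistinguishable from a changelog that genuinely closes none of them. Initialising `details['bugs'] = []` where `details` is created and dropping the guard at 4121 (or using `details['bugs'] += ...` if repeated headers should accumulate) keeps the two sites consistent and lets the caller tell "no field" from "field present, bug missing". Style point: `re.search('^Launchpad-Bugs-Fixed:', line)` at 4121 can be `line.startswith('Launchpad-Bugs-Fixed:')`.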
