Ubuntu CVE Tracker

Merge ~allenpthuang/ubuntu-cve-tracker:usn-oval-generator into ubuntu-cve-tracker:master

  1. Git
  2. lp:~allenpthuang/ubuntu-cve-tracker
  3. usn-oval-generator
  4. Merge into master
Proposed by Allen Huang
Status: Merged
Approved by: Eduardo Barretto
Approved revision: 249182a53eebda50fcaa9c67151ae7c9aeb38b50
Merged at revision: 8dcfdfba46bbacae6986c6771f2901624636b42e
Proposed branch: ~allenpthuang/ubuntu-cve-tracker:usn-oval-generator
Merge into: ubuntu-cve-tracker:master
Diff against target: 88 lines (+46/-19)
1 file modified
scripts/oval_lib.py (+46/-19)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
David Fernandez Gonzalez Approve
Review via email: mp+460231@code.launchpad.net

Commit message

Load USNs and link CVEs and Packages to them.

To post a comment you must log in.
Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Hey Allen, thanks! I left a couple comments on the code

review: Needs Fixing
Revision history for this message
David Fernandez Gonzalez (litios) :
Revision history for this message
Allen Huang (allenpthuang) wrote :

> Hey Allen, thanks! I left a couple comments on the code

Thanks for the input, David! Fixed and updated.

Revision history for this message
Allen Huang (allenpthuang) wrote :

(was not aware diff comments were left unsaved)

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

A couple more things!

review: Needs Fixing
Revision history for this message
Allen Huang (allenpthuang) :
Revision history for this message
Allen Huang (allenpthuang) wrote :

Apologies for confusion, the previous commit did not remove the code from OvalGenerator. This has been fixed.

We might need some changes to the `generate-oval` script in the future to enable the use of OvalGeneratorUSNs as it needs more arguments for its parent's init.

Revision history for this message
Allen Huang (allenpthuang) wrote :

As per offline discussion with @litios, we'd like to keep USN database loading in `generate-oval`. I'll work on this change and update here.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

could you please squash all the commits and force push, that will make review easier

review: Needs Fixing
Revision history for this message
Allen Huang (allenpthuang) wrote :

> could you please squash all the commits and force push, that will make review
> easier

Sure thing! Changes have been made for keeping JSON loading in `generate-oval`, and all commits have been squashed into one.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Thanks!

review: Approve
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

This change seems to be affecting the <cve> tag, specially in the usns field.
Could you check it please?

Revision history for this message
Allen Huang (allenpthuang) wrote :

> This change seems to be affecting the <cve> tag, specially in the usns field.
> Could you check it please?

Hi Eduardo,

Just want to confirm, do you mean `USN.cves`? The attribute was set to a list of strings (of CVEs). In my change, it's set to a dict, with keys as CVE identifiers and values as CVE objects. Do you think we should keep a separate attribute for CVE objects? Let me know if I misunderstand your comment, thanks!

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

nvm, my bad, your branch and master were not in sync.

review: Approve
Revision history for this message
Allen Huang (allenpthuang) wrote :

> nvm, my bad, your branch and master were not in sync.

No problem at all! Thanks, Eduardo!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
2index b30a987..3f5dc13 100644
3--- a/scripts/oval_lib.py
4+++ b/scripts/oval_lib.py
5@@ -479,14 +479,26 @@ class Package:
6 return self.__str__()
7
8 class USN:
9- def __init__(self, data):
10- for item in ['description', 'releases', 'title', 'timestamp', 'summary', 'action', 'cves', 'id', 'isummary']:
11+ def __init__(self, data, cve_objs, pkgs_by_rel):
12+ for item in ['description', 'releases', 'title', 'timestamp', 'summary', 'action', 'id', 'isummary']:
13 if item in data:
14 setattr(self, item, data[item])
15 else:
16 setattr(self, item, None)
17-
18+ self.cves = cve_objs
19+ self.pkgs = self._generate_pkg_fixed_ver_tuple_dict(pkgs_by_rel)
20+
21+ def _generate_pkg_fixed_ver_tuple_dict(self, pkgs_by_rel):
22+ tup_dict = {}
23+ for rel, pkgs in pkgs_by_rel.items():
24+ tup_dict[rel] = {}
25+ for src_name, pkg_object in pkgs.items():
26+ fixed_ver = self.releases[rel]['sources'][src_name]['version']
27+ tup_dict[rel][src_name] = (pkg_object, fixed_ver)
28+ return tup_dict
29+
30 def __str__(self) -> str:
31+ # return f'description: {self.description}\nid: {self.id}\ncves: {self.cves}\npkgs: {self.pkgs}\n' # TODO: remove this ugly debug print
32 return self.id
33
34 def __repr__(self) -> str:
35@@ -1740,22 +1752,37 @@ class OvalGeneratorCVE(OvalGenerator):
36 self._write_oval_xml(xml_tree, root_element)
37
38 class OvalGeneratorUSNs(OvalGenerator):
39- def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, usn_db_dir, fixed_only=True, cve_cache=None, cve_prefix_dir=None, outdir='./', oval_format='dpkg') -> None:
40- super().__init__('usn', release, release_name, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, cve_prefix_dir, outdir, oval_format)
41- self._load_usns(usn_db_dir)
42-
43- def _load_usns(self, usn_db_dir):
44- self.usns = {}
45- for filename in glob.glob(os.path.join(usn_db_dir, 'database*.json')):
46- with open(filename, 'r') as f:
47- data = json.load(f)
48- for item in data:
49- usn = USN(item)
50- self.usns[usn.id] = usn
51-
52- for usn_id in sorted(self.usns.keys()):
53- if re.search(r'^[0-9]+-[0-9]$', usn_id):
54- self.usns[usn_id]['id'] = 'USN-' + usn_id
55+ def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, cve_prefix_dir=None, outdir='./', oval_format='dpkg') -> None:
56+ super().__init__('usn', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, cve_prefix_dir, outdir, oval_format)
57+ self.usns = self._load_usns(usn_database)
58+
59+ def _load_usns(self, usn_database):
60+ usns = {}
61+ # go thru every USN in the JSON
62+ for usn_id, usn_data in usn_database.items():
63+ # take existing CVE and Package objects
64+ cve_objs = {}
65+ pkg_objs_by_rels = {}
66+ for rel, info in usn_data['releases'].items():
67+ # CVE stays the same across releases
68+ for cve in usn_data['cves']:
69+ if cve_objs.get(cve) is None:
70+ try:
71+ cve_objs[cve] = self.cves[rel][cve]
72+ except KeyError:
73+ pass
74+ pkg_objs = {}
75+ for pkg, _ in info['sources'].items():
76+ try:
77+ pkg_objs[pkg] = self.packages[rel][pkg]
78+ except KeyError:
79+ pass
80+ if pkg_objs:
81+ pkg_objs_by_rels[rel] = pkg_objs
82+ # create a USN object with fields in the USN and
83+ # corresponding CVEs and Packages
84+ usns[usn_id] = USN(usn_data, cve_objs, pkg_objs_by_rels)
85+ return usns
86
87 def _generate_advisory(self, usn: USN) -> etree.Element:
88 severities = ['low', 'medium', 'high', 'critical']

Subscribers

People subscribed via source and target branches