Merge ~allenpthuang/ubuntu-cve-tracker:fix-usns-cves into ubuntu-cve-tracker:master

Proposed by Allen Huang
Status: Rejected
Rejected by: David Fernandez Gonzalez
Proposed branch: ~allenpthuang/ubuntu-cve-tracker:fix-usns-cves
Merge into: ubuntu-cve-tracker:master
Diff against target: 235 lines (+33/-30)
2 files modified
scripts/oval_lib.py (+12/-10)
test/test_json_generation.py (+21/-20)
Reviewer Review Type Date Requested Status
David Fernandez Gonzalez Pending
Review via email: mp+466138@code.launchpad.net

Commit message

oval_lib: USNs.cves: releases as keys

Change USNs.cves to use releases as keys instead of grouping them with
CVE numbers only.

Description of the change

Not all CVEs mentioned in a USN affect, or are fixed in, every release the USN covers.
This change corrects the implementation that assumed they did.

David Fernandez Gonzalez (litios) wrote :

Unmerged commits

d9ad529... by Allen Huang

oval_lib: USNs.cves: releases as keys

Succeeded
[SUCCEEDED] unit-tests:0 (build)
[SUCCEEDED] check-cves:0 (build)
[SUCCEEDED] check-cve-website-state:0 (build)

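diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index 9127dad..e0dc033 100755
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -1805,15 +1805,6 @@ class OvalGeneratorUSNs(OvalGenerator):
 pkg_objs_by_rels = {}
 lp_bugs = []
 for rel, info in usn_data['releases'].items():
- # CVE stays the same across releases
- for cve in usn_data['cves']:
- if 'launchpad' in cve:
- lp_bugs.append(cve)
- elif cve_objs.get(cve) is None:
- try:
- cve_objs[cve] = self.cves[rel][cve]
- except KeyError:
- pass
 pkg_objs = {}
 for pkg, _ in info['sources'].items():
 try:
@@ -1822,6 +1813,17 @@ class OvalGeneratorUSNs(OvalGenerator):
 pass
 if pkg_objs:
 pkg_objs_by_rels[rel] = pkg_objs
+
+ for cve in usn_data['cves']:
+ cve_objs.setdefault(rel, dict())
+ if 'launchpad' in cve:
+ lp_bugs.append(cve)
+ elif cve_objs[rel].get(cve) is None:
+ # take existing CVE objects
+ cve_obj = self.cves.get(rel, {}).get(cve, None)
+ if cve_obj is not None:
+ cve_objs[rel][cve] = cve_obj
+
 # create a USN object with fields in the USN and
 # corresponding CVEs and Packages
 usns[usn_id] = USN(usn_data, cve_objs, pkg_objs_by_rels, lp_bugs)
@@ -2734,7 +2736,7 @@ class JSONPkgGenerator(OvalGeneratorUSNs):
 return {
 'description': usn.description,
 'published_at': datetime.fromtimestamp(usn.timestamp).isoformat(timespec="seconds"),
- 'related_cves': list(usn.cves.keys()),
+ 'related_cves': list(usn.cves.get(self.release, {}).keys()),
 'related_launchpad_bugs': usn.lp_bugs
 }
 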
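Review bot: A CVE listed in the USN but absent from `self.cves` for that release is now dropped without a trace at `if cve_obj is not None:` in the second hunk, so `related_cves` in the generated JSON can silently under-report for a release; the replaced `except KeyError: pass` was just as silent, but since this path is being rewritten it is the place to add an `else:` branch that logs at debug level which `usn_id`, `rel` and `cve` could not be resolved, so a missing tracker entry is diagnosable rather than invisible in the feed. Minor: `cve_objs.setdefault(rel, dict())` is re-evaluated for every CVE; hoisting it above `for cve in usn_data['cves']:` as `cve_objs.setdefault(rel, {})` reads more clearly and also registers releases whose USN lists no CVEs (today such a release never gets a key, which the third hunk's `usn.cves.get(self.release, {})` tolerates, but other consumers of `usn.cves` may not). `lp_bugs.append(cve)` still runs once per release, so the same bug URL is appended to `lp_bugs` once per release of the USN; that predates this change but is worth a dedup while the loop is being restructured. The enclosing methods of all three hunks start outside the hunks.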
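diff --git a/test/test_json_generation.py b/test/test_json_generation.py
index 9f44642..28663e3 100644
--- a/test/test_json_generation.py
+++ b/test/test_json_generation.py
@@ -280,7 +280,7 @@ def test_generate_cve_pkg_info(status, note, json_status, fixed_version):
 generate_mock_usn(
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com']
 ),
 generate_mock_usn(
@@ -291,18 +291,19 @@ def test_generate_cve_pkg_info(status, note, json_status, fixed_version):
 generate_mock_usn(
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 ),
 ])
 def test_generate_usn_info(usn):
 # 1708590783 is ~2024-02-22T09:33:03+00:00
 date = datetime.fromtimestamp(1708590783).isoformat(timespec="seconds")
 json_gen = EmptyJSONPkgGenerator()
+ json_gen._init_ids('jammy')
 
 info = json_gen._generate_usn_info(usn)
 assert info['description'] == usn.description
 assert info['published_at'] == date
- assert info['related_cves'] == list(usn.cves.keys())
+ assert info['related_cves'] == list(usn.cves.get('jammy', {}).keys())
 assert info['related_launchpad_bugs'] == usn.lp_bugs
 
 def test_generate_usns_info():
@@ -312,7 +313,7 @@ def test_generate_usns_info():
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com']
 ),
 generate_mock_usn(
@@ -325,7 +326,7 @@ def test_generate_usns_info():
 id='1000-3',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}}
 )]
 
 wrong_release_usn = generate_mock_usn(
@@ -333,7 +334,7 @@ def test_generate_usns_info():
 description='this is a test description',
 timestamp=1708590783,
 releases=['bionic'],
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}}
 )
 
 final_usns = usns.copy()
@@ -350,7 +351,7 @@ def test_generate_usns_info():
 assert f'USN-{usn.id}' in info
 assert info[f'USN-{usn.id}']['description'] == usn.description
 assert info[f'USN-{usn.id}']['published_at'] == date
- assert info[f'USN-{usn.id}']['related_cves'] == list(usn.cves.keys())
+ assert info[f'USN-{usn.id}']['related_cves'] == list(usn.cves.get('jammy', {}).keys())
 assert info[f'USN-{usn.id}']['related_launchpad_bugs'] == usn.lp_bugs
 
 def test_generate_usns_info_parents():
@@ -358,7 +359,7 @@ def test_generate_usns_info_parents():
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com']
 ),
 generate_mock_usn(
@@ -371,7 +372,7 @@ def test_generate_usns_info_parents():
 id='1000-3',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 )]
 
 jammy_infra_usns = [
@@ -380,7 +381,7 @@ def test_generate_usns_info_parents():
 description='this is a test description',
 timestamp=1708590783,
 releases=['esm-infra/jammy'],
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'esm-infra/jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}}
 )
 ]
 
@@ -390,7 +391,7 @@ def test_generate_usns_info_parents():
 description='this is a test description',
 timestamp=1708590783,
 releases=['esm-apps/jammy'],
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None}
+ cve_objs={'esm-infra/jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}}
 )
 ]
 
@@ -451,7 +452,7 @@ def test_generate_usn_pkg_info():
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'jammy': {'foo': pkg}},
 releases=releases_1
@@ -462,7 +463,7 @@ def test_generate_usn_pkg_info():
 title='Regression',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'jammy': {'foo': pkg}},
 releases=releases_2
@@ -554,7 +555,7 @@ def test_generate_package_info(mocker):
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'jammy': {'foo': pkg}},
 releases=releases_1
@@ -565,7 +566,7 @@ def test_generate_package_info(mocker):
 title='Regression',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'bionic': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'bionic': {'bar': pkg2}},
 releases=releases_2
@@ -644,7 +645,7 @@ def test_generate_packages_info(mocker):
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'jammy': {'foo': pkg}},
 releases=releases_1
@@ -655,7 +656,7 @@ def test_generate_packages_info(mocker):
 title='Regression',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'bionic': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'bionic': {'bar': pkg2}},
 releases=releases_2
@@ -747,7 +748,7 @@ def test_generate_packages_info_parents(mocker):
 id='1000-1',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'jammy': {'foo': pkg}},
 releases=releases_jammy
@@ -758,7 +759,7 @@ def test_generate_packages_info_parents(mocker):
 title='Infra',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'esm-infra/jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'esm-infra/jammy': {'bar': pkg2}},
 releases=releases_infra_jammy
@@ -769,7 +770,7 @@ def test_generate_packages_info_parents(mocker):
 title='Apps',
 description='this is a test description',
 timestamp=1708590783,
- cve_objs={'CVE-0001-0001': None, 'CVE-0001-0002': None},
+ cve_objs={'esm-apps/jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}},
 lp_bugs=['http://bug1.com', 'http://bug2.com'],
 pkgs_by_rel={'esm-apps/jammy': {'dodo': pkg3}},
 releases=releases_apps_jammy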
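Review bot: In the hunk at `@@ -390,7 +391,7 @@ def test_generate_usns_info_parents()` the mock USN has `releases=['esm-apps/jammy']` but the added line keys `cve_objs` under `'esm-infra/jammy'`; the sibling mock in the hunk just above pairs `releases=['esm-infra/jammy']` with an `'esm-infra/jammy'` key, and the later `test_generate_packages_info_parents` hunk keys its Apps USN under `'esm-apps/jammy'`, so this looks like a copy-paste slip and the line should presumably read `cve_objs={'esm-apps/jammy': {'CVE-0001-0001': None, 'CVE-0001-0002': None}}`. If the mismatch is intentional (a release whose CVE map is keyed under another release), a one-line comment saying so would stop the next reader from "fixing" it. Separately, `test_generate_usn_info` now calls `json_gen._init_ids('jammy')` before `_generate_usn_info(usn)` with no explanation; a comment such as `# _generate_usn_info reads self.release, which _init_ids sets` would document the dependency (that attribute is set outside this diff, so I am inferring it). The enclosing test functions start outside the hunks.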
