Ubuntu CVE Tracker

Merge ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement into ubuntu-cve-tracker:master

Proposed by Eduardo Barretto on 2021-10-29

Status:	Merged
Merge reported by:	Eduardo Barretto
Merged at revision:	ee0cbb1103fbbba29ee5dd7267b612520c3e0b75
Proposed branch:	~ebarretto/ubuntu-cve-tracker:usn-oval-improvement
Merge into:	ubuntu-cve-tracker:master
Diff against target:	741 lines (+155/-81) (has conflicts) 3 files modified scripts/cve_lib.py (+53/-0) scripts/oval_lib.py (+26/-24) test/test_oval_lib_unit.py (+76/-57) Conflict in test/test_oval_lib_unit.py
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Alex Murray		2021-10-29	Approve on 2021-11-23
Review via email: mp+411027@code.launchpad.net

Description of the change

This PR solves the following:

1. fix generate OVAL test suite, as it is currently broken
2. update CVE tracker URL in oval generation (and also in test suite)
3. in USN OVAL use usn description instead of summary field
4. add product description, based on binary pocket information, this way we can
mention if a fix is in LTS or available via UA
5. fix generate OVAL test suite because of changes mentioned above

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-11-04:

Download full text (6.3 KiB)

LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.

Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):

[amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_oval_lib_end_to_end.py
============================================================================================================ test session starts =============================================================================================================
platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
rootdir: /home/amurray/ubuntu/git/ubuntu-cve-tracker
collected 4 items

test/test_oval_lib_end_to_end.py ..F. [100%]

================================================================================================================== FAILURES ==================================================================================================================
__________________________________________________________________ TestOvalLibEndToEnd.test_validate_entire_oci_oval[com.ubuntu.bionic.usn.oval.xml-bionic_20180814-bionic] __________________________________________________________________

self = <test_oval_lib_end_to_end.TestOvalLibEndToEnd object at 0x7f98d9e65c10>, dpkg_file = 'com.ubuntu.bionic.usn.oval.xml', manifest = 'bionic_20180814', release = 'bionic'

    @pytest.mark.parametrize("dpkg_file,manifest,release",
         # The timestamped gold manifest oscap output has not been manually
         # checked but it's nice to flag changes to the results of past USNs
         [(util.bionic_dpkg_file, "bionic_20180814", "bionic"),
         (util.trusty_dpkg_file, "trusty_20191107", "trusty")])
    def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
        """Coherence check of entire generated oci OVAL"""
> util.create_validate_oci(dpkg_file, "{}_full".format(release),
            ["--usn-oval-release", release], manifest, release)

test/test_oval_lib_end_to_end.py:31:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

cls = <class 'test_utils.TestUtilities'>, output_file = 'com.ubuntu.bionic.usn.oval.xml', new_filename = 'bionic_full', oscap_args = ['--usn-oval-release', 'bionic'], manifest = 'bionic_20180814', gold_file = 'bionic'

    @classmethod
    def create_validate_oci(cls, output_file, new_filename, oscap_args,
            manifest, gold_file):
        """Generat...

Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):

[amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_oval_lib_end_to_end.py 
============================================================================================================ test session starts =============================================================================================================
platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
rootdir: /home/amurray/ubuntu/git/ubuntu-cve-tracker
collected 4 items

test/test_oval_lib_end_to_end.py ..F.                                                                                                                                                                                                  [100%]

self = <test_oval_lib_end_to_end.TestOvalLibEndToEnd object at 0x7f98d9e65c10>, dpkg_file = 'com.ubuntu.bionic.usn.oval.xml', manifest = 'bionic_20180814', release = 'bionic'

@pytest.mark.parametrize("dpkg_file,manifest,release",
         # The timestamped gold manifest oscap output has not been manually
         # checked but it's nice to flag changes to the results of past USNs
         [(util.bionic_dpkg_file, "bionic_20180814", "bionic"),
         (util.trusty_dpkg_file, "trusty_20191107", "trusty")])
    def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
        """Coherence check of entire generated oci OVAL"""
>       util.create_validate_oci(dpkg_file, "{}_full".format(release),
            ["--usn-oval-release", release], manifest, release)

test/test_oval_lib_end_to_end.py:31: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

@classmethod
    def create_validate_oci(cls, output_file, new_filename, oscap_args,
            manifest, gold_file):
        """Generate and validate oci and dpkg oval XML files for a single Ubuntu
        release"""
    
        new_file = cls.rel_test_path + new_filename
    
        # generate-oval creates files with identical names per-release
        # This setup allows running multiple tests on the same OVAL file
        # (without regenerating an identical oval) then creating a new OVAL
        # with an identical name and different content for following tests
        # so the OVAL is generated only as needed (less frequently than
        # every test run, more frequently than once per module)
        if not os.path.exists(new_file):
            dpkg_file = cls.rel_test_path + output_file
            oci_file = cls.rel_test_path + "oci." + output_file
    
            # Generate OVAL
            if sys.version_info[0] < 3:
                pycov = "python-coverage"
            else:
                pycov = "python3-coverage"
            subprocess.check_output([pycov, "run", "-a",
                                     "scripts/generate-oval", "--oci", "--usn-oval",
                                     "--output-dir={}".format(cls.rel_test_path)] + oscap_args)
    
            # Validate file structure
            subprocess.check_output(["oscap", "oval", "validate",
                                    dpkg_file], stderr=subprocess.STDOUT)
    
            subprocess.check_output(["oscap", "oval", "validate",
                                    oci_file], stderr=subprocess.STDOUT)
    
            os.rename(oci_file, new_file)
    
            cls.files_to_del.update([new_file, dpkg_file])
    
        # Test the oci XML file against a manifest
        manifest_dir = cls.rel_test_path + "manifests/" + manifest + "/"
        cmd_output = subprocess.check_output(["oscap", "oval", "eval",
            new_file], stderr=subprocess.STDOUT, cwd=manifest_dir)
        # Convert to str for py 3 compatibility
        cmd_output = cmd_output.decode("utf-8")
    
        # Compare output to expected
        with open(cls.rel_test_path + "gold_oci_results/" + gold_file) as f:
            gold_output = f.readlines()
    
        for line in gold_output:
>           assert(line in cmd_output)
E           AssertionError: assert 'Definition oval:com.ubuntu.bionic:def:38401000000: true\n' in 'Definition oval:com.ubuntu.bionic:def:48781000000: false\nDefinition oval:com.ubuntu.bionic:def:48771000000: true\nDe...com.ubuntu.bionic:def:36293000000: false\nDefinition oval:com.ubuntu.bionic:def:36272000000: false\nEvaluation done.\n'

test/test_utils.py:70: AssertionError
========================================================================================================== short test summary info ===========================================================================================================
FAILED test/test_oval_lib_end_to_end.py::TestOvalLibEndToEnd::test_validate_entire_oci_oval[com.ubuntu.bionic.usn.oval.xml-bionic_20180814-bionic] - AssertionError: assert 'Definition oval:com.ubuntu.bionic:def:38401000000: true\n' in ...
=================================================================================================== 1 failed, 3 passed in 62.91s (0:01:02) ===================================================================================================

review: Approve

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-08:

hmm, that's odd, the tests here are passing just fine:

$ pytest-3 test/test_oval_lib_end_to_end.py
==================================================================================================================================== test session starts =====================================================================================================================================
platform linux -- Python 3.6.9, pytest-3.3.2, py-1.5.2, pluggy-0.6.0
rootdir: /home/ubuntu/git-pulls/ubuntu-cve-tracker, inifile:
collected 4 items

test/test_oval_lib_end_to_end.py .... [100%]

================================================================================================================================= 4 passed in 148.45 seconds =================================================================================================================================

did you run the tests on top of the branch or did you rebase the branch?
I'm curious on why it is giving different results.

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-11-09:

Download full text (10.7 KiB)

On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> Review: Approve
>
> LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
>
> Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):

I was getting the same failure in the same way, see below for a deep
dive into why and feedback on the generated results:

On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> Review: Approve
> 
> LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
> 
> Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):

I was getting the same failure in the same way, see below for a deep
dive into why and feedback on the generated results:

> [amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_oval_lib_end_to_end.py 
> ============================================================================================================ test session starts =============================================================================================================
> platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
> rootdir: /home/amurray/ubuntu/git/ubuntu-cve-tracker
> collected 4 items                                                                                                                                                                                                                            
> 
> test/test_oval_lib_end_to_end.py ..F.                                                                                                                                                                                                  [100%]
> 
> ================================================================================================================== FAILURES ==================================================================================================================
> __________________________________________________________________ TestOvalLibEndToEnd.test_validate_entire_oci_oval[com.ubuntu.bionic.usn.oval.xml-bionic_20180814-bionic] __________________________________________________________________
> 
> self = <test_oval_lib_end_to_end.TestOvalLibEndToEnd object at 0x7f98d9e65c10>, dpkg_file = 'com.ubuntu.bionic.usn.oval.xml', manifest = 'bionic_20180814', release = 'bionic'
> 
>     @pytest.mark.parametrize("dpkg_file,manifest,release",
>          # The timestamped gold manifest oscap output has not been manually
>          # checked but it's nice to flag changes to the results of past USNs
>          [(util.bionic_dpkg_file, "bionic_20180814", "bionic"),
>          (util.trusty_dpkg_file, "trusty_20191107", "trusty")])
>     def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
>         """Coherence check of entire generated oci OVAL"""
> >       util.create_validate_oci(dpkg_file, "{}_full".format(release),
>             ["--usn-oval-release", release], manifest, release)
> 
> test/test_oval_lib_end_to_end.py:31: 
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
> 
> cls = <class 'test_utils.TestUtilities'>, output_file = 'com.ubuntu.bionic.usn.oval.xml', new_filename = 'bionic_full', oscap_args = ['--usn-oval-release', 'bionic'], manifest = 'bionic_20180814', gold_file = 'bionic'
> 
>     @classmethod
>     def create_validate_oci(cls, output_file, new_filename, oscap_args,
>             manifest, gold_file):
>         """Generate and validate oci and dpkg oval XML files for a single Ubuntu
>         release"""
>     
>         new_file = cls.rel_test_path + new_filename
>     
>         # generate-oval creates files with identical names per-release
>         # This setup allows running multiple tests on the same OVAL file
>         # (without regenerating an identical oval) then creating a new OVAL
>         # with an identical name and different content for following tests
>         # so the OVAL is generated only as needed (less frequently than
>         # every test run, more frequently than once per module)
>         if not os.path.exists(new_file):
>             dpkg_file = cls.rel_test_path + output_file
>             oci_file = cls.rel_test_path + "oci." + output_file
>     
>             # Generate OVAL
>             if sys.version_info[0] < 3:
>                 pycov = "python-coverage"
>             else:
>                 pycov = "python3-coverage"
>             subprocess.check_output([pycov, "run", "-a",
>                                      "scripts/generate-oval", "--oci", "--usn-oval",
>                                      "--output-dir={}".format(cls.rel_test_path)] + oscap_args)
>     
>             # Validate file structure
>             subprocess.check_output(["oscap", "oval", "validate",
>                                     dpkg_file], stderr=subprocess.STDOUT)
>     
>             subprocess.check_output(["oscap", "oval", "validate",
>                                     oci_file], stderr=subprocess.STDOUT)
>     
>             os.rename(oci_file, new_file)
>     
>             cls.files_to_del.update([new_file, dpkg_file])
>     
>         # Test the oci XML file against a manifest
>         manifest_dir = cls.rel_test_path + "manifests/" + manifest + "/"
>         cmd_output = subprocess.check_output(["oscap", "oval", "eval",
>             new_file], stderr=subprocess.STDOUT, cwd=manifest_dir)
>         # Convert to str for py 3 compatibility
>         cmd_output = cmd_output.decode("utf-8")
>     
>         # Compare output to expected
>         with open(cls.rel_test_path + "gold_oci_results/" + gold_file) as f:
>             gold_output = f.readlines()
>     
>         for line in gold_output:
> >           assert(line in cmd_output)
> E           AssertionError: assert 'Definition oval:com.ubuntu.bionic:def:38401000000: true\n' in 'Definition oval:com.ubuntu.bionic:def:48781000000: false\nDefinition oval:com.ubuntu.bionic:def:48771000000: true\nDe...com.ubuntu.bionic:def:36293000000: false\nDefinition oval:com.ubuntu.bionic:def:36272000000: false\nEvaluation done.\n'

I dug into this (when I should have been sleeping). The test does an
oscap oval oci usn eval against the usn db (database.json [0]) in your
$UCT against the OCI manifest file in test/manifests/bionic_20180814/
[1]. It then looks for tests that indicate a patch is needed to be
applied in the oscap tools output; i.e. definitions that return true.
The definition identifiers are derived from the USN number.

Thus in this case, the assert is tripping because it can't find

'Definition oval:com.ubuntu.bionic:def:38401000000: true\n'

in the oscap output, meaning that for the manifest, it should report
that it still needs USN 3840-1 to be applied. USN 3840-1 fixed openssl /
libssl1.1 with version 1.1.0g-2ubuntu4.3 and libssl1.0.0 with
1.0.2n-1ubuntu5.2; the manifest tested against contains:

libssl1.0.0:amd64       1.0.2n-1ubuntu5.1
  libssl1.1:amd64 1.1.0g-2ubuntu4.1

both of which should indicate tht they are vulnerable. Running the oscap
evaluation against the current USN OVAL served off of
security-metadata.ubuntu.com results in USN 3840-1 correctly being
flagged as needing to be applied, and the end_to_end tests succeed on
master.

That's how it's all supposed to work. However.

While reproducing the faiure and trying to generate reports and
output based on switching between master and Eduardo's git branch in
the same cloned tree, I got an even weirder result (due to operator
error), and in a fit of trying make sure things were in a sane state,
deleted scripts/__pycache__/ ... and Eduardo's branch started behaving
as expected. For testing, we should thus ensure python's jit files
are cleared.

(I had also hit earlier test failures because the .coverage file from a
long ago run was in a different format.)

I did go ahead and generate the oscap html report based on the trusty
and bionic test manifests and pushed them to:

https://people.canonical.com/~sbeattie/trusty-output-usn-oval-improvement.html
  https://people.canonical.com/~sbeattie/trusty-output-usn-oval-improvement.html

along with their respective base case reports generated with unpatched
oval data:

https://people.canonical.com/~sbeattie/trusty-pristine-output-usn-oval-improvement.html
  https://people.canonical.com/~sbeattie/bionic-pristine-output-usn-oval-improvement.html

Some comments on what gets generated from looking at differences in the
XML content when things are run correctly:

- there are definite bugs in CVE handling/reporting[2] being fixed by Eduardo's
  branch (e.g. see the reference to CVE-2021-25219 missing for the bind9 USN
  5126-[12] entries).

- that said, despite the expanded usn descriptions, the oscap report
  doesn't surface them. Not sure it's an issue.

- what might be an issue is the expanded usn description texts end
  up being all one entry, with no delineation between paragraph
  breaks. Not sure how parsers of the oval will handle it.

- The origin for each of the fix/USN is pulled from the product
  description and ignores the significant effort Emi and Paulo have
  gone through to annotate in all our USNs where each individual binary
  can pulled from (security or esm-infra), which leads to USNs that
  were published when trusty was still in LTS status being marked as
  available from UA Infra.

- The origin is sprinkled through as a comment field to a lot of the
  tags: criterion, constant_variable, ind:textfilecontent54_state,
  ind:textfilecontent54_object, ind:textfilecontent54_test, which
  seems like overkill, and also probably not the right way to represent
  this information. I'm not sure what the right way is, possibly as a
  'reference' entry type? Research on how something like this should
  show up in OVAL is needed.

(And despite all the origin references, none is
  surfaced in the oscap html report, but I'm not sure if that's just a
  limitation of oscap's html generator.)

- I think there is a desire to include a description of the UA products
  and that UA Infra releases are supported. Again, I don't know enough
  OVAL to know the right way to do this

I want to land this branch but I am concerned that the references to
the products are not done correctly, and if we do land it, people
parsing it for consumption in other scanners will see the changes
and assume that's the final format we're going with. And I don't think
we want that.

I'll look at what individual commits we might be able to land tomorrow.

Thanks.

[0] generate-oval.py should take json filename as an optional argument,
    not a directory where it expects to find database.json in it.

[1] the test should be updated to use a temporary directory to pull
    the latest USN db into and to output its generated xml files in,
    so that it doesn't clutter up your local $UCT directory.

[2] we should also surface launchpad bug reports here as well.

-- 
Steve Beattie
<sbeattie@ubuntu.com>

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-09:

Download full text (12.3 KiB)

On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > Review: Approve
> >
> > LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
> >
> > Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):
>
> I was getting the same failure in the same way, see below for a deep
> dive into why and feedback on the generated results:
>

Thanks for debugging it. I've a few comments below.

On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > Review: Approve
> > 
> > LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
> > 
> > Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):
> 
> I was getting the same failure in the same way, see below for a deep
> dive into why and feedback on the generated results:
>

Thanks for debugging it. I've a few comments below.

> > [amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_oval_lib_end_to_end.py 
> > ============================================================================================================ test session starts =============================================================================================================
> > platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
> > rootdir: /home/amurray/ubuntu/git/ubuntu-cve-tracker
> > collected 4 items                                                                                                                                                                                                                            
> > 
> > test/test_oval_lib_end_to_end.py ..F.                                                                                                                                                                                                  [100%]
> > 
> > ================================================================================================================== FAILURES ==================================================================================================================
> > __________________________________________________________________ TestOvalLibEndToEnd.test_validate_entire_oci_oval[com.ubuntu.bionic.usn.oval.xml-bionic_20180814-bionic] __________________________________________________________________
> > 
> > self = <test_oval_lib_end_to_end.TestOvalLibEndToEnd object at 0x7f98d9e65c10>, dpkg_file = 'com.ubuntu.bionic.usn.oval.xml', manifest = 'bionic_20180814', release = 'bionic'
> > 
> >     @pytest.mark.parametrize("dpkg_file,manifest,release",
> >          # The timestamped gold manifest oscap output has not been manually
> >          # checked but it's nice to flag changes to the results of past USNs
> >          [(util.bionic_dpkg_file, "bionic_20180814", "bionic"),
> >          (util.trusty_dpkg_file, "trusty_20191107", "trusty")])
> >     def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
> >         """Coherence check of entire generated oci OVAL"""
> > >       util.create_validate_oci(dpkg_file, "{}_full".format(release),
> >             ["--usn-oval-release", release], manifest, release)
> > 
> > test/test_oval_lib_end_to_end.py:31: 
> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
> > 
> > cls = <class 'test_utils.TestUtilities'>, output_file = 'com.ubuntu.bionic.usn.oval.xml', new_filename = 'bionic_full', oscap_args = ['--usn-oval-release', 'bionic'], manifest = 'bionic_20180814', gold_file = 'bionic'
> > 
> >     @classmethod
> >     def create_validate_oci(cls, output_file, new_filename, oscap_args,
> >             manifest, gold_file):
> >         """Generate and validate oci and dpkg oval XML files for a single Ubuntu
> >         release"""
> >     
> >         new_file = cls.rel_test_path + new_filename
> >     
> >         # generate-oval creates files with identical names per-release
> >         # This setup allows running multiple tests on the same OVAL file
> >         # (without regenerating an identical oval) then creating a new OVAL
> >         # with an identical name and different content for following tests
> >         # so the OVAL is generated only as needed (less frequently than
> >         # every test run, more frequently than once per module)
> >         if not os.path.exists(new_file):
> >             dpkg_file = cls.rel_test_path + output_file
> >             oci_file = cls.rel_test_path + "oci." + output_file
> >     
> >             # Generate OVAL
> >             if sys.version_info[0] < 3:
> >                 pycov = "python-coverage"
> >             else:
> >                 pycov = "python3-coverage"
> >             subprocess.check_output([pycov, "run", "-a",
> >                                      "scripts/generate-oval", "--oci", "--usn-oval",
> >                                      "--output-dir={}".format(cls.rel_test_path)] + oscap_args)
> >     
> >             # Validate file structure
> >             subprocess.check_output(["oscap", "oval", "validate",
> >                                     dpkg_file], stderr=subprocess.STDOUT)
> >     
> >             subprocess.check_output(["oscap", "oval", "validate",
> >                                     oci_file], stderr=subprocess.STDOUT)
> >     
> >             os.rename(oci_file, new_file)
> >     
> >             cls.files_to_del.update([new_file, dpkg_file])
> >     
> >         # Test the oci XML file against a manifest
> >         manifest_dir = cls.rel_test_path + "manifests/" + manifest + "/"
> >         cmd_output = subprocess.check_output(["oscap", "oval", "eval",
> >             new_file], stderr=subprocess.STDOUT, cwd=manifest_dir)
> >         # Convert to str for py 3 compatibility
> >         cmd_output = cmd_output.decode("utf-8")
> >     
> >         # Compare output to expected
> >         with open(cls.rel_test_path + "gold_oci_results/" + gold_file) as f:
> >             gold_output = f.readlines()
> >     
> >         for line in gold_output:
> > >           assert(line in cmd_output)
> > E           AssertionError: assert 'Definition oval:com.ubuntu.bionic:def:38401000000: true\n' in 'Definition oval:com.ubuntu.bionic:def:48781000000: false\nDefinition oval:com.ubuntu.bionic:def:48771000000: true\nDe...com.ubuntu.bionic:def:36293000000: false\nDefinition oval:com.ubuntu.bionic:def:36272000000: false\nEvaluation done.\n'
> 
> I dug into this (when I should have been sleeping). The test does an
> oscap oval oci usn eval against the usn db (database.json [0]) in your
> $UCT against the OCI manifest file in test/manifests/bionic_20180814/
> [1]. It then looks for tests that indicate a patch is needed to be
> applied in the oscap tools output; i.e. definitions that return true.
> The definition identifiers are derived from the USN number.
> 
> Thus in this case, the assert is tripping because it can't find
> 
>   'Definition oval:com.ubuntu.bionic:def:38401000000: true\n'
> 
> in the oscap output, meaning that for the manifest, it should report
> that it still needs USN 3840-1 to be applied. USN 3840-1 fixed openssl /
> libssl1.1 with version 1.1.0g-2ubuntu4.3 and libssl1.0.0 with
> 1.0.2n-1ubuntu5.2; the manifest tested against contains:
> 
>   libssl1.0.0:amd64       1.0.2n-1ubuntu5.1
>   libssl1.1:amd64 1.1.0g-2ubuntu4.1
> 
> both of which should indicate tht they are vulnerable. Running the oscap
> evaluation against the current USN OVAL served off of
> security-metadata.ubuntu.com results in USN 3840-1 correctly being
> flagged as needing to be applied, and the end_to_end tests succeed on
> master.
> 
> That's how it's all supposed to work. However.
> 
> While reproducing the faiure and trying to generate reports and
> output based on switching between master and Eduardo's git branch in
> the same cloned tree, I got an even weirder result (due to operator
> error), and in a fit of trying make sure things were in a sane state,
> deleted scripts/__pycache__/ ... and Eduardo's branch started behaving
> as expected. For testing, we should thus ensure python's jit files
> are cleared.
> 
> (I had also hit earlier test failures because the .coverage file from a
> long ago run was in a different format.)
> 
> I did go ahead and generate the oscap html report based on the trusty
> and bionic test manifests and pushed them to:
> 
>   https://people.canonical.com/~sbeattie/trusty-output-usn-oval-improvement.html
>   https://people.canonical.com/~sbeattie/trusty-output-usn-oval-improvement.html
> 
> along with their respective base case reports generated with unpatched
> oval data:
> 
>   https://people.canonical.com/~sbeattie/trusty-pristine-output-usn-oval-improvement.html
>   https://people.canonical.com/~sbeattie/bionic-pristine-output-usn-oval-improvement.html
> 
> Some comments on what gets generated from looking at differences in the
> XML content when things are run correctly:
> 
> - there are definite bugs in CVE handling/reporting[2] being fixed by Eduardo's
>   branch (e.g. see the reference to CVE-2021-25219 missing for the bind9 USN
>   5126-[12] entries).
> 
> - that said, despite the expanded usn descriptions, the oscap report
>   doesn't surface them. Not sure it's an issue.

I've discussed this with Alex B, that the oscap report tool doesn't show any
description on CVEs/USNs and he confirmed that what Lech is expecting is in
the OVAL data itself, as it seems he is in contact with Tenable to have not
only the description correctly shown by also the product/origin information.

I will work on getting the launchpad reports also referecend in the oscap report,
thanks for catching this.

> 
> - what might be an issue is the expanded usn description texts end
>   up being all one entry, with no delineation between paragraph
>   breaks. Not sure how parsers of the oval will handle it.
>

Good point. I will see how this will behave in Nessus. I will will send
another email with the results.

> - The origin for each of the fix/USN is pulled from the product
>   description and ignores the significant effort Emi and Paulo have
>   gone through to annotate in all our USNs where each individual binary
>   can pulled from (security or esm-infra), which leads to USNs that
>   were published when trusty was still in LTS status being marked as
>   available from UA Infra.
>

Feel free to correct me here, but this is something that I discussed with
Paulo during this development, as a lot of trusty USNs didn't have a pocket
information, and I had to work around it in the code. According to Paulo,
they didn't include information to trusty as the UA client doesn't support
trusty. Also, he said this would be easy to be pushed if needed, so we could
try to fix this before merging this branch.

> - The origin is sprinkled through as a comment field to a lot of the
>   tags: criterion, constant_variable, ind:textfilecontent54_state,
>   ind:textfilecontent54_object, ind:textfilecontent54_test, which
>   seems like overkill, and also probably not the right way to represent
>   this information. I'm not sure what the right way is, possibly as a
>   'reference' entry type? Research on how something like this should
>   show up in OVAL is needed.
> 
>   (And despite all the origin references, none is
>   surfaced in the oscap html report, but I'm not sure if that's just a
>   limitation of oscap's html generator.)

I will try to play with it a bit and see how we can reduce the origin. But
yes, the oscap html report is quite limited, but maybe as a reference is enough.

> 
> - I think there is a desire to include a description of the UA products
>   and that UA Infra releases are supported. Again, I don't know enough
>   OVAL to know the right way to do this
> 
> I want to land this branch but I am concerned that the references to
> the products are not done correctly, and if we do land it, people
> parsing it for consumption in other scanners will see the changes
> and assume that's the final format we're going with. And I don't think
> we want that.
> 
> I'll look at what individual commits we might be able to land tomorrow.
> 
> Thanks.
> 
> [0] generate-oval.py should take json filename as an optional argument,
>     not a directory where it expects to find database.json in it.
> 
> [1] the test should be updated to use a temporary directory to pull
>     the latest USN db into and to output its generated xml files in,
>     so that it doesn't clutter up your local $UCT directory.
> 
> [2] we should also surface launchpad bug reports here as well.
> 
> -- 
> Steve Beattie
> <sbeattie@ubuntu.com>

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-11-15:

Hi,

The changes in:

1e13b6edc8 ("Fix test test_create_dict_from_cve_file")

On Fri, Oct 29, 2021 at 03:13:31PM -0000, Eduardo Barretto wrote:
> <advisory <email address hidden>">
> <severity>Medium</severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
> </advisory>

> <advisory <email address hidden>">
> <severity>Medium</severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
> </advisory>

ends up breaking the tests:

TestOvalLibUnit::test_create_usn_definition
TestOvalLibUnit::test_invalid_priority_usn_definition

for me. The problem is that oval_lib.py::create_usn_definition()
pulls the published timestamp from the USN db via
datetime.datetime.fromtimestamp without a timezone, so python converts
it to your local timezone.

The right way to fix this is to set the timezone
to datetime.timezone.utc explicitly as an argument to
datetime.datetime.fromtimestamp() but python2.7 doesn't have that
and makes it non-trivial to use a tzinfo timezone without using a
third-party library.

Converting oval_lib.py to use datetime.datetime.utcfromtimestamp()
instead would likely address this in the short term, but people
*should* be using oval info from the public vm where python3 is used.

Thanks.

--
Steve Beattie
<email address hidden>

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-11-15:

On Tue, Nov 09, 2021 at 01:19:24PM +0100, Eduardo Barretto wrote:
> On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> > On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > - The origin for each of the fix/USN is pulled from the product
> > description and ignores the significant effort Emi and Paulo have
> > gone through to annotate in all our USNs where each individual binary
> > can pulled from (security or esm-infra), which leads to USNs that
> > were published when trusty was still in LTS status being marked as
> > available from UA Infra.
> >
>
> Feel free to correct me here, but this is something that I discussed with
> Paulo during this development, as a lot of trusty USNs didn't have a pocket
> information, and I had to work around it in the code. According to Paulo,
> they didn't include information to trusty as the UA client doesn't support
> trusty. Also, he said this would be easy to be pushed if needed, so we could
> try to fix this before merging this branch.

Oh, I totally missed that this is happening for trusty only, because I
was debugging the trusty end-to-end tests. Okay, I can
live with that. It would be good to have a xenial end-to-end test in
that case as well.

(I would like to push the logic encapsulated in
OvalGeneratorUSN.get_product_description() out of that
class/oval_lib.py so that if other tools need to rely on the same
logic, they can get access to it in a more central place. But I'm
not entirely sure what the interface for it should look like.)

--
Steve Beattie
<email address hidden>

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-16:

On Mon, Nov 15, 2021 at 07:54:53AM -0800, Steve Beattie wrote:
> On Tue, Nov 09, 2021 at 01:19:24PM +0100, Eduardo Barretto wrote:
> > On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> > > On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > > - The origin for each of the fix/USN is pulled from the product
> > > description and ignores the significant effort Emi and Paulo have
> > > gone through to annotate in all our USNs where each individual binary
> > > can pulled from (security or esm-infra), which leads to USNs that
> > > were published when trusty was still in LTS status being marked as
> > > available from UA Infra.
> > >
> >
> > Feel free to correct me here, but this is something that I discussed with
> > Paulo during this development, as a lot of trusty USNs didn't have a pocket
> > information, and I had to work around it in the code. According to Paulo,
> > they didn't include information to trusty as the UA client doesn't support
> > trusty. Also, he said this would be easy to be pushed if needed, so we could
> > try to fix this before merging this branch.
>
> Oh, I totally missed that this is happening for trusty only, because I
> was debugging the trusty end-to-end tests. Okay, I can
> live with that. It would be good to have a xenial end-to-end test in
> that case as well.
>
> (I would like to push the logic encapsulated in
> OvalGeneratorUSN.get_product_description() out of that
> class/oval_lib.py so that if other tools need to rely on the same
> logic, they can get access to it in a more central place. But I'm
> not entirely sure what the interface for it should look like.)

Ack! I will take a look at it, it might be a good idea to have this is in cve_lib.
I will try to come up with something.

Regarding my previous email that I mentioned about testing on Nessus to see
if the description looks correct. Unfortunately I couldn't because Nessus free
version doesn't allow to read OVAL files. Do we have a paid Nessus instance
anywhere at Canonical?

On Mon, Nov 15, 2021 at 07:54:53AM -0800, Steve Beattie wrote:
> On Tue, Nov 09, 2021 at 01:19:24PM +0100, Eduardo Barretto wrote:
> > On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> > > On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > > - The origin for each of the fix/USN is pulled from the product
> > >   description and ignores the significant effort Emi and Paulo have
> > >   gone through to annotate in all our USNs where each individual binary
> > >   can pulled from (security or esm-infra), which leads to USNs that
> > >   were published when trusty was still in LTS status being marked as
> > >   available from UA Infra.
> > > 
> > 
> > Feel free to correct me here, but this is something that I discussed with
> > Paulo during this development, as a lot of trusty USNs didn't have a pocket
> > information, and I had to work around it in the code. According to Paulo,
> > they didn't include information to trusty as the UA client doesn't support
> > trusty. Also, he said this would be easy to be pushed if needed, so we could
> > try to fix this before merging this branch.
> 
> Oh, I totally missed that this is happening for trusty only, because I
> was debugging the trusty end-to-end tests. Okay, I can
> live with that. It would be good to have a xenial end-to-end test in
> that case as well.
> 
> (I would like to push the logic encapsulated in
> OvalGeneratorUSN.get_product_description() out of that
> class/oval_lib.py so that if other tools need to rely on the same
> logic, they can get access to it in a more central place. But I'm
> not entirely sure what the interface for it should look like.)

Ack! I will take a look at it, it might be a good idea to have this is in cve_lib.
I will try to come up with something.

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-11-17:

FYI, so far I have merged or cherry-picked into master the following commits:

  2b3442c1e2 ("test_utils: Indent")
  335af7c6ad ("Fix gold_oci_results bionic data")
  1e13b6edc8 ("Fix test test_create_dict_from_cve_file")

I also applied the commit from

https://code.launchpad.net/~ebarretto/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/411027

that was to replace the commit:

28e9604767 ("Fix test oval definition_mock and invalid_priority_ret")

but had to revert it because it turned out python2 was being used in an unexpected place (and the fix requires python3), but I'm hoping to be able to get that use converted to python3 shortly, so I can put the fix back in place.

I'll also continue to push through cherry-picking more of the commits that are okay to apply.

~ebarretto/ubuntu-cve-tracker:usn-oval-improvement updated on 2021-11-17

46f74ad... by Eduardo Barretto on 2021-11-17

cve_lib: Add description to subprojects

06eeeb2... by Eduardo Barretto on 2021-11-17

cve_lib: Add function get_subproject_description and also retrieve the

description for a external subproject

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-17:

I've rebased the commits to address:
1. removed commit ("Fix test oval definition_mock and invalid_priority_ret"), as discussed this is UTC related issue, so it isn't needed and will affect test results for others.
2. move the product description to cve_lib. Added it as part of the subprojects/releases. As Alex suggested, I will be pushing a change to the customer-ppa-tracking with the following: https://pastebin.canonical.com/p/H6Dcbd86QM/
3. Rebased oval_lib and the tests because of #2

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-11-17:

Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?

Revision history for this message

Steve Beattie (sbeattie) wrote on 2021-11-17:

On Wed, Nov 17, 2021 at 11:20:20PM -0000, Alex Murray wrote:
> Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?

I think it accidentally got pushed as a branch on the team repo,
rather than a rebased (force-)push to the branch in @ebarretto's
launchpad repo.

--
Steve Beattie
<email address hidden>

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-18:

Oh sorry about that, I've just pushed to the right place.

On Wed, Nov 17, 2021 at 11:30:39PM -0000, Steve Beattie wrote:
> On Wed, Nov 17, 2021 at 11:20:20PM -0000, Alex Murray wrote:
> > Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?
>
> I think it accidentally got pushed as a branch on the team repo,
> rather than a rebased (force-)push to the branch in @ebarretto's
> launchpad repo.
>
> --
> Steve Beattie
> <email address hidden>
>
> https://code.launchpad.net/~ebarretto/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/411027
> You are the owner of ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement.
>

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-11-18:

Thanks - one small comment on the new function for cve_lib - also I wonder about the name "Regular Release" - should this perhaps be "Standard Release" or "Interim Release" (I am not sure if we have a proper name to refer to the non-LTS releases but I am not sure "Regular" is the right word here) - perhaps just "Standard Support Release"?

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-22:

On Thu, Nov 18, 2021 at 10:56:52PM -0000, Alex Murray wrote:
> Thanks - one small comment on the new function for cve_lib - also I wonder about the name "Regular Release" - should this perhaps be "Standard Release" or "Interim Release" (I am not sure if we have a proper name to refer to the non-LTS releases but I am not sure "Regular" is the right word here) - perhaps just "Standard Support Release"?

I'm not a big fan on the Regular Release name, but I actually got it from: https://wiki.ubuntu.com/Releases
"Regular releases are supported for 9 months."

Depending on what we want to name it, we might need to revisit our external communications.

>
> Diff comments:
>
> > diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
> > index fd714cf..6e63d0a 100755
> > --- a/scripts/cve_lib.py
> > +++ b/scripts/cve_lib.py
> > @@ -374,6 +413,17 @@ def release_alias(rel):
> > pass
> > return alias
> >
> > +def get_subproject_description(rel):
> > + """Return the description for a given release."""
> > + _, _, _, details = get_subproject_details(rel)
> > + if details:
> > + try:
> > + description = details["description"]
> > + except KeyError:
> > + print("Subproject does not have a descrition.", file=sys.stderr)
> > + return description
>
> description will be unbound if the details does not contain one - also we don't usually print errors in cve_lib from what I recall... should this return an empty string perhaps if none is found? Or 'None'?
>

I can either do a 'pass' or raise the Exception, we actually have a bit of everything in cve_lib,
including printing.
Maybe 'pass' is enough as it won't stop execution. Just let me know what you think is best and
I will adjust accordingly :)

> > +
> > +
> > def get_external_subproject_cve_dir(subproject):
> > """Get the directory where CVE files are stored for the subproject.
> >
>
>
> --
> https://code.launchpad.net/~ebarretto/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/411027
> You are the owner of ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement.
>

I'm not a big fan on the Regular Release name, but I actually got it from: https://wiki.ubuntu.com/Releases
"Regular releases are supported for 9 months."

Depending on what we want to name it, we might need to revisit our external communications.

> 
> Diff comments:
> 
> > diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
> > index fd714cf..6e63d0a 100755
> > --- a/scripts/cve_lib.py
> > +++ b/scripts/cve_lib.py
> > @@ -374,6 +413,17 @@ def release_alias(rel):
> >              pass
> >      return alias
> >  
> > +def get_subproject_description(rel):
> > +    """Return the description for a given release."""
> > +    _, _, _, details = get_subproject_details(rel)
> > +    if details:
> > +        try:
> > +            description = details["description"]
> > +        except KeyError:
> > +            print("Subproject does not have a descrition.", file=sys.stderr)
> > +    return description
> 
> description will be unbound if the details does not contain one - also we don't usually print errors in cve_lib from what I recall... should this return an empty string perhaps if none is found? Or 'None'?
>

> > +
> > +
> >  def get_external_subproject_cve_dir(subproject):
> >      """Get the directory where CVE files are stored for the subproject.
> >  
> 
> 
> -- 
> https://code.launchpad.net/~ebarretto/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/411027
> You are the owner of ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement.
>

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-11-22:

Cool, let's not bikeshed on the naming - stick with Regular Release then. Also whilst I would love to move to using actual Exceptions more I found with some other updates I did which tried to raise them in more scenarios that it broke too much other stuff that wasn't written to expect them to be raised - so probably better to silently pass it and return None or an empty string I guess (depending on how the calling code expects the return value to look - ie if it is checking for None then return it)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2021-11-23:

On Mon, Nov 22, 2021 at 09:30:53AM -0000, Eduardo Barretto wrote:
> On Thu, Nov 18, 2021 at 10:56:52PM -0000, Alex Murray wrote:
> > Thanks - one small comment on the new function for cve_lib - also I
> > wonder about the name "Regular Release" - should this perhaps be
> > "Standard Release" or "Interim Release" (I am not sure if we have a
> > proper name to refer to the non-LTS releases but I am not sure
> > "Regular" is the right word here) - perhaps just "Standard Support
> > Release"?
>
> I'm not a big fan on the Regular Release name, but I actually got it from: https://wiki.ubuntu.com/Releases
> "Regular releases are supported for 9 months."

This page uses "Interim release" https://ubuntu.com/about/release-cycle
and it feels more likely to have been reviewed by marketing / brand
specialists than the wiki page :)

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-23:

Just rebased and pushed moving "Regular Release" to "Interim Release" as suggested by Seth. Thanks!
And made a pass in the description and set description to "?" as this was the previous comment in our oval files.

Revision history for this message

Alex Murray (alexmurray) wrote on 2021-11-23:

LGTM, thanks!

review: Approve

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2021-11-25:

Thanks, just merged it

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Eduardo Barretto

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

1	diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
2	index fd714cf..359ba25 100755
3	--- a/scripts/cve_lib.py
4	+++ b/scripts/cve_lib.py
5	@@ -101,6 +101,7 @@ subprojects = {
6	"alias": "precise/esm",
7	"ppa": "ubuntu-esm/esm",
8	"parent": "ubuntu/precise",
9	+ "description": "Available with UA Infra or UA Desktop",
10	},
11	"esm/trusty": {
12	"eol": False,
13	@@ -109,6 +110,7 @@ subprojects = {
14	"alias": "trusty/esm",
15	"ppa": "ubuntu-esm/esm-infra-security",
16	"parent": "ubuntu/trusty",
17	+ "description": "Available with UA Infra or UA Desktop",
18	},
19	"esm-infra/xenial": {
20	"eol": False,
21	@@ -117,187 +119,224 @@ subprojects = {
22	"name": "Ubuntu 16.04 ESM (Xenial Xerus)",
23	"ppa": "ubuntu-esm/esm-infra-security",
24	"parent": "ubuntu/xenial",
25	+ "description": "Available with UA Infra or UA Desktop",
26	},
27	"ubuntu/warty": {
28	"eol": True,
29	"components": ["main", "restricted", "universe", "multiverse", "partner"],
30	"alias": "warty",
31	+ "description": "Interim Release",
32	},
33	"ubuntu/hoary": {
34	"eol": True,
35	"components": ["main", "restricted", "universe", "multiverse", "partner"],
36	"alias": "hoary",
37	+ "description": "Interim Release",
38	},
39	"ubuntu/breezy": {
40	"eol": True,

Ubuntu CVE Tracker

Merge ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers