Merge ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement into ubuntu-cve-tracker:master
| Status | Merged |
|---|---|
| Merge reported by | Eduardo Barretto |
| Merged at revision | ee0cbb1103fbbba29ee5dd7267b612520c3e0b75 |
| Proposed branch | ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 741 lines (+155/-81) (has conflicts), 3 files modified: scripts/cve_lib.py (+53/-0), scripts/oval_lib.py (+26/-24), test/test_oval_lib_unit.py (+76/-57); conflict in test/test_oval_lib_unit.py |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Alex Murray | Approve | | |

Review via email: mp+411027@code.launchpad.net
Commit message
Description of the change
This PR solves the following:
1. fix the generate OVAL test suite, as it is currently broken
2. update the CVE tracker URL in OVAL generation (and also in the test suite)
3. in USN OVAL, use the USN description instead of the summary field
4. add a product description, based on binary pocket information, so that we can mention whether a fix is in LTS or available via UA
5. fix the generate OVAL test suite because of the changes mentioned above
Eduardo Barretto (ebarretto) wrote:
hmm, that's odd, the tests here are passing just fine:
$ pytest-3 test/test_
=======
platform linux -- Python 3.6.9, pytest-3.3.2, py-1.5.2, pluggy-0.6.0
rootdir: /home/ubuntu/
collected 4 items
test/test_
=======
did you run the tests on top of the branch or did you rebase the branch?
I'm curious on why it is giving different results.
Steve Beattie (sbeattie) wrote:
On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> Review: Approve
>
> LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
>
> Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):
I was getting the same failure in the same way, see below for a deep
dive into why and feedback on the generated results:
> [amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_
> =======
> platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
> rootdir: /home/amurray/
> collected 4 items
>
> test/test_
>
> =======
> _______
>
> self = <test_oval_
>
> @pytest.
> # The timestamped gold manifest oscap output has not been manually
> # checked but it's nice to flag changes to the results of past USNs
> [(util.
> (util.trusty_
> def test_validate_
> """Coherence check of entire generated oci OVAL"""
> > util.create_
> ["--usn-
>
> test/test_
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>
> cls = <class 'test_utils.
Eduardo Barretto (ebarretto) wrote:
On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > Review: Approve
> >
> > LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
> >
> > Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):
>
> I was getting the same failure in the same way, see below for a deep
> dive into why and feedback on the generated results:
>
Thanks for debugging it. I've a few comments below.
> > [amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_
> > =======
> > platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
> > rootdir: /home/amurray/
> > collected 4 items
> >
> > test/test_
> >
> > =======
> > _______
> >
> > self = <test_oval_
> >
> > @pytest.
> > # The timestamped gold manifest oscap output has not been manually
> > # checked but it's nice to flag changes to the results of past USNs
> > [(util.
> > (util.trusty_
> > def test_validate_
> > """Coherence check of entire generated oci OVAL"""
> > > util.create_
> > ["--usn-
> >
> > test/test_
> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ...
Steve Beattie (sbeattie) wrote:
Hi,
The changes in:
1e13b6edc8 ("Fix test test_create_
On Fri, Oct 29, 2021 at 03:13:31PM -0000, Eduardo Barretto wrote:
> <advisory <email address hidden>">
> <severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https:/
> </advisory>
> <advisory <email address hidden>">
> <severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https:/
> </advisory>
ends up breaking the tests:
TestOvalLibUn
TestOvalLibUn
for me. The problem is that oval_lib.
pulls the published timestamp from the USN db via
datetime.
it to your local timezone.
The right way to fix this is to set the timezone
to datetime.
datetime.
and makes it non-trivial to use a tzinfo timezone without using a
third-party library.
Converting oval_lib.py to use datetime.
instead would likely address this in the short term, but people
*should* be using oval info from the public vm where python3 is used.
Thanks.
--
Steve Beattie
<email address hidden>
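The timezone dependence Steve describes above, as an added example (not code from ubuntu-cve-tracker): a naive `datetime.fromtimestamp()` renders the same epoch value as a different `issued` date depending on the machine's TZ, while a `timezone.utc`-aware conversion is stable. The USN timestamp is constructed, and the zones are POSIX TZ offset strings so no tzdata is needed.

```python
import os
import time
from datetime import datetime, timezone

# Constructed sample: a USN "published" timestamp ten minutes before midnight
# UTC on 2020-06-09, as epoch seconds. Not a value from the real USN database.
SAMPLE_PUBLISHED_TS = int(datetime(2020, 6, 9, 23, 50, tzinfo=timezone.utc).timestamp())


def issued_date_naive(ts):
    """The failure mode: a naive fromtimestamp() renders the epoch value in the
    process's local zone, so the <issued date="..."/> value changes with TZ."""
    return datetime.fromtimestamp(ts).strftime("%Y-%m-%d")


def issued_date_utc(ts):
    """The fix shape: a timezone-aware conversion with the stdlib timezone.utc,
    identical on every machine and needing no third-party tz library."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def issued_date_naive_in_zone(ts, posix_tz):
    """Evaluate issued_date_naive() as if the process ran in the given zone.

    posix_tz is a POSIX TZ string such as 'UTC0', 'CET-1' (UTC+1),
    'AEST-10' (UTC+10) or 'PST8' (UTC-8). time.tzset() is POSIX-only.
    The previous TZ setting is restored afterwards.
    """
    saved = os.environ.get("TZ")
    os.environ["TZ"] = posix_tz
    time.tzset()
    try:
        return issued_date_naive(ts)
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()


def compare_zones(ts, zones=("UTC0", "CET-1", "AEST-10", "PST8")):
    """Return {zone: (naive_date, utc_date)} showing which conversions drift."""
    return {z: (issued_date_naive_in_zone(ts, z), issued_date_utc(ts)) for z in zones}


if __name__ == "__main__":
    for zone, (naive, utc) in compare_zones(SAMPLE_PUBLISHED_TS).items():
        flag = "" if naive == utc else "  <-- gold file would differ here"
        print(f"{zone:8} naive={naive} utc={utc}{flag}")
```

Developers east of UTC (CET, AEST) get 2020-06-10 from the naive conversion while a US Pacific machine gets 2020-06-09, which is exactly how a gold file can pass for one reviewer and fail for another.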
Steve Beattie (sbeattie) wrote:
On Tue, Nov 09, 2021 at 01:19:24PM +0100, Eduardo Barretto wrote:
> On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> > On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > - The origin for each of the fix/USN is pulled from the product
> > description and ignores the significant effort Emi and Paulo have
> > gone through to annotate in all our USNs where each individual binary
> > can pulled from (security or esm-infra), which leads to USNs that
> > were published when trusty was still in LTS status being marked as
> > available from UA Infra.
> >
>
> Feel free to correct me here, but this is something that I discussed with
> Paulo during this development, as a lot of trusty USNs didn't have a pocket
> information, and I had to work around it in the code. According to Paulo,
> they didn't include information to trusty as the UA client doesn't support
> trusty. Also, he said this would be easy to be pushed if needed, so we could
> try to fix this before merging this branch.
Oh, I totally missed that this is happening for trusty only, because I
was debugging the trusty end-to-end tests. Okay, I can
live with that. It would be good to have a xenial end-to-end test in
that case as well.
(I would like to push the logic encapsulated in
OvalGeneratorUS
class/oval_lib.py so that if other tools need to rely on the same
logic, they can get access to it in a more central place. But I'm
not entirely sure what the interface for it should look like.)
--
Steve Beattie
<email address hidden>
Eduardo Barretto (ebarretto) wrote:
On Mon, Nov 15, 2021 at 07:54:53AM -0800, Steve Beattie wrote:
> On Tue, Nov 09, 2021 at 01:19:24PM +0100, Eduardo Barretto wrote:
> > On Tue, Nov 09, 2021 at 03:06:31AM -0800, Steve Beattie wrote:
> > > On Thu, Nov 04, 2021 at 01:37:57AM -0000, Alex Murray wrote:
> > > - The origin for each of the fix/USN is pulled from the product
> > > description and ignores the significant effort Emi and Paulo have
> > > gone through to annotate in all our USNs where each individual binary
> > > can pulled from (security or esm-infra), which leads to USNs that
> > > were published when trusty was still in LTS status being marked as
> > > available from UA Infra.
> > >
> >
> > Feel free to correct me here, but this is something that I discussed with
> > Paulo during this development, as a lot of trusty USNs didn't have a pocket
> > information, and I had to work around it in the code. According to Paulo,
> > they didn't include information to trusty as the UA client doesn't support
> > trusty. Also, he said this would be easy to be pushed if needed, so we could
> > try to fix this before merging this branch.
>
> Oh, I totally missed that this is happening for trusty only, because I
> was debugging the trusty end-to-end tests. Okay, I can
> live with that. It would be good to have a xenial end-to-end test in
> that case as well.
>
> (I would like to push the logic encapsulated in
> OvalGeneratorUS
> class/oval_lib.py so that if other tools need to rely on the same
> logic, they can get access to it in a more central place. But I'm
> not entirely sure what the interface for it should look like.)
Ack! I will take a look at it; it might be a good idea to have this in cve_lib.
I will try to come up with something.
Regarding my previous email, in which I mentioned testing on Nessus to see
whether the description looks correct: unfortunately I couldn't, because the Nessus free
version doesn't allow reading OVAL files. Do we have a paid Nessus instance
anywhere at Canonical?
Steve Beattie (sbeattie) wrote:
FYI, so far I have merged or cherry-picked into master the following commits:
2b3442c1e2 ("test_utils: Indent")
335af7c6ad ("Fix gold_oci_results bionic data")
1e13b6edc8 ("Fix test test_create_
I also applied the commit from
https:/
that was to replace the commit:
28e9604767 ("Fix test oval definition_mock and invalid_
but had to revert it because it turned out python2 was being used in an unexpected place (and the fix requires python3), but I'm hoping to be able to get that use converted to python3 shortly, so I can put the fix back in place.
I'll also continue to push through cherry-picking more of the commits that are okay to apply.
- 46f74ad... by Eduardo Barretto: cve_lib: Add description to subprojects
- 06eeeb2... by Eduardo Barretto: cve_lib: Add function get_subproject_
  description and also retrieve the description for an external subproject
Eduardo Barretto (ebarretto) wrote:
I've rebased the commits to address:
1. removed the commit ("Fix test oval definition_mock and invalid_
2. moved the product description to cve_lib. Added it as part of the subprojects/
3. rebased oval_lib and the tests because of #2
Alex Murray (alexmurray) wrote:
Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?
Steve Beattie (sbeattie) wrote:
On Wed, Nov 17, 2021 at 11:20:20PM -0000, Alex Murray wrote:
> Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?
I think it accidentally got pushed as a branch on the team repo,
rather than a rebased (force-)push to the branch in @ebarretto's
launchpad repo.
--
Steve Beattie
<email address hidden>
Eduardo Barretto (ebarretto) wrote:
Oh sorry about that, I've just pushed to the right place.
On Wed, Nov 17, 2021 at 11:30:39PM -0000, Steve Beattie wrote:
> On Wed, Nov 17, 2021 at 11:20:20PM -0000, Alex Murray wrote:
> > Thanks for the product description changes @ebarretto but I can't see any changes to cve_lib in the diff here or in any of the commits - did you push the changes?
>
> I think it accidentally got pushed as a branch on the team repo,
> rather than a rebased (force-)push to the branch in @ebarretto's
> launchpad repo.
>
> --
> Steve Beattie
> <email address hidden>
>
Alex Murray (alexmurray) wrote:
Thanks - one small comment on the new function for cve_lib - also I wonder about the name "Regular Release" - should this perhaps be "Standard Release" or "Interim Release" (I am not sure if we have a proper name to refer to the non-LTS releases but I am not sure "Regular" is the right word here) - perhaps just "Standard Support Release"?
Eduardo Barretto (ebarretto) wrote:
On Thu, Nov 18, 2021 at 10:56:52PM -0000, Alex Murray wrote:
> Thanks - one small comment on the new function for cve_lib - also I wonder about the name "Regular Release" - should this perhaps be "Standard Release" or "Interim Release" (I am not sure if we have a proper name to refer to the non-LTS releases but I am not sure "Regular" is the right word here) - perhaps just "Standard Support Release"?
I'm not a big fan on the Regular Release name, but I actually got it from: https:/
"Regular releases are supported for 9 months."
Depending on what we want to name it, we might need to revisit our external communications.
>
> Diff comments:
>
> > diff --git a/scripts/
> > index fd714cf..6e63d0a 100755
> > --- a/scripts/
> > +++ b/scripts/
> > @@ -374,6 +413,17 @@ def release_alias(rel):
> > pass
> > return alias
> >
> > +def get_subproject_
> > + """Return the description for a given release."""
> > + _, _, _, details = get_subproject_
> > + if details:
> > + try:
> > + description = details[
> > + except KeyError:
> > + print("Subproject does not have a descrition.", file=sys.stderr)
> > + return description
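Review bot: besides the KeyError path, the `if details:` false branch in this hunk also never assigns `description`, so a release with no subproject details at all hits `return description` with the name unbound (UnboundLocalError). Initialise it before the `if` (for example `description = None`) or collapse the lookup to `description = details.get("description")` when details is truthy, and drop the stderr print so the helper behaves like the other cve_lib lookups.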
>
> description will be unbound if the details does not contain one - also we don't usually print errors in cve_lib from what I recall... should this return an empty string perhaps if none is found? Or 'None'?
>
I can either do a 'pass' or raise the Exception; we actually have a bit of everything in cve_lib,
including printing.
Maybe 'pass' is enough, as it won't stop execution. Just let me know what you think is best and
I will adjust accordingly :)
> > +
> > +
> > def get_external_
> > """Get the directory where CVE files are stored for the subproject.
> >
Alex Murray (alexmurray) wrote:
Cool, let's not bikeshed on the naming - stick with Regular Release then. Also whilst I would love to move to using actual Exceptions more I found with some other updates I did which tried to raise them in more scenarios that it broke too much other stuff that wasn't written to expect them to be raised - so probably better to silently pass it and return None or an empty string I guess (depending on how the calling code expects the return value to look - ie if it is checking for None then return it)
Seth Arnold (seth-arnold) wrote:
On Mon, Nov 22, 2021 at 09:30:53AM -0000, Eduardo Barretto wrote:
> On Thu, Nov 18, 2021 at 10:56:52PM -0000, Alex Murray wrote:
> > Thanks - one small comment on the new function for cve_lib - also I
> > wonder about the name "Regular Release" - should this perhaps be
> > "Standard Release" or "Interim Release" (I am not sure if we have a
> > proper name to refer to the non-LTS releases but I am not sure
> > "Regular" is the right word here) - perhaps just "Standard Support
> > Release"?
>
> I'm not a big fan on the Regular Release name, but I actually got it from: https:/
> "Regular releases are supported for 9 months."
This page uses "Interim release" https:/
and it feels more likely to have been reviewed by marketing / brand
specialists than the wiki page :)
Eduardo Barretto (ebarretto) wrote:
Just rebased and pushed, moving "Regular Release" to "Interim Release" as suggested by Seth. Thanks!
And made a pass over the description and set the default description to "?", as this was the previous comment in our OVAL files.
Eduardo Barretto (ebarretto) wrote:
Thanks, just merged it
Preview Diff
1 | diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py |
2 | index fd714cf..359ba25 100755 |
3 | --- a/scripts/cve_lib.py |
4 | +++ b/scripts/cve_lib.py |
5 | @@ -101,6 +101,7 @@ subprojects = { |
6 | "alias": "precise/esm", |
7 | "ppa": "ubuntu-esm/esm", |
8 | "parent": "ubuntu/precise", |
9 | + "description": "Available with UA Infra or UA Desktop", |
10 | }, |
11 | "esm/trusty": { |
12 | "eol": False, |
13 | @@ -109,6 +110,7 @@ subprojects = { |
14 | "alias": "trusty/esm", |
15 | "ppa": "ubuntu-esm/esm-infra-security", |
16 | "parent": "ubuntu/trusty", |
17 | + "description": "Available with UA Infra or UA Desktop", |
18 | }, |
19 | "esm-infra/xenial": { |
20 | "eol": False, |
21 | @@ -117,187 +119,224 @@ subprojects = { |
22 | "name": "Ubuntu 16.04 ESM (Xenial Xerus)", |
23 | "ppa": "ubuntu-esm/esm-infra-security", |
24 | "parent": "ubuntu/xenial", |
25 | + "description": "Available with UA Infra or UA Desktop", |
26 | }, |
27 | "ubuntu/warty": { |
28 | "eol": True, |
29 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
30 | "alias": "warty", |
31 | + "description": "Interim Release", |
32 | }, |
33 | "ubuntu/hoary": { |
34 | "eol": True, |
35 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
36 | "alias": "hoary", |
37 | + "description": "Interim Release", |
38 | }, |
39 | "ubuntu/breezy": { |
40 | "eol": True, |
41 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
42 | "alias": "breezy", |
43 | + "description": "Interim Release", |
44 | }, |
45 | "ubuntu/dapper": { |
46 | "eol": True, |
47 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
48 | "alias": "dapper", |
49 | + "description": "Long Term Support", |
50 | }, |
51 | "ubuntu/edgy": { |
52 | "eol": True, |
53 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
54 | "alias": "edgy", |
55 | + "description": "Interim Release", |
56 | }, |
57 | "ubuntu/feisty": { |
58 | "eol": True, |
59 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
60 | "alias": "feisty", |
61 | + "description": "Interim Release", |
62 | }, |
63 | "ubuntu/gutsy": { |
64 | "eol": True, |
65 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
66 | "alias": "gutsy", |
67 | + "description": "Interim Release", |
68 | }, |
69 | "ubuntu/hardy": { |
70 | "eol": True, |
71 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
72 | "alias": "hardy", |
73 | + "description": "Long Term Support", |
74 | }, |
75 | "ubuntu/intrepid": { |
76 | "eol": True, |
77 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
78 | "alias": "intrepid", |
79 | + "description": "Interim Release", |
80 | }, |
81 | "ubuntu/jaunty": { |
82 | "eol": True, |
83 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
84 | "alias": "jaunty", |
85 | + "description": "Interim Release", |
86 | }, |
87 | "ubuntu/karmic": { |
88 | "eol": True, |
89 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
90 | "alias": "karmic", |
91 | + "description": "Interim Release", |
92 | }, |
93 | "ubuntu/lucid": { |
94 | "eol": True, |
95 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
96 | "alias": "lucid", |
97 | + "description": "Long Term Support", |
98 | }, |
99 | "ubuntu/maverick": { |
100 | "eol": True, |
101 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
102 | "alias": "maverick", |
103 | + "description": "Interim Release", |
104 | }, |
105 | "ubuntu/natty": { |
106 | "eol": True, |
107 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
108 | "alias": "natty", |
109 | + "description": "Interim Release", |
110 | }, |
111 | "ubuntu/oneiric": { |
112 | "eol": True, |
113 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
114 | "alias": "oneiric", |
115 | + "description": "Interim Release", |
116 | }, |
117 | "ubuntu/precise": { |
118 | "eol": True, |
119 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
120 | "alias": "precise", |
121 | + "description": "Long Term Support", |
122 | }, |
123 | "ubuntu/quantal": { |
124 | "eol": True, |
125 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
126 | "alias": "quantal", |
127 | + "description": "Interim Release", |
128 | }, |
129 | "ubuntu/raring": { |
130 | "eol": True, |
131 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
132 | "alias": "raring", |
133 | + "description": "Interim Release", |
134 | }, |
135 | "ubuntu/saucy": { |
136 | "eol": True, |
137 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
138 | "alias": "saucy", |
139 | + "description": "Interim Release", |
140 | }, |
141 | "ubuntu/trusty": { |
142 | "eol": True, |
143 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
144 | "alias": "trusty", |
145 | + "description": "Long Term Support", |
146 | }, |
147 | "ubuntu/utopic": { |
148 | "eol": True, |
149 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
150 | "alias": "utopic", |
151 | + "description": "Interim Release", |
152 | }, |
153 | "ubuntu/vivid": { |
154 | "eol": True, |
155 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
156 | "alias": "vivid", |
157 | + "description": "Interim Release", |
158 | }, |
159 | "ubuntu/wily": { |
160 | "eol": True, |
161 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
162 | "alias": "wily", |
163 | + "description": "Interim Release", |
164 | }, |
165 | "ubuntu/xenial": { |
166 | "eol": True, |
167 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
168 | "alias": "xenial", |
169 | + "description": "Long Term Support", |
170 | }, |
171 | "ubuntu/yakkety": { |
172 | "eol": True, |
173 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
174 | "alias": "yakkety", |
175 | + "description": "Interim Release", |
176 | }, |
177 | "ubuntu/zesty": { |
178 | "eol": True, |
179 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
180 | "alias": "zesty", |
181 | + "description": "Interim Release", |
182 | }, |
183 | "ubuntu/artful": { |
184 | "eol": True, |
185 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
186 | "alias": "artful", |
187 | + "description": "Interim Release", |
188 | }, |
189 | "ubuntu/bionic": { |
190 | "eol": False, |
191 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
192 | "alias": "bionic", |
193 | + "description": "Long Term Support", |
194 | }, |
195 | "ubuntu/cosmic": { |
196 | "eol": True, |
197 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
198 | "alias": "cosmic", |
199 | + "description": "Interim Release", |
200 | }, |
201 | "ubuntu/disco": { |
202 | "eol": True, |
203 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
204 | "alias": "disco", |
205 | + "description": "Interim Release", |
206 | }, |
207 | "ubuntu/eoan": { |
208 | "eol": True, |
209 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
210 | "alias": "eoan", |
211 | + "description": "Interim Release", |
212 | }, |
213 | "ubuntu/focal": { |
214 | "eol": False, |
215 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
216 | "alias": "focal", |
217 | + "description": "Long Term Support", |
218 | }, |
219 | "ubuntu/groovy": { |
220 | "eol": True, |
221 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
222 | "alias": "groovy", |
223 | + "description": "Interim Release", |
224 | }, |
225 | "ubuntu/hirsute": { |
226 | "eol": False, |
227 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
228 | "alias": "hirsute", |
229 | + "description": "Interim Release", |
230 | }, |
231 | "ubuntu/impish": { |
232 | "eol": False, |
233 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
234 | "alias": "impish", |
235 | + "description": "Interim Release", |
236 | }, |
237 | "ubuntu/jammy": { |
238 | "eol": False, |
239 | "components": ["main", "restricted", "universe", "multiverse", "partner"], |
240 | "alias": "jammy", |
241 | "devel": True, # there can be only one ⚔ |
242 | + "description": "Long Term Support", |
243 | }, |
244 | "snap": { |
245 | "eol": False, |
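Review bot: the "snap" entry that begins at the end of this hunk gets no "description", so it will rely on whatever default get_subproject_description() returns; if that default is intended for snaps, a short comment on the entry saying so would stop the next person from "fixing" it. Also note that every string added here is later interpolated verbatim into an XML `comment="..."` attribute by oval_lib, so these values must stay free of `"`, `&` and `<` (the current "Long Term Support" / "Interim Release" / "Available with UA Infra or UA Desktop" values are fine).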
246 | @@ -374,6 +413,19 @@ def release_alias(rel): |
247 | pass |
248 | return alias |
249 | |
250 | +def get_subproject_description(rel): |
251 | + """Return the description for a given release.""" |
252 | + description = "?" |
253 | + _, _, _, details = get_subproject_details(rel) |
254 | + if details: |
255 | + try: |
256 | + description = details["description"] |
257 | + except KeyError: |
258 | + pass |
259 | + |
260 | + return description |
261 | + |
262 | + |
263 | def get_external_subproject_cve_dir(subproject): |
264 | """Get the directory where CVE files are stored for the subproject. |
265 | |
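Review bot: the try/except around a single dict lookup with a preset fallback is just `description = details.get("description", "?")`, which reads more clearly and avoids masking an unrelated KeyError raised inside the try. The docstring says "for a given release" but the function accepts any subprojects key (including the esm/* entries), so "for a given subproject" would be more accurate.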
266 | @@ -462,6 +514,7 @@ def load_external_subprojects(): |
267 | # subproject settings |
268 | config = read_external_subproject_config(rel) |
269 | subprojects[rel].setdefault("ppa", config["ppa"]) |
270 | + subprojects[rel].setdefault("description", config["description"]) |
271 | subprojects[rel].setdefault("parent", config["parent"]) |
272 | except: |
273 | pass |
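Review bot: `config["description"]` on the added line raises KeyError for any external subproject config that has no description, and because this block sits under the bare `except: pass` visible at the end of the hunk, that exception also skips the following `setdefault("parent", ...)`, so a previously working external subproject would silently lose its parent. Use `config.get("description", "?")` to match the fallback in get_subproject_description(), or at least move the new line after the "parent" line so the existing keys are set before the optional one.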
274 | diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py |
275 | index c01f986..fb89f71 100644 |
276 | --- a/scripts/oval_lib.py |
277 | +++ b/scripts/oval_lib.py |
278 | @@ -28,7 +28,7 @@ import sys |
279 | import tempfile |
280 | import collections |
281 | |
282 | -from cve_lib import load_cve |
283 | +from cve_lib import load_cve, get_subproject_description |
284 | from cve_lib import parse_cvss as cvss_score |
285 | |
286 | from xml.sax.saxutils import escape |
287 | @@ -743,11 +743,7 @@ class OvalGeneratorUSN(): |
288 | usn_severity = self.get_usn_severity([self.priorities[cve['Priority']] |
289 | for cve in cves_info]) |
290 | |
291 | - # Bugged USN sometimes has isummary others don't |
292 | - if 'isummary' in usn_object: |
293 | - summary_info = usn_object['isummary'] |
294 | - else: |
295 | - summary_info = usn_object['summary'] |
296 | + product_description = get_subproject_description(self.release_codename) |
297 | |
298 | mapping = { |
299 | 'id': id_base, |
300 | @@ -756,7 +752,7 @@ class OvalGeneratorUSN(): |
301 | 'title': "{} -- {}".format(usn_object['id'], usn_object['title']), |
302 | 'plataform': "Ubuntu {}".format(self.release['desc']), |
303 | 'usn_url': self.usn_base_url.format(usn_object['id']), |
304 | - 'description': ' '.join(summary_info.strip().split('\n')), |
305 | + 'description': escape(' '.join(usn_object['description'].strip().split('\n'))), |
306 | 'cves_references': cve_references, |
307 | 'bug_references': bug_references, |
308 | 'severity': usn_severity, |
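Review bot: `usn_object['description']` is indexed directly here, whereas the code removed in the previous hunk explicitly guarded against USN records that lack a field ("Bugged USN sometimes has isummary others don't"); if any entry in the USN db has no "description" key this raises KeyError and aborts generation of the whole OVAL file. Prefer `usn_object.get('description', '')` or an explicit check that logs the USN id. Wrapping the text in `escape()` is a good fix since the old code emitted the summary unescaped.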
309 | @@ -767,7 +763,7 @@ class OvalGeneratorUSN(): |
310 | # convert number versions of binary pkgs into test criteria |
311 | criteria = [] |
312 | for test_ref in test_refs: |
313 | - criteria.append('<criterion test_ref="{0}:tst:{1}" comment="?" />'.format(self.ns, test_ref['testref_id'])) |
314 | + criteria.append('<criterion test_ref="{0}:tst:{1}" comment="{2}" />'.format(self.ns, test_ref['testref_id'], product_description)) |
315 | mapping['criteria'] = '\n '.join(criteria) |
316 | |
317 | definition = \ |
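Review bot: `product_description` is interpolated into the `comment="..."` attribute of the criterion without escaping, unlike the description in the hunk above; a value containing `"` or `&` (possible once descriptions come from external subproject configs via load_external_subprojects()) would produce malformed XML that oscap rejects. `escape(product_description, {'"': '&quot;'})` from the already imported xml.sax.saxutils handles attribute context, and the same applies to every `comment="{product}"` added in the later hunks.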
318 | @@ -794,39 +790,41 @@ class OvalGeneratorUSN(): |
319 | |
320 | return definition |
321 | |
322 | - def create_usn_test(self, id_base): |
323 | + def create_usn_test(self, id_base, product): |
324 | mapping = { |
325 | 'id': id_base, |
326 | 'ns': self.ns, |
327 | + 'product': product, |
328 | } |
329 | |
330 | if self.oval_format == 'dpkg': |
331 | test = \ |
332 | """ |
333 | - <linux:dpkginfo_test id="{ns}:tst:{id}" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
334 | + <linux:dpkginfo_test id="{ns}:tst:{id}" version="1" check_existence="at_least_one_exists" check="at least one" comment="{product}"> |
335 | <linux:object object_ref="{ns}:obj:{id}"/> |
336 | <linux:state state_ref="{ns}:ste:{id}"/> |
337 | </linux:dpkginfo_test>""".format(**mapping) |
338 | else: |
339 | test = \ |
340 | """ |
341 | - <ind:textfilecontent54_test id="{ns}:tst:{id}" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
342 | + <ind:textfilecontent54_test id="{ns}:tst:{id}" version="1" check_existence="at_least_one_exists" check="at least one" comment="{product}"> |
343 | <ind:object object_ref="{ns}:obj:{id}"/> |
344 | <ind:state state_ref="{ns}:ste:{id}"/> |
345 | </ind:textfilecontent54_test>""".format(**mapping) |
346 | |
347 | return test |
348 | |
349 | - def create_usn_object(self, id_base): |
350 | + def create_usn_object(self, id_base, product): |
351 | mapping = { |
352 | 'id': id_base, |
353 | 'ns': self.ns, |
354 | + 'product': product, |
355 | } |
356 | |
357 | if self.oval_format == 'dpkg': |
358 | _object = \ |
359 | """ |
360 | - <linux:dpkginfo_object id="{ns}:obj:{id}" version="1"> |
361 | + <linux:dpkginfo_object id="{ns}:obj:{id}" version="1" comment="{product}"> |
362 | <linux:name var_ref="{ns}:var:{id}" var_check="at least one" /> |
363 | </linux:dpkginfo_object>""".format(**mapping) |
364 | else: |
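Review bot: adding `product` as a required positional parameter to create_usn_test() and create_usn_object() (and to create_usn_state()/create_usn_variable() below) breaks every existing caller, which is why the unit tests in this MP also had to change; giving it a default of `product="?"` would preserve the previous `comment="?"` output for callers that are not updated, including the external tools Steve mentions wanting to share this logic with.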
365 | @@ -835,7 +833,7 @@ class OvalGeneratorUSN(): |
366 | |
367 | _object = \ |
368 | """ |
369 | - <ind:textfilecontent54_object id="{ns}:obj:{id}" version="1"> |
370 | + <ind:textfilecontent54_object id="{ns}:obj:{id}" version="1" comment="{product}"> |
371 | <ind:path>{path}</ind:path> |
372 | <ind:filename>manifest</ind:filename> |
373 | <ind:pattern operation="pattern match" datatype="string" var_ref="{ns}:var:{id}" var_check="at least one" /> |
374 | @@ -844,10 +842,11 @@ class OvalGeneratorUSN(): |
375 | |
376 | return _object |
377 | |
378 | - def create_usn_state(self, binary_version, id_base): |
379 | + def create_usn_state(self, binary_version, id_base, product): |
380 | mapping = { |
381 | 'id': id_base, |
382 | 'ns': self.ns, |
383 | + 'product': product, |
384 | } |
385 | |
386 | if self.oval_format == 'dpkg': |
387 | @@ -858,7 +857,7 @@ class OvalGeneratorUSN(): |
388 | |
389 | state = \ |
390 | """ |
391 | - <linux:dpkginfo_state id="{ns}:ste:{id}" version="1"> |
392 | + <linux:dpkginfo_state id="{ns}:ste:{id}" version="1" comment="{product}"> |
393 | <linux:evr datatype="evr_string" operation="less than">{bversion}</linux:evr> |
394 | </linux:dpkginfo_state>""".format(**mapping) |
395 | |
396 | @@ -867,13 +866,13 @@ class OvalGeneratorUSN(): |
397 | |
398 | state = \ |
399 | """ |
400 | - <ind:textfilecontent54_state id="{ns}:ste:{id}" version="1"> |
401 | + <ind:textfilecontent54_state id="{ns}:ste:{id}" version="1" comment="{product}"> |
402 | <ind:subexpression datatype="evr_string" operation="less than">{bversion}</ind:subexpression> |
403 | </ind:textfilecontent54_state>""".format(**mapping) |
404 | |
405 | return state |
406 | |
407 | - def create_usn_variable(self, id_base, binaries_list): |
408 | + def create_usn_variable(self, id_base, binaries_list, product): |
409 | values = "" |
410 | if self.oval_format == 'dpkg': |
411 | for binary in binaries_list: |
412 | @@ -889,12 +888,13 @@ class OvalGeneratorUSN(): |
413 | mapping = { |
414 | 'id': id_base, |
415 | 'ns': self.ns, |
416 | - 'values': values.strip() |
417 | + 'values': values.strip(), |
418 | + 'product': product, |
419 | } |
420 | |
421 | constant_variable = \ |
422 | """ |
423 | - <constant_variable id="{ns}:var:{id}" version="1" datatype="string" comment="?"> |
424 | + <constant_variable id="{ns}:var:{id}" version="1" datatype="string" comment="{product}"> |
425 | {values} |
426 | </constant_variable>""".format(**mapping) |
427 | |
428 | @@ -999,6 +999,8 @@ class OvalGeneratorUSN(): |
429 | |
430 | binary_versions = self.get_version_from_binaries(usn_allbinaries) |
431 | |
432 | + product_description = get_subproject_description(self.release_codename) |
433 | + |
434 | # group binaries with same version (most likely from same source) |
435 | # and create a test_ref for the group to be used when creating |
436 | # the oval def, test, state and var. |
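Review bot: get_subproject_description(self.release_codename) is now evaluated twice per USN, once in the definition hunk above and once here, with the same argument each time; since release_codename is fixed for the generator's lifetime, look it up once (in __init__ or at the start of this method) and pass the value to create_usn_definition() rather than recomputing it, which also keeps the definition and test/object/state/variable comments guaranteed consistent.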
437 | @@ -1016,10 +1018,10 @@ class OvalGeneratorUSN(): |
438 | self.oval_structure['definition'].write(usn_def) |
439 | |
440 | for test_ref in test_refs: |
441 | - usn_test = self.create_usn_test(test_ref['testref_id']) |
442 | - usn_obj = self.create_usn_object(test_ref['testref_id']) |
443 | - usn_state = self.create_usn_state(test_ref['version'], test_ref['testref_id']) |
444 | - usn_variable = self.create_usn_variable(test_ref['testref_id'], test_ref['pkgs']) |
445 | + usn_test = self.create_usn_test(test_ref['testref_id'], product_description) |
446 | + usn_obj = self.create_usn_object(test_ref['testref_id'], product_description) |
447 | + usn_state = self.create_usn_state(test_ref['version'], test_ref['testref_id'], product_description) |
448 | + usn_variable = self.create_usn_variable(test_ref['testref_id'], test_ref['pkgs'], product_description) |
449 | |
450 | self.oval_structure['test'].write(usn_test) |
451 | self.oval_structure['object'].write(usn_obj) |
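Review bot: the four `create_usn_*` calls at 445-448 pass the same `product_description` positionally next to values pulled from `test_ref`; the comment above the loop says `test_ref` is what the def, test, state and var are built from, so storing the description in each `test_ref` dict in the grouping step would give a single source for the string and let the definition's `criterion` comments (which the unit tests expect to carry the same text) be derived from the same place.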
452 | diff --git a/test/test_oval_lib_unit.py b/test/test_oval_lib_unit.py |
453 | index b904fcb..8444bde 100644 |
454 | --- a/test/test_oval_lib_unit.py |
455 | +++ b/test/test_oval_lib_unit.py |
456 | @@ -57,13 +57,18 @@ class TestOvalLibUnit: |
457 | ['linux-image-oem-osp1'], '5.0.0-1042.43': |
458 | ['linux-image-5.0.0-1042-gke']} |
459 | |
460 | - test_refs_mock = [{'version': '5.0.0.1042.27', 'pkgs': |
461 | - ['linux-image-gke-5.0'], 'testref_id': '438810000000'}, {'version': |
462 | - '5.0.0-1059.64', 'pkgs': ['linux-image-5.0.0-1059-oem-osp1'], |
463 | - 'testref_id': '438810000010'}, {'version': '5.0.0.1059.58', 'pkgs': |
464 | - ['linux-image-oem-osp1'], 'testref_id': '438810000020'}, {'version': |
465 | - '5.0.0-1042.43', 'pkgs': ['linux-image-5.0.0-1042-gke'], 'testref_id': |
466 | - '438810000030'}] |
467 | + test_refs_mock = [{'version': '5.0.0.1042.27', |
468 | + 'pkgs': ['linux-image-gke-5.0'], |
469 | + 'testref_id': '438810000000'}, |
470 | + {'version': '5.0.0-1059.64', |
471 | + 'pkgs': ['linux-image-5.0.0-1059-oem-osp1'], |
472 | + 'testref_id': '438810000010'}, |
473 | + {'version': '5.0.0.1059.58', |
474 | + 'pkgs': ['linux-image-oem-osp1'], |
475 | + 'testref_id': '438810000020'}, |
476 | + {'version': '5.0.0-1042.43', |
477 | + 'pkgs': ['linux-image-5.0.0-1042-gke'], |
478 | + 'testref_id': '438810000030'}] |
479 | |
480 | definition_mock = """ |
481 | <definition id="oval:com.ubuntu.bionic:def:43881000000" version="1" class="patch"> |
482 | @@ -79,7 +84,11 @@ class TestOvalLibUnit: |
483 | <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12464" ref_id="CVE-2020-12464"/> |
484 | <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12659" ref_id="CVE-2020-12659"/> |
485 | <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-1749" ref_id="CVE-2020-1749"/> |
486 | +<<<<<<< test/test_oval_lib_unit.py |
487 | <description>Several security issues were fixed in the Linux kernel.</description> |
488 | +======= |
489 | + <description>It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543) Piotr Krysiuk discovered that race conditions existed in the file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12114) It was discovered that the USB susbsystem's scatter-gather implementation in the Linux kernel did not properly take data references in some situations, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12464) Bui Quang Minh discovered that the XDP socket implementation in the Linux kernel did not properly validate meta-data passed from user space, leading to an out-of-bounds write vulnerability. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12659) Xiumei Mu discovered that the IPSec implementation in the Linux kernel did not properly encrypt IPv6 traffic in some situations. An attacker could use this to expose sensitive information. (CVE-2020-1749)</description> |
490 | +>>>>>>> test/test_oval_lib_unit.py |
491 | <advisory from="security@ubuntu.com"> |
492 | <severity>Medium</severity> |
493 | <issued date="2020-06-09"/> |
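Review bot: lines 486-490 are unresolved merge-conflict markers (`<<<<<<<`, `=======`, `>>>>>>>`) inside the `definition_mock` string literal, which is the "has conflicts" state reported against master. Because they sit inside a triple-quoted string the module still imports, but the expected definition then contains both the old summary (`Several security issues were fixed in the Linux kernel.`) and the new full description plus the markers, so `definition_mock` can never equal what `oval_lib` generates. The branch needs to be rebased onto or merged with master with the conflict resolved in favour of the full `<description>`, which is what the generator now emits.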
494 | @@ -87,10 +96,10 @@ class TestOvalLibUnit: |
495 | </advisory> |
496 | </metadata> |
497 | <criteria operator="OR"> |
498 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000000" comment="?" /> |
499 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000010" comment="?" /> |
500 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000020" comment="?" /> |
501 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000030" comment="?" /> |
502 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000000" comment="Long Term Support" /> |
503 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000010" comment="Long Term Support" /> |
504 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000020" comment="Long Term Support" /> |
505 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000030" comment="Long Term Support" /> |
506 | </criteria> |
507 | </definition>""" |
508 | |
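Review bot: the `criterion` comments at 502-505 switch from `?` to `Long Term Support`, and the same literal is repeated in every expected test, object, state and variable string that follows and in the parametrize lists; a single module-level constant (say `LTS_DESCRIPTION = "Long Term Support"`) used throughout `TestOvalLibUnit` would make a later wording change in `cve_lib` a one-line update here rather than a few dozen, and would make it obvious which tests are meant to vary the product string.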
509 | @@ -102,55 +111,55 @@ class TestOvalLibUnit: |
510 | <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-1749" ref_id="CVE-2020-1749"/>""" |
511 | |
512 | test_mock = [""" |
513 | - <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
514 | + <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="Long Term Support"> |
515 | <linux:object object_ref="oval:com.ubuntu.bionic:obj:438810000000"/> |
516 | <linux:state state_ref="oval:com.ubuntu.bionic:ste:438810000000"/> |
517 | </linux:dpkginfo_test>""", |
518 | """ |
519 | - <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000010" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
520 | + <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000010" version="1" check_existence="at_least_one_exists" check="at least one" comment="Long Term Support"> |
521 | <linux:object object_ref="oval:com.ubuntu.bionic:obj:438810000010"/> |
522 | <linux:state state_ref="oval:com.ubuntu.bionic:ste:438810000010"/> |
523 | </linux:dpkginfo_test> |
524 | """, |
525 | """ |
526 | - <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000020" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
527 | + <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000020" version="1" check_existence="at_least_one_exists" check="at least one" comment="Long Term Support"> |
528 | <linux:object object_ref="oval:com.ubuntu.bionic:obj:438810000020"/> |
529 | <linux:state state_ref="oval:com.ubuntu.bionic:ste:438810000020"/> |
530 | </linux:dpkginfo_test> |
531 | """, |
532 | """ |
533 | - <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000030" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
534 | + <linux:dpkginfo_test id="oval:com.ubuntu.bionic:tst:438810000030" version="1" check_existence="at_least_one_exists" check="at least one" comment="Long Term Support"> |
535 | <linux:object object_ref="oval:com.ubuntu.bionic:obj:438810000030"/> |
536 | <linux:state state_ref="oval:com.ubuntu.bionic:ste:438810000030"/> |
537 | </linux:dpkginfo_test> |
538 | """] |
539 | |
540 | test_oci_mock = """ |
541 | - <ind:textfilecontent54_test id="oval:com.ubuntu.bionic:tst:445310000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="?"> |
542 | + <ind:textfilecontent54_test id="oval:com.ubuntu.bionic:tst:445310000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="Long Term Support"> |
543 | <ind:object object_ref="oval:com.ubuntu.bionic:obj:445310000000"/> |
544 | <ind:state state_ref="oval:com.ubuntu.bionic:ste:445310000000"/> |
545 | </ind:textfilecontent54_test>""" |
546 | |
547 | |
548 | obj_mock = [""" |
549 | - <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000000" version="1"> |
550 | + <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000000" version="1" comment="Long Term Support"> |
551 | <linux:name var_ref="oval:com.ubuntu.bionic:var:438810000000" var_check="at least one" /> |
552 | </linux:dpkginfo_object>""", |
553 | """ |
554 | - <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000010" version="1"> |
555 | + <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000010" version="1" comment="Long Term Support"> |
556 | <linux:name var_ref="oval:com.ubuntu.bionic:var:438810000010" var_check="at least one" /> |
557 | </linux:dpkginfo_object>""", |
558 | """ |
559 | - <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000020" version="1"> |
560 | + <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000020" version="1" comment="Long Term Support"> |
561 | <linux:name var_ref="oval:com.ubuntu.bionic:var:438810000020" var_check="at least one" /> |
562 | </linux:dpkginfo_object>""", |
563 | """ |
564 | - <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000030" version="1"> |
565 | + <linux:dpkginfo_object id="oval:com.ubuntu.bionic:obj:438810000030" version="1" comment="Long Term Support"> |
566 | <linux:name var_ref="oval:com.ubuntu.bionic:var:438810000030" var_check="at least one" /> |
567 | </linux:dpkginfo_object>"""] |
568 | |
569 | obj_oci_mock = """ |
570 | - <ind:textfilecontent54_object id="oval:com.ubuntu.bionic:obj:445310000000" version="1"> |
571 | + <ind:textfilecontent54_object id="oval:com.ubuntu.bionic:obj:445310000000" version="1" comment="Long Term Support"> |
572 | <ind:path>.</ind:path> |
573 | <ind:filename>manifest</ind:filename> |
574 | <ind:pattern operation="pattern match" datatype="string" var_ref="oval:com.ubuntu.bionic:var:445310000000" var_check="at least one" /> |
575 | @@ -158,51 +167,51 @@ class TestOvalLibUnit: |
576 | </ind:textfilecontent54_object>""" |
577 | |
578 | state_mock = [""" |
579 | - <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000000" version="1"> |
580 | + <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000000" version="1" comment="Long Term Support"> |
581 | <linux:evr datatype="evr_string" operation="less than">0:5.0.0.1042.27</linux:evr> |
582 | </linux:dpkginfo_state>""", |
583 | """ |
584 | - <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000010" version="1"> |
585 | + <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000010" version="1" comment="Long Term Support"> |
586 | <linux:evr datatype="evr_string" operation="less than">0:5.0.0-1059.64</linux:evr> |
587 | </linux:dpkginfo_state>""", |
588 | """ |
589 | - <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000020" version="1"> |
590 | + <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000020" version="1" comment="Long Term Support"> |
591 | <linux:evr datatype="evr_string" operation="less than">0:5.0.0.1059.58</linux:evr> |
592 | </linux:dpkginfo_state>""", |
593 | """ |
594 | - <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000030" version="1"> |
595 | + <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:438810000030" version="1" comment="Long Term Support"> |
596 | <linux:evr datatype="evr_string" operation="less than">0:5.0.0-1042.43</linux:evr> |
597 | </linux:dpkginfo_state>"""] |
598 | |
599 | state_epoch_mock = """ |
600 | - <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:437210000000" version="1"> |
601 | + <linux:dpkginfo_state id="oval:com.ubuntu.bionic:ste:437210000000" version="1" comment="Long Term Support"> |
602 | <linux:evr datatype="evr_string" operation="less than">1:4.2-3ubuntu6.1</linux:evr> |
603 | </linux:dpkginfo_state>""" |
604 | |
605 | state_oci_mock = """ |
606 | - <ind:textfilecontent54_state id="oval:com.ubuntu.bionic:ste:438810000000" version="1"> |
607 | + <ind:textfilecontent54_state id="oval:com.ubuntu.bionic:ste:438810000000" version="1" comment="Long Term Support"> |
608 | <ind:subexpression datatype="evr_string" operation="less than">5.0.0.1042.27</ind:subexpression> |
609 | </ind:textfilecontent54_state>""" |
610 | |
611 | var_mock = [""" |
612 | - <constant_variable id="oval:com.ubuntu.bionic:var:438810000000" version="1" datatype="string" comment="?"> |
613 | + <constant_variable id="oval:com.ubuntu.bionic:var:438810000000" version="1" datatype="string" comment="Long Term Support"> |
614 | <value>linux-image-gke-5.0</value> |
615 | </constant_variable>""", |
616 | """ |
617 | - <constant_variable id="oval:com.ubuntu.bionic:var:438810000010" version="1" datatype="string" comment="?"> |
618 | + <constant_variable id="oval:com.ubuntu.bionic:var:438810000010" version="1" datatype="string" comment="Long Term Support"> |
619 | <value>linux-image-5.0.0-1059-oem-osp1</value> |
620 | </constant_variable>""", |
621 | """ |
622 | - <constant_variable id="oval:com.ubuntu.bionic:var:438810000020" version="1" datatype="string" comment="?"> |
623 | + <constant_variable id="oval:com.ubuntu.bionic:var:438810000020" version="1" datatype="string" comment="Long Term Support"> |
624 | <value>linux-image-oem-osp1</value> |
625 | </constant_variable>""", |
626 | """ |
627 | - <constant_variable id="oval:com.ubuntu.bionic:var:438810000030" version="1" datatype="string" comment="?"> |
628 | + <constant_variable id="oval:com.ubuntu.bionic:var:438810000030" version="1" datatype="string" comment="Long Term Support"> |
629 | <value>linux-image-5.0.0-1042-gke</value> |
630 | </constant_variable>"""] |
631 | |
632 | var_oci_mock = """ |
633 | - <constant_variable id="oval:com.ubuntu.bionic:var:438810000000" version="1" datatype="string" comment="?"> |
634 | + <constant_variable id="oval:com.ubuntu.bionic:var:438810000000" version="1" datatype="string" comment="Long Term Support"> |
635 | <value>^linux-image-gke-5.0\s+(.*)</value> |
636 | </constant_variable>""" |
637 | |
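Review bot: `var_oci_mock` at 634-636 is a plain (non-raw) triple-quoted string containing `\s`; Python 3.6 and later emit `DeprecationWarning: invalid escape sequence '\s'` for it, and that warning is on the path to becoming an error. Since the hunk already rewrites this string, make it `r"""`; the value still compares equal to the generated output because the regex is meant to contain a literal backslash-s.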
638 | @@ -211,12 +220,14 @@ class TestOvalLibUnit: |
639 | 'linux-image-oem-osp1': {'version': '5.0.0.1059.58'}, |
640 | 'linux-image-5.0.0-1042-gke': {'version': '5.0.0-1042.43'}} |
641 | |
642 | - state_args_mock = [["5.0.0.1042.27", "438810000000"], ["5.0.0-1059.64", |
643 | - "438810000010"], ["5.0.0.1059.58", "438810000020"], ["5.0.0-1042.43", |
644 | - "438810000030"]] |
645 | - var_args_mock = [["438810000000", ['linux-image-gke-5.0']], |
646 | - ["438810000010", ['linux-image-5.0.0-1059-oem-osp1']], ["438810000020", |
647 | - ['linux-image-oem-osp1']], ["438810000030", ['linux-image-5.0.0-1042-gke']]] |
648 | + state_args_mock = [["5.0.0.1042.27", "438810000000", "Long Term Support"], |
649 | + ["5.0.0-1059.64", "438810000010", "Long Term Support"], |
650 | + ["5.0.0.1059.58", "438810000020", "Long Term Support"], |
651 | + ["5.0.0-1042.43", "438810000030", "Long Term Support"]] |
652 | + var_args_mock = [["438810000000", ['linux-image-gke-5.0'], "Long Term Support"], |
653 | + ["438810000010", ['linux-image-5.0.0-1059-oem-osp1'], "Long Term Support"], |
654 | + ["438810000020", ['linux-image-oem-osp1'], "Long Term Support"], |
655 | + ["438810000030", ['linux-image-5.0.0-1042-gke'], "Long Term Support"]] |
656 | |
657 | cves_list_mock = ['CVE-2020-0067', 'CVE-2020-0543', 'CVE-2020-12114', |
658 | 'CVE-2020-12464', 'CVE-2020-12659', 'CVE-2020-1749'] |
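Review bot: `state_args_mock` and `var_args_mock` at 648-655 append `"Long Term Support"` as the new trailing positional argument; because `test_create_usn_state` and the state/var mock-call lists expand these with `*item`, the element order here must track the method signatures exactly and nothing checks that it does. A named tuple (`version, testref_id, product`) would make the coupling visible; at minimum, pull the repeated literal into one constant.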
659 | @@ -272,7 +283,11 @@ class TestOvalLibUnit: |
660 | </affected> |
661 | <reference source="USN" ref_url="https://ubuntu.com/security/notices/USN-4388-1" ref_id="USN-4388-1"/> |
662 | <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0067" ref_id="CVE-2020-0067"/> |
663 | +<<<<<<< test/test_oval_lib_unit.py |
664 | <description>Several security issues were fixed in the Linux kernel.</description> |
665 | +======= |
666 | + <description>It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543) Piotr Krysiuk discovered that race conditions existed in the file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12114) It was discovered that the USB susbsystem's scatter-gather implementation in the Linux kernel did not properly take data references in some situations, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12464) Bui Quang Minh discovered that the XDP socket implementation in the Linux kernel did not properly validate meta-data passed from user space, leading to an out-of-bounds write vulnerability. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12659) Xiumei Mu discovered that the IPSec implementation in the Linux kernel did not properly encrypt IPv6 traffic in some situations. An attacker could use this to expose sensitive information. (CVE-2020-1749)</description> |
667 | +>>>>>>> test/test_oval_lib_unit.py |
668 | <advisory from="security@ubuntu.com"> |
669 | <severity>Medium</severity> |
670 | <issued date="2020-06-09"/> |
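Review bot: the conflict block at 663-667 duplicates the one in the first `definition_mock`, this time in the expected string for the single-CVE case; both must be resolved together, keeping the full `<description>` side, since the USN description rather than the summary is what the generator now writes.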
671 | @@ -280,10 +295,10 @@ class TestOvalLibUnit: |
672 | </advisory> |
673 | </metadata> |
674 | <criteria operator="OR"> |
675 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000000" comment="?" /> |
676 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000010" comment="?" /> |
677 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000020" comment="?" /> |
678 | - <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000030" comment="?" /> |
679 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000000" comment="Long Term Support" /> |
680 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000010" comment="Long Term Support" /> |
681 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000020" comment="Long Term Support" /> |
682 | + <criterion test_ref="oval:com.ubuntu.bionic:tst:438810000030" comment="Long Term Support" /> |
683 | </criteria> |
684 | </definition>""" |
685 | |
686 | @@ -517,26 +532,29 @@ class TestOvalLibUnit: |
687 | |
688 | assert definition_ret == self.invalid_priority_ret |
689 | |
690 | - @pytest.mark.parametrize("oval_mock,usn_id,ret_mock", [(oval_gen_mock, |
691 | - 438810000000, test_mock[0]), (oval_gen_mock_oci, 445310000000, |
692 | - test_oci_mock)]) |
693 | - def test_create_usn_test(self, oval_mock, usn_id, ret_mock): |
694 | + @pytest.mark.parametrize("oval_mock,usn_id,prod_description,ret_mock", |
695 | + [(oval_gen_mock, 438810000000, "Long Term Support", test_mock[0]), |
696 | + (oval_gen_mock_oci, 445310000000, "Long Term Support", test_oci_mock)]) |
697 | + def test_create_usn_test(self, oval_mock, usn_id, prod_description, ret_mock): |
698 | test_ret = oval_lib.OvalGeneratorUSN.create_usn_test( |
699 | - oval_mock, usn_id) |
700 | + oval_mock, usn_id, prod_description) |
701 | |
702 | assert test_ret == ret_mock |
703 | |
704 | - @pytest.mark.parametrize("oval_mock,usn_id,ret_mock", [(oval_gen_mock, |
705 | - 438810000000, obj_mock[0]), (oval_gen_mock_oci, 445310000000, obj_oci_mock)]) |
706 | - def test_create_usn_obj(self, oval_mock, usn_id, ret_mock): |
707 | + @pytest.mark.parametrize("oval_mock,usn_id,prod_description,ret_mock", |
708 | + [(oval_gen_mock, 438810000000, "Long Term Support", obj_mock[0]), |
709 | + (oval_gen_mock_oci, 445310000000, "Long Term Support", obj_oci_mock)]) |
710 | + def test_create_usn_obj(self, oval_mock, usn_id, prod_description, ret_mock): |
711 | test_ret = oval_lib.OvalGeneratorUSN.create_usn_object(oval_mock, |
712 | - usn_id) |
713 | + usn_id, prod_description) |
714 | |
715 | assert test_ret == ret_mock |
716 | |
717 | - @pytest.mark.parametrize("oval_mock,args_mock,ret_mock", [(oval_gen_mock, |
718 | - state_args_mock[0], state_mock[0]), (oval_gen_mock, ["1:4.2-3ubuntu6.1", "437210000000"], |
719 | - state_epoch_mock), (oval_gen_mock_oci, state_args_mock[0], state_oci_mock)]) |
720 | + @pytest.mark.parametrize("oval_mock,args_mock,ret_mock", |
721 | + [(oval_gen_mock, state_args_mock[0], state_mock[0]), |
722 | + (oval_gen_mock, ["1:4.2-3ubuntu6.1", "437210000000", |
723 | + "Long Term Support"], state_epoch_mock), |
724 | + (oval_gen_mock_oci, state_args_mock[0], state_oci_mock)]) |
725 | def test_create_usn_state(self, oval_mock, args_mock, ret_mock): |
726 | test_ret = oval_lib.OvalGeneratorUSN.create_usn_state( |
727 | oval_mock, *args_mock) |
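Review bot: every parametrized case at 695-696, 708-709 and 721-724 passes the same `"Long Term Support"` string, for the dpkg and the OCI generator alike, so nothing here proves the product value is plumbed from the argument into the output rather than defaulted or cached. One case per method with a different description (the UA/ESM wording this change is meant to surface) asserting on a correspondingly different `comment=` attribute would cover the new behaviour.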
728 | @@ -566,9 +584,10 @@ class TestOvalLibUnit: |
729 | #Set up dummy vals |
730 | oval_gen_mock = MockOvalGeneratorUSN() |
731 | |
732 | - test_refs_id_calls = [mock.call(oval_gen_mock, "438810000000"), |
733 | - mock.call(oval_gen_mock, "438810000010"), mock.call(oval_gen_mock, |
734 | - "438810000020"), mock.call(oval_gen_mock, "438810000030")] |
735 | + test_refs_id_calls = [mock.call(oval_gen_mock, "438810000000", "Long Term Support"), |
736 | + mock.call(oval_gen_mock, "438810000010", "Long Term Support"), |
737 | + mock.call(oval_gen_mock, "438810000020", "Long Term Support"), |
738 | + mock.call(oval_gen_mock, "438810000030", "Long Term Support")] |
739 | state_calls = [mock.call(oval_gen_mock, *item) |
740 | for item in self.state_args_mock] |
741 | var_calls = [mock.call(oval_gen_mock, *item) |
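Review bot: `test_refs_id_calls` at 735-738 hard-codes the product string in each `mock.call`, while `state_calls` and `var_calls` immediately below are built from `self.state_args_mock` and `self.var_args_mock`; deriving the test/object call list from a shared list in the same way would leave one place to update when the signature or the description changes.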
LGTM in general but I don't love the idea of hard-coding the product name info stuff - and instead would prefer if we can somehow add this into cve_lib directly and look it up via the subprojects configuration.
Also I get one failure when running the end_to_end oval lib test on impish (but the other oval_lib test suites all pass):
[amurray:~/ubuntu … ubuntu-cve-tracker] master(13)+* 14s ± PYTHONPATH=scripts pytest-3 test/test_oval_lib_end_to_end.py
============================= test session starts ==============================
platform linux -- Python 3.9.7, pytest-6.0.2, py-1.10.0, pluggy-0.13.0
rootdir: /home/amurray/ubuntu/git/ubuntu-cve-tracker
collected 4 items

test/test_oval_lib_end_to_end.py ..F.                                    [100%]

=================================== FAILURES ===================================
_ TestOvalLibEndToEnd.test_validate_entire_oci_oval[com.ubuntu.bionic.usn.oval.xml-bionic_20180814-bionic] _

self = <test_oval_lib_end_to_end.TestOvalLibEndToEnd object at 0x7f98d9e65c10>, dpkg_file = 'com.ubuntu.bionic.usn.oval.xml', manifest = 'bionic_20180814', release = 'bionic'

    @pytest.mark.parametrize("dpkg_file,manifest,release",
                             [(util.bionic_dpkg_file, "bionic_20180814", "bionic"),
                              (util.trusty_dpkg_file, "trusty_20191107", "trusty")])
    def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
        """Coherence check of entire generated oci OVAL"""
        # The timestamped gold manifest oscap output has not been manually
        # checked but it's nice to flag changes to the results of past USNs
>       util.create_validate_oci(dpkg_file, "{}_full".format(release),
                                 ["--usn-oval-release", release], manifest, release)

test/test_oval_lib_end_to_end.py:31:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

cls = <class 'test_utils.TestUtilities'>, output_file = 'com.ubuntu.bionic.usn.oval.xml', new_filename = 'bionic_full', oscap_args = ['--usn-oval-release', 'bionic'], manifest = 'bionic_20180814', gold_file = 'bionic'

    @classmethod
    def create_validate_oci(cls, output_file, new_filename, oscap_args,
                            manifest, gold_file):
        """Generat...