Code review comment for ~ebarretto/ubuntu-cve-tracker:usn-oval-improvement

Steve Beattie (sbeattie) wrote :

Hi,

The changes in:

  1e13b6edc8 ("Fix test test_create_dict_from_cve_file")

On Fri, Oct 29, 2021 at 03:13:31PM -0000, Eduardo Barretto wrote:
> <advisory <email address hidden>">
> <severity>Medium</severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
> </advisory>
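
Review bot: The `issued` expectation on the changed line should not be hard-coded to a date that depends on the test runner's timezone. A one-day move from `2020-06-09` to `2020-06-10` is what a local-time conversion of a timestamp near midnight looks like, so either value will pass on some machines and fail on others. Make the conversion that produces `<issued date="..."/>` use UTC, or pin the timezone in the test setup, and assert the UTC date here.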

> <advisory <email address hidden>">
> <severity>Medium</severity>
> - <issued date="2020-06-09"/>
> + <issued date="2020-06-10"/>
> <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>
> </advisory>
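
Review bot: This second `<advisory>` block receives the identical `issued` edit as the previous one, so the expected date is maintained by hand in two places. Consider building both expected blocks from a single shared value in the tests, so that correcting the date handling updates both expectations together.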

ends up breaking the tests:

  TestOvalLibUnit::test_create_usn_definition
  TestOvalLibUnit::test_invalid_priority_usn_definition

for me. The problem is that oval_lib.py::create_usn_definition()
pulls the published timestamp from the USN db via
datetime.datetime.fromtimestamp without a timezone, so python converts
it to your local timezone.

The right way to fix this is to set the timezone
to datetime.timezone.utc explicitly as an argument to
datetime.datetime.fromtimestamp() but python2.7 doesn't have that
and makes it non-trivial to use a tzinfo timezone without using a
third-party library.

Converting oval_lib.py to use datetime.datetime.utcfromtimestamp()
instead would likely address this in the short term, but people
*should* be using oval info from the public vm where python3 is used.

Thanks.

--
Steve Beattie
<email address hidden>
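
The timezone dependence described in the comment above, as an added example that is not part of the review comment or of ubuntu-cve-tracker. The function names and the sample timestamp are constructed for illustration; the POSIX `TZ` strings and `time.tzset()` assume a Unix system.

```python
import calendar
import datetime
import os
import time
import warnings

# Constructed sample: a publication time late on 2020-06-09 UTC (not from the USN db).
SAMPLE_TS = calendar.timegm((2020, 6, 9, 23, 30, 0))


def issued_local(ts):
    """Naive conversion: the date depends on the machine's local timezone."""
    return datetime.datetime.fromtimestamp(ts).strftime("%Y-%m-%d")


def issued_utc(ts):
    """Python 3: pass the timezone explicitly so the result is always UTC."""
    utc = datetime.timezone.utc
    return datetime.datetime.fromtimestamp(ts, tz=utc).strftime("%Y-%m-%d")


def issued_utc_compat(ts):
    """Also available on Python 2.7; deprecated since Python 3.12."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return datetime.datetime.utcfromtimestamp(ts).strftime("%Y-%m-%d")


def dates_under_tz(tz_name, ts=SAMPLE_TS):
    """Return (local, utc, utc_compat) dates with TZ temporarily set to tz_name."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz_name
    time.tzset()  # Unix only
    try:
        return issued_local(ts), issued_utc(ts), issued_utc_compat(ts)
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


if __name__ == "__main__":
    # POSIX TZ strings: "EAST-2" is UTC+2, "WEST8" is UTC-8 (sign is inverted).
    for zone in ("UTC0", "EAST-2", "WEST8"):
        print(zone, dates_under_tz(zone))
```

Only the naive conversion changes with the timezone of the machine; both UTC variants return the same date everywhere.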
