Merge ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3 into ubuntu-cve-tracker:master

Proposed by Eduardo Barretto
Status: Merged
Merge reported by: Eduardo Barretto
Merged at revision: 7091ff8b2fc3d3affdd276618c465637e336b363
Proposed branch: ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3
Merge into: ubuntu-cve-tracker:master
Diff against target: 298 lines (+61/-33)
2 files modified
scripts/cve_lib.py (+45/-8)
scripts/generate-oval (+16/-25)
Reviewer Review Type Date Requested Status
Leonidas S. Barbosa Approve
Review via email: mp+432139@code.launchpad.net

Description of the change

The changes here aim to facilitate the oval generation.
For that we add an oval parameter to the subprojects configuration.
We also rework the product_series function and add a needs_oval function.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

lgtm

review: Approve
65fd154... by Eduardo Barretto

cve_lib: Fix lunar indentation

Preview Diff

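diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
index 09cb6d9..d8d6bf6 100755
--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -111,6 +111,7 @@ subprojects = {
 },
 "esm/trusty": {
 "eol": False,
+ "oval": True,
 "packages": ["trusty-esm-supported.txt"],
 "name": "Ubuntu 14.04 ESM",
 "codename": "Trusty Tahr",
@@ -122,6 +123,7 @@ subprojects = {
 },
 "esm-infra/xenial": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted"],
 "packages": ["esm-infra-xenial-supported.txt"],
 "name": "Ubuntu 16.04 ESM",
@@ -133,6 +135,7 @@ subprojects = {
 },
 "fips/xenial": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-xenial-supported.txt"],
 "name": "Ubuntu 16.04 FIPS Certified",
 "codename": "Xenial Xerus",
@@ -142,6 +145,7 @@ subprojects = {
 },
 "fips/bionic": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-bionic-supported.txt"],
 "name": "Ubuntu 18.04 FIPS Certified",
 "codename": "Bionic Beaver",
@@ -151,6 +155,7 @@ subprojects = {
 },
 "fips/focal": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-focal-supported.txt"],
 "name": "Ubuntu 20.04 FIPS Certified",
 "codename": "Focal Fossa",
@@ -160,6 +165,7 @@ subprojects = {
 },
 "fips-updates/xenial": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-xenial-supported.txt"],
 "name": "Ubuntu 16.04 FIPS Compliant",
 "codename": "Xenial Xerus",
@@ -169,6 +175,7 @@ subprojects = {
 },
 "fips-updates/bionic": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-bionic-supported.txt"],
 "name": "Ubuntu 18.04 FIPS Compliant",
 "codename": "Bionic Beaver",
@@ -178,6 +185,7 @@ subprojects = {
 },
 "fips-updates/focal": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-focal-supported.txt"],
 "name": "Ubuntu 20.04 FIPS Compliant",
 "codename": "Focal Fossa",
@@ -187,6 +195,7 @@ subprojects = {
 },
 "ros-esm/kinetic": {
 "eol": False,
+ "oval": False,
 "packages": ["ros-esm-xenial-kinetic-supported.txt"],
 "name": "Ubuntu 16.04 ROS ESM",
 "codename": "Xenial Xerus",
@@ -198,6 +207,7 @@ subprojects = {
 },
 "ros-esm/melodic": {
 "eol": False,
+ "oval": False,
 "packages": ["ros-esm-bionic-melodic-supported.txt"],
 "name": "Ubuntu 18.04 ROS ESM",
 "codename": "Bionic Beaver",
@@ -452,6 +462,7 @@ subprojects = {
 },
 "ubuntu/bionic": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 18.04 LTS",
 "codename": "Bionic Beaver",
@@ -488,6 +499,7 @@ subprojects = {
 },
 "ubuntu/focal": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 20.04 LTS",
 "codename": "Focal Fossa",
@@ -524,6 +536,7 @@ subprojects = {
 },
 "ubuntu/jammy": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 22.04 LTS",
 "codename": "Jammy Jellyfish",
@@ -533,6 +546,7 @@ subprojects = {
 },
 "ubuntu/kinetic": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse"],
 "name": "Ubuntu 22.10",
 "codename": "Kinetic Kudu",
@@ -542,16 +556,18 @@ subprojects = {
 "stamp": 1666461600,
 },
 "ubuntu/lunar": {
- "eol": False,
- "components": ["main", "restricted", "universe", "multiverse"],
- "name": "Ubuntu 23.04",
- "codename": "Lunar Lobster",
- "alias": "lunar",
- "devel": True, # there can be only one ⚔
- "description": "Interim Release",
+ "eol": False,
+ "oval": True,
+ "components": ["main", "restricted", "universe", "multiverse"],
+ "name": "Ubuntu 23.04",
+ "codename": "Lunar Lobster",
+ "alias": "lunar",
+ "devel": True, # there can be only one ⚔
+ "description": "Interim Release",
 },
 "snap": {
 "eol": False,
+ "oval": False,
 "packages": ["snap-supported.txt"],
 }
 }
@@ -561,9 +577,19 @@ def product_series(rel):
 """Return the product,series tuple for rel."""
 series = ""
 parts = rel.split('/', 1)
- product = parts[0]
 if len(parts) == 2:
+ product = parts[0]
 series = parts[1]
+ # handle trusty/esm case
+ if product in releases:
+ product, series = series, product
+ elif parts[0] in releases:
+ # by default ubuntu releases have an omitted ubuntu product
+ # this avoids cases like snaps
+ product = PRODUCT_UBUNTU
+ series = parts[0]
+ else:
+ product = parts[0]
 return product, series
 
 # get the subproject details for rel along with it's canonical name, product and series
@@ -673,6 +699,16 @@ def release_ppa(rel):
 pass
 return ppa
 
+def needs_oval(rel):
+ """Return if OVAL should be generated for a given subproject"""
+ oval_type = None
+ _, product, series, details = get_subproject_details(rel)
+ try:
+ oval_type = details["oval"]
+ except (KeyError, TypeError):
+ pass
+ return oval_type
+
 def get_subproject_description(rel):
 """Return the description for a given release."""
 description = "?"
@@ -773,6 +809,7 @@ def load_external_subprojects():
 # subproject settings
 config = read_external_subproject_config(rel)
 subprojects[rel].setdefault("ppa", config["ppa"])
+ subprojects[rel].setdefault("oval", config["oval"])
 subprojects[rel].setdefault("name", config["name"])
 subprojects[rel].setdefault("description", config["description"])
 subprojects[rel].setdefault("parent", config["parent"])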
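Review bot: A missing "oval" setting is handled two different ways in this file: `needs_oval` swallows the KeyError (and a TypeError, presumably for a None `details`) and returns None, so a subproject whose configuration was never updated silently drops out of OVAL generation, whereas the `load_external_subprojects` hunk reads `config["oval"]` unconditionally and would raise KeyError for an external config lacking the key, unless `read_external_subproject_config` fills in defaults, which is not visible here. From a defender's point of view the silent path is the worse one, since a release absent from the OVAL output simply produces no scanner findings; I'd make the default explicit and loud in both places, e.g. `subprojects[rel].setdefault("oval", config.get("oval", False))` in `load_external_subprojects`, and in `needs_oval` log a warning in the `except` branch before returning, with a docstring such as `"""Return True if OVAL should be generated for rel; a missing or unreadable setting counts as False and is logged."""`. The local name `oval_type` suggests a category rather than the boolean it holds; `enabled` would read truer to its use. `product_series` and `load_external_subprojects` both start outside their hunks.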
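diff --git a/scripts/generate-oval b/scripts/generate-oval
index 58f1dc6..849ef82 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -36,7 +36,7 @@ import tempfile
 #from launchpadlib.launchpad import Launchpad
 
 import apt_pkg
-from cve_lib import (kernel_srcs, get_orig_rel_name, load_cve, get_subproject_details, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor)
+from cve_lib import (kernel_srcs, product_series, load_cve, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor, needs_oval)
 from kernel_lib import (meta_kernels, kernel_package_abi, kernel_package_version)
 import oval_lib
 import lpl_common
@@ -47,16 +47,13 @@ if 'init_system' in dir(apt_pkg):
 else:
 apt_pkg.InitSystem()
 
-supported_products = [PRODUCT_UBUNTU, 'esm', 'esm-infra', 'esm-apps', 'fips', 'fips-updates']
 supported_releases = []
 for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):
- _, product, _, _ = get_subproject_details(r)
- if product in supported_products:
- if r not in supported_releases:
- supported_releases.append(r)
- parent = release_parent(r)
- if parent and parent not in supported_releases:
- supported_releases.append(parent)
+ if needs_oval(r):
+ supported_releases.append(r)
+ parent = release_parent(r)
+ if parent and parent not in supported_releases:
+ supported_releases.append(parent)
 
 default_cves_to_process = ['active/CVE-*', 'retired/CVE-*']
 
@@ -71,12 +68,12 @@ def main():
 global debug_level
 
 # parse command line options
- parser = argparse.ArgumentParser(description='Generate CVE OVAL from ' +
+ parser = argparse.ArgumentParser(description='Generate CVE OVAL from '
 'CVE metadata files.')
 parser.add_argument('pathname', nargs='*',
- help='pathname patterns (globs) specifying CVE ' +
- 'metadata files to be converted into OVAL ' +
- '(default: "./active/CVE-*" "./retired/CVE-*")')
+ help='pathname patterns (globs) specifying CVE '
+ 'metadata files to be converted into OVAL '
+ '(default: "./active/CVE-*" "./retired/CVE-*")')
 parser.add_argument('--oci', action='store_true',
 help='Also generate OVAL files for scanning Official Cloud Image manifests')
 parser.add_argument('--output-dir', nargs='?', default='./',
@@ -86,7 +83,7 @@ def main():
 parser.add_argument('--oci-prefix', nargs='?', default='oci.',
 help='Prefix to use for OCI manifest OVAL files names (required if oci-output-dir is the same as output-dir)')
 parser.add_argument('--cve-prefix-dir', nargs='?', default='./',
- help='location of CVE metadata files to process ' +
+ help='location of CVE metadata files to process '
 '(default is ./)')
 parser.add_argument('--no-progress', action='store_true',
 help='do not show progress meter')
@@ -99,15 +96,15 @@ def main():
 parser.add_argument('--usn-oval', action='store_true',
 help='generates oval from the USN database')
 parser.add_argument('--usn-db-dir', default='./', type=str,
- help='location of USN database.json to process ' +
+ help='location of USN database.json to process '
 '(default is ./)')
 parser.add_argument('--usn-number', default=None, type=str,
 help='if passed specifics a USN for the oval_usn generator')
 parser.add_argument('--usn-oval-release', default=None, type=str,
 help='specifies a release to generate the oval usn')
 parser.add_argument('--packages', nargs='+', action='store', default=None,
- help='generates oval for specific packages. Only for'+
- ' CVE OVAL')
+ help='generates oval for specific packages. Only for '
+ 'CVE OVAL')
 
 args = parser.parse_args()
 pathnames = args.pathname or default_cves_to_process
@@ -356,12 +353,6 @@ def parse_cve_file(filepath, cache, pkg_filter=None):
 continue
 if rel not in supported_releases:
 continue
- try:
- _, product, _, _ = get_subproject_details(rel)
- if product not in supported_products:
- continue
- except KeyError:
- continue
 state, details = data['pkgs'][pkg][rel]
 status_line = state
 if len(details) > 0:
@@ -556,7 +547,7 @@ class PackageCache():
 if parent:
 self.releases[release] = self.ubuntu.getSeries(name_or_version=parent)
 else:
- self.releases[release] = self.ubuntu.getSeries(name_or_version=get_orig_rel_name(release))
+ self.releases[release] = self.ubuntu.getSeries(name_or_version=product_series(release)[1])
 
 ppa = release_ppa(release)
 if ppa:
@@ -690,7 +681,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
 else:
 for release in supported_releases:
 # for now we don't differentiate products (e.g. esm) in the USN DB
- _, product, _, _ = get_subproject_details(release)
+ product, series = product_series(release)
 if product != PRODUCT_UBUNTU:
 continue
 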
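Review bot: The rewritten `supported_releases` loop in the `@@ -47,16 +47,13 @@` hunk drops the old `if r not in supported_releases` guard before `supported_releases.append(r)`, so a release that an earlier iteration already appended as some other release's parent is appended again when the set iteration reaches it itself (if `release_parent` can return a value that also occurs in the iterated set, which the old guard suggests it can), and every later `for release in supported_releases:` loop, including the one in `generate_oval_usn` at the end of this diff, would then process that release twice. Keep the guard while still walking the parent: leave `if needs_oval(r):` and change the append to `if r not in supported_releases: supported_releases.append(r)`. Because the iteration is over a set, whether the duplicate appears and where it lands in the list also varies from run to run, so the symptom would be intermittent. The parent is still added without consulting `needs_oval(parent)`, which matches the old behaviour but deserves a comment such as `# parents are included regardless of their own oval setting`. `main`, `parse_cve_file`, `PackageCache` and `generate_oval_usn` all continue outside their hunks.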
