Merge ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3 into ubuntu-cve-tracker:master
Proposed by
Eduardo Barretto
Status: | Merged |
---|---|
Merge reported by: | Eduardo Barretto |
Merged at revision: | 7091ff8b2fc3d3affdd276618c465637e336b363 |
Proposed branch: | ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3 |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
298 lines (+61/-33) 2 files modified
scripts/cve_lib.py (+45/-8) scripts/generate-oval (+16/-25) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Leonidas S. Barbosa | Approve | ||
Review via email: mp+432139@code.launchpad.net |
Commit message
Description of the change
The changes here aim to facilitate the oval generation.
For that we add an oval parameter to the subprojects configuration.
Also, rework of product_series function and add needs_oval function.
- 65fd154... by Eduardo Barretto
-
cve_lib: Fix lunar indentation
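diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
index 09cb6d9..d8d6bf6 100755
--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -111,6 +111,7 @@ subprojects = {
 },
 "esm/trusty": {
 "eol": False,
+ "oval": True,
 "packages": ["trusty-esm-supported.txt"],
 "name": "Ubuntu 14.04 ESM",
 "codename": "Trusty Tahr",
@@ -122,6 +123,7 @@ subprojects = {
 },
 "esm-infra/xenial": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted"],
 "packages": ["esm-infra-xenial-supported.txt"],
 "name": "Ubuntu 16.04 ESM",
@@ -133,6 +135,7 @@ subprojects = {
 },
 "fips/xenial": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-xenial-supported.txt"],
 "name": "Ubuntu 16.04 FIPS Certified",
 "codename": "Xenial Xerus",
@@ -142,6 +145,7 @@ subprojects = {
 },
 "fips/bionic": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-bionic-supported.txt"],
 "name": "Ubuntu 18.04 FIPS Certified",
 "codename": "Bionic Beaver",
@@ -151,6 +155,7 @@ subprojects = {
 },
 "fips/focal": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-focal-supported.txt"],
 "name": "Ubuntu 20.04 FIPS Certified",
 "codename": "Focal Fossa",
@@ -160,6 +165,7 @@ subprojects = {
 },
 "fips-updates/xenial": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-xenial-supported.txt"],
 "name": "Ubuntu 16.04 FIPS Compliant",
 "codename": "Xenial Xerus",
@@ -169,6 +175,7 @@ subprojects = {
 },
 "fips-updates/bionic": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-bionic-supported.txt"],
 "name": "Ubuntu 18.04 FIPS Compliant",
 "codename": "Bionic Beaver",
@@ -178,6 +185,7 @@ subprojects = {
 },
 "fips-updates/focal": {
 "eol": False,
+ "oval": True,
 "packages": ["fips-updates-focal-supported.txt"],
 "name": "Ubuntu 20.04 FIPS Compliant",
 "codename": "Focal Fossa",
@@ -187,6 +195,7 @@ subprojects = {
 },
 "ros-esm/kinetic": {
 "eol": False,
+ "oval": False,
 "packages": ["ros-esm-xenial-kinetic-supported.txt"],
 "name": "Ubuntu 16.04 ROS ESM",
 "codename": "Xenial Xerus",
@@ -198,6 +207,7 @@ subprojects = {
 },
 "ros-esm/melodic": {
 "eol": False,
+ "oval": False,
 "packages": ["ros-esm-bionic-melodic-supported.txt"],
 "name": "Ubuntu 18.04 ROS ESM",
 "codename": "Bionic Beaver",
@@ -452,6 +462,7 @@ subprojects = {
 },
 "ubuntu/bionic": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 18.04 LTS",
 "codename": "Bionic Beaver",
@@ -488,6 +499,7 @@ subprojects = {
 },
 "ubuntu/focal": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 20.04 LTS",
 "codename": "Focal Fossa",
@@ -524,6 +536,7 @@ subprojects = {
 },
 "ubuntu/jammy": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse", "partner"],
 "name": "Ubuntu 22.04 LTS",
 "codename": "Jammy Jellyfish",
@@ -533,6 +546,7 @@ subprojects = {
 },
 "ubuntu/kinetic": {
 "eol": False,
+ "oval": True,
 "components": ["main", "restricted", "universe", "multiverse"],
 "name": "Ubuntu 22.10",
 "codename": "Kinetic Kudu",
@@ -542,16 +556,18 @@ subprojects = {
 "stamp": 1666461600,
 },
 "ubuntu/lunar": {
- "eol": False,
- "components": ["main", "restricted", "universe", "multiverse"],
- "name": "Ubuntu 23.04",
- "codename": "Lunar Lobster",
- "alias": "lunar",
- "devel": True, # there can be only one ⚔
- "description": "Interim Release",
+ "eol": False,
+ "oval": True,
+ "components": ["main", "restricted", "universe", "multiverse"],
+ "name": "Ubuntu 23.04",
+ "codename": "Lunar Lobster",
+ "alias": "lunar",
+ "devel": True, # there can be only one ⚔
+ "description": "Interim Release",
 },
 "snap": {
 "eol": False,
+ "oval": False,
 "packages": ["snap-supported.txt"],
 }
 }
@@ -561,9 +577,19 @@ def product_series(rel):
 """Return the product,series tuple for rel."""
 series = ""
 parts = rel.split('/', 1)
- product = parts[0]
 if len(parts) == 2:
+ product = parts[0]
 series = parts[1]
+ # handle trusty/esm case
+ if product in releases:
+ product, series = series, product
+ elif parts[0] in releases:
+ # by default ubuntu releases have an omitted ubuntu product
+ # this avoids cases like snaps
+ product = PRODUCT_UBUNTU
+ series = parts[0]
+ else:
+ product = parts[0]
 return product, series
 
 # get the subproject details for rel along with it's canonical name, product and series
@@ -673,6 +699,16 @@ def release_ppa(rel):
 pass
 return ppa
 
+def needs_oval(rel):
+ """Return if OVAL should be generated for a given subproject"""
+ oval_type = None
+ _, product, series, details = get_subproject_details(rel)
+ try:
+ oval_type = details["oval"]
+ except (KeyError, TypeError):
+ pass
+ return oval_type
+
 def get_subproject_description(rel):
 """Return the description for a given release."""
 description = "?"
@@ -773,6 +809,7 @@ def load_external_subprojects():
 # subproject settings
 config = read_external_subproject_config(rel)
 subprojects[rel].setdefault("ppa", config["ppa"])
+ subprojects[rel].setdefault("oval", config["oval"])
 subprojects[rel].setdefault("name", config["name"])
 subprojects[rel].setdefault("description", config["description"])
 subprojects[rel].setdefault("parent", config["parent"])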
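Review bot: `needs_oval` returns `None` rather than `False` whenever a subproject has no `"oval"` key, so any subproject that never receives the key is silently left out of OVAL generation (no definitions, nothing for a scanner to match), and the unpacked `product` and `series` are never used. Since the only visible caller truth-tests the result, an explicit default is cheap: `_, _, _, details = get_subproject_details(rel)` followed by `return bool(details and details.get("oval", False))`, with the docstring saying that a missing key means the subproject is opted out. The narrow `try` also leaves `get_subproject_details` itself unguarded; the `except KeyError` that the generate-oval hunk removes around the same call suggests it can raise for unknown releases, which is worth confirming. Relatedly, `subprojects[rel].setdefault("oval", config["oval"])` in `load_external_subprojects` raises `KeyError` for an external config that predates this key unless `read_external_subproject_config` (outside this diff) fills in a default, so `config.get("oval", False)` would be the safer form there.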
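diff --git a/scripts/generate-oval b/scripts/generate-oval
index 58f1dc6..849ef82 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -36,7 +36,7 @@ import tempfile
 #from launchpadlib.launchpad import Launchpad
 
 import apt_pkg
-from cve_lib import (kernel_srcs, get_orig_rel_name, load_cve, get_subproject_details, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor)
+from cve_lib import (kernel_srcs, product_series, load_cve, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor, needs_oval)
 from kernel_lib import (meta_kernels, kernel_package_abi, kernel_package_version)
 import oval_lib
 import lpl_common
@@ -47,16 +47,13 @@ if 'init_system' in dir(apt_pkg):
 else:
 apt_pkg.InitSystem()
 
-supported_products = [PRODUCT_UBUNTU, 'esm', 'esm-infra', 'esm-apps', 'fips', 'fips-updates']
 supported_releases = []
 for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):
- _, product, _, _ = get_subproject_details(r)
- if product in supported_products:
- if r not in supported_releases:
- supported_releases.append(r)
- parent = release_parent(r)
- if parent and parent not in supported_releases:
- supported_releases.append(parent)
+ if needs_oval(r):
+ supported_releases.append(r)
+ parent = release_parent(r)
+ if parent and parent not in supported_releases:
+ supported_releases.append(parent)
 
 default_cves_to_process = ['active/CVE-*', 'retired/CVE-*']
 
@@ -71,12 +68,12 @@ def main():
 global debug_level
 
 # parse command line options
- parser = argparse.ArgumentParser(description='Generate CVE OVAL from ' +
+ parser = argparse.ArgumentParser(description='Generate CVE OVAL from '
 'CVE metadata files.')
 parser.add_argument('pathname', nargs='*',
- help='pathname patterns (globs) specifying CVE ' +
- 'metadata files to be converted into OVAL ' +
- '(default: "./active/CVE-*" "./retired/CVE-*")')
+ help='pathname patterns (globs) specifying CVE '
+ 'metadata files to be converted into OVAL '
+ '(default: "./active/CVE-*" "./retired/CVE-*")')
 parser.add_argument('--oci', action='store_true',
 help='Also generate OVAL files for scanning Official Cloud Image manifests')
 parser.add_argument('--output-dir', nargs='?', default='./',
@@ -86,7 +83,7 @@ def main():
 parser.add_argument('--oci-prefix', nargs='?', default='oci.',
 help='Prefix to use for OCI manifest OVAL files names (required if oci-output-dir is the same as output-dir)')
 parser.add_argument('--cve-prefix-dir', nargs='?', default='./',
- help='location of CVE metadata files to process ' +
+ help='location of CVE metadata files to process '
 '(default is ./)')
 parser.add_argument('--no-progress', action='store_true',
 help='do not show progress meter')
@@ -99,15 +96,15 @@ def main():
 parser.add_argument('--usn-oval', action='store_true',
 help='generates oval from the USN database')
 parser.add_argument('--usn-db-dir', default='./', type=str,
- help='location of USN database.json to process ' +
+ help='location of USN database.json to process '
 '(default is ./)')
 parser.add_argument('--usn-number', default=None, type=str,
 help='if passed specifics a USN for the oval_usn generator')
 parser.add_argument('--usn-oval-release', default=None, type=str,
 help='specifies a release to generate the oval usn')
 parser.add_argument('--packages', nargs='+', action='store', default=None,
- help='generates oval for specific packages. Only for'+
- ' CVE OVAL')
+ help='generates oval for specific packages. Only for '
+ 'CVE OVAL')
 
 args = parser.parse_args()
 pathnames = args.pathname or default_cves_to_process
@@ -356,12 +353,6 @@ def parse_cve_file(filepath, cache, pkg_filter=None):
 continue
 if rel not in supported_releases:
 continue
- try:
- _, product, _, _ = get_subproject_details(rel)
- if product not in supported_products:
- continue
- except KeyError:
- continue
 state, details = data['pkgs'][pkg][rel]
 status_line = state
 if len(details) > 0:
@@ -556,7 +547,7 @@ class PackageCache():
 if parent:
 self.releases[release] = self.ubuntu.getSeries(name_or_version=parent)
 else:
- self.releases[release] = self.ubuntu.getSeries(name_or_version=get_orig_rel_name(release))
+ self.releases[release] = self.ubuntu.getSeries(name_or_version=product_series(release)[1])
 
 ppa = release_ppa(release)
 if ppa:
@@ -690,7 +681,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
 else:
 for release in supported_releases:
 # for now we don't differentiate products (e.g. esm) in the USN DB
- _, product, _, _ = get_subproject_details(release)
+ product, series = product_series(release)
 if product != PRODUCT_UBUNTU:
 continue
 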
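Review bot: The rewritten loop in the `@@ -47,16 +47,13 @@` hunk drops the `if r not in supported_releases` guard the removed code had, so `supported_releases` can now hold a release twice when it is first appended as another subproject's parent and later visited as `r` itself (for instance a parent of a fips/* subproject that is also a live ubuntu/* release, if `release_parent` resolves that way — it is outside this diff). The `for release in supported_releases:` loop in `generate_oval_usn` would then emit that release's OVAL twice. Restoring the guard keeps the list deduplicated: `if needs_oval(r):` / `    if r not in supported_releases:` / `        supported_releases.append(r)`. In the last hunk `product, series = product_series(release)` leaves `series` unused; `product, _ = product_series(release)` makes that explicit.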
lgtm