Merge ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3 into ubuntu-cve-tracker:master

Proposed by Eduardo Barretto
Status: Merged
Merge reported by: Eduardo Barretto
Merged at revision: 7091ff8b2fc3d3affdd276618c465637e336b363
Proposed branch: ~ebarretto/ubuntu-cve-tracker:oval-roadmap-3
Merge into: ubuntu-cve-tracker:master
Diff against target: 298 lines (+61/-33)
2 files modified
scripts/cve_lib.py (+45/-8)
scripts/generate-oval (+16/-25)
Reviewer Review Type Date Requested Status
Leonidas S. Barbosa Approve
Review via email: mp+432139@code.launchpad.net

Description of the change

The changes here aim to facilitate the oval generation.
For that we add an oval parameter to the subprojects configuration.
Also, rework the product_series function and add a needs_oval function.

Leonidas S. Barbosa (leosilvab) wrote :

lgtm

review: Approve
65fd154... by Eduardo Barretto

cve_lib: Fix lunar indentation

diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
index 09cb6d9..d8d6bf6 100755
--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -111,6 +111,7 @@ subprojects = {
111 },111 },
112 "esm/trusty": {112 "esm/trusty": {
113 "eol": False,113 "eol": False,
114 "oval": True,
114 "packages": ["trusty-esm-supported.txt"],115 "packages": ["trusty-esm-supported.txt"],
115 "name": "Ubuntu 14.04 ESM",116 "name": "Ubuntu 14.04 ESM",
116 "codename": "Trusty Tahr",117 "codename": "Trusty Tahr",
@@ -122,6 +123,7 @@ subprojects = {
122 },123 },
123 "esm-infra/xenial": {124 "esm-infra/xenial": {
124 "eol": False,125 "eol": False,
126 "oval": True,
125 "components": ["main", "restricted"],127 "components": ["main", "restricted"],
126 "packages": ["esm-infra-xenial-supported.txt"],128 "packages": ["esm-infra-xenial-supported.txt"],
127 "name": "Ubuntu 16.04 ESM",129 "name": "Ubuntu 16.04 ESM",
@@ -133,6 +135,7 @@ subprojects = {
133 },135 },
134 "fips/xenial": {136 "fips/xenial": {
135 "eol": False,137 "eol": False,
138 "oval": True,
136 "packages": ["fips-xenial-supported.txt"],139 "packages": ["fips-xenial-supported.txt"],
137 "name": "Ubuntu 16.04 FIPS Certified",140 "name": "Ubuntu 16.04 FIPS Certified",
138 "codename": "Xenial Xerus",141 "codename": "Xenial Xerus",
@@ -142,6 +145,7 @@ subprojects = {
142 },145 },
143 "fips/bionic": {146 "fips/bionic": {
144 "eol": False,147 "eol": False,
148 "oval": True,
145 "packages": ["fips-bionic-supported.txt"],149 "packages": ["fips-bionic-supported.txt"],
146 "name": "Ubuntu 18.04 FIPS Certified",150 "name": "Ubuntu 18.04 FIPS Certified",
147 "codename": "Bionic Beaver",151 "codename": "Bionic Beaver",
@@ -151,6 +155,7 @@ subprojects = {
151 },155 },
152 "fips/focal": {156 "fips/focal": {
153 "eol": False,157 "eol": False,
158 "oval": True,
154 "packages": ["fips-focal-supported.txt"],159 "packages": ["fips-focal-supported.txt"],
155 "name": "Ubuntu 20.04 FIPS Certified",160 "name": "Ubuntu 20.04 FIPS Certified",
156 "codename": "Focal Fossa",161 "codename": "Focal Fossa",
@@ -160,6 +165,7 @@ subprojects = {
160 },165 },
161 "fips-updates/xenial": {166 "fips-updates/xenial": {
162 "eol": False,167 "eol": False,
168 "oval": True,
163 "packages": ["fips-updates-xenial-supported.txt"],169 "packages": ["fips-updates-xenial-supported.txt"],
164 "name": "Ubuntu 16.04 FIPS Compliant",170 "name": "Ubuntu 16.04 FIPS Compliant",
165 "codename": "Xenial Xerus",171 "codename": "Xenial Xerus",
@@ -169,6 +175,7 @@ subprojects = {
169 },175 },
170 "fips-updates/bionic": {176 "fips-updates/bionic": {
171 "eol": False,177 "eol": False,
178 "oval": True,
172 "packages": ["fips-updates-bionic-supported.txt"],179 "packages": ["fips-updates-bionic-supported.txt"],
173 "name": "Ubuntu 18.04 FIPS Compliant",180 "name": "Ubuntu 18.04 FIPS Compliant",
174 "codename": "Bionic Beaver",181 "codename": "Bionic Beaver",
@@ -178,6 +185,7 @@ subprojects = {
178 },185 },
179 "fips-updates/focal": {186 "fips-updates/focal": {
180 "eol": False,187 "eol": False,
188 "oval": True,
181 "packages": ["fips-updates-focal-supported.txt"],189 "packages": ["fips-updates-focal-supported.txt"],
182 "name": "Ubuntu 20.04 FIPS Compliant",190 "name": "Ubuntu 20.04 FIPS Compliant",
183 "codename": "Focal Fossa",191 "codename": "Focal Fossa",
@@ -187,6 +195,7 @@ subprojects = {
187 },195 },
188 "ros-esm/kinetic": {196 "ros-esm/kinetic": {
189 "eol": False,197 "eol": False,
198 "oval": False,
190 "packages": ["ros-esm-xenial-kinetic-supported.txt"],199 "packages": ["ros-esm-xenial-kinetic-supported.txt"],
191 "name": "Ubuntu 16.04 ROS ESM",200 "name": "Ubuntu 16.04 ROS ESM",
192 "codename": "Xenial Xerus",201 "codename": "Xenial Xerus",
@@ -198,6 +207,7 @@ subprojects = {
198 },207 },
199 "ros-esm/melodic": {208 "ros-esm/melodic": {
200 "eol": False,209 "eol": False,
210 "oval": False,
201 "packages": ["ros-esm-bionic-melodic-supported.txt"],211 "packages": ["ros-esm-bionic-melodic-supported.txt"],
202 "name": "Ubuntu 18.04 ROS ESM",212 "name": "Ubuntu 18.04 ROS ESM",
203 "codename": "Bionic Beaver",213 "codename": "Bionic Beaver",
@@ -452,6 +462,7 @@ subprojects = {
452 },462 },
453 "ubuntu/bionic": {463 "ubuntu/bionic": {
454 "eol": False,464 "eol": False,
465 "oval": True,
455 "components": ["main", "restricted", "universe", "multiverse", "partner"],466 "components": ["main", "restricted", "universe", "multiverse", "partner"],
456 "name": "Ubuntu 18.04 LTS",467 "name": "Ubuntu 18.04 LTS",
457 "codename": "Bionic Beaver",468 "codename": "Bionic Beaver",
@@ -488,6 +499,7 @@ subprojects = {
488 },499 },
489 "ubuntu/focal": {500 "ubuntu/focal": {
490 "eol": False,501 "eol": False,
502 "oval": True,
491 "components": ["main", "restricted", "universe", "multiverse", "partner"],503 "components": ["main", "restricted", "universe", "multiverse", "partner"],
492 "name": "Ubuntu 20.04 LTS",504 "name": "Ubuntu 20.04 LTS",
493 "codename": "Focal Fossa",505 "codename": "Focal Fossa",
@@ -524,6 +536,7 @@ subprojects = {
524 },536 },
525 "ubuntu/jammy": {537 "ubuntu/jammy": {
526 "eol": False,538 "eol": False,
539 "oval": True,
527 "components": ["main", "restricted", "universe", "multiverse", "partner"],540 "components": ["main", "restricted", "universe", "multiverse", "partner"],
528 "name": "Ubuntu 22.04 LTS",541 "name": "Ubuntu 22.04 LTS",
529 "codename": "Jammy Jellyfish",542 "codename": "Jammy Jellyfish",
@@ -533,6 +546,7 @@ subprojects = {
533 },546 },
534 "ubuntu/kinetic": {547 "ubuntu/kinetic": {
535 "eol": False,548 "eol": False,
549 "oval": True,
536 "components": ["main", "restricted", "universe", "multiverse"],550 "components": ["main", "restricted", "universe", "multiverse"],
537 "name": "Ubuntu 22.10",551 "name": "Ubuntu 22.10",
538 "codename": "Kinetic Kudu",552 "codename": "Kinetic Kudu",
@@ -542,16 +556,18 @@ subprojects = {
542 "stamp": 1666461600,556 "stamp": 1666461600,
543 },557 },
544 "ubuntu/lunar": {558 "ubuntu/lunar": {
545 "eol": False,559 "eol": False,
546 "components": ["main", "restricted", "universe", "multiverse"],560 "oval": True,
547 "name": "Ubuntu 23.04",561 "components": ["main", "restricted", "universe", "multiverse"],
548 "codename": "Lunar Lobster",562 "name": "Ubuntu 23.04",
549 "alias": "lunar",563 "codename": "Lunar Lobster",
550 "devel": True, # there can be only one ⚔564 "alias": "lunar",
551 "description": "Interim Release",565 "devel": True, # there can be only one ⚔
566 "description": "Interim Release",
552 },567 },
553 "snap": {568 "snap": {
554 "eol": False,569 "eol": False,
570 "oval": False,
555 "packages": ["snap-supported.txt"],571 "packages": ["snap-supported.txt"],
556 }572 }
557}573}
@@ -561,9 +577,19 @@ def product_series(rel):
561 """Return the product,series tuple for rel."""577 """Return the product,series tuple for rel."""
562 series = ""578 series = ""
563 parts = rel.split('/', 1)579 parts = rel.split('/', 1)
564 product = parts[0]
565 if len(parts) == 2:580 if len(parts) == 2:
581 product = parts[0]
566 series = parts[1]582 series = parts[1]
583 # handle trusty/esm case
584 if product in releases:
585 product, series = series, product
586 elif parts[0] in releases:
587 # by default ubuntu releases have an omitted ubuntu product
588 # this avoids cases like snaps
589 product = PRODUCT_UBUNTU
590 series = parts[0]
591 else:
592 product = parts[0]
567 return product, series593 return product, series
568594
569# get the subproject details for rel along with it's canonical name, product and series595# get the subproject details for rel along with it's canonical name, product and series
@@ -673,6 +699,16 @@ def release_ppa(rel):
673 pass699 pass
674 return ppa700 return ppa
675701
702def needs_oval(rel):
703 """Return if OVAL should be generated for a given subproject"""
704 oval_type = None
705 _, product, series, details = get_subproject_details(rel)
706 try:
707 oval_type = details["oval"]
708 except (KeyError, TypeError):
709 pass
710 return oval_type
711
676def get_subproject_description(rel):712def get_subproject_description(rel):
677 """Return the description for a given release."""713 """Return the description for a given release."""
678 description = "?"714 description = "?"
@@ -773,6 +809,7 @@ def load_external_subprojects():
773 # subproject settings809 # subproject settings
774 config = read_external_subproject_config(rel)810 config = read_external_subproject_config(rel)
775 subprojects[rel].setdefault("ppa", config["ppa"])811 subprojects[rel].setdefault("ppa", config["ppa"])
812 subprojects[rel].setdefault("oval", config["oval"])
776 subprojects[rel].setdefault("name", config["name"])813 subprojects[rel].setdefault("name", config["name"])
777 subprojects[rel].setdefault("description", config["description"])814 subprojects[rel].setdefault("description", config["description"])
778 subprojects[rel].setdefault("parent", config["parent"])815 subprojects[rel].setdefault("parent", config["parent"])
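Review bot: needs_oval (new lines 702-710 of this section) returns None, not False, when the subproject has no "oval" key or get_subproject_details yields no details, so a function named and documented as a predicate has three possible results and the docstring "Return if OVAL should be generated" does not say which; initialise with `oval_type = False` so callers only ever see a bool, and drop the unused unpacked names with `_, _, _, details = get_subproject_details(rel)`. The docstring could then read `"""Return True when rel's subproject has "oval" enabled, False when it is disabled or not configured."""`. Separately, load_external_subprojects now indexes `config["oval"]` unconditionally (new line 812), so an external subproject config that predates this key raises KeyError unless read_external_subproject_config supplies a default; that function is outside the diff, so this is worth confirming rather than assumed.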
diff --git a/scripts/generate-oval b/scripts/generate-oval
index 58f1dc6..849ef82 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -36,7 +36,7 @@ import tempfile
36#from launchpadlib.launchpad import Launchpad36#from launchpadlib.launchpad import Launchpad
3737
38import apt_pkg38import apt_pkg
39from cve_lib import (kernel_srcs, get_orig_rel_name, load_cve, get_subproject_details, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor)39from cve_lib import (kernel_srcs, product_series, load_cve, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_ppa, release_progenitor, needs_oval)
40from kernel_lib import (meta_kernels, kernel_package_abi, kernel_package_version)40from kernel_lib import (meta_kernels, kernel_package_abi, kernel_package_version)
41import oval_lib41import oval_lib
42import lpl_common42import lpl_common
@@ -47,16 +47,13 @@ if 'init_system' in dir(apt_pkg):
47else:47else:
48 apt_pkg.InitSystem()48 apt_pkg.InitSystem()
4949
50supported_products = [PRODUCT_UBUNTU, 'esm', 'esm-infra', 'esm-apps', 'fips', 'fips-updates']
51supported_releases = []50supported_releases = []
52for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):51for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):
53 _, product, _, _ = get_subproject_details(r)52 if needs_oval(r):
54 if product in supported_products:53 supported_releases.append(r)
55 if r not in supported_releases:54 parent = release_parent(r)
56 supported_releases.append(r)55 if parent and parent not in supported_releases:
57 parent = release_parent(r)56 supported_releases.append(parent)
58 if parent and parent not in supported_releases:
59 supported_releases.append(parent)
6057
61default_cves_to_process = ['active/CVE-*', 'retired/CVE-*']58default_cves_to_process = ['active/CVE-*', 'retired/CVE-*']
6259
@@ -71,12 +68,12 @@ def main():
71 global debug_level68 global debug_level
7269
73 # parse command line options70 # parse command line options
74 parser = argparse.ArgumentParser(description='Generate CVE OVAL from ' +71 parser = argparse.ArgumentParser(description='Generate CVE OVAL from '
75 'CVE metadata files.')72 'CVE metadata files.')
76 parser.add_argument('pathname', nargs='*',73 parser.add_argument('pathname', nargs='*',
77 help='pathname patterns (globs) specifying CVE ' +74 help='pathname patterns (globs) specifying CVE '
78 'metadata files to be converted into OVAL ' +75 'metadata files to be converted into OVAL '
79 '(default: "./active/CVE-*" "./retired/CVE-*")')76 '(default: "./active/CVE-*" "./retired/CVE-*")')
80 parser.add_argument('--oci', action='store_true',77 parser.add_argument('--oci', action='store_true',
81 help='Also generate OVAL files for scanning Official Cloud Image manifests')78 help='Also generate OVAL files for scanning Official Cloud Image manifests')
82 parser.add_argument('--output-dir', nargs='?', default='./',79 parser.add_argument('--output-dir', nargs='?', default='./',
@@ -86,7 +83,7 @@ def main():
86 parser.add_argument('--oci-prefix', nargs='?', default='oci.',83 parser.add_argument('--oci-prefix', nargs='?', default='oci.',
87 help='Prefix to use for OCI manifest OVAL files names (required if oci-output-dir is the same as output-dir)')84 help='Prefix to use for OCI manifest OVAL files names (required if oci-output-dir is the same as output-dir)')
88 parser.add_argument('--cve-prefix-dir', nargs='?', default='./',85 parser.add_argument('--cve-prefix-dir', nargs='?', default='./',
89 help='location of CVE metadata files to process ' +86 help='location of CVE metadata files to process '
90 '(default is ./)')87 '(default is ./)')
91 parser.add_argument('--no-progress', action='store_true',88 parser.add_argument('--no-progress', action='store_true',
92 help='do not show progress meter')89 help='do not show progress meter')
@@ -99,15 +96,15 @@ def main():
99 parser.add_argument('--usn-oval', action='store_true',96 parser.add_argument('--usn-oval', action='store_true',
100 help='generates oval from the USN database')97 help='generates oval from the USN database')
101 parser.add_argument('--usn-db-dir', default='./', type=str,98 parser.add_argument('--usn-db-dir', default='./', type=str,
102 help='location of USN database.json to process ' +99 help='location of USN database.json to process '
103 '(default is ./)')100 '(default is ./)')
104 parser.add_argument('--usn-number', default=None, type=str,101 parser.add_argument('--usn-number', default=None, type=str,
105 help='if passed specifics a USN for the oval_usn generator')102 help='if passed specifics a USN for the oval_usn generator')
106 parser.add_argument('--usn-oval-release', default=None, type=str,103 parser.add_argument('--usn-oval-release', default=None, type=str,
107 help='specifies a release to generate the oval usn')104 help='specifies a release to generate the oval usn')
108 parser.add_argument('--packages', nargs='+', action='store', default=None,105 parser.add_argument('--packages', nargs='+', action='store', default=None,
109 help='generates oval for specific packages. Only for'+106 help='generates oval for specific packages. Only for '
110 ' CVE OVAL')107 'CVE OVAL')
111108
112 args = parser.parse_args()109 args = parser.parse_args()
113 pathnames = args.pathname or default_cves_to_process110 pathnames = args.pathname or default_cves_to_process
@@ -356,12 +353,6 @@ def parse_cve_file(filepath, cache, pkg_filter=None):
356 continue353 continue
357 if rel not in supported_releases:354 if rel not in supported_releases:
358 continue355 continue
359 try:
360 _, product, _, _ = get_subproject_details(rel)
361 if product not in supported_products:
362 continue
363 except KeyError:
364 continue
365 state, details = data['pkgs'][pkg][rel]356 state, details = data['pkgs'][pkg][rel]
366 status_line = state357 status_line = state
367 if len(details) > 0:358 if len(details) > 0:
@@ -556,7 +547,7 @@ class PackageCache():
556 if parent:547 if parent:
557 self.releases[release] = self.ubuntu.getSeries(name_or_version=parent)548 self.releases[release] = self.ubuntu.getSeries(name_or_version=parent)
558 else:549 else:
559 self.releases[release] = self.ubuntu.getSeries(name_or_version=get_orig_rel_name(release))550 self.releases[release] = self.ubuntu.getSeries(name_or_version=product_series(release)[1])
560551
561 ppa = release_ppa(release)552 ppa = release_ppa(release)
562 if ppa:553 if ppa:
@@ -690,7 +681,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
690 else:681 else:
691 for release in supported_releases:682 for release in supported_releases:
692 # for now we don't differentiate products (e.g. esm) in the USN DB683 # for now we don't differentiate products (e.g. esm) in the USN DB
693 _, product, _, _ = get_subproject_details(release)684 product, series = product_series(release)
694 if product != PRODUCT_UBUNTU:685 if product != PRODUCT_UBUNTU:
695 continue686 continue
696687
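Review bot: The rebuilt supported_releases loop (new lines 50-56) drops the old `if r not in supported_releases` guard, so a release that was already appended as another release's parent is appended again when it comes up as r itself, and later loops such as the one in generate_oval_usn then process it twice; restore the check by wrapping the append as `if r not in supported_releases:` / `supported_releases.append(r)` while leaving the parent handling outside that condition. Note also that parents are appended without a needs_oval check and parse_cve_file no longer filters by product, so a parent whose own entry carries "oval": False would now be emitted where the removed product filter used to drop it; release_parent is not visible here, so this is inferred, and if the behaviour is intended a short comment on the loop saying that parents are always included would make it explicit.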
