Ubuntu CVE Tracker

Merge ~ebarretto/ubuntu-cve-tracker:oval-bugs into ubuntu-cve-tracker:master

Proposed by Eduardo Barretto on 2024-02-26

Status:	Merged
Merge reported by:	Eduardo Barretto
Merged at revision:	11ea9be3dc481fe183ffb6bf66401461cb8fb189
Proposed branch:	~ebarretto/ubuntu-cve-tracker:oval-bugs
Merge into:	ubuntu-cve-tracker:master
Diff against target:	933 lines (+134/-351) 7 files modified scripts/cve_lib.py (+2/-0) scripts/generate-oval (+74/-291) scripts/oval_lib.py (+42/-44) test/test_oval_lib_end_to_end.py (+4/-4) test/test_oval_lib_functional.py (+6/-6) test/test_oval_lib_unit.py (+3/-3) test/test_utils.py (+3/-3)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
David Fernandez Gonzalez	2024-02-26	Approve on 2024-02-28
Ubuntu Security Team	2024-02-26	Pending
Review via email: mp+461249@code.launchpad.net

Description of the change

Some clean-up on generate-oval:
- removed unused variables, fuctions and imports
- removed --cve-prefix-dir
- improved helper descriptions
- added --type flag, removed --usn-oval and --pkg-oval
- rework calls to OCI OVAL generation
- rework tests to address new changes

PS: There's a few commits that launchpad is not showing, you might want to look directly at the branch.

~ebarretto/ubuntu-cve-tracker:oval-bugs updated on 2024-02-26

11ea9be... by Eduardo Barretto on 2024-02-26

generate-oval: make oval-releases use nargs instead of appending

This allow single calls with --oval-releases bionic xenial
instead of --oval-releases bionic --oval-releases xenial

Revision history for this message

David Fernandez Gonzalez (litios) wrote on 2024-02-28:

LGTM, no changes in the OVAL output before and after this PR. Thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Eduardo Barretto

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
 index 416d5f7..090cdea 100755
 --- a/scripts/cve_lib.py
 +++ b/scripts/cve_lib.py
@@ -492,6 +492,7 @@ subprojects = {
      },
      "ubuntu/trusty": {
          "eol": True,
++        "oval": True,
          "components": ["main", "restricted", "universe", "multiverse"],
          "name": "Ubuntu 14.04 LTS",
          "version": 14.04,
@@ -532,6 +533,7 @@ subprojects = {
      },
      "ubuntu/xenial": {
          "eol": True,
++        "oval": True,
          "components": ["main", "restricted", "universe", "multiverse"],
          "name": "Ubuntu 16.04 LTS",
          "version": 16.04,
 diff --git a/scripts/generate-oval b/scripts/generate-oval
 index 920bba6..c555304 100755
 --- a/scripts/generate-oval
 +++ b/scripts/generate-oval
@@ -32,31 +32,11 @@ import os
  import re
  import sys
--import apt_pkg
--from cve_lib import (kernel_srcs, product_series, load_cve, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, release_progenitor, needs_oval)
--from kernel_lib import meta_kernels
++from cve_lib import (product_series, PRODUCT_UBUNTU, all_releases, eol_releases, devel_release, release_parent, release_name, needs_oval)
  import oval_lib
--# cope with apt_pkg api changes.
--if 'init_system' in dir(apt_pkg):
--    apt_pkg.init_system()
--else:
--    apt_pkg.InitSystem()
--
--supported_releases = []
--for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):
--    if needs_oval(r):
--        supported_releases.append(r)
--    parent = release_parent(r)
--    if parent and parent not in supported_releases:
--        supported_releases.append(parent)
--
--default_cves_to_process = ['active/CVE-*', 'retired/CVE-*']
--
  debug_level = 0
--package_cache = None
--
  def main():
      """ parse command line options and iterate through files to be processed
      """
@@ -64,9 +44,10 @@ def main():
      global supported_releases
      # parse command line options
--    parser = argparse.ArgumentParser(description='Generate CVE OVAL from '
--                                     'CVE metadata files.')
--    parser.add_argument('pathname', nargs='*',
++    parser = argparse.ArgumentParser(description='Generate OVAL for CVE, PKG or USNs.')
++    parser.add_argument('--type', required=True, choices=['cve', 'pkg', 'usn'],
++                        help='OVAL format')
++    parser.add_argument('--cves', nargs='*', default=['active/CVE-*', 'retired/CVE-*'],
                          help='pathname patterns (globs) specifying CVE '
                          'metadata files to be converted into OVAL '
                          '(default: "./active/CVE-*" "./retired/CVE-*")')
@@ -78,255 +59,76 @@ def main():
                          help='output directory for OCI manifest OVAL files (default is to use the same directory as --output-dir)')
      parser.add_argument('--oci-prefix', nargs='?', default='oci.',
                          help='Prefix to use for OCI manifest OVAL files names (required if oci-output-dir is the same as output-dir)')
--    parser.add_argument('--cve-prefix-dir', nargs='?', default='./',
--                        help='location of CVE metadata files to process '
--                        '(default is ./)')
      parser.add_argument('--no-progress', action='store_true',
                          help='do not show progress meter')
      parser.add_argument('--pkg-cache-dir', action='store', default='./',
                          help='cache location for binary packages')
      parser.add_argument('-d', '--debug', action='count', default=0,
                          help="report debugging information")
--    parser.add_argument('--usn-oval', action='store_true',
--                        help='generates oval from the USN database')
--    parser.add_argument('--pkg-oval', action='store_true',
--                        help='generates oval from the Package database')
      parser.add_argument('--usn-db-dir', default='./', type=str,
                          help='location of USN database.json to process '
                          '(default is ./)')
      parser.add_argument('--usn-number', default=None, type=str,
                          help='if passed specifics a USN for the oval_usn generator')
--    parser.add_argument('--oval-releases', default=None, action='append',
--                        help='specifies releases to generate the oval')
++    parser.add_argument('--oval-releases', default=None, nargs='+',
++                        help='only generate OVAL for specific releases')
      parser.add_argument('--packages', nargs='+', action='store', default=None,
--                        help='generates oval for specific packages. Only for '
--                        'CVE OVAL')
++                        help='generates OVAL for specific packages')
      parser.add_argument('--fixed-only', action='store_true',
--                        help='only generate pkg oval for fixed CVEs')
--    parser.add_argument('--expand', action='store_true',
--                        help='avoids combining all the oval data into one '
--                        'file and expands the output oval files into different '
++                        help='only generate OVAL for fixed CVEs')
++    parser.add_argument('--expand', action='store_true', default=False,
++                        help='avoids combining all the OVAL data into one '
++                        'file and expands the output OVAL files into different '
                          'releases, such as esm-apps, esm-infra, and ubuntu')
      args = parser.parse_args()
--    pathnames = args.pathname or default_cves_to_process
      debug_level = args.debug
--    # debugging; caution, can expose credentials
--    if debug_level >= 2:
--        import httplib2
--        httplib2.debuglevel = 1
--
--    # create oval generators for each supported release
--    outdir = './'
--    if args.output_dir:
--        outdir = args.output_dir
--        if not os.path.isdir(outdir):
--            raise FileNotFoundError("Could not find '%s'" % outdir)
--    if args.oci:
--        if args.oci_output_dir:
--            ocioutdir = args.oci_output_dir
--        else:
--            ocioutdir = args.output_dir
--        if not os.path.isdir(ocioutdir):
--            raise FileNotFoundError("Could not find '%s'" % ocioutdir)
--        ociprefix = args.oci_prefix
--        if outdir == ocioutdir and len(ociprefix) < 1:
--            raise ValueError("oci-prefix must be set when output-dir and oci-output-dir are the same")
--
--    if args.usn_oval:
--        if args.oci:
--            generate_oval_usn(args.output_dir, args.usn_number, args.oval_releases,
--                              args.cve_prefix_dir, args.usn_db_dir, args.no_progress, ociprefix, ocioutdir)
--        else:
--            generate_oval_usn(args.output_dir, args.usn_number, args.oval_releases,
--                              args.cve_prefix_dir, args.usn_db_dir, args.no_progress,)
++    if args.output_dir and not os.path.isdir(args.output_dir):
++        raise FileNotFoundError("Could not find '%s'" % args.output_dir)
--        return
++    if args.oci_prefix:
++        if not args.oci_output_dir:
++            args.oci_output_dir = args.output_dir
++        elif args.output_dir == args.oci_output_dir and len(args.oci_prefix) < 1:
++            raise ValueError("oci-prefix must be set when output-dir and oci-output-dir are the same")
--    # if --oval-release, we still need to load parents cache
--    # so we can generate a complete oval for those releases that
--    # have a parent
--    releases = supported_releases
++    releases = []
      if args.oval_releases:
          releases = args.oval_releases
          for release in releases:
--            if release not in supported_releases:
++            if not needs_oval(release):
                  error(f"unknown oval release {release}")
++    else:
++        releases = []
++        for r in set(all_releases).difference(set(eol_releases)).difference(set([devel_release])):
++            if needs_oval(r):
++                releases.append(r)
++
++    # for each release we need to get its parent to also
++    # load their cache data in order to generate a complete
++    # oval for such release
++    parent_releases = set()
++    for release in releases:
++        while(release_parent(release)):
++            release = release_parent(release)
++            parent_releases.add(release)
--    expand = args.expand
--
--    cache = {}
--    for release in supported_releases:
--        cve_cache = {}
--        cache.update({release: get_package_cache(args.pkg_cache_dir, release)})
--
--    if args.pkg_oval:
--        if args.oci:
--            generate_oval_package(releases, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, ocioutdir, expand)
--        else:
--            generate_oval_package(releases, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, expand)
--        return
++    releases = set(releases + list(parent_releases))
--    if args.oci:
--        generate_oval_cve(releases, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, ocioutdir, expand)
++    if args.type == 'usn':
++            generate_oval_usn(args.output_dir, args.usn_number, releases,
++                              args.cves, args.usn_db_dir, args.no_progress, args.oci_prefix, args.oci_output_dir)
      else:
--        generate_oval_cve(releases, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, expand)
--    return
--
--
--# given a status generated by parse_package_status(), duplicate it for a
--# different source package, computing binary packages for the new source
--# package
--def duplicate_package_status(release, package, original_status, cache, override_version=None):
--    copied_status = {}
--    copied_status['status'] = original_status['status']
--    copied_status['note'] = original_status['note']
--    if override_version:
--        copied_status['fix-version'] = override_version
--    elif 'fix-version' in original_status:
--        copied_status['fix-version'] = original_status['fix-version']
--
--    if 'bin-pkgs' in original_status:
--        copied_status['bin-pkgs'] = original_status['bin-pkgs']
--
--    return copied_status
--
--
--# returns True if we should ignore this source package; primarily used
--# for -edge kernels
--def ignore_source_package(source):
--    if re.match('linux-.*-edge$', source):
--        return True
--    if re.match('linux-riscv.*$', source):
--        # linux-riscv.* currently causes a lot of false positives, skip
--        # it altogether while we don't land a better fix
--        return True
--    return False
--
--
--def parse_cve_file(filepath, cache, pkg_filter=None, expand=False):
--    """ parse CVE data file into a dictionary using cve_lib """
--
--    cve_header_data = {
--        'Candidate': '',
--        'CRD': '',
--        'PublicDate': '',
--        'PublicDateAtUSN': '',
--        'References': [get_cve_url(filepath)],
--        'Description': '',
--        'Ubuntu-Description': '',
--        'Notes': '',
--        'Mitigation': '',
--        'Bugs': [],
--        'Priority': '',
--        'Discovered-by': '',
--        'Assigned-to': '',
--        'CVSS': '',
--        'Unknown-Fields': [],
--        'Source-note': filepath
--    }
--    data = load_cve(filepath)
--    # first try a naive translation of fields
--    for f in cve_header_data:
--        try:
--            cve_header_data[f] = data[f]
--        except KeyError:
--            pass
--
--    # then handle any particular fields which are expected to have a
--    # different format
--    cve_header_data['Description'] = cve_header_data['Description'].strip().replace('\n', ' ')
--    cve_header_data['Ubuntu-Description'] = cve_header_data['Ubuntu-Description'].strip().replace('\n', ' ')
--    cve_header_data['References'] = [ref.strip() for ref in cve_header_data['References'].split('\n') if len(ref.strip()) > 0]
--    cve_header_data['References'].insert(0, get_cve_url(filepath))
--    cve_header_data['Bugs'] = [bug.strip() for bug in cve_header_data['Bugs'].split('\n') if len(bug.strip()) > 0]
--    cve_header_data['Notes'] = ' '.join(user + '> ' + note.replace('\n', ' ') for user, note in cve_header_data['Notes'])
--    cve_header_data['Priority'] = cve_header_data['Priority'][0]
--    packages = {}
--    for pkg in data['pkgs']:
--        if ignore_source_package(pkg):
--            continue
--        if pkg_filter:
--            if pkg not in pkg_filter:
--                continue
--
--        packages[pkg] = {'Releases': {},
--                         'Priority': '',
--                         'Tags': []}
--        for rel in data['pkgs'][pkg]:
--            if rel in ['upstream', 'devel']:
--                continue
--            if rel not in supported_releases:
--                continue
--            state, details = data['pkgs'][pkg][rel]
--            packages[pkg]['Releases'][rel] = oval_lib.CVEPkgRelEntry.parse_package_status(rel, pkg, state, details, filepath, cache, oval_lib.find_release_codename(rel), expand)
--
--    # add supplemental packages; usually kernels only need this special case.
--    for package in [name for name in packages if name in kernel_srcs]:
--        for release in [
--            rel for rel in packages[package]['Releases']
--            if packages[package]['Releases'][rel]['status'] != 'not-applicable'
--        ]:
--            # add signed package
--            # handle signed package of subprojects without needing to have them in kernel_lib
--            progenitor = release_progenitor(release)
--            if progenitor:
--                signed_pkg = meta_kernels.get_signed(progenitor, package, quiet=(debug_level < 1))
--            else:
--                signed_pkg = meta_kernels.get_signed(release, package, quiet=(debug_level < 1))
--            if signed_pkg:
--                if signed_pkg not in packages:
--                    packages[signed_pkg] = {
--                        'Priority': packages[package]['Priority'],
--                        'Tags': packages[package]['Tags'],
--                        'Releases': {}
--                    }
--                if release not in packages[signed_pkg]['Releases']:
--                    packages[signed_pkg]['Releases'][release] = \
--                        duplicate_package_status(release, signed_pkg, packages[package]['Releases'][release], cache)
--
--    # if subproject is based on an ubuntu release
--    for pkg in packages:
--        # if subproject is DNE for a given package, then copy parent's status
--        for rel in packages[pkg]['Releases']:
--            parent = release_parent(rel)
--            if parent and parent in packages[pkg]['Releases']:
--                if packages[pkg]['Releases'][parent]['status'] != 'not-applicable' and packages[pkg]['Releases'][rel]['status'] == 'not-applicable':
--                    packages[pkg]['Releases'][rel] = \
--                        duplicate_package_status(parent, pkg, packages[pkg]['Releases'][parent], cache)
--                    # this is needed for update instructions
--                    progenitor = release_progenitor(parent)
--                    if progenitor and progenitor in packages[pkg]['Releases']:
--                        if packages[pkg]['Releases'][parent]['status'] == packages[pkg]['Releases'][progenitor]['status']:
--                            packages[pkg]['Releases'][rel]['parent'] = progenitor
--                        else:
--                            packages[pkg]['Releases'][rel]['parent'] = parent
--                    else:
--                        packages[pkg]['Releases'][rel]['parent'] = parent
--        # if supported release not in CVE file, then copy parent's status
--        for rel in supported_releases:
--            if rel not in packages[pkg]['Releases']:
--                parent = release_parent(rel)
--                if parent and parent not in packages[pkg]['Releases']:
--                    parent = release_parent(parent)
--
--                if not parent or parent not in packages[pkg]['Releases']:
--                    continue
--
--                packages[pkg]['Releases'][rel] = \
--                    duplicate_package_status(parent, pkg, packages[pkg]['Releases'][parent], cache)
--                packages[pkg]['Releases'][rel]['parent'] = parent
--
--    return {'header': cve_header_data, 'packages': packages}
--
--
--def get_cve_url(filepath):
--    """ returns a url to CVE data from a filepath """
--    path = os.path.realpath(filepath).split(os.sep)
--    url = "https://ubuntu.com/security"
--    cve = path[-1]
--    return "%s/%s" % (url, cve)
++        cache = {}
++        for release in releases:
++            cve_cache = {}
++            cache.update({release: get_package_cache(args.pkg_cache_dir, release)})
++
++        if args.type == 'pkg':
++            generate_oval_package(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
++        elif args.type == 'cve':
++            generate_oval_cve(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
  def warn(message):
@@ -343,17 +145,6 @@ def debug(message):
      if debug_level > 0:
          sys.stdout.write('\rDEBUG: {0}\n'.format(message))
--def progress_bar(current, total, size=20):
--    """ show a simple progress bar on the CLI """
--    current_percent = float(current) / total
--    hashes = '#' * int(round(current_percent * size))
--    spaces = ' ' * (size - len(hashes))
--    sys.stdout.write('\rProgress: [{0}] {1}% ({2} of {3} CVEs processed)'.format(hashes + spaces, int(round(current_percent * 100)), current, total))
--    if (current == total):
--        sys.stdout.write('\n')
--
--    sys.stdout.flush()
--
  def prepend_usn_to_id(usn_database, usn_id):
      if re.search(r'^[0-9]+-[0-9]$', usn_id):
          usn_database[usn_id]['id'] = 'USN-' + usn_id
@@ -381,15 +172,15 @@ def get_usn_database(usn_db_dir):
  # Usage:
  # for a given release only:
--#   ./generate-oval --usn-oval --usn-db-dir ~/usndb --usn-oval-release=focal --output-dir /tmp/oval_usn
++#   ./generate-oval --type usn --usn-db-dir ~/usndb --oval-releases=focal --output-dir /tmp/oval_usn
  # for all the releases:
--#   ./generate-oval --usn-oval --usn-db-dir ~/usndb --output-dir /tmp/oval_usn
++#   ./generate-oval --type usn --usn-db-dir ~/usndb --output-dir /tmp/oval_usn
  # for a specific release and USN-number
--#   ./generate-oval --usn-oval --usn-db-dir ~/usndb --usn-oval-release=focal --usn-number=1234
++#   ./generate-oval --type usn --usn-db-dir ~/usndb --oval-releases=focal --usn-number=1234
  # WARNING:
  #  be sure the release you are passing is in the usn-number passed
  #  otherwise it will generate an oval file without the usn info.
--def generate_oval_usn(outdir, usn, usn_releases, cve_dir, usn_db_dir, no_progress, ociprefix=None, ocioutdir=None):
++def generate_oval_usn(outdir, usn, usn_releases, cves, usn_db_dir, no_progress, ociprefix, ocioutdir):
      # Get the usn database.json data
      usn_database = get_usn_database(usn_db_dir)
      if not usn_database:
@@ -404,33 +195,27 @@ def generate_oval_usn(outdir, usn, usn_releases, cve_dir, usn_db_dir, no_progres
      valid_releases = []
      # Check or generate valid releases
--    if usn_releases:
--        for usn_release in usn_releases:
--            if usn_release not in supported_releases:
--                error(f"Invalid release name '{usn_release}'.")
--        valid_releases = usn_releases
--    else:
--        valid_releases = list(filter(lambda release: product_series(release)[0] == PRODUCT_UBUNTU, supported_releases))
++    valid_releases = list(filter(lambda release: product_series(release)[0] == PRODUCT_UBUNTU, usn_releases))
      if not no_progress:
          print('[*] Generating OVAL USN for packages in releases', ', '.join(valid_releases))
      for release in valid_releases:
--        ovals.append(oval_lib.OvalGeneratorUSN(release, release_name(release), outdir, cve_dir))
++        ovals.append(oval_lib.OvalGeneratorUSN(release, release_name(release), outdir, cves))
          # Also produce oval generator object for OCI
          if ocioutdir:
              ovals.append(oval_lib.OvalGeneratorUSN(release, release_name(release), ocioutdir,
--                                                cve_dir, ociprefix, 'oci'))
++                                                cves, ociprefix, 'oci'))
      # Generate OVAL USN data
      if usn:
          prepend_usn_to_id(usn_database, usn)
          for oval in ovals:
--            oval.generate_usn_oval(usn_database[usn], usn_database[usn]['id'], cve_dir)
++            oval.generate_usn_oval(usn_database[usn], usn_database[usn]['id'], cves)
      else:
          for usn in sorted(usn_database.keys()):
              prepend_usn_to_id(usn_database, usn)
              for oval in ovals:
--                oval.generate_usn_oval(usn_database[usn], usn_database[usn]['id'], cve_dir)
++                oval.generate_usn_oval(usn_database[usn], usn_database[usn]['id'], cves)
      for oval in ovals:
          oval.write_oval_elements()
@@ -452,21 +237,20 @@ def filter_releases_for_output(releases, ov):
      return output_releases
--def generate_oval_package(releases, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ocioutdir=None, expand=False):
++def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
      if not no_progress:
          print('[*] Initiating OVAL Generation for PKG')
      ov = oval_lib.OvalGeneratorPkg(
--        releases,
--        pathnames,
--        packages,
--        not no_progress,
--        pkg_cache=pkg_cache,
--        fixed_only=fixed_only,
--        cve_cache=cve_cache,
++        releases,
++        cves,
++        packages,
++        not no_progress,
++        pkg_cache=pkg_cache,
++        fixed_only=fixed_only,
++        cve_cache=cve_cache,
          oval_format='dpkg',
--        outdir=outdir,
--        cve_prefix_dir=cve_prefix_dir,
++        outdir=outdir,
          expand=expand
+     )
@@ -485,21 +269,20 @@ def generate_oval_package(releases, outdir, cve_prefix_dir, pkg_cache, cve_cache
      if not no_progress:
          print(f'[X] Done generating OVAL PKG for packages in releases {", ".join(output_releases)}')
--def generate_oval_cve(releases, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ocioutdir=None, expand=False):
++def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
      if not no_progress:
          print('[*] Initiating OVAL Generation for CVE')
      ov = oval_lib.OvalGeneratorCVE(
--        releases,
--        pathnames,
--        packages,
++        releases,
++        cves,
++        packages,
          not no_progress,
--        pkg_cache=pkg_cache,
--        fixed_only=fixed_only,
--        cve_cache=cve_cache,
++        pkg_cache=pkg_cache,
++        fixed_only=fixed_only,
++        cve_cache=cve_cache,
          oval_format='dpkg',
--        outdir=outdir,
--        cve_prefix_dir=cve_prefix_dir,
++        outdir=outdir,
          expand=expand
+     )
 diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
 index d60c6dc..a974eaf 100644
 --- a/scripts/oval_lib.py
 +++ b/scripts/oval_lib.py
@@ -29,7 +29,6 @@ import tempfile
  import collections
  import glob
  import xml.etree.cElementTree as etree
--import json
  from xml.dom import minidom
  from typing import Tuple # Needed because of Python < 3.9 and to also support < 3.7
@@ -172,7 +171,7 @@ def get_binarypkgs(cache, source_name, release):
      """ return a list of binary packages from the source package version """
      packages_to_ignore = ("-dev", "-doc", "-dbg", "-dbgsym", "-udeb", "-locale-")
      binaries_map = collections.defaultdict(dict)
--
++
      rel = get_real_release(cache, source_name, release)
      if not rel: return None, None
@@ -316,7 +315,7 @@ class CVE:
                  self.bugs.append(url)
              elif url:
                  self.references.append(url)
--
++
          for bug in info['Bugs'].split('\n'):
              if bug:
                  self.bugs.append(bug)
@@ -331,7 +330,7 @@ class CVE:
          for pkg in self.pkgs:
              if pkg.rel not in releases:
                  continue
--
++
              if pkg.name not in pkg_rel:
                  pkg_rel[pkg.name] = pkg
              else:
@@ -356,7 +355,7 @@ class CVE:
              if pkg.name in pkg_rel and pkg_rel[pkg.name].rel == pkg.rel:
                  pkgs.append(pkg)
--
++
          return pkgs
@@ -429,7 +428,7 @@ class Package:
      def version_exists(self, source_version):
          return source_version in self.versions_binaries
--
++
      def all_binaries_same_version(self, source_version):
          if source_version not in self.versions_binaries:
              return len(self.versions_binaries[self.earliest_version]) <= 1
@@ -514,7 +513,7 @@ class OvalGenerator:
      supported_oval_elements = ('definition', 'test', 'object', 'state', 'variable')
      generator_version = '2'
      oval_schema_version = '5.11.1'
--    def __init__(self, type, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None,  cve_prefix_dir=None, outdir='./', oval_format='dpkg', expand=False) -> None:
++    def __init__(self, type, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
          self.releases = releases
          self.output_dir = outdir
          self.oval_format = oval_format
@@ -524,7 +523,7 @@ class OvalGenerator:
          self.pkg_cache = pkg_cache
          self.cve_paths = cve_paths
          self.fixed_only = fixed_only
--        self.packages, self.cves = self._load(cve_prefix_dir, packages)
++        self.packages, self.cves = self._load(packages)
          self.expand = expand
      def _init_ids(self, release):
@@ -532,7 +531,7 @@ class OvalGenerator:
          self.release = release
          self.release_codename = cve_lib.release_progenitor(self.release) if cve_lib.release_progenitor(self.release) else self.release.replace('/', '_')
          self.release_name = cve_lib.release_name(self.release)
--
++
          self.parent_releases = list()
          current_release = self.release
          while(cve_lib.release_parent(current_release)):
@@ -540,7 +539,7 @@ class OvalGenerator:
              if current_release != self.release and \
                  current_release not in self.parent_releases:
                  self.parent_releases.append(current_release)
--
++
          self.ns = 'oval:com.ubuntu.{0}'.format(self.release_codename)
          self.id = 100
          self.host_def_id = self.id
@@ -564,7 +563,7 @@ class OvalGenerator:
              self.output_filepath = \
                  '{0}com.ubuntu.{1}.{2}.oval.xml'.format('oci.' if self.oval_format == 'oci' else '', self.release.replace('/', '_'), self.generator_type)
--
++
      def _add_structure(self, root) -> None:
          structure = {}
          for element in self.supported_oval_elements:
@@ -756,14 +755,14 @@ class OvalGenerator:
          pkg_obj = packages[package_name]
          cve.add_pkg(pkg_obj, release, cve_data['pkgs'][package_name][release][0],cve_data['pkgs'][package_name][release][1], self.expand)
--    def _load(self, cve_prefix_dir, packages_filter=None) -> None:
++    def _load(self, packages_filter=None) -> None:
          cve_lib.load_external_subprojects()
--        cve_paths = []
++        path_to_cves = []
          for pathname in self.cve_paths:
--            cve_paths = cve_paths + glob.glob(os.path.join(cve_prefix_dir, pathname))
++            path_to_cves = path_to_cves + glob.glob(pathname)
--        cve_paths.sort(key=lambda cve:
++        path_to_cves.sort(key=lambda cve:
                     (int(cve.split('/')[-1].split('-')[1]), int(cve.split('/')[-1].split('-')[2])) \
                      if cve.split('/')[-1].split('-')[2].isnumeric() \
                      else (int(cve.split('/')[-1].split('-')[1]), 0)
@@ -790,12 +789,12 @@ class OvalGenerator:
                  if release not in cve_lib.external_releases else {}
          i = 0
--        for cve_path in cve_paths:
++        for cve_path in path_to_cves:
              cve_number = cve_path.rsplit('/', 1)[1]
              i += 1
              if self.progress:
--                print(f'[{i:5}/{len(cve_paths)}] Processing {cve_number:18}', end='\r')
++                print(f'[{i:5}/{len(path_to_cves)}] Processing {cve_number:18}', end='\r')
              if not cve_number in self.cve_cache:
                  self.cve_cache[cve_number] = cve_lib.load_cve(cve_path)
@@ -849,7 +848,7 @@ class OvalGenerator:
              extend_definition.set("applicability_check", "true")
          return criteria
--
++
      def _generate_definition_object(self, object) -> etree.Element:
          id = f"{self.ns}:def:{self.definition_id}"
          definition = etree.Element("definition")
@@ -889,7 +888,7 @@ class OvalGenerator:
                  cve_tag.set('usns', ','.join(cve.usns))
          return cve_tag
--
++
      def _generate_var_element(self, comment, id, binaries) -> etree.Element:
          var = etree.Element("constant_variable",
              attrib={
@@ -1323,9 +1322,9 @@ class OvalGenerator:
  class OvalGeneratorPkg(OvalGenerator):
--    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None,  cve_prefix_dir=None, outdir='./', oval_format='dpkg',expand=False) -> None:
++    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg',expand=False) -> None:
          self.expand = expand
--        super().__init__('pkg', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache,  cve_prefix_dir, outdir, oval_format, expand)
++        super().__init__('pkg', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, outdir, oval_format, expand)
      def _generate_advisory(self, package: Package) -> etree.Element:
          advisory = etree.Element("advisory")
@@ -1431,7 +1430,7 @@ class OvalGeneratorPkg(OvalGenerator):
                      binary_id_version = binary_version
                  binaries_ids.setdefault(binary_id_version, None)
--                binaries_id = binaries_ids[binary_id_version]
++                binaries_id = binaries_ids[binary_id_version]
                  test, obj, var, state = self._generate_elements(package, binaries, binary_version, pkg_rel_entry, binaries_id)
                  if state:
@@ -1451,7 +1450,7 @@ class OvalGeneratorPkg(OvalGenerator):
          self._increase_id(is_definition=True)
--    def _populate_kernel_pkg(self, package, root_element, running_kernel_id):
++    def _populate_kernel_pkg(self, package, root_element, running_kernel_id):
          for cve in package.cves:
              pkg_rel_entry = cve.pkg_rel_entries[str(package)]
              version_to_check = package.get_version_to_check(pkg_rel_entry.fixed_version)
@@ -1482,7 +1481,7 @@ class OvalGeneratorPkg(OvalGenerator):
              cve_added = True
              # Determine if CVE is linked to existing test_ref
--            test_ref_id =  self.definition_id
++            test_ref_id =  self.definition_id
              if fixed_versions.get(pkg_rel_entry.fixed_version, False):
                  test_ref_id = fixed_versions[pkg_rel_entry.fixed_version]
              self._add_test_ref_to_cve_tag(test_ref_id, cve, definition_element)
@@ -1513,7 +1512,7 @@ class OvalGeneratorPkg(OvalGenerator):
              all_pkgs = dict()
              for parent_release in self.parent_releases[::-1]:
                  all_pkgs.update(self.packages[parent_release])
--
++
              all_pkgs.update(self.packages[self.release])
              for pkg in all_pkgs:
@@ -1529,9 +1528,9 @@ class OvalGeneratorPkg(OvalGenerator):
                  self._write_oval_xml(xml_tree, root_element)
  class OvalGeneratorCVE(OvalGenerator):
--    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None,  cve_prefix_dir=None, outdir='./', oval_format='dpkg', expand=False) -> None:
++    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
          self.expand = expand
--        super().__init__('cve', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache,  cve_prefix_dir, outdir, oval_format, expand)
++        super().__init__('cve', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, outdir, oval_format, expand)
      # For CVE OVAL, the definition ID is generated
      # from the CVE ID
@@ -1551,7 +1550,7 @@ class OvalGeneratorCVE(OvalGenerator):
          if cve.assigned_to:
              assigned_to = etree.SubElement(advisory, "assigned_to")
              assigned_to.text = cve.assigned_to
--
++
          if cve.discoverd_by:
              discoverd_by = etree.SubElement(advisory, "discoverd_by")
              discoverd_by.text = cve.discoverd_by
@@ -1596,7 +1595,7 @@ class OvalGeneratorCVE(OvalGenerator):
              "ref_url": f'https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve.number}'
          })
--        return reference
++        return reference
      def prepare_instructions(self, instruction, cve: CVE, product_description, package: Package, fixed_version):
          if "LSN" in cve.number:
@@ -1729,13 +1728,13 @@ class OvalGeneratorCVE(OvalGenerator):
                  pkg_added = True
              else:
                  pkg_added = self._populate_pkg(cve, pkg, root_element, definition_element, pkg_cache, fixed_versions)
--
++
              if pkg_rel_entry.status == 'fixed' and pkg_added:
                  product_description = cve_lib.get_subproject_description(pkg_rel_entry.release)
                  instructions = self.prepare_instructions(instructions, cve, product_description, pkg, pkg_rel_entry.fixed_version)
              cve_added = cve_added | pkg_added
--
++
          if cve_added:
              definitions = root_element.find("definitions")
              metadata = definition_element.find('metadata')
@@ -1780,8 +1779,8 @@ class OvalGeneratorCVE(OvalGenerator):
                  self._write_oval_xml(xml_tree, root_element)
  class OvalGeneratorUSNs(OvalGenerator):
--    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, cve_prefix_dir=None, outdir='./', oval_format='dpkg') -> None:
--        super().__init__('usn', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, cve_prefix_dir, outdir, oval_format)
++    def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg') -> None:
++        super().__init__('usn', releases, cve_paths, packages, progress, pkg_cache, fixed_only, cve_cache, outdir, oval_format)
          self.usns = self._load_usns(usn_database)
      def _load_usns(self, usn_database):
@@ -1838,7 +1837,7 @@ class OvalGeneratorUSNs(OvalGenerator):
          platform = etree.SubElement(affected, "platform")
          reference = self._generate_reference(usn)
--        metadata.append(reference)
++        metadata.append(reference)
          advisory = self._generate_advisory(usn)
          metadata.append(reference)
          metadata.append(advisory)
@@ -1920,7 +1919,7 @@ class OvalGeneratorUSNs(OvalGenerator):
              self._increase_id(is_definition=False)
          else:
              self._add_to_criteria(main_criteria, cache[package.name], depth=2, operator='OR')
--
++
          self._increase_id(is_definition=True)
      def generate_oval(self) -> None:
@@ -1952,11 +1951,11 @@ class OvalGeneratorUSNs(OvalGenerator):
                          self._populate_kernel_pkg(self.cves[cve], pkg, root_element, definition_element, running_kernel_id, pkg_cache, fixed_versions)
                      else:
                          self._populate_pkg(self.cves[cve], pkg, root_element, definition_element, pkg_cache, fixed_versions)
--
++
                      if pkg_rel_entry.status == 'fixed' and pkg.binaries:
                          product_description = cve_lib.get_subproject_description(pkg_rel_entry.release)
                          instructions = prepare_instructions(instructions, self.cves[cve].number, product_description, {'binaries': pkg.binaries, 'fix-version': pkg_rel_entry.fixed_version})
--
++
              metadata = definition_element.find('metadata')
              metadata.find('description').text = metadata.find('description').text + instructions
              definitions.append(definition_element)
@@ -2467,14 +2466,13 @@ class OvalGeneratorUSN():
          return constant_variable
      def get_cve_info_from_file(self, cve, cve_dir):
--        cve_active_file_path = os.path.join(cve_dir, 'active', cve)
--        cve_retired_file_path = os.path.join(cve_dir, 'retired', cve)
++        cve_file_path = ""
++        for path in cve_dir:
++            if os.path.exists(os.path.join(path, cve)):
++                cve_file_path = os.path.join(path, cve)
++                break
--        if os.path.exists(cve_active_file_path):
--            cve_file_path = cve_active_file_path
--        elif os.path.exists(cve_retired_file_path):
--            cve_file_path = cve_retired_file_path
--        else:
++        if not cve_file_path:
              return None
          cve_object = cve_lib.load_cve(cve_file_path)
 diff --git a/test/test_oval_lib_end_to_end.py b/test/test_oval_lib_end_to_end.py
 index bfad6c4..db74957 100644
 --- a/test/test_oval_lib_end_to_end.py
 +++ b/test/test_oval_lib_end_to_end.py
@@ -6,13 +6,13 @@ from test_utils import TestUtilities as util
  from test_utils import OVALType
  class TestOvalLibEndToEnd:
      @pytest.mark.parametrize("output_file,oscap_args",
--        [(util.focal_dpkg_file, ["--oval-release", "focal"]),
--        (util.xenial_dpkg_file, ["--oval-release", "xenial"])])
++        [(util.focal_dpkg_file, ["--oval-releases", "focal"]),
++        (util.xenial_dpkg_file, ["--oval-releases", "xenial"])])
      def test_validate_entire_dpkg_oval(self, output_file, oscap_args):
          """Coherence check of entire generated dpkg OVAL"""
          write_file = util.rel_test_path + output_file
--        subprocess.check_output(["./scripts/generate-oval", "--usn-oval",
++        subprocess.check_output(["./scripts/generate-oval", "--type=usn",
                  "--output-dir={}".format(util.rel_test_path)] +  oscap_args,
                  stderr=subprocess.STDOUT)
@@ -29,4 +29,4 @@ class TestOvalLibEndToEnd:
      def test_validate_entire_oci_oval(self, dpkg_file, manifest, release):
          """Coherence check of entire generated oci OVAL"""
          util.create_validate_oci(dpkg_file, "{}_full".format(release),
--            ["--oval-release", release], manifest, release, OVALType.USN)
++            ["--oval-releases", release], manifest, release, OVALType.USN)
 diff --git a/test/test_oval_lib_functional.py b/test/test_oval_lib_functional.py
 index 8b400fb..aad0116 100644
 --- a/test/test_oval_lib_functional.py
 +++ b/test/test_oval_lib_functional.py
@@ -12,18 +12,18 @@ class TestOvalLibFunctional:
      def test_multiple_binary_package(self, manifest):
          """Test a package with multiple binaries"""
          util.create_validate_oci(util.focal_dpkg_file, "focal_4410",
--            ["--usn-number", "4410-1", "--oval-release", "focal"],
++            ["--usn-number", "4410-1", "--oval-releases", "focal"],
              manifest, "focal_mock_4410_vul", OVALType.USN)
      @pytest.mark.parametrize("manifest",
--        # Binary is in manifest and not vulnerable
++        # Binary is in manifest and not vulnerable
          [("bionic_mock_3642_not_vul"),
--        # Binary is in manifest and vulnerable
++        # Binary is in manifest and vulnerable
          ("bionic_mock_3642_vul")])
      def test_single_binary_package(self, manifest):
          """Test a package with a single binary"""
          util.create_validate_oci(util.bionic_dpkg_file, "bionic_3642",
--            ["--usn-number", "3642-1", "--oval-release", "bionic"],
++            ["--usn-number", "3642-1", "--oval-releases", "bionic"],
              manifest, manifest, OVALType.USN)
      @pytest.mark.parametrize("manifest",
@@ -34,7 +34,7 @@ class TestOvalLibFunctional:
      def test_multiple_packages_usn(self, manifest):
          """Test USN with multiple source packages"""
          util.create_validate_oci(util.bionic_dpkg_file, "bionic_4428",
--            ["--usn-number", "4428-1", "--oval-release", "bionic"],
++            ["--usn-number", "4428-1", "--oval-releases", "bionic"],
              manifest, "bionic_mock_4428", OVALType.USN)
      @pytest.mark.parametrize("manifest,gold_file,usn",
@@ -68,7 +68,7 @@ class TestOvalLibFunctional:
      def test_epoch(self, manifest, gold_file, usn):
          """Test epochs are used correctly in vulnerability assesments"""
          util.create_validate_oci(util.focal_dpkg_file, "focal_{}".format(usn),
--            ["--usn-number", usn, "--oval-release", "focal"], manifest,
++            ["--usn-number", usn, "--oval-releases", "focal"], manifest,
              gold_file, OVALType.USN)
 diff --git a/test/test_oval_lib_unit.py b/test/test_oval_lib_unit.py
 index c3abf85..ab3a758 100644
 --- a/test/test_oval_lib_unit.py
 +++ b/test/test_oval_lib_unit.py
@@ -429,8 +429,8 @@ No subscription required"""
          assert cve_info is None
      def test_create_dict_from_cve_file(self):
--        cve_dir = os.environ["UCT"]
--        dst_cve_file = os.path.join(cve_dir, "active", self.test_cve_file)
++        cve_dir = os.path.join(os.environ["UCT"], "active/")
++        dst_cve_file = os.path.join(cve_dir, self.test_cve_file)
          src_cve_file = os.path.join(rel_test_path, self.test_cve_file)
          copyfile(src_cve_file, dst_cve_file)
          corr_cve_info = {
@@ -451,7 +451,7 @@ No subscription required"""
+         }
          cve_info = oval_lib.OvalGeneratorUSN.get_cve_info_from_file(
--            self.oval_gen_mock, self.test_cve_file, cve_dir)
++            self.oval_gen_mock, self.test_cve_file, [cve_dir])
          try:
              assert cve_info == corr_cve_info
 diff --git a/test/test_utils.py b/test/test_utils.py
 index 682e45a..d62a842 100644
 --- a/test/test_utils.py
 +++ b/test/test_utils.py
@@ -6,9 +6,9 @@ import subprocess
  from enum import Enum
  class OVALType(Enum):
--    USN = '--usn-oval'
--    CVE = ''
--    PKG = '--pkg-oval'
++    USN = '--type=usn'
++    CVE = '--type=cve'
++    PKG = '--type=pkg'
  class TestUtilities:
      cwd = os.getcwd()

Ubuntu CVE Tracker

Merge ~ebarretto/ubuntu-cve-tracker:oval-bugs into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers