Merge ~ebarretto/ubuntu-cve-tracker:oval-bugs into ubuntu-cve-tracker:master

Proposed by Eduardo Barretto
Status: Merged
Merged at revision: e8bc729a439c0407a3985bd2c2f69a2c499acf32
Proposed branch: ~ebarretto/ubuntu-cve-tracker:oval-bugs
Merge into: ubuntu-cve-tracker:master
Diff against target: 26 lines (+6/-9)
1 file modified
scripts/oval_lib.py (+6/-9)
Reviewer Review Type Date Requested Status
David Fernandez Gonzalez Approve
Review via email: mp+461720@code.launchpad.net

Description of the change

Currently we handle `pending (<version>)` status as fixed, because there's a version to compare against, even though that fixed version is still not available to customers.
That usually works fine, but we realized that for the kernel, the main "user" of the `pending (<version>)` status, this creates some issues, where for OCI-based OVAL it can get tricky to match the kernel binary name.
Since `pending` status will report vulnerable anyway as the fixed version is not yet public, I'm proposing handling `pending` as vulnerable by default instead of fixing the name match.

A current example can be found today in id `2021448790000000` for OCI CVE-based OVAL for focal.
You can see that the fixed version is: 0:5.4.0-173.191 but the package being retrieved from the cache and trying to match against installed versions is: `^linux-image-(?:unsigned-)?5.3.0-\d+(?:-generic|-generic-lpae|-lowlatency|-snapdragon)(?::\w+|)\s+(.*)$`

That's because we default to getting the earliest version of such package if a version is not found in the cache, but since the kernel has the version in the binary name, that makes things tricky.

We will do a second separate check to see if that is currently happening for any other CVE that is not in `pending` status.
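To illustrate the mismatch described above, here is an added example (not code from ubuntu-cve-tracker): it runs the cached pattern quoted in the description against a constructed installed-kernel line and shows that a pattern keyed to the fix version's ABI would match. `kernel_abi_prefix`, `pattern_for_fix_version` and the dpkg-style input line are assumptions made for the example.

```python
import re
from typing import Optional

# Regex quoted in the merge proposal: the cached pattern for the focal kernel
# embeds the ABI of the earliest cached version (5.3.0), not of the fix.
CACHED_PATTERN = (
    r"^linux-image-(?:unsigned-)?5.3.0-\d+"
    r"(?:-generic|-generic-lpae|-lowlatency|-snapdragon)(?::\w+|)\s+(.*)$"
)

FLAVOURS = "(?:-generic|-generic-lpae|-lowlatency|-snapdragon)"


def kernel_abi_prefix(fix_version: str) -> str:
    """Return the 'x.y.z' part of a kernel fix version such as '0:5.4.0-173.191'.
    Hypothetical helper: the epoch (before ':') and the '-173.191' suffix are dropped."""
    version = fix_version.split(":", 1)[-1]
    return version.split("-", 1)[0]


def pattern_for_fix_version(fix_version: str) -> str:
    """Build a binary-name pattern of the same shape as CACHED_PATTERN but keyed
    to the fix version's ABI (hypothetical helper, not oval_lib's own code)."""
    abi = re.escape(kernel_abi_prefix(fix_version))
    return rf"^linux-image-(?:unsigned-)?{abi}-\d+{FLAVOURS}(?::\w+|)\s+(.*)$"


def installed_version(pattern: str, dpkg_line: str) -> Optional[str]:
    """Return the installed version captured by pattern, or None when the binary
    name does not match (the failure the proposal describes)."""
    m = re.match(pattern, dpkg_line)
    return m.group(1) if m else None


# Constructed 'dpkg-query -W' style line for a focal kernel at the fixed version.
INSTALLED_LINE = "linux-image-5.4.0-173-generic\t5.4.0-173.191"

if __name__ == "__main__":
    # The cached 5.3.0 pattern cannot see the 5.4.0 binary at all.
    print(installed_version(CACHED_PATTERN, INSTALLED_LINE))  # None
    # A pattern derived from the fix version's ABI does match it.
    print(installed_version(pattern_for_fix_version("0:5.4.0-173.191"), INSTALLED_LINE))  # 5.4.0-173.191
```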

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

LGTM!

review: Approve

Preview Diff

1diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
2index ac55286..48916a8 100755
3--- a/scripts/oval_lib.py
4+++ b/scripts/oval_lib.py
5@@ -254,15 +254,12 @@ class CVEPkgRelEntry:
6 elif code == 'pending':
7 # pending means that packages have been prepared and are in
8 # -proposed or in a ppa somewhere, and should have a version
9- # attached. If there is a version, test for package existence
10- # with that version, otherwise mark as vulnerable
11- if fix_version:
12- status['status'] = 'fixed'
13- status['note'] = " package in {0} is affected. An update containing the fix has been completed and is pending publication{1}".format(release, note_end)
14- status['fix-version'] = fix_version
15- else:
16- status['status'] = 'vulnerable'
17- status['note'] = " package in {0} is affected. An update containing the fix has been completed and is pending publication{1}".format(release, note_end)
18+ # attached. If there is a version, we could test for package
19+ # existence with that version, but since that could mean
20+ # different binary names (e.g. kernel binaries), therefore
21+ # it is better to just treat it vulnerable
22+ status['status'] = 'vulnerable'
23+ status['note'] = " package in {0} is affected. An update containing the fix has been completed and is pending publication{1}".format(release, note_end)
24 elif code == 'deferred':
25 status['status'] = 'vulnerable'
26 status['note'] = " package in {0} is affected, but a decision has been made to defer addressing it{1}".format(release, note_end)
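Review bot: the rewritten comment block reads awkwardly ("but since that could mean different binary names (e.g. kernel binaries), therefore it is better to just treat it vulnerable"); drop "therefore" and say "treat it as vulnerable". More substantively, with the two branches collapsed `fix_version` is no longer consulted for `pending` and `status['fix-version']` is never set, so any consumer that read that key to learn the upcoming version loses it; if that is intended, say so in the comment (or keep the version in the status note) so the trade-off is explicit.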
