Merge ~emitorino/ubuntu-cve-tracker:add_support_for_non_ubuntu_releases into ubuntu-cve-tracker:master

Proposed by Emilia Torino
Status: Merged
Merge reported by: Steve Beattie
Merged at revision: a996724046c295a0dd60fb6efd0a06418c1ea373
Proposed branch: ~emitorino/ubuntu-cve-tracker:add_support_for_non_ubuntu_releases
Merge into: ubuntu-cve-tracker:master
Diff against target: 38 lines (+7/-2)
2 files modified
scripts/cve_lib.py (+1/-1)
scripts/generate-oval (+6/-1)
Reviewer Review Type Date Requested Status
Steve Beattie Approve
Eduardo Barretto Approve
Review via email: mp+402154@code.launchpad.net

Commit message

- scripts/generate-oval: ignore non-Ubuntu projects during OVAL generation

Description of the change

Running:
$ mkdir /tmp/oval && ./scripts/generate-oval --output-dir /tmp/oval/ active/CVE-2021-3121
Traceback (most recent call last):
  File "./scripts/generate-oval", line 736, in <module>
    main()
  File "./scripts/generate-oval", line 212, in main
    cve_data = parse_cve_file(filepath, cache)
  File "./scripts/generate-oval", line 446, in parse_cve_file
    parse_package_status(key, package, value, filepath, cache)
  File "./scripts/generate-oval", line 253, in parse_package_status
    status['bin-pkgs'] = cache.get_binarypkgs(package, get_orig_rel_name(release))
  File "./scripts/generate-oval", line 639, in get_binarypkgs
    source = self._lookup_latest_source_package(pname, release)
  File "./scripts/generate-oval", line 595, in _lookup_latest_source_package
    self.releases[release] = self.ubuntu.getSeries(name_or_version=release)
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/resource.py", line 605, in __call__
    response, content = self.root._browser._request(
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/_browser.py", line 438, in _request
    raise error
lazr.restfulclient.errors.NotFound: HTTP Error 404: Not Found
Response headers:
---
content-length: 42
content-security-policy: frame-ancestors 'self';
content-type: text/plain
date: Mon, 03 May 2021 17:43:01 GMT
server: zope.server.http (HTTP)
status: 404
strict-transport-security: max-age=15552000
vary: Accept
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-launchpad-revision: 02afa4875ac52c169f5cddf0d1bcdd6e149a3754
x-lazr-notifications: []
x-powered-by: Zope (www.zope.org), Python (www.python.org)
x-xss-protection: 1; mode=block
---
Response body:
---
b"No such distribution series: 'git/github'."
---

After this change:
$ mkdir /tmp/oval && ./scripts/generate-oval --output-dir /tmp/oval/ active/CVE-2021-3121
Progress: [####################] 100% (1 of 1 CVEs processed)
$ ls -la /tmp/oval/
total 108
drwxrwxr-x 2 emitorino emitorino 4096 may 3 14:41 .
drwxrwxrwt 36 root root 57344 may 3 14:41 ..
-rw-rw-r-- 1 emitorino emitorino 6165 may 3 14:41 com.ubuntu.bionic.cve.oval.xml
-rw-rw-r-- 1 emitorino emitorino 6117 may 3 14:41 com.ubuntu.focal.cve.oval.xml
-rw-rw-r-- 1 emitorino emitorino 6145 may 3 14:41 com.ubuntu.groovy.cve.oval.xml
-rw-rw-r-- 1 emitorino emitorino 6173 may 3 14:41 com.ubuntu.hirsute.cve.oval.xml
-rw-rw-r-- 1 emitorino emitorino 3591 may 3 14:41 com.ubuntu.trusty.cve.oval.xml
-rw-rw-r-- 1 emitorino emitorino 6270 may 3 14:41 com.ubuntu.xenial.cve.oval.xml

Eduardo Barretto (ebarretto) wrote :

LGTM!

review: Approve
Steve Beattie (sbeattie) wrote :

So even with this fix, the oval generator is still failing with the following error from launchpad:

Response body:
---
b"No such distribution series: 'esm-infra/xenial'."
---

I also think that it's probably better to be explicit what we're trying to generate for, rather than enumerating all the things we shouldn't be generating.

a996724... by Emilia Torino

Fixing boolean condition while checking for esm string patterns

Signed-off-by: Maria Emilia Torino <email address hidden>

Emilia Torino (emitorino) wrote :

> So even with this fix, the oval generator is still failing with the following
> error from launchpad:
>
> Response body:
> ---
> b"No such distribution series: 'esm-infra/xenial'."
Eduardo's commit https://git.launchpad.net/ubuntu-cve-tracker/commit/scripts/cve_lib.py?id=96875b1ef8673c6f441852948c4067b7119b1413 fixed this issue, but iiuc introduced another one since this same script was generating outputs like:

WARNING: Unknown package field "trusty/esm" in trusty/esm_shadow in "./active/CVE-2005-4890"
WARNING: Unknown package field "esm-infra/xenial" in esm-infra/xenial_shadow in "./active/CVE-2005-4890"

It's my understanding that the issue is present in the boolean condition: https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/cve_lib.py#n1525 should be 'and' instead of 'or' as this last commit proposes: https://git.launchpad.net/~emitorino/ubuntu-cve-tracker/commit/?id=a996724046c295a0dd60fb6efd0a06418c1ea373

> ---
>
> I also think that it's probably better to be explicit what we're trying to
> generate for, rather than enumerating all the things we shouldn't be
> generating.

I agree, but on the other side we are adding several changes to $UCT and I am not sure about the effects a refactoring in this lib could generate. Maybe we can include it in a follow up MP?
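The boolean condition discussed in the comment above, worked through in an added example (this is not code from ubuntu-cve-tracker): both versions of the predicate from the cve_lib.py diff are applied to the release names that appear in this thread. The diff only shows the `esm-` branch of the mapping; the `/esm` branch is not visible, so returning `rel.split('/')[0]` for names like `trusty/esm` is an assumption made here for illustration.

```python
# Added example (not from ubuntu-cve-tracker): reconstructs the predicate from the
# cve_lib.py hunk to show why the original 'or' never mapped ESM release names.


def _strip_esm(rel):
    """Mapping applied to a name that matched one of the ESM patterns.

    The 'esm-' branch is taken from the diff; the '/esm' branch is not shown
    there, so 'trusty/esm' -> 'trusty' is an assumption made for this example.
    """
    if rel.startswith('esm-'):
        return rel.split('/')[1]      # 'esm-infra/xenial' -> 'xenial'
    return rel.split('/')[0]          # assumed: 'trusty/esm' -> 'trusty'


def get_orig_rel_name_before(rel):
    """Pre-fix logic: early return unless BOTH tests fail, which no ESM name does
    (an ESM name matches only one of the two patterns), so the mapping is dead code."""
    if not rel.endswith('/esm') or not rel.startswith('esm-'):
        return rel
    return _strip_esm(rel)


def get_orig_rel_name_after(rel):
    """Post-fix logic: early return only when NEITHER ESM pattern matches."""
    if not rel.endswith('/esm') and not rel.startswith('esm-'):
        return rel
    return _strip_esm(rel)


def is_esm_name(rel):
    """De Morgan: 'not A and not B' is 'not (A or B)'. The fixed early return
    fires exactly for names that match neither pattern, i.e. non-ESM names."""
    return rel.endswith('/esm') or rel.startswith('esm-')


def compare(names):
    """Return {name: (before, after)} so the behavioural change is visible."""
    return {n: (get_orig_rel_name_before(n), get_orig_rel_name_after(n)) for n in names}


if __name__ == '__main__':
    # Constructed sample: the two names from the warnings in the thread plus a plain release.
    for name, (before, after) in compare(['trusty/esm', 'esm-infra/xenial', 'focal']).items():
        print(f'{name:20} before={before:20} after={after}')
```

With the original `or`, every ESM name satisfies at least one of the negated tests, so the function always hands back the unmapped name; that is consistent with the `Unknown package field "trusty/esm"` warnings quoted above, where the raw ESM key reached code that only knows plain release names.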

Steve Beattie (sbeattie) wrote :

> > I also think that it's probably better to be explicit what we're trying to
> > generate for, rather than enumerating all the things we shouldn't be
> > generating.
>
> I agree, but on the other side we are adding several changes to $UCT and I am
> not sure about the effects a refactoring in this lib could generate. Maybe we
> can include it in a follow up MP?

Yes, that's fine.

Thanks for digging into this and coming up with fixes!

Merged.

review: Approve

Preview Diff

1diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
2index 04ff225..0292ef8 100755
3--- a/scripts/cve_lib.py
4+++ b/scripts/cve_lib.py
5@@ -1522,7 +1522,7 @@ def get_esm_name(rel, component=None):
6
7 # get the original name of an esm release
8 def get_orig_rel_name(rel):
9- if not rel.endswith('/esm') or not rel.startswith('esm-'):
10+ if not rel.endswith('/esm') and not rel.startswith('esm-'):
11 return rel
12 if rel.startswith('esm-'):
13 return rel.split('/')[1]
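Review bot: the pre-change test `if not rel.endswith('/esm') or not rel.startswith('esm-')` returns `rel` unchanged whenever either check fails, and every ESM name fails one of them ('trusty/esm' has no 'esm-' prefix, 'esm-infra/xenial' has no '/esm' suffix), so the mapping below this line was effectively unreachable and the bug surfaced only as the downstream "Unknown package field" warnings quoted in the discussion rather than as an error. Switching to `and` is the right fix; since a wrong predicate here fails silently, a small regression test covering 'trusty/esm', 'esm-infra/xenial' and a plain release name such as 'focal' would keep it from regressing.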
14diff --git a/scripts/generate-oval b/scripts/generate-oval
15index 0b055e3..e03dec5 100755
16--- a/scripts/generate-oval
17+++ b/scripts/generate-oval
18@@ -89,6 +89,11 @@ ignored_releases = [
19 'yakkety', 'zesty', 'artful', 'cosmic', 'disco', 'eoan'
20 ]
21
22+# For now, ignore non-Ubuntu projects
23+ignored_projects = [
24+ 'git/github'
25+]
26+
27 all_releases = list(supported_releases.keys()) + ignored_releases
28
29 ignored_package_fields = [
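Review bot: `ignored_projects` is a hardcoded denylist with a single entry, so the next non-Ubuntu key that appears in a CVE file will hit the same Launchpad 404 in `_lookup_latest_source_package` that the description shows for 'git/github'. As the review discussion already notes, an allowlist of the releases OVAL is actually generated for would be more robust; if that is deferred to a follow-up, a TODO next to the `# For now, ignore non-Ubuntu projects` comment stating that intent would help, and checking a key against `supported_releases` before any Launchpad lookup would turn a remote 404 into a clear local error.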
30@@ -425,7 +430,7 @@ def parse_cve_file(filepath, cache):
31 if ignore_source_package(package):
32 continue
33
34- if key in ignored_package_fields or key in ignored_releases:
35+ if key in ignored_package_fields or key in ignored_releases or key in ignored_projects:
36 continue
37
38 if (package not in packages):
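Review bot: the skip condition now chains three list membership tests on one long line; a precomputed `ignored_keys = set(ignored_package_fields) | set(ignored_releases) | set(ignored_projects)` next to the definitions would keep this `if` short and make the next exclusion a one-line change. Also consider a debug-level log of which key was skipped, since the `continue` is silent and an entry in one of these lists that stops matching anything would otherwise go unnoticed.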
