Merge ~eslerm/ubuntu-cve-tracker:website-fix-tag into ubuntu-cve-tracker:master
- Git
- lp:~eslerm/ubuntu-cve-tracker
- website-fix-tag
- Merge into master
Status: | Merged |
---|---|
Merged at revision: | e4d9ea612a6e31952ea21396f3c5c35fc19a2485 |
Proposed branch: | ~eslerm/ubuntu-cve-tracker:website-fix-tag |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
146 lines (+94/-8) 2 files modified
scripts/publish-cves-to-website-api.py (+14/-2) scripts/test_publish-cves-to-website-api.py (+80/-6) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Tobias Heider | Approve | ||
Mark Esler | Approve | ||
Alex Murray | Approve | ||
Eduardo Barretto | Needs Information | ||
Seth Arnold | Approve | ||
Review via email: mp+459486@code.launchpad.net |
Commit message
Description of the change
Mark Esler (eslerm) wrote : | # |
Thanks Seth
tags are not standardized, and there are some tags with spaces in the
so, I need to make a new patch :)
Diogo Sousa (0xdsousa) wrote : | # |
> Thanks Seth
>
> tags are not standardized, and there are some tags with spaces in the
>
> so, I need to make a new patch :)
If we know that the first separator will always be a space, `maxsplit=1` should ensure two components.
Eduardo Barretto (ebarretto) wrote : | # |
is this still under development?
Mark Esler (eslerm) wrote : | # |
This is ready now. I tested against all active/ ignored/ and retired/ cves.
Mark Esler (eslerm) wrote : | # |
retested with two lines of deadcode removed
Alex Murray (alexmurray) wrote : | # |
Would it be better to update cve_lib so that it can and does parse the tags and returns these as a tuple along with the patch URL that way we can encapsulate that parsing in a more logical location?
Mark Esler (eslerm) wrote (last edit ): | # |
I can move this to cve_lib if preferred. I've been hesitant to move the kludge there.
To remove all kludges, our deb822 UCT file format should change to properly track tags. i.e., tags shouldn't exist as part of the url string. (To do this, tags would first need to be sanitized to remove whitespace. And what to do in the case of no tags would need to be worked out.)
e.g.,
```
diff --git a/active/
index 453ef36a951.
--- a/active/
+++ b/active/
@@ -20,12 +20,16 @@ CVSS:
nvd: CVSS:3.
Patches_openldap:
- upstream: https:/
- upstream: https:/
- upstream: https:/
- upstream: https:/
- upstream: https:/
- upstream: https:/
+ upstream:
+ master:
+ https:/
+ https:/
+ 2_6_4:
+ https:/
+ https:/
+ 2_5_14:
+ https:/
+ https:/
upstream_openldap: released (2.6.4)
trusty_openldap: ignored (end of standard support)
trusty/
```
edit: Launchpad does not show whitespace of the above example well. Please check in an editor.
Alex Murray (alexmurray) wrote : | # |
I don't think we would have to change the CVE file format necessarily - although I do like the idea of making this more structured - so let's not bikeshed on that or let it get in the way of this MR - we can always do that work as a separate MR in the future, so +1 from me on this current MR as is.
Mark Esler (eslerm) wrote : | # |
Alex, would you still like this moved to cve_lib? I don't mind doing so. I can merge this now and remove it after.
Alex Murray (alexmurray) wrote : | # |
Assuming I understand you correctly, I think if you move it to cve_lib you'll end up having to fix up all existing users of Patches within cve_lib to then expect a list of tuples, not a list of strings which feels like too much churn - particularly if you want to restructure the CVE files eventually anyway to make this more hierarchical as per your example earlier - so I think we merge this as is then can work on improving things later.
Marc Deslauriers (mdeslaur) wrote : | # |
It's not intended to be a tag, it's a comment, and there could be whitespace in it. Trying to use comments as tags only would change the commit sort order. I think that would be a big change to how we use them now, and we'd still need to figure out how to add comments.
Marc Deslauriers (mdeslaur) wrote : | # |
Here's an example from CVE-2023-48795:
Patches_paramiko:
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
upstream: https:/
Mark Esler (eslerm) wrote : | # |
Ack, thanks for clarification Marc. This should not be merged.
My conclusion now is that the issue is on the webpage tooling end: https:/
Does that sound reasonable to others? If so, I'll update that issue with a comment for the web team.
They should be able to add an anchor link to our output `<source>: <url>` or `<source>: <url> (<note>)`.
Also, what is happening here: https:/
Seth Arnold (seth-arnold) wrote : | # |
Getting the web team to adapt to what we send them has been a challenge; I think we'd be better suited to just send them the moral equivalent of foo.split(" ")[0] and leave it at that. Changing the submission format to support both the patch URL and patch description would be nice but that's even more work. We could unbreak all the links with a simple thing that'll throw away a bit of data in the display.
Mark Esler (eslerm) wrote (last edit ): | # |
Following Seth's advice, the new patch drops notes.
I added comments to clarify why/how things are done.
Seth Arnold (seth-arnold) wrote : | # |
I think the regex is too tight, it'll skip entries with spaces in the note.
Mark Esler (eslerm) wrote : | # |
Right you are. Thanks Seth!
Now:
```
Patches_moodle:
upstream: http://
upstream: http://
upstream: http://
upstream: http://
```
Results in:
```
{'moodle': ['upstream: http://
```
Seth Arnold (seth-arnold) wrote : | # |
Cool, thanks!
You've spent a fair amount of time with this function, and this file; would it be easy to add some tests here? those four examples are a really decent start on test cases. I *think* it wouldn't be too much more to get some tests, but hooking them up to run periodically would be the bigger challenge. (And it might be super-easy once you know the trick, I just don't know it off-hand.)
Thanks
Seth Arnold (seth-arnold) wrote : | # |
Useless comment to see if I can reproduce an oops.
Mark Esler (eslerm) wrote : | # |
Updates for tests added.
Tests across UCT are a bit scattered and loosely defined, so I've filed https:/
Tobias Heider (tobhe) wrote : | # |
Just stumbled over that bug, patch looks good!
Preview Diff
1 | diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py |
2 | index 5ee1737..aafe81e 100755 |
3 | --- a/scripts/publish-cves-to-website-api.py |
4 | +++ b/scripts/publish-cves-to-website-api.py |
5 | @@ -1,7 +1,6 @@ |
6 | #! /usr/bin/env python3 |
7 | # Standard library |
8 | import os |
9 | -import pprint |
10 | import sys |
11 | import cve_lib |
12 | import re |
13 | @@ -54,7 +53,20 @@ def get_tags(cve_data): |
14 | def get_patches(cve_data): |
15 | patches = {} |
16 | for pkg in cve_data['patches']: |
17 | - patches[pkg] = [patch_type + ": " + entry for patch_type, entry in cve_data['patches'].get(pkg)] |
18 | + temp = [] |
19 | + for source, entry in cve_data['patches'].get(pkg): |
20 | + # NOTE: KLUDGE1: cve_lib is not aware of patch notes in entry |
21 | + entry_match = re.match(r"(\S+) \((.+)\)", entry) |
22 | + if entry_match: |
23 | + url = entry_match.groups()[0] |
24 | + # NOTE: KLUDGE2: external web tooling cannot handle notes |
25 | + # drop them. |
26 | + # https://github.com/canonical/ubuntu.com/issues/13498 |
27 | + #note = entry_match.groups()[1] |
28 | + else: |
29 | + url = entry |
30 | + temp.append(f"{source}: {url}") |
31 | + patches[pkg] = temp |
32 | return patches |
33 | |
34 | def get_devel_codename(cve_releases): |
35 | diff --git a/scripts/test_publish-cves-to-website-api.py b/scripts/test_publish-cves-to-website-api.py |
36 | index 7e4ed88..d2b37a5 100755 |
37 | --- a/scripts/test_publish-cves-to-website-api.py |
38 | +++ b/scripts/test_publish-cves-to-website-api.py |
39 | @@ -2,27 +2,101 @@ |
40 | |
41 | # Dependencies: python3-macaroonbakery |
42 | |
43 | -import pytest |
44 | +import cve_lib |
45 | import json |
46 | import os |
47 | import importlib |
48 | +import pytest |
49 | + |
50 | publish_cves = importlib.import_module("publish-cves-to-website-api") |
51 | |
52 | TEST_DATA_DIR = "test" |
53 | -PARSE_OKAY_TESTS = [f for f in os.listdir("test/website_api") \ |
54 | - if f.startswith("use_") and not f.endswith(".json")] |
55 | +PARSE_OKAY_TESTS = [ |
56 | + file |
57 | + for file in os.listdir("test/website_api") |
58 | + if file.startswith("use_") and not file.endswith(".json") |
59 | +] |
60 | + |
61 | |
62 | class TestWebSiteAPI: |
63 | + """pytest website api dry run""" |
64 | + |
65 | def __check_simple_okay(self, cve_test_file): |
66 | + """test website api dry run""" |
67 | _test_file = os.path.join(TEST_DATA_DIR, "website_api", cve_test_file) |
68 | assert os.path.exists(_test_file) |
69 | - payload = publish_cves.main(['--dry-run', '--ignore-filename-check', _test_file]) |
70 | + payload = publish_cves.main( |
71 | + ["--dry-run", "--ignore-filename-check", _test_file] |
72 | + ) |
73 | assert payload is not None |
74 | - with open("%s.json" % _test_file, "rt") as f: |
75 | - payload_json = json.load(f) |
76 | + with open(f"{_test_file}.json", "rt") as file: |
77 | + payload_json = json.load(file) |
78 | assert payload_json is not None |
79 | assert payload == payload_json |
80 | |
81 | @pytest.mark.parametrize("cve_test_file", PARSE_OKAY_TESTS) |
82 | def test_simple_okay(self, cve_test_file): |
83 | + """parameterize website api dry run""" |
84 | self.__check_simple_okay(cve_test_file) |
85 | + |
86 | + def test_get_patches(self): |
87 | + """test publish_cves.get_patches()""" |
88 | + test_file = "active/CVE-2023-48795" |
89 | + assert os.path.exists(test_file) |
90 | + cve_data = cve_lib.load_cve(test_file) |
91 | + patches = publish_cves.get_patches(cve_data) |
92 | + assert patches == { |
93 | + "openssh": [ |
94 | + "upstream: https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5" |
95 | + ], |
96 | + "dropbear": [ |
97 | + "upstream: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356" |
98 | + ], |
99 | + "golang-go.crypto": [ |
100 | + "upstream: https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d" |
101 | + ], |
102 | + "snapd": [], |
103 | + "lxd": [], |
104 | + "libssh": [ |
105 | + "upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/4cef5e965a46e9271aed62631b152e4bd23c1e3c", |
106 | + "upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/0870c8db28be9eb457ee3d4f9a168959d9507efd", |
107 | + "upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/5846e57538c750c5ce67df887d09fa99861c79c6", |
108 | + "upstream: https://gitlab.com/libssh/libssh-mirror/-/commit/89df759200d31fc79fbbe213d8eda0d329eebf6d", |
109 | + ], |
110 | + "libssh2": [ |
111 | + "upstream: https://github.com/libssh2/libssh2/commit/d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a", |
112 | + "upstream: https://github.com/libssh2/libssh2/pull/1291", |
113 | + ], |
114 | + "openssh-ssh1": [], |
115 | + "paramiko": [ |
116 | + "upstream: https://github.com/paramiko/paramiko/commit/be3ffc18cc466e0b0a877d716721353c12561bcc", |
117 | + "upstream: https://github.com/paramiko/paramiko/commit/4c7f0410c533cdf0df2890512237961f934f5ab9", |
118 | + "upstream: https://github.com/paramiko/paramiko/commit/773a174fb1e40e1d18dbe2625e16337ea401119e", |
119 | + "upstream: https://github.com/paramiko/paramiko/commit/c32be441a5ff0dc4914b22d6d1efa392aebe862f", |
120 | + "upstream: https://github.com/paramiko/paramiko/commit/f4dedacb9040d27d9844f51c81c28e0247d3e4a3", |
121 | + "upstream: https://github.com/paramiko/paramiko/commit/73f079f5a4bbba7f3048dadbe05b24242206745e", |
122 | + "upstream: https://github.com/paramiko/paramiko/commit/75e311d3c0845a316b6e7b3fae2488d86ad5a270", |
123 | + "upstream: https://github.com/paramiko/paramiko/commit/fa46de7feeeb8a01dc471581a0258252ce4f2db6", |
124 | + "upstream: https://github.com/paramiko/paramiko/commit/8dcb237f0ee095b1d8b26765c3d41d0ab6963be9", |
125 | + "upstream: https://github.com/paramiko/paramiko/commit/58785d29c47570fa700e096d16b9a0d3a6069048", |
126 | + "upstream: https://github.com/paramiko/paramiko/commit/96db1e2be856eac66631761bae41167a1ebd2b4e", |
127 | + "upstream: https://github.com/paramiko/paramiko/commit/33508c920309860c4a775be70f209c2a400e18ec", |
128 | + "upstream: https://github.com/paramiko/paramiko/commit/30b447b911c39460bbef5e7834e339c43a251316", |
129 | + "upstream: https://github.com/paramiko/paramiko/commit/3e4bdf998f5b1508322234a527e8fa432220368b", |
130 | + ], |
131 | + "putty": [ |
132 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9e099151574885f3c717ac10a633a9218db8e7bb", |
133 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=f2e7086902b3605c96e54ef9c956ca7ab000010e", |
134 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fcbb86f715bc03e58921482efe663aa0c662d62", |
135 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=244be5412728a7334a2d457fbac4e0a2597165e5", |
136 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=58fc33a155ad496bdcf380fa6193302240a15ae9", |
137 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=0b00e4ce26d89cd010e31e66fd02ac77cb982367", |
138 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=fdc891d17063ab26cf68c74245ab1fd9771556cb", |
139 | + "upstream: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=b80a41d386dbfa1b095c17bd2ed001477f302d46", |
140 | + ], |
141 | + "proftpd-dfsg": [], |
142 | + "python-asyncssh": [ |
143 | + "upstream: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b" |
144 | + ], |
145 | + "filezilla": [], |
146 | + } |
I think this will do the job. It's probably worth trying by-hand on both an entry with a tag and an entry without a tag before checking it in, but I've got good feelings about this.
Once it works we should do a big run over all affected CVEs.
Thanks