"When generating oval data for kernel packages (`_populate_kernel_pkg`), the `_add_test_ref_to_cve_tag` would always add the `self.definition_id` as the id. This meant every <cve> tag had a `test_ref` that didn't always link to an oval test. Now the code checks whether there is an existing id from `fixed_versions` that would be assigned to the cve. If not, then it can assign the id as `self.definition_id`."
The race condition will always be based on the current status of the CVEs. An example:
1. With version A being the fixed version, the first CVE with a fixed status for version A will create the test with self.definition_id, making the cve tag point to the right test.
2. The second fixed CVE with a status for version A will reuse the test from 1., but it will still link the cve tag to self.definition_id, making it point to nowhere.
Each time a CVE is changed, version A may be listed, altering the order in which one is picked first; therefore it is not certain that the cve tag failing today will be the same one tomorrow, but there will surely be a wrong one if there was one.
Evan's fix should be enough to tackle this issue.
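The two-CVE scenario above, reproduced in a small model added here for illustration; this is not the project's own generator code. The class, method and attribute names (`KernelPopulator`, `_populate_kernel_pkg`, `_add_test_ref_to_cve_tag`, `definition_id`, `fixed_versions`) mirror the ones mentioned in the thread, but their bodies, the assumption that `definition_id` advances once per emitted test, and the CVE ids and versions are all constructed for the example. The `reuse_existing_test` flag switches between the original behaviour (always stamping `self.definition_id` into the `<cve>` tag) and the fix (reusing the test id already recorded in `fixed_versions`).

```python
from dataclasses import dataclass, field


@dataclass
class OvalDoc:
    """Minimal stand-in for the generated OVAL document (constructed for this example)."""
    tests: dict = field(default_factory=dict)     # test id -> fixed version the test checks
    cve_tags: dict = field(default_factory=dict)  # CVE id -> test_ref written into its <cve> tag


class KernelPopulator:
    """Hypothetical model of the kernel OVAL generator.

    reuse_existing_test=False reproduces the defect; True applies the fix.
    """

    def __init__(self, first_definition_id: int, reuse_existing_test: bool):
        self.definition_id = first_definition_id
        self.reuse_existing_test = reuse_existing_test
        self.fixed_versions: dict = {}   # fixed version -> id of the test that checks it
        self.doc = OvalDoc()

    def _add_test_ref_to_cve_tag(self, cve: str, version: str) -> int:
        existing = self.fixed_versions.get(version)
        if self.reuse_existing_test and existing is not None:
            test_ref = existing            # fixed: point at the test that already exists
        else:
            test_ref = self.definition_id  # original: always the current definition id
        self.doc.cve_tags[cve] = test_ref
        return test_ref

    def _add_test(self, version: str) -> int:
        if version in self.fixed_versions:
            return self.fixed_versions[version]  # test already emitted for this version; reuse it
        test_id = self.definition_id
        self.doc.tests[test_id] = version
        self.fixed_versions[version] = test_id
        self.definition_id += 1                  # assumption: the id advances per emitted test
        return test_id

    def _populate_kernel_pkg(self, cves) -> OvalDoc:
        """cves: iterable of (cve id, fixed version) in the order the generator sees them."""
        for cve, version in cves:
            self._add_test_ref_to_cve_tag(cve, version)
            self._add_test(version)
        return self.doc


def broken_cve_tags(doc: OvalDoc, cves) -> list:
    """CVEs whose test_ref does not resolve to a test for their own fixed version
    (either a dangling id or a test for some other version)."""
    return [cve for cve, version in cves if doc.tests.get(doc.cve_tags[cve]) != version]


# Constructed sample input: two CVEs fixed in version A, one fixed in version B.
CVES = [("CVE-0000-0001", "A"), ("CVE-0000-0002", "A"), ("CVE-0000-0003", "B")]


def run(reuse_existing_test: bool, cves=CVES) -> list:
    """Generate the document for `cves` and return the CVEs whose <cve> tag is wrong."""
    doc = KernelPopulator(100, reuse_existing_test)._populate_kernel_pkg(cves)
    return broken_cve_tags(doc, cves)


if __name__ == "__main__":
    print("original, in order:  ", run(False))             # ['CVE-0000-0002']
    print("original, reversed:  ", run(False, CVES[::-1]))  # ['CVE-0000-0001']
    print("fixed, in order:     ", run(True))               # []
    print("fixed, reversed:     ", run(True, CVES[::-1]))   # []
```

Running it with the original behaviour, the second CVE sharing version A ends up with a `test_ref` that either dangles or points at the test for version B, and reversing the input order moves the defect to a different CVE, which is the order dependence the comment describes. With the fix, both orders produce no broken tags, so a regression check for this bug should generate the document from the same CVE set in at least two orders and assert that every `<cve>` tag resolves to a test for its own fixed version.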