Merge ~litios/ubuntu-cve-tracker:add-static-built-using into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 9017273fae6f79c1ef72330c9bbd7fb5175c0c8a
Proposed branch: ~litios/ubuntu-cve-tracker:add-static-built-using
Merge into: ubuntu-cve-tracker:master
Diff against target: 117 lines (+35/-30)
1 file modified
scripts/source_map.py (+35/-30)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Alex Murray Needs Fixing
Review via email: mp+435735@code.launchpad.net

Description of the change

The tool that reports the packages used during the build uses Built-Using to gather them. This is not the only case for other formats like Golang.

This is a proposal to extend this to the tag 'Static-Built-Using' for the tool itself and also to allow other custom tags in the future, like the ones in https://wiki.debian.org/Static-Built-Using, for source_map.

As this is not the only tool using the functions from source_map, I've tried to minimize changes to prevent other scripts from breaking and to make it as generic as possible.

On a side note, the script process-cves, on line 1092, uses these functions to tell the user about packages that may need to be rebuilt. I would also like to propose adding the static check there too. The worst-case scenario would be nothing extra to report.
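As an added illustration of the gathering the proposal describes (this is a stand-alone sketch written for this page, not code from ubuntu-cve-tracker's source_map.py), the block below parses a constructed Packages-file excerpt, collects every known Built-Using family tag in one pass, and answers the question the tool exists for: which binaries embed a given source package and therefore need a rebuild when that source gets a security update. The tag list, the regular expression, the sample stanzas and all function names are assumptions made for the example; the only things taken from the page are the three tag names and the "source (= version)" entry form.

```python
import re
from collections import defaultdict

# Tags whose values name embedded source packages. Hypothetical constant for
# this example; the proposal adds an equivalent list to source_map.py.
BUILT_USING_TAGS = ("Built-Using", "Static-Built-Using", "X-Cargo-Built-Using")

# Every entry in these fields has the form "source (= version)".
ENTRY_RE = re.compile(r"^\s*(?P<src>\S+)\s*\(=\s*(?P<ver>[^)]+)\)\s*$")

# Constructed Packages-file excerpt (not real archive data): one binary per
# tag family, one binary carrying two tags, and one wrapped field value.
SAMPLE_PACKAGES = """\
Package: go-tool
Version: 1.0-1
Built-Using: golang-1.20 (= 1.20.3-1), golang-golang-x-sys (= 0.6.0-1)

Package: rust-tool
Version: 2.0-3
X-Cargo-Built-Using: rust-libc (= 0.2.139-1),
 rust-serde (= 1.0.152-1)

Package: static-tool
Version: 0.5-2
Built-Using: golang-1.20 (= 1.20.3-1)
Static-Built-Using: glibc (= 2.37-0ubuntu2)
"""


def parse_stanzas(text):
    """Split Packages-format text into one dict per stanza. Blank lines separate
    stanzas; a line starting with whitespace continues the previous field."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + line.strip()
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed control line: %r" % line)
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_built_using(value):
    """Turn a (possibly wrapped) field value into [(source, version), ...].
    Splitting on ',' rather than ', ' survives wrapping and odd spacing; an
    entry that does not match "src (= ver)" is an error, not silently dropped,
    so a rebuild candidate is never lost."""
    entries = []
    for item in value.split(","):
        if not item.strip():
            continue
        match = ENTRY_RE.match(item)
        if match is None:
            raise ValueError("unparseable Built-Using entry: %r" % item)
        entries.append((match.group("src"), match.group("ver").strip()))
    return entries


def load_built_using(stanzas):
    """Build {source: {version: [(binary, binary_version, tag), ...]}} across
    all tags, so one query covers every tag family at once."""
    built_using = defaultdict(lambda: defaultdict(list))
    for stanza in stanzas:
        for tag in BUILT_USING_TAGS:
            if tag not in stanza:
                continue
            for src, ver in parse_built_using(stanza[tag]):
                entry = (stanza["Package"], stanza["Version"], tag)
                if entry not in built_using[src][ver]:
                    built_using[src][ver].append(entry)
    return built_using


def packages_embedding(built_using, src, version=None):
    """Binaries that embed `src` (optionally one specific version): the
    packages to rebuild when `src` is fixed."""
    if src not in built_using:
        return []
    rows = []
    for ver, users in built_using[src].items():
        if version is None or ver == version:
            rows.extend(users)
    return sorted(rows)


if __name__ == "__main__":
    built = load_built_using(parse_stanzas(SAMPLE_PACKAGES))
    for src in sorted(built):
        for pkg, pkgver, tag in packages_embedding(built, src):
            print("%-22s %-20s %-12s %s" % (src, pkg, pkgver, tag))
```

The report keeps the tag alongside each user so the reader can tell a dynamically linked embed (Built-Using) from a static one (Static-Built-Using, X-Cargo-Built-Using), which matters when deciding whether a rebuild is needed or a plain library update suffices.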

Eduardo Barretto (ebarretto) wrote :

overall lgtm, I made some small comments and I would wait for Steve's review.

David Fernandez Gonzalez (litios) :
Shengjing Zhu (zhsj) wrote :

There will be some period that Built-Using and Static-Built-Using are both used on different packages. If we only have one tag (default_built_using_tag), then we only get partial results. Would it be better to have results for all tags? And maybe include X-Cargo-Built-Using as well.

Alex Murray (alexmurray) wrote :

I agree - I think the tool should gather and report the results of all known 'Built-Using' tags rather than relying on the user to invoke it with all the various possible combinations of different tags.

review: Needs Fixing
David Fernandez Gonzalez (litios) wrote :

I definitely agree with that. I fixed it to include the Cargo tag and also make it gather and print all the tags.

Example with Static-Built-Using: https://pastebin.canonical.com/p/JWrpFc3zPG/
Example with X-Cargo-Built-Using: https://pastebin.canonical.com/p/hFkyhmyW6Z/

Eduardo Barretto (ebarretto) wrote :

lgtm, thanks!

review: Approve

Preview Diff

1diff --git a/scripts/source_map.py b/scripts/source_map.py
2index e53a71e..ef849d5 100755
3--- a/scripts/source_map.py
4+++ b/scripts/source_map.py
5@@ -19,6 +19,7 @@ import sys
6 import cve_lib
7 import yaml
8
9+built_using_tags = ["Built-Using", "Static-Built-Using", "X-Cargo-Built-Using"]
10 apt_pkg.init_system()
11
12
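Review bot: the new module-level `built_using_tags = [...]` list carries no comment saying what the three tags are or where the set comes from; a one-line comment pointing at https://wiki.debian.org/Static-Built-Using, which the description already cites, would tell whoever adds the next tag where to look. Since the list is only ever iterated, a tuple would also make that intent explicit.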
13@@ -338,8 +339,9 @@ def load_packages_collection(item, map):
14 else:
15 map[release][pkg]['source'] = parser.section['Package']
16
17- if 'Built-Using' in parser.section:
18- map[release][pkg]['built-using'] = parser.section['Built-Using'].split(', ')
19+ for tag in built_using_tags:
20+ if tag in parser.section:
21+ map[release][pkg][tag] = parser.section[tag].split(', ')
22
23 map[release][pkg]['architecture'] = parser.section['Architecture']
24
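Review bot: the per-package key changes from the lowercase `'built-using'` to the raw tag name (`map[release][pkg][tag]`), so any other consumer that reads `pmap[rel][pkg]['built-using']` will now silently find nothing; the description says other scripts use source_map, so the callers should be grepped for the old key before this lands. Separately, `parser.section[tag].split(', ')` only splits on a comma followed by exactly one space, while the field is a comma-separated list whose whitespace is not guaranteed; splitting on `','` and stripping each item is safer.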
25@@ -354,38 +356,38 @@ def load_built_using_collection(pmap, releases=None, component=None):
26 continue
27
28 for pkg in pmap[rel]:
29- if 'built-using' in pmap[rel][pkg]:
30- # Built-Using for a binary in the Packages file lists the
31- # originating source package of the embedded binary
32- section = pmap[rel][pkg]['section']
33- if component is not None and section != component:
34- continue
35+ for tag in built_using_tags:
36+ if tag in pmap[rel][pkg]:
37+ section = pmap[rel][pkg]['section']
38+ if component is not None and section != component:
39+ continue
40
41- pocket = rel
42- if pmap[rel][pkg]['pocket'] != '':
43- pocket += "-%s" % pmap[rel][pkg]['pocket']
44-
45- for (s, c, v) in map(lambda x: x.split(' ', 3),
46- pmap[rel][pkg]['built-using']):
47- v = v.rstrip(')')
48- if s not in built_using:
49- built_using[s] = dict()
50- if v not in built_using[s]:
51- built_using[s][v] = dict()
52- if section not in built_using[s][v]:
53- built_using[s][v][section] = dict()
54- if pocket not in built_using[s][v][section]:
55- built_using[s][v][section][pocket] = []
56- if pkg not in built_using[s][v][section][pocket]:
57- built_using[s][v][section][pocket].append(
58- (pkg, pmap[rel][pkg]['version']))
59+ pocket = rel
60+ if pmap[rel][pkg]['pocket'] != '':
61+ pocket += "-%s" % pmap[rel][pkg]['pocket']
62+
63+ for (s, c, v) in map(lambda x: x.split(' ', 3),
64+ pmap[rel][pkg][tag]):
65+ v = v.rstrip(')')
66+ if s not in built_using:
67+ built_using[s] = dict()
68+ if v not in built_using[s]:
69+ built_using[s][v] = dict()
70+ if section not in built_using[s][v]:
71+ built_using[s][v][section] = dict()
72+ if pocket not in built_using[s][v][section]:
73+ built_using[s][v][section][pocket] = []
74+ if pkg not in built_using[s][v][section][pocket]:
75+ built_using[s][v][section][pocket].append(
76+ (pkg, pmap[rel][pkg]['version'], tag))
77
78 return built_using
79
80
81-built_using_source_format = '%-35s'
82-built_using_pocket_format = '%-15s'
83+built_using_source_format = '%-55s'
84+built_using_pocket_format = '%-20s'
85 built_using_component_format = '%-11s'
86+built_using_tag_format = '%-24s'
87 built_using_usedby_format = '%-35s'
88
89
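Review bot: the comment explaining that Built-Using names the originating source package of the embedded binary is dropped in the rewrite; please keep it above the `for tag in built_using_tags:` loop, since the meaning of the lookup is no longer obvious from the tag names alone. Also note that the appended tuple grows to `(pkg, pmap[rel][pkg]['version'], tag)`, which changes the shape every consumer of the returned map must unpack, and that `if pkg not in built_using[s][v][section][pocket]:` compares a string against a list of tuples, so it is always true and never deduplicates (pre-existing, but worth fixing while this loop is being touched).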
90@@ -407,13 +409,15 @@ def get_built_using(built_using_map, src):
91 continue
92 elif src_version != version:
93 continue
94+
95 for section in sorted(built_using_map[src][version]):
96 for pocket in sorted(built_using_map[src][version][section]):
97- for s, v in sorted(
98+ for s, v, t in sorted(
99 built_using_map[src][version][section][pocket]):
100 out += built_using_source_format % ("%s (%s) " % (src, version))
101 out += built_using_pocket_format % pocket
102 out += built_using_component_format % section
103+ out += built_using_tag_format % t
104 out += built_using_usedby_format % s
105 out += '\n'
106
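Review bot: `v` is unpacked from the tuple but never printed, so a binary that embeds the same source version across several of its own versions shows as identical rows that differ only in the new tag column; printing `"%s (%s)" % (s, v)` in the 'Used by' column would make the output unambiguous. The added blank line before the `for section` loop is an unrelated whitespace change.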
107@@ -424,8 +428,9 @@ def get_built_using_header():
108 header = built_using_source_format % "Source (version)"
109 header += built_using_pocket_format % "Pocket"
110 header += built_using_component_format % "Component"
111+ header += built_using_tag_format % 'Tag'
112 header += built_using_usedby_format % "Used by"
113- header += "\n" + "-" * 78
114+ header += "\n" + "-" * 120
115 return header
116
117 def get_all_aliases(sources, rel):
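Review bot: the separator is a literal `"-" * 120`, but the column widths now sum to 55 + 20 + 11 + 24 + 35 = 145, so the rule is shorter than the header it underlines (the old 78 was similarly off against 96); derive it instead with `header += "\n" + "-" * len(header)` before the newline is appended, so it tracks the format widths automatically.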
