Merge ~litios/ubuntu-cve-tracker:add-static-built-using into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 9017273fae6f79c1ef72330c9bbd7fb5175c0c8a
Proposed branch: ~litios/ubuntu-cve-tracker:add-static-built-using
Merge into: ubuntu-cve-tracker:master
Diff against target: 117 lines (+35/-30)
1 file modified
scripts/source_map.py (+35/-30)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Alex Murray Needs Fixing
Review via email: mp+435735@code.launchpad.net

Description of the change

The tool to report the packages used during the building uses Built-Using to gather them. This is not the only case for other formats like Golang.

This is a proposal to extend this to the 'Static-Built-Using' tag for the tool itself and also to allow other custom tags in the future, like the ones in https://wiki.debian.org/Static-Built-Using, for source_map.

As this is not the only tool using the functions from source_map I've tried to minimize changes to prevent other scripts from breaking and make it as generic as possible.

On a side note, the script process-cves, on line 1092, use these functions to tell the user about packages that may need to be rebuilt. I would also like to propose adding the static check there too. The worst-case scenario would be nothing extra to report.

Eduardo Barretto (ebarretto) wrote :

overall lgtm, I made some small comments and I would wait for Steve's review.

David Fernandez Gonzalez (litios) :
Shengjing Zhu (zhsj) wrote :

There will be some period during which Built-Using and Static-Built-Using are both used on different packages. If we only have one tag (default_built_using_tag), then we only get partial results. Would it be better to have results for all tags? And maybe include X-Cargo-Built-Using as well.

Alex Murray (alexmurray) wrote :

I agree - I think the tool should gather and report the results of all known 'Built-Using' tags rather than relying on the user to invoke it with all the various possible combinations of different tags.

review: Needs Fixing
David Fernandez Gonzalez (litios) wrote :

I definitely agree with that. I fixed it to include the Cargo tag and also make it gather and print all the tags.

Example with Static-Built-Using: https://pastebin.canonical.com/p/JWrpFc3zPG/
Example with X-Cargo-Built-Using: https://pastebin.canonical.com/p/hFkyhmyW6Z/

Eduardo Barretto (ebarretto) wrote :

lgtm, thanks!

review: Approve


diff --git a/scripts/source_map.py b/scripts/source_map.py
index e53a71e..ef849d5 100755
--- a/scripts/source_map.py
+++ b/scripts/source_map.py
@@ -19,6 +19,7 @@ import sys
19import cve_lib19import cve_lib
20import yaml20import yaml
2121
22built_using_tags = ["Built-Using", "Static-Built-Using", "X-Cargo-Built-Using"]
22apt_pkg.init_system()23apt_pkg.init_system()
2324
2425
@@ -338,8 +339,9 @@ def load_packages_collection(item, map):
338 else:339 else:
339 map[release][pkg]['source'] = parser.section['Package']340 map[release][pkg]['source'] = parser.section['Package']
340341
341 if 'Built-Using' in parser.section:342 for tag in built_using_tags:
342 map[release][pkg]['built-using'] = parser.section['Built-Using'].split(', ')343 if tag in parser.section:
344 map[release][pkg][tag] = parser.section[tag].split(', ')
343345
344 map[release][pkg]['architecture'] = parser.section['Architecture']346 map[release][pkg]['architecture'] = parser.section['Architecture']
345347
@@ -354,38 +356,38 @@ def load_built_using_collection(pmap, releases=None, component=None):
354 continue356 continue
355357
356 for pkg in pmap[rel]:358 for pkg in pmap[rel]:
357 if 'built-using' in pmap[rel][pkg]:359 for tag in built_using_tags:
358 # Built-Using for a binary in the Packages file lists the360 if tag in pmap[rel][pkg]:
359 # originating source package of the embedded binary361 section = pmap[rel][pkg]['section']
360 section = pmap[rel][pkg]['section']362 if component is not None and section != component:
361 if component is not None and section != component:363 continue
362 continue
363364
364 pocket = rel365 pocket = rel
365 if pmap[rel][pkg]['pocket'] != '':366 if pmap[rel][pkg]['pocket'] != '':
366 pocket += "-%s" % pmap[rel][pkg]['pocket']367 pocket += "-%s" % pmap[rel][pkg]['pocket']
367368
368 for (s, c, v) in map(lambda x: x.split(' ', 3),369 for (s, c, v) in map(lambda x: x.split(' ', 3),
369 pmap[rel][pkg]['built-using']):370 pmap[rel][pkg][tag]):
370 v = v.rstrip(')')371 v = v.rstrip(')')
371 if s not in built_using:372 if s not in built_using:
372 built_using[s] = dict()373 built_using[s] = dict()
373 if v not in built_using[s]:374 if v not in built_using[s]:
374 built_using[s][v] = dict()375 built_using[s][v] = dict()
375 if section not in built_using[s][v]:376 if section not in built_using[s][v]:
376 built_using[s][v][section] = dict()377 built_using[s][v][section] = dict()
377 if pocket not in built_using[s][v][section]:378 if pocket not in built_using[s][v][section]:
378 built_using[s][v][section][pocket] = []379 built_using[s][v][section][pocket] = []
379 if pkg not in built_using[s][v][section][pocket]:380 if pkg not in built_using[s][v][section][pocket]:
380 built_using[s][v][section][pocket].append(381 built_using[s][v][section][pocket].append(
381 (pkg, pmap[rel][pkg]['version']))382 (pkg, pmap[rel][pkg]['version'], tag))
382383
383 return built_using384 return built_using
384385
385386
386built_using_source_format = '%-35s'387built_using_source_format = '%-55s'
387built_using_pocket_format = '%-15s'388built_using_pocket_format = '%-20s'
388built_using_component_format = '%-11s'389built_using_component_format = '%-11s'
390built_using_tag_format = '%-24s'
389built_using_usedby_format = '%-35s'391built_using_usedby_format = '%-35s'
390392
391393
@@ -407,13 +409,15 @@ def get_built_using(built_using_map, src):
407 continue409 continue
408 elif src_version != version:410 elif src_version != version:
409 continue411 continue
412
410 for section in sorted(built_using_map[src][version]):413 for section in sorted(built_using_map[src][version]):
411 for pocket in sorted(built_using_map[src][version][section]):414 for pocket in sorted(built_using_map[src][version][section]):
412 for s, v in sorted(415 for s, v, t in sorted(
413 built_using_map[src][version][section][pocket]):416 built_using_map[src][version][section][pocket]):
414 out += built_using_source_format % ("%s (%s) " % (src, version))417 out += built_using_source_format % ("%s (%s) " % (src, version))
415 out += built_using_pocket_format % pocket418 out += built_using_pocket_format % pocket
416 out += built_using_component_format % section419 out += built_using_component_format % section
420 out += built_using_tag_format % t
417 out += built_using_usedby_format % s421 out += built_using_usedby_format % s
418 out += '\n'422 out += '\n'
419423
@@ -424,8 +428,9 @@ def get_built_using_header():
424 header = built_using_source_format % "Source (version)"428 header = built_using_source_format % "Source (version)"
425 header += built_using_pocket_format % "Pocket"429 header += built_using_pocket_format % "Pocket"
426 header += built_using_component_format % "Component"430 header += built_using_component_format % "Component"
431 header += built_using_tag_format % 'Tag'
427 header += built_using_usedby_format % "Used by"432 header += built_using_usedby_format % "Used by"
428 header += "\n" + "-" * 78433 header += "\n" + "-" * 120
429 return header434 return header
430435
431def get_all_aliases(sources, rel):436def get_all_aliases(sources, rel):
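Review bot: The shape of the data handed to other consumers changes in two places the diff does not address: in load_packages_collection the per-package key becomes the tag name itself (`map[release][pkg][tag]`, new lines 342–344) instead of the fixed 'built-using' string, and in load_built_using_collection the appended tuple grows from `(pkg, version)` to `(pkg, version, tag)` (new lines 381–382), so a caller that still tests for 'built-using' finds no entry and one that unpacks two values raises ValueError — the description says other scripts (process-cves is named) use these functions, and unless they are updated in this branch, which is not visible here, a 'built-using' alias entry or a documented new shape is needed. The explanatory comment dropped at old lines 358–359 should survive in the new per-tag loop, e.g. `# Each tag in built_using_tags lists, for a binary in the Packages file, the originating source package of the embedded binary`. The pre-existing `if pkg not in built_using[s][v][section][pocket]:` test compares the package name against a list of tuples and therefore never deduplicates; now that one binary may carry several tags the same package can be appended once per tag, which may be intended but deserves a comment. Both enclosing functions start outside their hunks.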
