Merge ~litios/ubuntu-cve-tracker:oval-remove-dup-kernel-elements into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: b3daae9600cb9ad3d6f9a3434d496030ad8528af
Proposed branch: ~litios/ubuntu-cve-tracker:oval-remove-dup-kernel-elements
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+17/-12)
2 files modified
scripts/generate-oval (+1/-1)
scripts/oval_lib.py (+16/-11)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+438890@code.launchpad.net

Description of the change

In OVAL, the test to check whether a kernel is patched involves generating an object of type uname_object and a state with a reference to a local variable. Those elements allow retrieving information about the kernel running on the system.

The state and the object elements were created multiple times. This PR changes this behavior so they are generated only once per OVAL file, the same as for the local variable.

CVE OVAL has been tested and the results are identical before and after this change.

Eduardo Barretto (ebarretto) wrote :

LGTM, thanks!

review: Approve

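--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -635,7 +635,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
 # Get the usn database.json data
 usn_database = get_usn_database(usn_db_dir)
 if not usn_database:
-error("Error getting USN database.")
+error("Error getting local USN database. Please, run '$UCT/scripts/fetch-db database.json.bz2' to retrieve the database and try again.")
 
 if usn:
 if usn not in usn_database: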
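--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -590,16 +590,16 @@ class OvalGenerator:
 kernel is greater than the running kernel
 The result of this two will go through an AND logic to confirm
 if we are or not vulnerable to such CVE"""
-if not hasattr(self, 'kernel_objects'):
-self.kernel_objects = {}
+if not hasattr(self, 'kernel_uname_obj_id'):
+self.kernel_uname_obj_id = None
 
-if id_base not in self.kernel_objects:
+if not self.kernel_uname_obj_id:
 object_id = '{0}:obj:{1}0'.format(self.ns, id_base)
 
 self.queue_element('object', """
 <unix-def:uname_object id="{0}" version="{1}"/>\n""".format(object_id, version))
 
-self.kernel_objects[id_base] = object_id
+self.kernel_uname_obj_id = object_id
 
 object_id_2 = '{0}:obj:{1}0'.format(self.ns, id_base + 1)
 
@@ -609,7 +609,7 @@ class OvalGenerator:
 </ind-def:variable_object>\n""".format(object_id_2, version, var_id))
 
 
-return (self.kernel_objects[id_base], object_id_2)
+return (self.kernel_uname_obj_id, object_id_2)
 
 def get_running_kernel_state_id(self, uname_regex, id_base, var_id, version=1):
 """ create uname_state to compare the system uname to the affected kernel
@@ -620,6 +620,9 @@ class OvalGenerator:
 if not hasattr(self, 'uname_states'):
 self.uname_states = {}
 
+if not hasattr(self, 'kernel_state_id'):
+self.kernel_state_id = None
+
 if uname_regex not in self.uname_states:
 state_id = '{0}:ste:{1}0'.format(self.ns, id_base)
 self.queue_element('state', """
@@ -629,14 +632,16 @@ class OvalGenerator:
 
 self.uname_states[uname_regex] = state_id
 
-state_id_2 = '{0}:ste:{1}0'.format(self.ns, id_base + 1)
-self.queue_element('state', """
-<ind-def:variable_state id="{0}" version="{1}">
-<ind-def:value operation="greater than" datatype="debian_evr_string" var_ref="{2}" var_check="at least one" />
-</ind-def:variable_state>\n""".format(state_id_2, version, var_id))
+if not self.kernel_state_id:
+state_id_2 = '{0}:ste:{1}0'.format(self.ns, id_base + 1)
+self.queue_element('state', """
+<ind-def:variable_state id="{0}" version="{1}">
+<ind-def:value operation="greater than" datatype="debian_evr_string" var_ref="{2}" var_check="at least one" />
+</ind-def:variable_state>\n""".format(state_id_2, version, var_id))
 
+self.kernel_state_id = state_id_2
 
-return (self.uname_states[uname_regex], state_id_2)
+return (self.uname_states[uname_regex], self.kernel_state_id)
 
 def get_running_kernel_variable_id(self, uname_regex, id_base, fixed_version, version=1):
 """ creates a local variable to store running kernel version in devian evr string"""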
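Review bot: After the first call, the `var_id` and `id_base` passed to `get_running_kernel_state_id` no longer influence the variable_state: the element queued inside `if not self.kernel_state_id:` is bound to the first caller's `var_id`, and every later caller gets the cached `self.kernel_state_id` back whatever it passed. That is only correct if every caller uses the same local-variable id, which the description says is also created once per file; if a caller ever passed a different `var_id`, the returned state would compare against the wrong variable and nothing in this code would report it. I would record that assumption in the docstring, e.g. `The variable_state is created once per generator; var_id and id_base of later calls are ignored.`, and the same note belongs on the uname_object in the first hunk of this file, which now has the identical once-only shape. As a point of style, the two new guards test string ids by truthiness; `if self.kernel_state_id is None:` and `if self.kernel_uname_obj_id is None:` state the intent more precisely, and initializing both attributes in `__init__` would remove the `hasattr` preambles. The enclosing methods start before the hunks shown here.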
