Merge ~litios/ubuntu-cve-tracker:oval-remove-dup-kernel-elements into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: b3daae9600cb9ad3d6f9a3434d496030ad8528af
Proposed branch: ~litios/ubuntu-cve-tracker:oval-remove-dup-kernel-elements
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+17/-12)
2 files modified
scripts/generate-oval (+1/-1)
scripts/oval_lib.py (+16/-11)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+438890@code.launchpad.net

Description of the change

In OVAL, the test that checks whether a kernel is patched involves generating an object of type uname_object and a state that references a local variable. Together these elements read the version of the kernel currently running on the system.

The state and the object elements were created multiple times. This PR changes this behavior so they are generated only once per OVAL file, the same as for the local variable.

CVE OVAL has been tested and the results are identical before and after this change.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

LGTM, thanks!

review: Approve


diff --git a/scripts/generate-oval b/scripts/generate-oval
index b6dd88e..ec3bcee 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -635,7 +635,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
635 # Get the usn database.json data635 # Get the usn database.json data
636 usn_database = get_usn_database(usn_db_dir)636 usn_database = get_usn_database(usn_db_dir)
637 if not usn_database:637 if not usn_database:
638 error("Error getting USN database.")638 error("Error getting local USN database. Please, run '$UCT/scripts/fetch-db database.json.bz2' to retrieve the database and try again.")
639639
640 if usn:640 if usn:
641 if usn not in usn_database:641 if usn not in usn_database:
diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index a0af152..51cb908 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -590,16 +590,16 @@ class OvalGenerator:
590 kernel is greater than the running kernel590 kernel is greater than the running kernel
591 The result of this two will go through an AND logic to confirm591 The result of this two will go through an AND logic to confirm
592 if we are or not vulnerable to such CVE"""592 if we are or not vulnerable to such CVE"""
593 if not hasattr(self, 'kernel_objects'):593 if not hasattr(self, 'kernel_uname_obj_id'):
594 self.kernel_objects = {}594 self.kernel_uname_obj_id = None
595595
596 if id_base not in self.kernel_objects:596 if not self.kernel_uname_obj_id:
597 object_id = '{0}:obj:{1}0'.format(self.ns, id_base)597 object_id = '{0}:obj:{1}0'.format(self.ns, id_base)
598598
599 self.queue_element('object', """599 self.queue_element('object', """
600 <unix-def:uname_object id="{0}" version="{1}"/>\n""".format(object_id, version))600 <unix-def:uname_object id="{0}" version="{1}"/>\n""".format(object_id, version))
601601
602 self.kernel_objects[id_base] = object_id602 self.kernel_uname_obj_id = object_id
603603
604 object_id_2 = '{0}:obj:{1}0'.format(self.ns, id_base + 1)604 object_id_2 = '{0}:obj:{1}0'.format(self.ns, id_base + 1)
605605
@@ -609,7 +609,7 @@ class OvalGenerator:
609 </ind-def:variable_object>\n""".format(object_id_2, version, var_id))609 </ind-def:variable_object>\n""".format(object_id_2, version, var_id))
610610
611611
612 return (self.kernel_objects[id_base], object_id_2)612 return (self.kernel_uname_obj_id, object_id_2)
613613
614 def get_running_kernel_state_id(self, uname_regex, id_base, var_id, version=1):614 def get_running_kernel_state_id(self, uname_regex, id_base, var_id, version=1):
615 """ create uname_state to compare the system uname to the affected kernel615 """ create uname_state to compare the system uname to the affected kernel
@@ -620,6 +620,9 @@ class OvalGenerator:
620 if not hasattr(self, 'uname_states'):620 if not hasattr(self, 'uname_states'):
621 self.uname_states = {}621 self.uname_states = {}
622622
623 if not hasattr(self, 'kernel_state_id'):
624 self.kernel_state_id = None
625
623 if uname_regex not in self.uname_states:626 if uname_regex not in self.uname_states:
624 state_id = '{0}:ste:{1}0'.format(self.ns, id_base)627 state_id = '{0}:ste:{1}0'.format(self.ns, id_base)
625 self.queue_element('state', """628 self.queue_element('state', """
@@ -629,14 +632,16 @@ class OvalGenerator:
629632
630 self.uname_states[uname_regex] = state_id633 self.uname_states[uname_regex] = state_id
631634
632 state_id_2 = '{0}:ste:{1}0'.format(self.ns, id_base + 1)635 if not self.kernel_state_id:
633 self.queue_element('state', """636 state_id_2 = '{0}:ste:{1}0'.format(self.ns, id_base + 1)
634 <ind-def:variable_state id="{0}" version="{1}">637 self.queue_element('state', """
635 <ind-def:value operation="greater than" datatype="debian_evr_string" var_ref="{2}" var_check="at least one" />638 <ind-def:variable_state id="{0}" version="{1}">
636 </ind-def:variable_state>\n""".format(state_id_2, version, var_id))639 <ind-def:value operation="greater than" datatype="debian_evr_string" var_ref="{2}" var_check="at least one" />
640 </ind-def:variable_state>\n""".format(state_id_2, version, var_id))
637641
642 self.kernel_state_id = state_id_2
638643
639 return (self.uname_states[uname_regex], state_id_2)644 return (self.uname_states[uname_regex], self.kernel_state_id)
640645
641 def get_running_kernel_variable_id(self, uname_regex, id_base, fixed_version, version=1):646 def get_running_kernel_variable_id(self, uname_regex, id_base, fixed_version, version=1):
642 """ creates a local variable to store running kernel version in devian evr string"""647 """ creates a local variable to store running kernel version in devian evr string"""
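Review bot: The cached `self.kernel_state_id` (new lines 635–644) silently drops the dependency on `var_id` and `version`: the first call bakes its `var_ref` into the one shared `variable_state`, and any later call with a different `var_id` gets back a state that compares the running kernel against the wrong variable, which for a vulnerability check means a wrong patched/unpatched verdict. The description says the local variable is itself emitted once per file, so this is presumably consistent today, but nothing in the code enforces it; record the id when the state is first queued and refuse mismatches, e.g. `self.kernel_state_var_id = var_id` beside the assignment on new line 642 and `elif self.kernel_state_var_id != var_id: raise ValueError("kernel variable_state already bound to %s" % self.kernel_state_var_id)`. The same caveat applies to the `uname_object` cache in the first hunk, which now ignores `id_base` and `version` after the first call while `object_id_2` still varies with `id_base`. Minor style: `if not self.kernel_state_id:` is a truthiness test on a string id, and `is None` states the intent more clearly; the `hasattr` lazy initialisation would read better as attributes set in `__init__`, which is outside this diff. The enclosing `get_running_kernel_state_id` starts in the previous hunk, and the class continues past this one.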
