Merge ~litios/ubuntu-cve-tracker:oval_pkgs_only_fixed into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 3e0ac9cfd550626769247713493393c2dc53266e
Proposed branch: ~litios/ubuntu-cve-tracker:oval_pkgs_only_fixed
Merge into: ubuntu-cve-tracker:master
Diff against target: 90 lines (+15/-7)
2 files modified
scripts/generate-oval (+6/-4)
scripts/oval_lib.py (+9/-3)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+442388@code.launchpad.net

Description of the change

This merge proposal adds a `--fixed-only` option to the package-based OVAL generation so that only CVEs with a fixed status are listed.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

overall lgtm!
but we could make the new argument's help text more specific, stating that it only works with --pkg-oval, or alternatively add the same feature to the CVE-based OVAL.

review: Approve
Revision history for this message
David Fernandez Gonzalez (litios) wrote :

I agree, I'll add that before merging!

I was planning to standardize all options so that they can be applied uniformly to every format (where that makes sense), but for now it is better to state that this one only works with the pkg format.

Thanks Eduardo!

Preview Diff

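diff --git a/scripts/generate-oval b/scripts/generate-oval
index 96d89cb..e7d13b7 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -110,6 +110,8 @@ def main():
 parser.add_argument('--packages', nargs='+', action='store', default=None,
 help='generates oval for specific packages. Only for '
 'CVE OVAL')
+ parser.add_argument('--fixed-only', action='store_true',
+ help='only generate pkg oval for fixed CVEs')
 
 args = parser.parse_args()
 pathnames = args.pathname or default_cves_to_process
@@ -154,9 +156,9 @@ def main():
 releases = [args.oval_release] if args.oval_release else supported_releases
 for release in releases:
 if args.oci:
- generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, ociprefix, ocioutdir)
+ generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, ociprefix, ocioutdir)
 else:
- generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames)
+ generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only)
 return
 
 if args.oci:
@@ -579,10 +581,10 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
 
 return True
 
-def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, ociprefix=None, ocioutdir=None):
+def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ociprefix=None, ocioutdir=None):
 if not no_progress:
 print(f'[*] Generating OVAL for packages in release {release}')
- ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames,packages, not no_progress,pkg_cache=pkg_cache, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix)
+ ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames, packages, not no_progress,pkg_cache=pkg_cache, fixed_only=fixed_only, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix)
 ov.generate_oval()
 
 if oci: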
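Review bot: In the third hunk `fixed_only` is inserted into `generate_oval_package` as a required positional parameter ahead of the optional `ociprefix`, so any caller not updated in this diff that still passes `ociprefix` positionally would have it silently bound to `fixed_only` and its `ocioutdir` to `ociprefix`, with no error raised. Whether such callers exist is not visible here, but the CLI flag is `store_true` (default False), so the function can carry the same default and stay backward compatible by taking the new parameter last: `def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, ociprefix=None, ocioutdir=None, fixed_only=False):`, with both call sites in `main()` passing it by keyword, e.g. `..., pathnames, fixed_only=args.fixed_only, ociprefix=ociprefix, ocioutdir=ocioutdir)`. A one-line docstring on the function noting that `fixed_only` is forwarded to `OvalGeneratorPkg` and only affects the pkg/OCI formats would also help. Both `main()` and `generate_oval_package` continue outside the hunks shown.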
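diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index 6ec8136..fa16876 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -505,7 +505,7 @@ class Package:
 return self.__str__()
 
 class OvalGeneratorPkg(OvalGenerator):
- def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, cve_cache=None, cve_prefix_dir=None, parent=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None:
+ def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, cve_prefix_dir=None, parent=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None:
 super().__init__(release, release_name, parent, warn_method, outdir, prefix, oval_format)
 ###
 # ID schema: 2204|00001|0001
@@ -521,6 +521,7 @@ class OvalGeneratorPkg(OvalGenerator):
 self.cve_cache = cve_cache
 self.pkg_cache = pkg_cache
 self.cve_paths = cve_paths
+ self.fixed_only = fixed_only
 self.packages = self._load_pkgs(cve_prefix_dir, packages)
 
 def _generate_advisory(self, package: Package) -> etree.Element:
@@ -529,7 +530,12 @@ class OvalGeneratorPkg(OvalGenerator):
 component = etree.SubElement(advisory, "component")
 version = etree.SubElement(advisory, "current_version")
 
+ pkg_id = Package.get_unique_id(package.name, self.release)
 for cve in package.cves:
+ if cve.pkg_rel_entries[pkg_id].status == 'not-vulnerable':
+ continue
+ elif self.fixed_only and cve.pkg_rel_entries[pkg_id].status != 'fixed':
+ continue
 cve_obj = self._generate_cve_object(cve)
 advisory.append(cve_obj)
 
@@ -1002,7 +1008,7 @@ class OvalGeneratorPkg(OvalGenerator):
 
 for cve in package.cves:
 pkg_rel_entry = cve.pkg_rel_entries[pkg_id]
- if pkg_rel_entry.status == 'vulnerable':
+ if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only:
 cve_added = True
 if one_time_added_id:
 self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element)
@@ -1069,7 +1075,7 @@ class OvalGeneratorPkg(OvalGenerator):
 
 for cve in package.cves:
 pkg_rel_entry = cve.pkg_rel_entries[pkg_id]
- if pkg_rel_entry.status == 'vulnerable':
+ if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only:
 cve_added = True
 if one_time_added_id:
 self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element, depth=3)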
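Review bot: The new `__init__` signature in the first hunk defaults `fixed_only=True`, while the CLI flag it serves defaults to False, so any construction of `OvalGeneratorPkg` that does not pass the keyword — including callers outside this diff — now silently drops every CVE whose status is `'vulnerable'` from the advisory and from both definition criteria loops. For vulnerability feed generation that is a fail-open default: consumers of the resulting OVAL would stop seeing open, unfixed CVEs without any warning. Change it to `fixed_only=False` so existing output is unchanged unless the option is explicitly requested, and document it at the assignment, e.g. `self.fixed_only = fixed_only  # when True, only CVEs with status 'fixed' are emitted; 'vulnerable' entries are skipped`. Separately, the advisory loop and the two definition loops now encode the status filter independently — the advisory also skips `'not-vulnerable'` entries regardless of the flag, which the definition loops do not — so a small shared helper such as `_include_cve(pkg_rel_entry)` would keep the three from drifting. All four hunks fall inside methods whose bodies continue outside the lines shown.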
