Merge ~litios/ubuntu-cve-tracker:oval_pkgs_only_fixed into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merged at revision: 3e0ac9cfd550626769247713493393c2dc53266e
Proposed branch: ~litios/ubuntu-cve-tracker:oval_pkgs_only_fixed
Merge into: ubuntu-cve-tracker:master
Diff against target: 90 lines (+15/-7)
2 files modified
scripts/generate-oval (+6/-4)
scripts/oval_lib.py (+9/-3)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Review via email: mp+442388@code.launchpad.net

Description of the change

This PR adds an option to the Package OVAL generation to list only fixed CVEs.

Eduardo Barretto (ebarretto) wrote :

overall lgtm!
but we could make the new argument help text a bit more specific that it only works with --pkg-oval, or maybe add the same feature to CVE-based OVAL.

review: Approve
David Fernandez Gonzalez (litios) wrote :

I agree, I'll add that before merging!

I was planning to standardize all options so we can apply them (if it makes sense) to all formats indistinguishably but for now, it's better if we say it only works with pkg format.

Thanks Eduardo!

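--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -110,6 +110,8 @@ def main():
     parser.add_argument('--packages', nargs='+', action='store', default=None,
                         help='generates oval for specific packages. Only for '
                              'CVE OVAL')
+    parser.add_argument('--fixed-only', action='store_true',
+                        help='only generate pkg oval for fixed CVEs')
 
     args = parser.parse_args()
     pathnames = args.pathname or default_cves_to_process
@@ -154,9 +156,9 @@ def main():
         releases = [args.oval_release] if args.oval_release else supported_releases
         for release in releases:
             if args.oci:
-                generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, ociprefix, ocioutdir)
+                generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only, ociprefix, ocioutdir)
             else:
-                generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames)
+                generate_oval_package(release, outdir, args.cve_prefix_dir, cache, cve_cache, args.oci, args.no_progress, args.packages, pathnames, args.fixed_only)
         return
 
     if args.oci:
@@ -579,10 +581,10 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N
 
     return True
 
-def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, ociprefix=None, ocioutdir=None):
+def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ociprefix=None, ocioutdir=None):
     if not no_progress:
         print(f'[*] Generating OVAL for packages in release {release}')
-    ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames,packages, not no_progress,pkg_cache=pkg_cache, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix)
+    ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames, packages, not no_progress,pkg_cache=pkg_cache, fixed_only=fixed_only, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix)
     ov.generate_oval()
 
     if oci: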
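Review bot: Inserting `fixed_only` as a required positional parameter in the middle of `generate_oval_package`'s signature (third hunk) means any caller that still passes `ociprefix` positionally after `pathnames` would now hand a prefix string in as the fixed-only flag instead of failing loudly; only the two call sites in the second hunk are visible here, so other callers, if any exist, would need checking. Appending it with a default, `def generate_oval_package(..., pathnames, ociprefix=None, ocioutdir=None, fixed_only=False):`, and passing `fixed_only=args.fixed_only` by keyword at both call sites keeps the old positional layout valid. A `False` default also matches what argparse's `store_true` yields when `--fixed-only` is not given, so the CLI and the function agree. `generate_oval_package`'s body continues past the end of the hunk.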
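--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -505,7 +505,7 @@ class Package:
         return self.__str__()
 
 class OvalGeneratorPkg(OvalGenerator):
-    def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, cve_cache=None, cve_prefix_dir=None, parent=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None:
+    def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, cve_prefix_dir=None, parent=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None:
         super().__init__(release, release_name, parent, warn_method, outdir, prefix, oval_format)
         ###
         # ID schema: 2204|00001|0001
@@ -521,6 +521,7 @@ class OvalGeneratorPkg(OvalGenerator):
         self.cve_cache = cve_cache
         self.pkg_cache = pkg_cache
         self.cve_paths = cve_paths
+        self.fixed_only = fixed_only
         self.packages = self._load_pkgs(cve_prefix_dir, packages)
 
     def _generate_advisory(self, package: Package) -> etree.Element:
@@ -529,7 +530,12 @@ class OvalGeneratorPkg(OvalGenerator):
         component = etree.SubElement(advisory, "component")
         version = etree.SubElement(advisory, "current_version")
 
+        pkg_id = Package.get_unique_id(package.name, self.release)
         for cve in package.cves:
+            if cve.pkg_rel_entries[pkg_id].status == 'not-vulnerable':
+                continue
+            elif self.fixed_only and cve.pkg_rel_entries[pkg_id].status != 'fixed':
+                continue
             cve_obj = self._generate_cve_object(cve)
             advisory.append(cve_obj)
 
@@ -1002,7 +1008,7 @@ class OvalGeneratorPkg(OvalGenerator):
 
         for cve in package.cves:
             pkg_rel_entry = cve.pkg_rel_entries[pkg_id]
-            if pkg_rel_entry.status == 'vulnerable':
+            if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only:
                 cve_added = True
                 if one_time_added_id:
                     self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element)
@@ -1069,7 +1075,7 @@ class OvalGeneratorPkg(OvalGenerator):
 
         for cve in package.cves:
             pkg_rel_entry = cve.pkg_rel_entries[pkg_id]
-            if pkg_rel_entry.status == 'vulnerable':
+            if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only:
                 cve_added = True
                 if one_time_added_id:
                     self._add_criterion(one_time_added_id, pkg_rel_entry, cve, definition_element, depth=3)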
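Review bot: `OvalGeneratorPkg.__init__` (first hunk) defaults `fixed_only=True`, whereas the `--fixed-only` flag added in scripts/generate-oval is a `store_true` option that defaults to False, so any library caller not updated to pass `fixed_only` silently switches to fixed-only output and, through the `and not self.fixed_only` guards in the last two hunks, stops emitting criteria for packages that are still vulnerable — a coverage regression in the generated OVAL that nothing would report. Changing the default to `fixed_only=False` keeps the previous behaviour for existing callers and matches the CLI. The new attribute would also benefit from a comment, e.g. `self.fixed_only = fixed_only  # when True, advisories and definitions only cover CVEs whose status for this package is 'fixed'`. In `_generate_advisory` (third hunk) the `not-vulnerable` skip applies regardless of the flag, which is a change to the default path that the description does not mention; a one-line comment there stating that intent would help future readers. `__init__` and both definition-building methods continue outside their hunks.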
