Merge ~litios/ubuntu-cve-tracker:oval_pkg_parent_support into ubuntu-cve-tracker:master
- Git
- lp:~litios/ubuntu-cve-tracker
- oval_pkg_parent_support
- Merge into master
Proposed by
David Fernandez Gonzalez
| Status: | Merged |
|---|---|
| Merged at revision: | 6a3b15b2839e890e1ce769204a674f23f90f1e57 |
| Proposed branch: | ~litios/ubuntu-cve-tracker:oval_pkg_parent_support |
| Merge into: | ubuntu-cve-tracker:master |
| Diff against target: |
240 lines (+54/-50) 2 files modified
scripts/generate-oval (+1/-1) scripts/oval_lib.py (+53/-49) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Eduardo Barretto | Approve | ||
|
Review via email:
|
|||
Commit message
Description of the change
Previously, ESM-related releases were only generating OVAL data for the packages and versions contained in those ESM PPAs. This PR address this issue so they include the information regarding the parent release.
It has also been added an improvement so the filename generated is based on the class attribute.
To post a comment you must log in.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | diff --git a/scripts/generate-oval b/scripts/generate-oval | |||
| 2 | index e7d13b7..5bab03c 100755 | |||
| 3 | --- a/scripts/generate-oval | |||
| 4 | +++ b/scripts/generate-oval | |||
| 5 | @@ -581,7 +581,7 @@ def generate_oval_usn(outdir, usn, usn_release, cve_dir, usn_db_dir, ociprefix=N | |||
| 6 | 581 | 581 | ||
| 7 | 582 | return True | 582 | return True |
| 8 | 583 | 583 | ||
| 10 | 584 | def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ociprefix=None, ocioutdir=None): | 584 | def generate_oval_package(release, outdir, cve_prefix_dir, pkg_cache, cve_cache, oci, no_progress, packages, pathnames, fixed_only, ociprefix='', ocioutdir=None): |
| 11 | 585 | if not no_progress: | 585 | if not no_progress: |
| 12 | 586 | print(f'[*] Generating OVAL for packages in release {release}') | 586 | print(f'[*] Generating OVAL for packages in release {release}') |
| 13 | 587 | ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames, packages, not no_progress,pkg_cache=pkg_cache, fixed_only=fixed_only, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix) | 587 | ov = oval_lib.OvalGeneratorPkg(release, release_name(release), pathnames, packages, not no_progress,pkg_cache=pkg_cache, fixed_only=fixed_only, cve_cache=cve_cache, oval_format='oci' if oci else 'dpkg', outdir=outdir, cve_prefix_dir=cve_prefix_dir, prefix=ociprefix) |
| 14 | diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py | |||
| 15 | index b67ab51..d657cd6 100644 | |||
| 16 | --- a/scripts/oval_lib.py | |||
| 17 | +++ b/scripts/oval_lib.py | |||
| 18 | @@ -146,17 +146,15 @@ class OvalGenerator: | |||
| 19 | 146 | supported_oval_elements = ('definition', 'test', 'object', 'state', 'variable') | 146 | supported_oval_elements = ('definition', 'test', 'object', 'state', 'variable') |
| 20 | 147 | generator_version = '1.1' | 147 | generator_version = '1.1' |
| 21 | 148 | oval_schema_version = '5.11.1' | 148 | oval_schema_version = '5.11.1' |
| 23 | 149 | def __init__(self, release, release_name, parent = None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None: | 149 | def __init__(self, release, release_name = None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None: |
| 24 | 150 | self.release = release | 150 | self.release = release |
| 25 | 151 | # e.g. codename for trusty/esm should be trusty | 151 | # e.g. codename for trusty/esm should be trusty |
| 27 | 152 | self.release_codename = parent if parent else self.release.replace('/', '_') | 152 | self.release_codename = cve_lib.release_progenitor(release) if cve_lib.release_progenitor(release) else self.release.replace('/', '_') |
| 28 | 153 | self.release_name = release_name | 153 | self.release_name = release_name |
| 29 | 154 | #self.warn = warn_method or self.warn | 154 | #self.warn = warn_method or self.warn |
| 30 | 155 | self.tmpdir = tempfile.mkdtemp(prefix='oval_lib-') | 155 | self.tmpdir = tempfile.mkdtemp(prefix='oval_lib-') |
| 31 | 156 | self.output_dir = outdir | 156 | self.output_dir = outdir |
| 32 | 157 | self.oval_format = oval_format | 157 | self.oval_format = oval_format |
| 33 | 158 | self.output_filepath = \ | ||
| 34 | 159 | '{0}com.ubuntu.{1}.cve.oval.xml'.format(prefix, self.release.replace('/', '_')) | ||
| 35 | 160 | self.ns = 'oval:com.ubuntu.{0}'.format(self.release_codename) | 158 | self.ns = 'oval:com.ubuntu.{0}'.format(self.release_codename) |
| 36 | 161 | self.id = 100 | 159 | self.id = 100 |
| 37 | 162 | self.host_def_id = self.id | 160 | self.host_def_id = self.id |
| 38 | @@ -342,12 +340,13 @@ class OvalGenerator: | |||
| 39 | 342 | return family_state, state | 340 | return family_state, state |
| 40 | 343 | 341 | ||
| 41 | 344 | class CVEPkgRelEntry: | 342 | class CVEPkgRelEntry: |
| 43 | 345 | def __init__(self, pkg, cve, status, note) -> None: | 343 | def __init__(self, pkg, release, cve, status, note) -> None: |
| 44 | 346 | self.pkg = pkg | 344 | self.pkg = pkg |
| 45 | 347 | self.cve = cve | 345 | self.cve = cve |
| 46 | 348 | self.orig_status = status | 346 | self.orig_status = status |
| 47 | 349 | self.orig_note = note | 347 | self.orig_note = note |
| 49 | 350 | cve_info = CVEPkgRelEntry.parse_package_status(pkg.rel, pkg.name, status, note, cve.number, None) | 348 | self.release = release |
| 50 | 349 | cve_info = CVEPkgRelEntry.parse_package_status(self.release, pkg.name, status, note, cve.number, None) | ||
| 51 | 351 | 350 | ||
| 52 | 352 | self.note = cve_info['note'] | 351 | self.note = cve_info['note'] |
| 53 | 353 | self.status = cve_info['status'] | 352 | self.status = cve_info['status'] |
| 54 | @@ -456,9 +455,9 @@ class CVE: | |||
| 55 | 456 | self.pkg_rel_entries = {} | 455 | self.pkg_rel_entries = {} |
| 56 | 457 | self.pkgs = pkgs | 456 | self.pkgs = pkgs |
| 57 | 458 | 457 | ||
| 61 | 459 | def add_pkg(self, pkg_object, state, note): | 458 | def add_pkg(self, pkg_object, release, state, note): |
| 62 | 460 | cve_pkg_entry = CVEPkgRelEntry(pkg_object, self, state, note) | 459 | cve_pkg_entry = CVEPkgRelEntry(pkg_object, release, self, state, note) |
| 63 | 461 | self.pkg_rel_entries[Package.get_unique_id(pkg_object.name, pkg_object.rel)] = cve_pkg_entry | 460 | self.pkg_rel_entries[pkg_object.name] = cve_pkg_entry |
| 64 | 462 | self.pkgs.append(pkg_object) | 461 | self.pkgs.append(pkg_object) |
| 65 | 463 | 462 | ||
| 66 | 464 | def __str__(self) -> str: | 463 | def __str__(self) -> str: |
| 67 | @@ -492,10 +491,6 @@ class Package: | |||
| 68 | 492 | self.binaries = binaries if binaries else [] | 491 | self.binaries = binaries if binaries else [] |
| 69 | 493 | self.cves = [] | 492 | self.cves = [] |
| 70 | 494 | 493 | ||
| 71 | 495 | @staticmethod | ||
| 72 | 496 | def get_unique_id(name, rel): | ||
| 73 | 497 | return f'{name}/{rel}' | ||
| 74 | 498 | |||
| 75 | 499 | def add_cve(self, cve) -> None: | 494 | def add_cve(self, cve) -> None: |
| 76 | 500 | self.cves.append(cve) | 495 | self.cves.append(cve) |
| 77 | 501 | 496 | ||
| 78 | @@ -506,8 +501,8 @@ class Package: | |||
| 79 | 506 | return self.__str__() | 501 | return self.__str__() |
| 80 | 507 | 502 | ||
| 81 | 508 | class OvalGeneratorPkg(OvalGenerator): | 503 | class OvalGeneratorPkg(OvalGenerator): |
| 84 | 509 | def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, cve_prefix_dir=None, parent=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None: | 504 | def __init__(self, release, release_name, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, cve_prefix_dir=None, warn_method=False, outdir='./', prefix='', oval_format='dpkg') -> None: |
| 85 | 510 | super().__init__(release, release_name, parent, warn_method, outdir, prefix, oval_format) | 505 | super().__init__(release, release_name, warn_method, outdir, prefix, oval_format) |
| 86 | 511 | ### | 506 | ### |
| 87 | 512 | # ID schema: 2204|00001|0001 | 507 | # ID schema: 2204|00001|0001 |
| 88 | 513 | # * The first four digits are the ubuntu release number | 508 | # * The first four digits are the ubuntu release number |
| 89 | @@ -518,6 +513,8 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 90 | 518 | self.definition_id = release_code * 10 ** 10 | 513 | self.definition_id = release_code * 10 ** 10 |
| 91 | 519 | self.definition_step = 1 * 10 ** 5 | 514 | self.definition_step = 1 * 10 ** 5 |
| 92 | 520 | self.criterion_step = 10 | 515 | self.criterion_step = 10 |
| 93 | 516 | self.output_filepath = \ | ||
| 94 | 517 | '{0}com.ubuntu.{1}.pkg.oval.xml'.format(prefix, self.release.replace('/', '_')) | ||
| 95 | 521 | self.progress = progress | 518 | self.progress = progress |
| 96 | 522 | self.cve_cache = cve_cache | 519 | self.cve_cache = cve_cache |
| 97 | 523 | self.pkg_cache = pkg_cache | 520 | self.pkg_cache = pkg_cache |
| 98 | @@ -531,11 +528,10 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 99 | 531 | component = etree.SubElement(advisory, "component") | 528 | component = etree.SubElement(advisory, "component") |
| 100 | 532 | version = etree.SubElement(advisory, "current_version") | 529 | version = etree.SubElement(advisory, "current_version") |
| 101 | 533 | 530 | ||
| 102 | 534 | pkg_id = Package.get_unique_id(package.name, self.release) | ||
| 103 | 535 | for cve in package.cves: | 531 | for cve in package.cves: |
| 105 | 536 | if cve.pkg_rel_entries[pkg_id].status == 'not-vulnerable': | 532 | if cve.pkg_rel_entries[package.name].status == 'not-vulnerable': |
| 106 | 537 | continue | 533 | continue |
| 108 | 538 | elif self.fixed_only and cve.pkg_rel_entries[pkg_id].status != 'fixed': | 534 | elif self.fixed_only and cve.pkg_rel_entries[package.name].status != 'fixed': |
| 109 | 539 | continue | 535 | continue |
| 110 | 540 | cve_obj = self._generate_cve_object(cve) | 536 | cve_obj = self._generate_cve_object(cve) |
| 111 | 541 | advisory.append(cve_obj) | 537 | advisory.append(cve_obj) |
| 112 | @@ -991,7 +987,6 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 113 | 991 | return test, object, var, state | 987 | return test, object, var, state |
| 114 | 992 | 988 | ||
| 115 | 993 | def _populate_pkg(self, package, root_element): | 989 | def _populate_pkg(self, package, root_element): |
| 116 | 994 | pkg_id = Package.get_unique_id(package.name, self.release) | ||
| 117 | 995 | tests = root_element.find("tests") | 990 | tests = root_element.find("tests") |
| 118 | 996 | objects = root_element.find("objects") | 991 | objects = root_element.find("objects") |
| 119 | 997 | variables = root_element.find("variables") | 992 | variables = root_element.find("variables") |
| 120 | @@ -1008,7 +1003,7 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 121 | 1008 | cve_added = False | 1003 | cve_added = False |
| 122 | 1009 | 1004 | ||
| 123 | 1010 | for cve in package.cves: | 1005 | for cve in package.cves: |
| 125 | 1011 | pkg_rel_entry = cve.pkg_rel_entries[pkg_id] | 1006 | pkg_rel_entry = cve.pkg_rel_entries[package.name] |
| 126 | 1012 | if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only: | 1007 | if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only: |
| 127 | 1013 | cve_added = True | 1008 | cve_added = True |
| 128 | 1014 | if one_time_added_id: | 1009 | if one_time_added_id: |
| 129 | @@ -1052,7 +1047,6 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 130 | 1052 | self._increase_id(is_definition=True) | 1047 | self._increase_id(is_definition=True) |
| 131 | 1053 | 1048 | ||
| 132 | 1054 | def _populate_kernel_pkg(self, package, root_element, running_kernel_id): | 1049 | def _populate_kernel_pkg(self, package, root_element, running_kernel_id): |
| 133 | 1055 | pkg_id = Package.get_unique_id(package.name, self.release) | ||
| 134 | 1056 | tests = root_element.find("tests") | 1050 | tests = root_element.find("tests") |
| 135 | 1057 | objects = root_element.find("objects") | 1051 | objects = root_element.find("objects") |
| 136 | 1058 | variables = root_element.find("variables") | 1052 | variables = root_element.find("variables") |
| 137 | @@ -1075,7 +1069,7 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 138 | 1075 | self._add_to_criteria(definition_element, criteria, operator='AND') | 1069 | self._add_to_criteria(definition_element, criteria, operator='AND') |
| 139 | 1076 | 1070 | ||
| 140 | 1077 | for cve in package.cves: | 1071 | for cve in package.cves: |
| 142 | 1078 | pkg_rel_entry = cve.pkg_rel_entries[pkg_id] | 1072 | pkg_rel_entry = cve.pkg_rel_entries[package.name] |
| 143 | 1079 | if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only: | 1073 | if pkg_rel_entry.status == 'vulnerable' and not self.fixed_only: |
| 144 | 1080 | cve_added = True | 1074 | cve_added = True |
| 145 | 1081 | if one_time_added_id: | 1075 | if one_time_added_id: |
| 146 | @@ -1104,6 +1098,22 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 147 | 1104 | definitions.append(definition_element) | 1098 | definitions.append(definition_element) |
| 148 | 1105 | self._increase_id(is_definition=True) | 1099 | self._increase_id(is_definition=True) |
| 149 | 1106 | 1100 | ||
| 150 | 1101 | def _add_new_package(self, package_name, cve, release, cve_data, packages) -> None: | ||
| 151 | 1102 | if package_name not in packages: | ||
| 152 | 1103 | binaries = self.pkg_cache.get_binarypkgs(package_name, release) | ||
| 153 | 1104 | version = '' | ||
| 154 | 1105 | if binaries: | ||
| 155 | 1106 | version = self.pkg_cache.pkgcache[package_name]['Releases'][release]['source_version'] | ||
| 156 | 1107 | |||
| 157 | 1108 | pkg_obj = Package(package_name, release, binaries, version) | ||
| 158 | 1109 | packages[package_name] = pkg_obj | ||
| 159 | 1110 | |||
| 160 | 1111 | pkg_obj = packages[package_name] | ||
| 161 | 1112 | if cve not in pkg_obj.cves: | ||
| 162 | 1113 | pkg_obj.cves.append(cve) | ||
| 163 | 1114 | |||
| 164 | 1115 | cve.add_pkg(pkg_obj, release, cve_data['pkgs'][package_name][release][0],cve_data['pkgs'][package_name][release][1]) | ||
| 165 | 1116 | |||
| 166 | 1107 | def _load_pkgs(self, cve_prefix_dir, packages_filter=None) -> None: | 1117 | def _load_pkgs(self, cve_prefix_dir, packages_filter=None) -> None: |
| 167 | 1108 | cve_lib.load_external_subprojects() | 1118 | cve_lib.load_external_subprojects() |
| 168 | 1109 | 1119 | ||
| 169 | @@ -1118,12 +1128,20 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 170 | 1118 | ) | 1128 | ) |
| 171 | 1119 | 1129 | ||
| 172 | 1120 | packages = {} | 1130 | packages = {} |
| 179 | 1121 | sources[self.release] = load(releases=[self.release], skip_eol_releases=False)[self.release] | 1131 | releases = [self.release] |
| 180 | 1122 | orig_name = cve_lib.get_orig_rel_name(self.release) | 1132 | current_release = self.release |
| 181 | 1123 | if '/' in orig_name: | 1133 | while(cve_lib.release_parent(current_release)): |
| 182 | 1124 | orig_name = orig_name.split('/', maxsplit=1)[1] | 1134 | current_release = cve_lib.release_parent(current_release) |
| 183 | 1125 | source_map_binaries[self.release] = load(data_type='packages',releases=[orig_name], skip_eol_releases=False)[orig_name] \ | 1135 | releases.append(current_release) |
| 184 | 1126 | if self.release not in cve_lib.external_releases else {} | 1136 | |
| 185 | 1137 | for release in releases: | ||
| 186 | 1138 | sources[release] = load(releases=[release], skip_eol_releases=False)[release] | ||
| 187 | 1139 | |||
| 188 | 1140 | orig_name = cve_lib.get_orig_rel_name(release) | ||
| 189 | 1141 | if '/' in orig_name: | ||
| 190 | 1142 | orig_name = orig_name.split('/', maxsplit=1)[1] | ||
| 191 | 1143 | source_map_binaries[release] = load(data_type='packages',releases=[orig_name], skip_eol_releases=False)[orig_name] \ | ||
| 192 | 1144 | if release not in cve_lib.external_releases else {} | ||
| 193 | 1127 | 1145 | ||
| 194 | 1128 | i = 0 | 1146 | i = 0 |
| 195 | 1129 | for cve_path in cves: | 1147 | for cve_path in cves: |
| 196 | @@ -1143,22 +1161,11 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 197 | 1143 | if packages_filter and pkg not in packages_filter: | 1161 | if packages_filter and pkg not in packages_filter: |
| 198 | 1144 | continue | 1162 | continue |
| 199 | 1145 | 1163 | ||
| 216 | 1146 | if self.release in info['pkgs'][pkg] and \ | 1164 | for release in releases: |
| 217 | 1147 | info['pkgs'][pkg][self.release][0] != 'DNE' and \ | 1165 | if pkg in sources[release] and release in info['pkgs'][pkg] and \ |
| 218 | 1148 | pkg in sources[self.release]: | 1166 | info['pkgs'][pkg][release][0] != 'DNE': |
| 219 | 1149 | pkg_id = Package.get_unique_id(pkg, self.release) | 1167 | self._add_new_package(pkg, cve_obj, release, info, packages) |
| 220 | 1150 | if pkg_id not in packages: | 1168 | break |
| 205 | 1151 | binaries = self.pkg_cache.get_binarypkgs(pkg, self.release) | ||
| 206 | 1152 | version = '' | ||
| 207 | 1153 | if binaries: | ||
| 208 | 1154 | version = self.pkg_cache.pkgcache[pkg]['Releases'][self.release]['source_version'] | ||
| 209 | 1155 | pkg_obj = Package(pkg, self.release, binaries, version) | ||
| 210 | 1156 | packages[pkg_id] = pkg_obj | ||
| 211 | 1157 | |||
| 212 | 1158 | pkg_obj = packages[pkg_id] | ||
| 213 | 1159 | pkg_obj.cves.append(cve_obj) | ||
| 214 | 1160 | # add_pkg (pkg, status, note) | ||
| 215 | 1161 | cve_obj.add_pkg(pkg_obj, info['pkgs'][pkg][self.release][0],info['pkgs'][pkg][self.release][1]) | ||
| 221 | 1162 | 1169 | ||
| 222 | 1163 | packages = dict(sorted(packages.items())) | 1170 | packages = dict(sorted(packages.items())) |
| 223 | 1164 | if self.progress: | 1171 | if self.progress: |
| 224 | @@ -1186,14 +1193,11 @@ class OvalGeneratorPkg(OvalGenerator): | |||
| 225 | 1186 | self._populate_pkg(self.packages[pkg], root_element) | 1193 | self._populate_pkg(self.packages[pkg], root_element) |
| 226 | 1187 | 1194 | ||
| 227 | 1188 | #etree.indent(xml_tree, level=0) -> only available from Python 3.9 | 1195 | #etree.indent(xml_tree, level=0) -> only available from Python 3.9 |
| 228 | 1189 | filename = f"com.ubuntu.{self.release_codename}.pkg.oval.xml" | ||
| 229 | 1190 | xmlstr = minidom.parseString(etree.tostring(root_element)).toprettyxml(indent=" ") | 1196 | xmlstr = minidom.parseString(etree.tostring(root_element)).toprettyxml(indent=" ") |
| 230 | 1191 | if self.oval_format == 'oci': | ||
| 231 | 1192 | filename = f'oci.{filename}' | ||
| 232 | 1193 | 1197 | ||
| 234 | 1194 | with open(os.path.join(self.output_dir, filename), 'w') as file: | 1198 | with open(os.path.join(self.output_dir, self.output_filepath), 'w') as file: |
| 235 | 1195 | file.write(xmlstr) | 1199 | file.write(xmlstr) |
| 237 | 1196 | #xml_tree.write(os.path.join(self.output_dir, filename)) | 1200 | #xml_tree.write(os.path.join(self.output_dir, self.output_filepath)) |
| 238 | 1197 | return | 1201 | return |
| 239 | 1198 | 1202 | ||
| 240 | 1199 | class OvalGeneratorCVE: | 1203 | class OvalGeneratorCVE: |
lgtm, thanks!