Merge ~litios/ubuntu-cve-tracker:refactor/expand-handling into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merge reported by: David Fernandez Gonzalez
Merged at revision: a28ad74f5e615d34a10ed9de1c918aaade03d985
Proposed branch: ~litios/ubuntu-cve-tracker:refactor/expand-handling
Merge into: ubuntu-cve-tracker:master
Diff against target: 45 lines (+12/-2)
1 file modified
scripts/oval_lib.py (+12/-2)
Reviewers:
Eduardo Barretto: Approve
Ubuntu Security Team: Pending
Review via email: mp+461894@code.launchpad.net

Description of the change

Currently, OVAL only allows handling release expansion for ESM releases.

This PR addresses this issue by introducing an exception list of not-to-merge releases, so we can apply the general case for any other releases.

------

Tested with esm-apps/jammy and fips-updates/bionic; this PR does not introduce any OVAL output changes.

Eduardo Barretto (ebarretto) wrote:

CI failure is happening on check-cves, because of enigmail on noble. Totally unrelated to this commit.

lgtm, thanks!

review: Approve

Preview Diff

1diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
2index 2eece06..17650ee 100755
3--- a/scripts/oval_lib.py
4+++ b/scripts/oval_lib.py
5@@ -217,7 +217,7 @@ class CVEPkgRelEntry:
6
7 # TODO fix for CVE Generator
8
9- if expand == False and 'esm' in release:
10+ if not OvalGenerator._expand_release(release, expand):
11 release = release_codename
12
13 # break out status code and detail
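Review bot: the replacement condition widens the codename substitution beyond ESM. `if not OvalGenerator._expand_release(release, expand)` takes the `release = release_codename` branch for every release that is neither explicitly expanded nor matched by `always_expand` (only FIPS patterns in this proposal), whereas the removed `'esm' in release` check did so only for ESM releases. The test set in the description (esm-apps/jammy, fips-updates/bionic) covers both retained behaviours but not a `pocket/codename` release outside those two families, so please confirm either that no such release exists or that collapsing it to the codename is intended. Separately, calling a static method of `OvalGenerator` from `CVEPkgRelEntry` couples the two classes; a module-level helper would avoid the cross-class reference.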
14@@ -510,6 +510,8 @@ class OvalGenerator:
15 supported_oval_elements = ('definition', 'test', 'object', 'state', 'variable')
16 generator_version = '2'
17 oval_schema_version = '5.11.1'
18+ always_expand = [r'fips.*\/.*']
19+
20 def __init__(self, type, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
21 self.releases = releases
22 self.output_dir = outdir
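Review bot: `always_expand = [r'fips.*\/.*']` carries an unneeded `\/` escape (`/` is not special in Python regular expressions), and because `_expand_release` uses `re.match`, which anchors at the start, the trailing `.*` adds nothing; `r'fips.*/'` expresses the same match. A one-line comment stating what membership in this list means (the full `pocket/codename` name is kept in filenames and criteria) would help, and since the list is never mutated a tuple, as used for `supported_oval_elements` two lines above, would be consistent. The hunk does not add `import re`, so confirm the module already imports it.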
23@@ -553,13 +555,21 @@ class OvalGenerator:
24 self.definition_step = 1 * 10 ** 5
25 self.criterion_step = 10
26 self.output_filepath = ''
27- if self.expand == False and 'esm' in self.release:
28+ if not self._expand_release(self.release, self.expand):
29 self.output_filepath = \
30 '{0}com.ubuntu.{1}.{2}.oval.xml'.format('oci.' if self.oval_format == 'oci' else '', self.release_codename, self.generator_type)
31 else:
32 self.output_filepath = \
33 '{0}com.ubuntu.{1}.{2}.oval.xml'.format('oci.' if self.oval_format == 'oci' else '', self.release.replace('/', '_'), self.generator_type)
34
35+ @staticmethod
36+ def _expand_release(release, expand) -> bool:
37+ if expand: return True
38+
39+ for pattern in OvalGenerator.always_expand:
40+ if re.match(pattern, release): return True
41+
42+ return False
43
44 def _add_structure(self, root) -> None:
45 structure = {}
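Review bot: `if expand: return True` and `if re.match(pattern, release): return True` place the body on the same line as the `if`, which PEP 8 discourages; the method body reduces to `return expand or any(re.match(p, release) for p in OvalGenerator.always_expand)`. A short docstring is also worth adding, because the name reads as the inverse of the branch it controls at line 555 (`if not self._expand_release(...)` selects the codename-based filename), and that relationship is easy to misread without it.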
