Merge ~litios/ubuntu-cve-tracker:refactor/expand-handling into ubuntu-cve-tracker:master

Proposed by David Fernandez Gonzalez
Status: Merged
Merge reported by: David Fernandez Gonzalez
Merged at revision: a28ad74f5e615d34a10ed9de1c918aaade03d985
Proposed branch: ~litios/ubuntu-cve-tracker:refactor/expand-handling
Merge into: ubuntu-cve-tracker:master
Diff against target: 45 lines (+12/-2)
1 file modified
scripts/oval_lib.py (+12/-2)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
Ubuntu Security Team Pending
Review via email: mp+461894@code.launchpad.net

Description of the change

Currently, OVAL only handles release expansion for ESM releases.

This PR addresses this issue by introducing an exception list of not-to-merge releases, so we can apply the general case for any other releases.

------

Tested with esm-apps/jammy fips-updates/bionic, this PR does not introduce any OVAL output changes.

Revision history for this message
Eduardo Barretto (ebarretto) wrote (last edit ):

The CI failure is happening on check-cves because of enigmail on noble. It is totally unrelated to this commit.

lgtm, thanks!

review: Approve

Preview Diff

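--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -217,7 +217,7 @@ class CVEPkgRelEntry:
 
 # TODO fix for CVE Generator
 
-if expand == False and 'esm' in release:
+if not OvalGenerator._expand_release(release, expand):
 release = release_codename
 
 # break out status code and detail
@@ -510,6 +510,8 @@ class OvalGenerator:
 supported_oval_elements = ('definition', 'test', 'object', 'state', 'variable')
 generator_version = '2'
 oval_schema_version = '5.11.1'
+always_expand = [r'fips.*\/.*']
+
 def __init__(self, type, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
 self.releases = releases
 self.output_dir = outdir
@@ -553,13 +555,21 @@ class OvalGenerator:
 self.definition_step = 1 * 10 ** 5
 self.criterion_step = 10
 self.output_filepath = ''
-if self.expand == False and 'esm' in self.release:
+if not self._expand_release(self.release, self.expand):
 self.output_filepath = \
 '{0}com.ubuntu.{1}.{2}.oval.xml'.format('oci.' if self.oval_format == 'oci' else '', self.release_codename, self.generator_type)
 else:
 self.output_filepath = \
 '{0}com.ubuntu.{1}.{2}.oval.xml'.format('oci.' if self.oval_format == 'oci' else '', self.release.replace('/', '_'), self.generator_type)
 
+@staticmethod
+def _expand_release(release, expand) -> bool:
+if expand: return True
+
+for pattern in OvalGenerator.always_expand:
+if re.match(pattern, release): return True
+
+return False
 
 def _add_structure(self, root) -> None:
 structure = {}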
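Review bot: `_expand_release` (new lines 565-572) has no docstring and its name reads as an action rather than the predicate it is, so the contract that both call sites depend on (full release name when True, codename when False, per the `output_filepath` branches just above) should be written down: `"""Return True when the full release name (e.g. 'pocket/codename') must be kept instead of the bare codename: either expansion was requested, or the release matches a pattern in always_expand (currently FIPS)."""`. The docstring should also record that the patterns are applied with `re.match`, i.e. anchored at the start of the release string only, so a later entry such as a suffix-style pattern does not silently fail to match. The same leading-underscore method is now reached from `CVEPkgRelEntry` at line 220 via `OvalGenerator._expand_release`, which makes a nominally private helper a cross-class dependency; a module-level helper or a public name would make that explicit. As a point of style, the one-line `if expand: return True` and `if re.match(...): return True` forms are not PEP 8 (E701), and the loop collapses to `return any(re.match(p, release) for p in OvalGenerator.always_expand)`; the hunk does not show the module's imports, so `re` being in scope is assumed.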
