Ubuntu CVE Tracker

Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish-cves-to-website into ubuntu-cve-tracker:master

Proposed by Paulo Flabiano Smorigo on 2021-05-05

Status:	Rejected
Rejected by:	Eduardo Barretto on 2024-02-02
Proposed branch:	~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish-cves-to-website
Merge into:	ubuntu-cve-tracker:master
Diff against target:	83 lines (+8/-41) 1 file modified scripts/publish-cves-to-website-api.py (+8/-41)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Eduardo Barretto		2021-05-05	Disapprove on 2024-02-02
Review via email: mp+402230@code.launchpad.net

Description of the change

Currently, the publish cve script use only the release name and cut the suffix out (i.e. /esm). That means we are sending two status for trusty: https://pastebin.canonical.com/p/HSWwDC7ZVM/

This merge proposal use the names the same way they are in the CVE file, filtering the releases we support. Like this: https://pastebin.canonical.com/p/jXCfshrSP8/

This change will not work with the current web API so we need to ask the web team to add those new names to the release_codename list.

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2024-02-02:

I don't think this is an issue anymore and we adapted the script to solve this in a different way.
I will be closing this PR. Please open a new one in case anything else is needed.

review: Disapprove

Unmerged commits

781641c... by Paulo Flabiano Smorigo on 2021-05-05

scripts/publish-cves-to-website-api.py: use releases names including esm

Signed-off-by: Paulo Flabiano Smorigo <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Paulo Flabiano Smorigo

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
 index ccc7f3c..7911d6c 100755
 --- a/scripts/publish-cves-to-website-api.py
 +++ b/scripts/publish-cves-to-website-api.py
@@ -29,14 +29,6 @@ def authentication(method, url, payload):
      client.cookies.save(ignore_discard=True)
      return response
--def get_codename(raw_codename, cve_releases):
--    codename = raw_codename.split("/")[0]
--
--    if codename != "devel":
--        return codename
--
--    return get_devel_codename(cve_releases)
--
  def get_tags(cve_data, pkg):
      return list(cve_data['tags'].get(pkg, list()))
@@ -44,32 +36,6 @@ def get_patches(cve_data, pkg):
      patches_str = cve_data.get(f'Patches_{pkg}', "")
      return [line for line in patches_str.split('\n') if line]
--
--def get_devel_codename(cve_releases):
--    for skip_release in ['upstream', 'devel', 'product', 'snap']:
--        if skip_release in cve_releases:
--            cve_releases.remove(skip_release)
--
--    if len(cve_releases) <= 0:
--        print ("WARNING: No valid ubuntu releases in CVE", file=sys.stderr)
--        return None
--
--    cve_releases = cve_lib.release_sort(cve_releases)
--
--    devel_release_index = cve_lib.releases.index(cve_releases[-1]) + 1
--    if devel_release_index >= len(cve_lib.releases) or devel_release_index < 0:
--        print (
--            "WARNING: Could not determine devel release codename. Perhaps it hasn't "
--            "been added to cve_lib.all_releases yet?",
--            file=sys.stderr
--        )
--        return None
--
--    cve_devel_release = cve_lib.releases[devel_release_index]
--
--    return cve_devel_release
--
--
  def post_single_cve(cve_filename):
      # Upload active and ignored (in Ubuntu)
      cve_data = cve_lib.load_cve(cve_filename)
@@ -78,6 +44,11 @@ def post_single_cve(cve_filename):
      if references[0] == "":
          references.pop(0)
++    supported_releases = cve_lib.releases
++    supported_releases += [rel + "/esm" for rel in cve_lib.esm_releases]
++    supported_releases += ["esm-infra/" + rel for rel in cve_lib.esm_infra_releases]
++    supported_releases += ["esm-apps/" + rel for rel in cve_lib.esm_apps_releases]
++
      cvss3 = None
      if len(cve_data["CVSS"]) > 0:
          if "3." in cve_data["CVSS"][0][1]:
@@ -91,15 +62,11 @@ def post_single_cve(cve_filename):
      for pkg in cve_data["pkgs"]:
          statuses = []
          cve_releases = cve_data["pkgs"][pkg].keys()
--        cve_releases = [rel for rel in cve_releases if rel in cve_lib.releases]
++        cve_releases = [rel for rel in cve_releases if rel in supported_releases]
          tags[pkg] = get_tags(cve_data, pkg)
          patches[pkg] = get_patches(cve_data, pkg)
--        for [raw_codename, value] in cve_data["pkgs"][pkg].items():
--            codename = get_codename(raw_codename, cve_releases)
--            if codename is None:
--                continue
--
--            if codename in cve_lib.releases + ["upstream"]:
++        for [codename, value] in cve_data["pkgs"][pkg].items():
++            if codename in supported_releases + ["upstream"]:
                  statuses.append(
+                     {
                          "release_codename": codename,