Ubuntu CVE Tracker

Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish_cves_fix_esm-apps_status into ubuntu-cve-tracker:master

Git
lp:~pfsmorigo/ubuntu-cve-tracker
pfsmorigo/publish_cves_fix_esm-apps_status
Merge into master

Proposed by Paulo Flabiano Smorigo on 2023-06-02

Status:	Merged
Merged at revision:	5267b30ee030f56105511b15830014b01e64b16f
Proposed branch:	~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish_cves_fix_esm-apps_status
Merge into:	ubuntu-cve-tracker:master
Diff against target:	88 lines (+57/-5) 3 files modified scripts/publish-cves-to-website-api.py (+7/-5) test/website_api/use_esm_status_if_esm_release (+24/-0) test/website_api/use_esm_status_if_esm_release.json (+26/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Alex Murray		2023-06-02	Approve on 2023-06-05
Review via email: mp+444054@code.launchpad.net

Description of the change

I found a bug in the publish-cves scripts that ignored "released" status when it's esm-apps and the release is not EOL (focal on). The reason is that it was checking status == "released" but since status is a tuple the correct would be to check status[0] == "released".

I'm adding a test specifically for this case and planning to add more cases in the future.

Also, I took the opportunity to change the code a little bit in order to use in my future PR to add the pocket field.

Meanwhile, I'm checking all the CVEs we have esm-apps releases and will refresh the web page to fix the status.

Revision history for this message

Alex Murray (alexmurray) wrote on 2023-06-05:

LGTM, thanks.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Aravind

Paulo Flabiano Smorigo

Philip Roche

Robert C Jennings

Simon Quigley

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
 index 46331df..99c95b9 100755
 --- a/scripts/publish-cves-to-website-api.py
 +++ b/scripts/publish-cves-to-website-api.py
@@ -119,14 +119,16 @@ def post_single_cve(cve_filename):
              if codename in cve_data["pkgs"][pkg]:
                  status = cve_data["pkgs"][pkg][codename]
--            # If the release is EOL or there is an ESM update for it use ESM status
              if status and status[0] != "released" and codename in cve_lib.get_active_releases_with_esm():
++                # Check for possible product statuses
                  for release in [codename + "/esm", "esm-infra/" + codename,
                          "esm-apps/" + codename, "ros-esm/" + codename, codename]:
--                    if release in cve_data["pkgs"][pkg] and \
--                            (codename in cve_lib.eol_releases or cve_data["pkgs"][pkg][release] == "released"):
--                        status = cve_data["pkgs"][pkg][release]
--                        break
++                    if release in cve_data["pkgs"][pkg]:
++                        esm_status = cve_data["pkgs"][pkg][release]
++                        # Use the ESM status if there is an ESM release or release is EOL
++                        if esm_status[0] == "released" or codename in cve_lib.eol_releases:
++                            status = esm_status
++                            break
              if status:
                  statuses.append(
 diff --git a/test/website_api/use_esm_status_if_esm_release b/test/website_api/use_esm_status_if_esm_release
 new file mode 100644
 index 0000000..9281cbb
 --- /dev/null
 +++ b/test/website_api/use_esm_status_if_esm_release
@@ -0,0 +1,24 @@
++PublicDateAtUSN: 2020-08-04 17:00:00 UTC
++Candidate: CVE-2020-1234
++CRD: 2020-08-04 17:00:00 UTC
++PublicDate: 2020-08-04 17:00:00 UTC
++References:
++ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234
++Description:
++ Publish CVEs to Website API tests
++Ubuntu-Description:
++Notes:
++Mitigation:
++Bugs:
++Priority: medium
++Discovered-by:
++Assigned-to:
++CVSS:
++
++
++Patches_package:
++upstream_package: needs-triage
++focal_package: needs-triage
++esm-apps/focal_package: released (1.2.3~esm1)
++jammy_package: needed
++esm-apps/jammy_package: released (1.2.4~esm1)
 diff --git a/test/website_api/use_esm_status_if_esm_release.json b/test/website_api/use_esm_status_if_esm_release.json
 new file mode 100644
 index 0000000..b198bd5
 --- /dev/null
 +++ b/test/website_api/use_esm_status_if_esm_release.json
@@ -0,0 +1,26 @@
++[{"bugs": [""],
++  "cvss3": null,
++  "description": "\nPublish CVEs to Website API tests",
++  "id": "CVE-2020-1234",
++  "mitigation": "",
++  "notes": [],
++  "packages": [{"debian": "https://tracker.debian.org/pkg/package",
++                "name": "package",
++                "source": "https://launchpad.net/ubuntu/+source/package",
++                "statuses": [{"description": "1.2.3~esm1",
++                              "release_codename": "focal",
++                              "status": "released"},
++                             {"description": "1.2.4~esm1",
++                              "release_codename": "jammy",
++                              "status": "released"},
++                             {"description": "",
++                              "release_codename": "upstream",
++                              "status": "needs-triage"}],
++                "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],
++  "patches": {"package": []},
++  "priority": "medium",
++  "published": "2020-08-04 17:00:00 UTC",
++  "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234"],
++  "status": "active",
++  "tags": {},
++  "ubuntu_description": ""}]

Ubuntu CVE Tracker

Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish_cves_fix_esm-apps_status into ubuntu-cve-tracker:master

Commit message

Description of the change

Preview Diff

Subscribers