Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish_cves_fix_esm-apps_status into ubuntu-cve-tracker:master

Proposed by Paulo Flabiano Smorigo
Status: Merged
Merged at revision: 5267b30ee030f56105511b15830014b01e64b16f
Proposed branch: ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/publish_cves_fix_esm-apps_status
Merge into: ubuntu-cve-tracker:master
Diff against target: 88 lines (+57/-5)
3 files modified
scripts/publish-cves-to-website-api.py (+7/-5)
test/website_api/use_esm_status_if_esm_release (+24/-0)
test/website_api/use_esm_status_if_esm_release.json (+26/-0)
Reviewer: Alex Murray (Approve)
Review via email: mp+444054@code.launchpad.net

Description of the change

I found a bug in the publish-cves scripts that ignored the "released" status when it's esm-apps and the release is not EOL (focal onwards). The reason is that it was checking status == "released", but since status is a tuple the correct check would be status[0] == "released".

I'm adding a test specifically for this case and planning to add more cases in the future.

Also, I took the opportunity to change the code a little bit in order to use in my future PR to add the pocket field.

Meanwhile, I'm checking all the CVEs for which we have esm-apps releases and will refresh the web page to fix the status.
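The tuple comparison bug described in this proposal, modelled as an added example that is not the ubuntu-cve-tracker project's code. It parses the package lines of the test fixture into a (state, detail) tuple per release, then runs the ESM selection loop once with the old whole-tuple comparison and once with the element comparison. The tuple layout, the EOL_RELEASES and ACTIVE_RELEASES_WITH_ESM stand-ins for cve_lib, and the helper names are assumptions.

```python
# Added example (not the ubuntu-cve-tracker project's code). It models the
# status-selection logic described in this merge proposal with a plain
# (state, detail) tuple and stand-ins for cve_lib; those shapes are assumptions.
import re

# Constructed sample, mirroring the package lines of the test fixture.
SAMPLE_PKG_LINES = """\
upstream_package: needs-triage
focal_package: needs-triage
esm-apps/focal_package: released (1.2.3~esm1)
jammy_package: needed
esm-apps/jammy_package: released (1.2.4~esm1)
"""

# Assumed stand-ins for cve_lib.eol_releases and
# cve_lib.get_active_releases_with_esm().
EOL_RELEASES = {"bionic"}
ACTIVE_RELEASES_WITH_ESM = {"focal", "jammy"}

# <release>_<package>: <state> [(<detail>)]
STATUS_RE = re.compile(
    r"^(?P<release>[^:\s]+)_(?P<pkg>\w+): (?P<state>[\w-]+)(?: \((?P<detail>[^)]*)\))?$"
)


def parse_pkg_statuses(text):
    """Return {pkg: {release: (state, detail)}}; the tuple layout is assumed."""
    pkgs = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            pkgs.setdefault(m["pkg"], {})[m["release"]] = (m["state"], m["detail"] or "")
    return pkgs


def buggy_is_released(status):
    # Compares the whole tuple against a string: never true, so ESM
    # "released" entries were silently ignored (the bug being fixed).
    return status == "released"


def fixed_is_released(status):
    # Compares the state element of the tuple, as the fix does.
    return status[0] == "released"


def select_status(pkgs, pkg, codename, is_released):
    """Pick the status to publish for one package/release, preferring an ESM
    entry when it is released or the base release is EOL."""
    status = pkgs[pkg].get(codename)
    if status and status[0] != "released" and codename in ACTIVE_RELEASES_WITH_ESM:
        for release in [codename + "/esm", "esm-infra/" + codename,
                        "esm-apps/" + codename, "ros-esm/" + codename, codename]:
            if release in pkgs[pkg]:
                esm_status = pkgs[pkg][release]
                if is_released(esm_status) or codename in EOL_RELEASES:
                    status = esm_status
                    break
    return status


def published_statuses(pkgs, pkg, codenames, is_released):
    """Build the per-release entries in the shape of the expected JSON."""
    out = []
    for codename in codenames:
        status = select_status(pkgs, pkg, codename, is_released)
        if status:
            out.append({"release_codename": codename,
                        "status": status[0],
                        "description": status[1]})
    return out


PKGS = parse_pkg_statuses(SAMPLE_PKG_LINES)

if __name__ == "__main__":
    for name, check in [("buggy", buggy_is_released), ("fixed", fixed_is_released)]:
        print(name, published_statuses(PKGS, "package",
                                       ["focal", "jammy", "upstream"], check))
```

With the old comparison, focal stays at needs-triage even though esm-apps/focal is released; with the element comparison it publishes released with the 1.2.3~esm1 detail, which is what the expected JSON in this proposal asserts.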

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM, thanks.

review: Approve

Preview Diff

diff --git a/scripts/publish-cves-to-website-api.py b/scripts/publish-cves-to-website-api.py
index 46331df..99c95b9 100755
--- a/scripts/publish-cves-to-website-api.py
+++ b/scripts/publish-cves-to-website-api.py
@@ -119,14 +119,16 @@ def post_single_cve(cve_filename):
119 if codename in cve_data["pkgs"][pkg]:119 if codename in cve_data["pkgs"][pkg]:
120 status = cve_data["pkgs"][pkg][codename]120 status = cve_data["pkgs"][pkg][codename]
121121
122 # If the release is EOL or there is an ESM update for it use ESM status
123 if status and status[0] != "released" and codename in cve_lib.get_active_releases_with_esm():122 if status and status[0] != "released" and codename in cve_lib.get_active_releases_with_esm():
123 # Check for possible product statuses
124 for release in [codename + "/esm", "esm-infra/" + codename,124 for release in [codename + "/esm", "esm-infra/" + codename,
125 "esm-apps/" + codename, "ros-esm/" + codename, codename]:125 "esm-apps/" + codename, "ros-esm/" + codename, codename]:
126 if release in cve_data["pkgs"][pkg] and \126 if release in cve_data["pkgs"][pkg]:
127 (codename in cve_lib.eol_releases or cve_data["pkgs"][pkg][release] == "released"):127 esm_status = cve_data["pkgs"][pkg][release]
128 status = cve_data["pkgs"][pkg][release]128 # Use the ESM status if there is an ESM release or release is EOL
129 break129 if esm_status[0] == "released" or codename in cve_lib.eol_releases:
130 status = esm_status
131 break
130132
131 if status:133 if status:
132 statuses.append(134 statuses.append(
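Review bot: esm_status[0] at new line 129 is indexed without the truthiness guard that the outer condition applies to status ("if status and status[0] != ..."), so an empty or None entry for one of the ESM release keys would raise instead of being skipped; consider "if esm_status and (esm_status[0] == "released" or codename in cve_lib.eol_releases):" to keep the two checks symmetric. Comparing esm_status[0] rather than the whole tuple is the actual fix for the ignored "released" ESM status described above, and hoisting the lookup into esm_status reads more clearly than the old combined condition.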
diff --git a/test/website_api/use_esm_status_if_esm_release b/test/website_api/use_esm_status_if_esm_release
133new file mode 100644135new file mode 100644
index 0000000..9281cbb
--- /dev/null
+++ b/test/website_api/use_esm_status_if_esm_release
@@ -0,0 +1,24 @@
1PublicDateAtUSN: 2020-08-04 17:00:00 UTC
2Candidate: CVE-2020-1234
3CRD: 2020-08-04 17:00:00 UTC
4PublicDate: 2020-08-04 17:00:00 UTC
5References:
6 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234
7Description:
8 Publish CVEs to Website API tests
9Ubuntu-Description:
10Notes:
11Mitigation:
12Bugs:
13Priority: medium
14Discovered-by:
15Assigned-to:
16CVSS:
17
18
19Patches_package:
20upstream_package: needs-triage
21focal_package: needs-triage
22esm-apps/focal_package: released (1.2.3~esm1)
23jammy_package: needed
24esm-apps/jammy_package: released (1.2.4~esm1)
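Review bot: this fixture only exercises the esm-apps/<codename> key, while the loop in the script also consults <codename>/esm, esm-infra/<codename> and ros-esm/<codename>, and the EOL branch is not covered at all since focal and jammy are both active; a second fixture with an EOL release whose ESM entry is not "released", and one where a non-esm-apps key is released, would pin down the other arms of the new condition. As written, the focal (needs-triage with a released esm-apps entry) and jammy (needed with a released esm-apps entry) cases are exactly the ones the old whole-tuple comparison got wrong.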
diff --git a/test/website_api/use_esm_status_if_esm_release.json b/test/website_api/use_esm_status_if_esm_release.json
0new file mode 10064425new file mode 100644
index 0000000..b198bd5
--- /dev/null
+++ b/test/website_api/use_esm_status_if_esm_release.json
@@ -0,0 +1,26 @@
1[{"bugs": [""],
2 "cvss3": null,
3 "description": "\nPublish CVEs to Website API tests",
4 "id": "CVE-2020-1234",
5 "mitigation": "",
6 "notes": [],
7 "packages": [{"debian": "https://tracker.debian.org/pkg/package",
8 "name": "package",
9 "source": "https://launchpad.net/ubuntu/+source/package",
10 "statuses": [{"description": "1.2.3~esm1",
11 "release_codename": "focal",
12 "status": "released"},
13 {"description": "1.2.4~esm1",
14 "release_codename": "jammy",
15 "status": "released"},
16 {"description": "",
17 "release_codename": "upstream",
18 "status": "needs-triage"}],
19 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],
20 "patches": {"package": []},
21 "priority": "medium",
22 "published": "2020-08-04 17:00:00 UTC",
23 "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1234"],
24 "status": "active",
25 "tags": {},
26 "ubuntu_description": ""}]
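Review bot: the expected statuses for focal and jammy carry no indication that they were resolved from the esm-apps entries rather than from the main release (only "status": "released" and the ~esm1 version in "description"), so this fixture will need updating when the pocket field mentioned in the description lands; for now it correctly asserts released/1.2.3~esm1 for focal and released/1.2.4~esm1 for jammy, where the pre-fix code would have emitted needs-triage and needed, and upstream stays needs-triage with an empty description.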
