Merge ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/pocket_field_for_publish_cves into ubuntu-cve-tracker:master

Proposed by Paulo Flabiano Smorigo
Status: Merged
Merged at revision: a4f35692b4ff2a9d65758b18b4e16a53aae4d134
Proposed branch: ~pfsmorigo/ubuntu-cve-tracker:pfsmorigo/pocket_field_for_publish_cves
Merge into: ubuntu-cve-tracker:master
Diff against target: 149 lines (+30/-3)
7 files modified
scripts/publish-cves-to-website-api.py (+11/-2)
test/website_api/use_esm_status_for_eol_releases.json (+2/-0)
test/website_api/use_esm_status_if_esm_release (+2/-0)
test/website_api/use_esm_status_if_esm_release.json (+8/-1)
test/website_api/use_public_status_for_no_eol_releases.json (+2/-0)
test/website_api/use_public_status_if_public_release.json (+3/-0)
test/website_api/use_ros-esm_status.json (+2/-0)
Reviewer Review Type Date Requested Status
Alex Murray Approve
Review via email: mp+444872@code.launchpad.net

Description of the change

This commit adds the pocket field to the payload we send to the web api. More info in:
https://warthogs.atlassian.net/browse/SEC-1905

Basically, it checks whether the reported status comes from a product (ESM) release and, if so, uses that product's pocket; otherwise the pocket will be "security".

The field is already in place and working. I tested with one of our CVEs as you can see here:
https://ubuntu.com/security/cves/CVE-2023-28370.json

Also, more tests were added in order to cover this change.

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM, but I wonder whether the code that extracts the pocket from the release name needs to be a bit stricter.

review: Approve
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hey Alex, I'll soon create another PR to include other possible pockets, like fips, once I have a clear view of what we want. I'll try to follow your suggestion.

Preview Diff

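--- a/scripts/publish-cves-to-website-api.py
+++ b/scripts/publish-cves-to-website-api.py
@@ -114,6 +114,7 @@ def post_single_cve(cve_filename):
 
 for codename in cve_lib.releases + ["upstream"]:
 status = None
+ pocket = "security"
 
 # Set the public release first
 if codename in cve_data["pkgs"][pkg]:
@@ -121,12 +122,19 @@ def post_single_cve(cve_filename):
 
 if status and status[0] != "released" and codename in cve_lib.get_active_releases_with_esm():
 # Check for possible product statuses
- for release in [codename + "/esm", "esm-infra/" + codename,
- "esm-apps/" + codename, "ros-esm/" + codename, codename]:
+ for release in [
+ codename + "/esm",
+ "esm-infra/" + codename,
+ "esm-apps/" + codename,
+ "ros-esm/" + codename,
+ codename]:
 if release in cve_data["pkgs"][pkg]:
 esm_status = cve_data["pkgs"][pkg][release]
 # Use the ESM status if there is an ESM release or release is EOL
 if esm_status[0] == "released" or codename in cve_lib.eol_releases:
+ if esm_status[0] == "released" and "esm" in release:
+ pocket = "esm-infra" if codename == "trusty" \
+ else release.split("/")[0]
 status = esm_status
 break
 
@@ -136,6 +144,7 @@ def post_single_cve(cve_filename):
 "release_codename": codename,
 "status": status[0],
 "description": status[1],
+ "pocket": pocket,
 }
 )
 package = {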
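Review bot: The three lines added after `if esm_status[0] == "released" or codename in cve_lib.eol_releases:` derive the pocket by string inspection, and for a `<codename>/esm` key on any codename other than trusty `release.split("/")[0]` yields the codename itself, so that row would be published with a pocket such as `"xenial"`; whether such keys exist for other codenames is not visible here, but the candidate list built on the preceding lines admits one for every active ESM release. The `"esm" in release` test also means any future product prefix without that substring (the thread mentions fips) silently falls through to `security`. Pairing each candidate key with its pocket, as sketched below, removes both the substring test and the trusty special case, assuming `<codename>/esm` always maps to esm-infra as the trusty fixture shows. post_single_cve starts before this hunk and continues after it.
```python
# … unchanged: public-release status lookup …
for release, release_pocket in [
        (codename + "/esm", "esm-infra"),
        ("esm-infra/" + codename, "esm-infra"),
        ("esm-apps/" + codename, "esm-apps"),
        ("ros-esm/" + codename, "ros-esm"),
        (codename, "security")]:
    if release in cve_data["pkgs"][pkg]:
        esm_status = cve_data["pkgs"][pkg][release]
        # Use the ESM status if there is an ESM release or release is EOL
        if esm_status[0] == "released" or codename in cve_lib.eol_releases:
            if esm_status[0] == "released":
                pocket = release_pocket
            status = esm_status
            break
# … unchanged: status payload assembly …
```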
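--- a/test/website_api/use_esm_status_for_eol_releases.json
+++ b/test/website_api/use_esm_status_for_eol_releases.json
@@ -8,9 +8,11 @@
 "name": "package",
 "source": "https://launchpad.net/ubuntu/+source/package",
 "statuses": [{"description": "",
+ "pocket": "security",
 "release_codename": "trusty",
 "status": "needed"},
 {"description": "",
+ "pocket": "security",
 "release_codename": "upstream",
 "status": "needs-triage"}],
 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],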
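--- a/test/website_api/use_esm_status_if_esm_release
+++ b/test/website_api/use_esm_status_if_esm_release
@@ -18,6 +18,8 @@ CVSS:
 
 Patches_package:
 upstream_package: needs-triage
+trusty_package: needs-triage
+trusty/esm_package: released (1.0.0~esm1)
 focal_package: needs-triage
 esm-apps/focal_package: released (1.2.3~esm1)
 jammy_package: needed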
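--- a/test/website_api/use_esm_status_if_esm_release.json
+++ b/test/website_api/use_esm_status_if_esm_release.json
@@ -7,13 +7,20 @@
 "packages": [{"debian": "https://tracker.debian.org/pkg/package",
 "name": "package",
 "source": "https://launchpad.net/ubuntu/+source/package",
- "statuses": [{"description": "1.2.3~esm1",
+ "statuses": [{"description": "1.0.0~esm1",
+ "pocket": "esm-infra",
+ "release_codename": "trusty",
+ "status": "released"},
+ {"description": "1.2.3~esm1",
+ "pocket": "esm-apps",
 "release_codename": "focal",
 "status": "released"},
 {"description": "1.2.4~esm1",
+ "pocket": "esm-apps",
 "release_codename": "jammy",
 "status": "released"},
 {"description": "",
+ "pocket": "security",
 "release_codename": "upstream",
 "status": "needs-triage"}],
 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],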
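--- a/test/website_api/use_public_status_for_no_eol_releases.json
+++ b/test/website_api/use_public_status_for_no_eol_releases.json
@@ -8,9 +8,11 @@
 "name": "package",
 "source": "https://launchpad.net/ubuntu/+source/package",
 "statuses": [{"description": "",
+ "pocket": "security",
 "release_codename": "jammy",
 "status": "needed"},
 {"description": "",
+ "pocket": "security",
 "release_codename": "upstream",
 "status": "needs-triage"}],
 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],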
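--- a/test/website_api/use_public_status_if_public_release.json
+++ b/test/website_api/use_public_status_if_public_release.json
@@ -8,12 +8,15 @@
 "name": "package",
 "source": "https://launchpad.net/ubuntu/+source/package",
 "statuses": [{"description": "1.2.3",
+ "pocket": "security",
 "release_codename": "trusty",
 "status": "released"},
 {"description": "4.5.6",
+ "pocket": "security",
 "release_codename": "jammy",
 "status": "released"},
 {"description": "",
+ "pocket": "security",
 "release_codename": "upstream",
 "status": "needs-triage"}],
 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],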
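--- a/test/website_api/use_ros-esm_status.json
+++ b/test/website_api/use_ros-esm_status.json
@@ -8,9 +8,11 @@
 "name": "package",
 "source": "https://launchpad.net/ubuntu/+source/package",
 "statuses": [{"description": "1.2.3",
+ "pocket": "ros-esm",
 "release_codename": "bionic",
 "status": "released"},
 {"description": "",
+ "pocket": "security",
 "release_codename": "upstream",
 "status": "needs-triage"}],
 "ubuntu": "https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=package"}],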
