Merge ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_usn_option into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 6328a97df0080172a383406c289c19c30f1bde9f
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_usn_option
Merge into: ubuntu-cve-tracker:master
Diff against target: 56 lines (+20/-0)
2 files modified
scripts/prepare-kernel-usn.py (+4/-0)
scripts/sis-generate-usn (+16/-0)
Reviewer: Steve Beattie
Status: Approve
Review via email: mp+440359@code.launchpad.net

Commit message

prepare-kernel-usn.py and sis-generate-usn: add new argument

 with the optional argument --filter-cves it is possible to filter out
 CVEs that are marked as released but were found in the changelog.
 It is mainly needed in the kernel USNs context as kernel changelogs
 may include previous version changelogs.

Description of the change

When dealing with kernel releases, it is common to have changelogs that include previous versions' changelogs in the current one.
When running the `prepare-kernel-usn.py` script against a version like this, it will throw an error saying that there are CVEs in the changelog that were not passed on the command line, and for these cases we have to re-run the script ignoring those CVEs.

example:
focal/linux-aws : 5.4.0-1100.108 - https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1100.108
"linux-aws (5.4.0-1099.107)" and older ones can be found there.

 $ cd $UCT
 $ ./scripts/prepare-kernel-usn.py -n -p Proposed focal focal/linux-aws: 5.4.0-1100.108
 ...
 ValueError: CVEs found in changelog but not command line: CVE-2022-3567 CVE-2022-3524 CVE-2022-3643 CVE-2022-2196 CVE-2022-3621 CVE-2022-41218 CVE-2022-3564 CVE-2023-0461 CVE-2022-4382 CVE-2022-3061 CVE-2023-0266 CVE-2022-3594 CVE-2022-42703 CVE-2022-43945 CVE-2022-2663 CVE-2022-4139 CVE-2023-23559 CVE-2021-3669 CVE-2022-3545 CVE-2022-3566 CVE-2022-3565 CVE-2022-47520 CVE-2022-42896 CVE-2022-45934
 ...

Those CVEs are already released in older kernels.
With the change proposed:

 $ cd $UCT
 $ ./scripts/prepare-kernel-usn.py -n -p Proposed focal focal/linux-aws: 5.4.0-1100.108 --filter-cves
 ...
 INFO: CVEs '{'CVE-2022-41218', 'CVE-2022-42703', 'CVE-2022-3524', 'CVE-2022-3621', 'CVE-2022-3567', 'CVE-2022-4139', 'CVE-2022-3565', 'CVE-2022-3564', 'CVE-2022-42896', 'CVE-2022-3566', 'CVE-2022-45934', 'CVE-2023-0266', 'CVE-2022-3061', 'CVE-2022-4382', 'CVE-2022-47520', 'CVE-2022-2663', 'CVE-2022-3643', 'CVE-2023-23559', 'CVE-2023-0461', 'CVE-2022-2196', 'CVE-2022-3545', 'CVE-2022-43945', 'CVE-2022-3594', 'CVE-2021-3669'}' in changelog are already released, ignoring
 ...
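The two steps described above, the superset sanity check that trips over an older upload's CVEs and the release-status filter the new flag applies before it, as an added example that is not code from ubuntu-cve-tracker. The function names, the changelog text, the CVE records (shaped like the `cve["pkgs"][pkg][release]` lookup in the diff) and the `info[release][pkg]` map are all constructed for this example; the filter also skips a CVE record that has the package but no entry for the release instead of failing.

```python
import re

# Added example (not ubuntu-cve-tracker code). Models the behaviour the merge
# proposal describes: CVEs are autodetected from the changelog, optionally
# stripped of those the tracker already marks as released, then checked
# against the CVE list given on the command line. All names and data below
# are assumptions constructed for the example.

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed changelog: the 5.4.0-1099.107 entry is appended after the
# current 5.4.0-1100.108 entry, as the proposal describes for kernel uploads.
SAMPLE_CHANGELOG = """\
linux-aws (5.4.0-1100.108) focal; urgency=medium

  * CVE-2023-1234 (constructed id)
    - current fix

linux-aws (5.4.0-1099.107) focal; urgency=medium

  * CVE-2022-3524
    - fix shipped in the previous upload
  * CVE-2022-3565
    - fix shipped in the previous upload
"""

# Constructed stand-in for the tracker's per-CVE records; the shape
# cve["pkgs"][pkg][release] -> (status, note) follows the diff's indexing.
SAMPLE_CVE_DB = {
    "CVE-2023-1234": {"pkgs": {"linux-aws": {"focal": ("needed", "")}}},
    "CVE-2022-3524": {"pkgs": {"linux-aws": {"focal": ("released", "5.4.0-1099.107")}}},
    # linux-aws entry exists but has no 'focal' key: the edge case a direct
    # cve["pkgs"][pkg][release] lookup would turn into a KeyError.
    "CVE-2022-3565": {"pkgs": {"linux-aws": {"jammy": ("released", "")}}},
}

# info[release][pkg] -> version, mirroring how the diff walks info.
SAMPLE_INFO = {"focal": {"linux-aws": "5.4.0-1100.108"}}


def cves_in_changelog(changelog):
    """Autodetect CVE ids anywhere in the changelog text."""
    return set(CVE_RE.findall(changelog))


def released_cves(cves, cve_db, info):
    """Return the subset of `cves` marked released for any (release, pkg)
    pair in `info`. Missing package or release entries are skipped rather
    than raising, and an unknown CVE id is simply not released."""
    released = set()
    for cve_num in sorted(cves):
        pkgs = cve_db.get(cve_num, {}).get("pkgs", {})
        for release, packages in info.items():
            for pkg in packages:
                status = pkgs.get(pkg, {}).get(release)
                if status is not None and status[0] == "released":
                    released.add(cve_num)
    return released


def missing_from_cmdline(cmdline_cves, changelog_cves):
    """CVEs seen in the changelog that were not passed on the command line."""
    return set(changelog_cves) - set(cmdline_cves)


def check_superset(cmdline_cves, changelog_cves):
    """The sanity check from the description: the command-line list must be
    a superset of what the changelog contains."""
    missing = missing_from_cmdline(cmdline_cves, changelog_cves)
    if missing:
        raise ValueError("CVEs found in changelog but not command line: %s"
                         % " ".join(sorted(missing)))
    return True


def filter_changelog_cves(changelog, cmdline_cves, cve_db, info, ignore_released):
    """Detect, optionally drop already-released CVEs, then run the check.
    Returns the CVE set that would go into the USN."""
    cves = cves_in_changelog(changelog)
    if ignore_released:
        cves -= released_cves(cves, cve_db, info)
    check_superset(cmdline_cves, cves)
    return cves


if __name__ == "__main__":
    kept = filter_changelog_cves(SAMPLE_CHANGELOG, {"CVE-2023-1234", "CVE-2022-3565"},
                                 SAMPLE_CVE_DB, SAMPLE_INFO, ignore_released=True)
    print("CVEs kept for the USN:", " ".join(sorted(kept)))
```

Run without the filter, the sample raises the same ValueError shape shown above because CVE-2022-3524 comes only from the older entry; with it, that CVE is dropped while CVE-2022-3565, which is released for a different release only, is kept and still has to be on the command line.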

Revision history for this message
Seth Arnold (seth-arnold) wrote :

The name feels a bit generic for what it does; if there's a good reason to go with this, that's fine, but I'd like to suggest something more like:

--ignore-released-cves
--filter-released-cves
--skip-released-cves
--ignore-released-cves-in-changelog
--filter-released-cves-in-changelog
--skip-released-cves-in-changelog

or something else :) -- something that's more specific about what exact operation is going to be done, and the cves that it is going to be done to.

Thanks

Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Hi Seth,

> The name feels a bit generic for what it does; if there's a good reason to go
> with this, that's fine, but I'd like to suggest something more like:
>
> --ignore-released-cves
> --filter-released-cves
> --skip-released-cves
> --ignore-released-cves-in-changelog
> --filter-released-cves-in-changelog
> --skip-released-cves-in-changelog
>
> or something else :) -- something that's more specific about what exact
> operation is going to be done, and the cves that it is going to be done to.

Thanks for the input, better be clear.
I took one of your ideas (--ignore-released-cves-in-changelog) and added it in a new commit, alongside a fix for a condition that I just realized was missing.

>
> Thanks

Thank you very much

Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Just used this feature in the last cycle's releases (2023.03.20), and it proved to be useful: for some of the linux-azure and linux-aws kernels, old changelogs were included in the current release changelog, and while using the feature I was able to quickly skip the already released CVEs and didn't get issues.

As it is using a new argument, --ignore-released-cves-in-changelog, the impacts for other users are close to nothing as the default is not to use the argument.

Does anyone oppose merging this to master?

Thanks!

Revision history for this message
Steve Beattie (sbeattie) wrote :

Sorry for the delay, this looks good to me and I had tested the script with the changed argument.

review: Approve

Preview Diff

1diff --git a/scripts/prepare-kernel-usn.py b/scripts/prepare-kernel-usn.py
2index ee26610..ac92da5 100755
3--- a/scripts/prepare-kernel-usn.py
4+++ b/scripts/prepare-kernel-usn.py
5@@ -174,6 +174,7 @@ parser.add_argument('-P', '--ppa', action='store', default='ubuntu', help='Use k
6 parser.add_argument('-F', '--force', action='store_true', default=False, help='Override sanity checks and continue anyway')
7 parser.add_argument('--use-changes', action='store', default=None, help='Use previously downloaded changes files from prior run (sets --keep-changes as well')
8 parser.add_argument('--keep-changes', action='store_true', default=False, help='Keep changes files downloaded by sis-changes')
9+parser.add_argument("--ignore-released-cves-in-changelog", action='store_true', help="Filter out CVEs already marked as released")
10 parser.add_argument('release', action='store', nargs=1, help='Primary release name (e.g. xenial)')
11 parser.add_argument('kernel', action=KernelVersionAction, nargs='+', help='Kernel source package name and versions; e.g. "linux 4.4.0-42.62. Source package can be a release/name pair"')
12 args = parser.parse_args()
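Review bot: the new `parser.add_argument("--ignore-released-cves-in-changelog", ...)` line uses double-quoted strings where every neighbouring `add_argument` call uses single quotes, and omits the explicit `default=False` that the adjacent `--force` and `--keep-changes` lines carry; `action='store_true'` already defaults to False, so behaviour is the same, but matching the surrounding style keeps the block consistent. The help text "Filter out CVEs already marked as released" would also be more precise if it said that only CVEs autodetected from the changelog are dropped, which is what the option name promises.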
13@@ -311,6 +312,9 @@ try:
14 else:
15 cmd += ['--cves', ','.join(cves)]
16
17+ if args.ignore_released_cves_in_changelog:
18+ cmd += ['--ignore-released-cves-in-changelog']
19+
20 if args.embargoed:
21 cmd += ['--embargoed']
22
23diff --git a/scripts/sis-generate-usn b/scripts/sis-generate-usn
24index de70fba..2089776 100755
25--- a/scripts/sis-generate-usn
26+++ b/scripts/sis-generate-usn
27@@ -33,6 +33,7 @@ opter.add_option("--filter-bins", metavar="REGEX", help="Only include binary pac
28 opter.add_option("--cves", metavar="CVES", help="Comma separated list of CVEs to use instead of the normal *_source.changes autodetection (must be a superset).", default=None)
29 opter.add_option("--add-cves", metavar="CVES", help="Comma separated list of CVEs to use in addition to the normal *_source.changes autodetection.", default=None)
30 opter.add_option("--ignore-cves", metavar="CVES", help="Comma separated list of CVEs to ignore when doing CVE autodetection.", default=None)
31+opter.add_option("--ignore-released-cves-in-changelog", help="Filter out CVEs already marked as released", action='store_true')
32 opter.add_option("--embargoed", help="Include embargoed directory when looking for CVE descriptions", action='store_true')
33 opter.add_option("--include-eol", help="Include EoL releases", action='store_true')
34 opter.add_option("--binaries-json", help="Path to JSON mapping of binary packages to versions (can repeat, default: binaries.json)", action='append', default=[])
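Review bot: the help string on the new `--ignore-released-cves-in-changelog` option repeats the one in prepare-kernel-usn.py and does not say what "released" is compared against; since sis-generate-usn is where the check actually runs, wording like "Drop CVEs found in the changelog that the tracker already marks as released for the package/release being processed" tells someone using this script on its own what to expect. Placing it right after `--ignore-cves`, which it complements, is the right spot.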
35@@ -551,6 +552,21 @@ for json_file in opt.binaries_json:
36 if opt.ignore_cves:
37 CVEs.difference_update(set(opt.ignore_cves.split(',')))
38
39+# filter out CVEs from the changelog that are marked as released
40+# usually needed in kernel USNs that may contain previous changelogs
41+# appended to the current.
42+if opt.ignore_released_cves_in_changelog:
43+ released = set()
44+ for cve_num in CVEs:
45+ cve = cve_lib.load_cve(cve_lib.find_cve(cve_num))
46+ for release in info.keys():
47+ for pkg in info[release].keys():
48+ if pkg in cve["pkgs"].keys():
49+ if cve["pkgs"][pkg][release][0] == "released":
50+ released.add(cve_num)
51+ print("INFO: CVEs '%s' in changelog(s) are already released, ignoring" % (released), file=sys.stderr)
52+ CVEs.difference_update(released)
53+
54 if opt.cves:
55 superset = set(opt.cves.split(','))
56 if not superset.issuperset(CVEs):
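Review bot: the lookup `cve["pkgs"][pkg][release][0]` on the line after `if pkg in cve["pkgs"].keys():` only guards the package key, so a CVE record that lists the package but has no entry for this `release` raises KeyError and aborts the whole run; guard the release as well, e.g. `if release in cve["pkgs"][pkg] and cve["pkgs"][pkg][release][0] == "released":`. Two smaller points: a CVE is dropped as soon as it is released for any one (release, pkg) pair in `info`, even if another pair in the same run still needs it, so either require it to be released for every pair or at least name the pair in the message; and the INFO line prints the set's repr inside quotes (which is where the `'{'CVE-...'}'` output in the description comes from) and prints even when `released` is empty, so `", ".join(sorted(released))` behind an `if released:` would read cleaner. This filtering deliberately runs before the `if opt.cves:` superset check below it, which is what lets the --cves list forwarded by prepare-kernel-usn.py pass.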
