Merge ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_sru_check into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 19f6026a02381af332241ca001f7b2700fde7046
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_sru_check
Merge into: ubuntu-cve-tracker:master
Diff against target: 136 lines (+130/-0)
1 file modified
scripts/kernel-sru-check (+130/-0)
Reviewer: Steve Beattie (status: Approve)
Review via email: mp+458747@code.launchpad.net

Commit message

scripts/kernel-sru-check: move script from UQT to UCT

 Replacing the script kernel-sru-check from lp:ubuntu-qa-tools to
 lp:ubuntu-cve-tracker; in the new repository, it should be placed in
 the scripts/ directory.
 The merge preserves the history of the file in
 ubuntu-qa-tools/security-tools/kernel-sru-check.

Description of the change

The idea here is to move the kernel-sru-check script from UQT to UCT.
All other related scripts, such as kernel-abi-check, are placed in UCT, and
kernel-sru-check was historically placed in UQT, so we had better move it
for consistency.

Besides moving it to the UCT repository, we would like to preserve the history
of the file, so we are applying a series of patches in order to preserve it.
This was achieved with the following commands:
  $ cd $UQT/security-tools
  $ git log \
    --pretty=email \
    --patch-with-stat \
    --reverse \
    --full-index \
    --binary \
    -m \
    --first-parent \
    -- kernel-sru-check \
    > /tmp/kernel-sru-check_patch

  $ cd $UCT
  $ git am < /tmp/kernel-sru-check_patch
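The procedure above can be rehearsed end to end in two throwaway repositories before touching the real ones. The script below is an added example and not part of the merge proposal or of either Launchpad project: it builds a "uqt" repo with two commits on the script plus one unrelated commit, exports the script's history with the same `git log` flags as the proposal, replays it into a "uct" repo that already has history, and checks that both commits (and only those) arrived with their messages. Relocating the file from security-tools/ to scripts/ at apply time with `-p2 --directory=scripts` is an assumption; the proposal does not say how the path was changed.

```shell
#!/bin/sh
# Added example, not part of the merge proposal: rehearse the
# history-preserving move in two throwaway repositories. The export uses
# the exact "git log" flags from the proposal; relocating the file from
# security-tools/ to scripts/ on apply with "-p2 --directory=scripts" is
# an assumption (the proposal does not say how the path was changed).
set -eu

# Commit as a fixed identity so the example works in a clean environment.
git_id() {
    git -C "$1" config user.email "example@example.invalid"
    git -C "$1" config user.name "Example Committer"
}

# Builds the source repo ("uqt": two commits touching the script, one
# unrelated), exports the script's history as an mbox, applies it to the
# target repo ("uct") under scripts/, checks the result and prints the
# number of commits carried across.
move_with_history() {
    work=$(mktemp -d)
    src="$work/uqt"   # stands in for lp:ubuntu-qa-tools
    dst="$work/uct"   # stands in for lp:ubuntu-cve-tracker
    git init -q "$src" && git_id "$src"
    git init -q "$dst" && git_id "$dst"

    # Source history: two revisions of the script plus an unrelated commit
    # that must NOT be carried across.
    mkdir -p "$src/security-tools"
    printf '#!/bin/sh\necho v1\n' > "$src/security-tools/kernel-sru-check"
    git -C "$src" add security-tools/kernel-sru-check
    git -C "$src" commit -q -m "kernel-sru-check: initial version"
    printf '#!/bin/sh\necho v2\n' > "$src/security-tools/kernel-sru-check"
    git -C "$src" commit -q -am "kernel-sru-check: second revision"
    echo unrelated > "$src/other"
    git -C "$src" add other
    git -C "$src" commit -q -m "unrelated change"

    # The target already has its own history, as UCT did.
    echo "target repo" > "$dst/README"
    git -C "$dst" add README
    git -C "$dst" commit -q -m "initial target commit"

    # Step 1 (as in the proposal): per-file history, oldest first, in
    # e-mail form so that "git am" can replay author, date and message.
    git -C "$src" log \
        --pretty=email --patch-with-stat --reverse --full-index --binary \
        -m --first-parent -- security-tools/kernel-sru-check \
        > "$work/kernel-sru-check_patch"

    # Step 2: replay onto the target. -p2 strips "b/security-tools/",
    # --directory=scripts puts the file under scripts/ (assumption, see above).
    git -C "$dst" am -q -p2 --directory=scripts < "$work/kernel-sru-check_patch"

    # Checks: both script commits arrived with their messages (newest
    # first), the file has the latest content, and the unrelated commit
    # stayed behind.
    subjects=$(git -C "$dst" log --format=%s -- scripts/kernel-sru-check)
    case "$subjects" in
        *"second revision"*"initial version"*) ;;
        *) echo "history not preserved: $subjects" >&2; return 1 ;;
    esac
    grep -q 'echo v2' "$dst/scripts/kernel-sru-check" || return 1
    [ ! -e "$dst/other" ] || return 1

    git -C "$dst" rev-list --count HEAD -- scripts/kernel-sru-check
    rm -rf "$work"
}

move_with_history
```

Running it prints `2`, the number of commits on scripts/kernel-sru-check in the target; the unrelated commit and the target's own initial commit are not counted, which is the property the `-- kernel-sru-check` pathspec in the export guarantees.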

Steve Beattie (sbeattie) wrote :

Thanks for doing this, the resulting commit history LGTM. Merging.

(We'll want to also remove the version in lp:ubuntu-qa-tools.)

review: Approve
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

For the sake of history, the kernel-sru-check script
in lp:ubuntu-qa-tools was removed with commit:
cdaeb558213413d1cf1bcc3a8f7e02d8830672a2

Preview Diff

1diff --git a/scripts/kernel-sru-check b/scripts/kernel-sru-check
2new file mode 100755
3index 0000000..495eaa4
4--- /dev/null
5+++ b/scripts/kernel-sru-check
6@@ -0,0 +1,130 @@
7+#!/usr/bin/env python3
8+# Author: Kees Cook <kees@canonical.com>
9+# Copyright (C) 2011 Canonical, Ltd.
10+# License: GPLv3
11+#
12+# Based on https://wiki.ubuntu.com/Kernel/kernel-sru-workflow
13+# this script implements the security team's first step of:
14+#
15+# "When the security team detects that the Security-signoff task is in
16+# the ready-to-start state (status: Confirmed), they change the tasks
17+# state to in-progress (status: In Progress). The task is reassigned
18+# to the individual working the task."
19+#
20+# The rest of the procedure is done manually:
21+#
22+# "They take care of any tasks they deem necessary prior to having an
23+# archive admin copy the release to the security pocket. If there are no
24+# CVEs, the security team sets the Security-signoff task to the not-needed
25+# state (status: Invalid). If there are CVEs in the release and the security
26+# team has signed-off on the release being promoted to the security pocket
27+# (once all testing passes successfully) they change the status of the
28+# Security-signoff task to completed (status: Fix Released)."
29+from __future__ import print_function
30+
31+from collections import defaultdict
32+import httplib2
33+import argparse
34+import re
35+import time
36+
37+KERNEL_TAG_PREFIX='kernel-sru-cycle-'
38+
39+parser = argparse.ArgumentParser()
40+parser.add_argument("--api-version", help="Which LP API Version to use (default: 1.0)", action='store', default='1.0')
41+parser.add_argument("--debug", help="Show HTTP requests", action='store_true', default=False)
42+parser.add_argument("--task", help="which task series to focus on (default: security-signoff)", action='store', default='security-signoff')
43+parser.add_argument("--oneline", help="compressed output, useful for aggregating cron jobs", action='store_true', default=False)
44+parser.add_argument("--cycle", help="only report signoff bugs for a specific kernel cycle tag (default: all)", action='store')
45+args = parser.parse_args()
46+
47+if args.debug:
48+ httplib2.debuglevel = 1
49+import lpl_common
50+
51+class SignoffBug(object):
52+ def __init__(self, task):
53+ bug = task.bug
54+ self.id = bug.id
55+ self.title = task.title
56+ self.release = get_ubuntu_release_from_bug(bug)
57+ self.kernel, self.version = bug.title.split(' ')[0:2]
58+ self.kernel_series = self.version.split('-')[0]
59+
60+ cycle = 'missing'
61+ for tag in bug.tags:
62+ if tag.startswith(KERNEL_TAG_PREFIX):
63+ cycle = tag.split('-', maxsplit=3)[3]
64+ self.cycle = cycle
65+
66+ def emit(self, short_output=False):
67+ print('[%d] %s' % (self.id, self.title))
68+ if not short_output:
69+ print('%s %s %s' % (self.release, self.kernel, self.version))
70+ print('https://launchpad.net/bugs/%d' % (self.id))
71+ print('')
72+
73+
74+def kernel_cmp_key(version_string):
75+ # turns '4.15.0' -> [4, 15, 0] for sorting
76+ return [int(x) for x in version_string.split('.')]
77+
78+count = 10
79+while True:
80+ try:
81+ lp = lpl_common.connect(version=args.api_version)
82+ sec = lp.projects['kernel-sru-workflow'].getSeries(name=args.task)
83+ break
84+ except:
85+ count -= 1
86+ if count <= 0:
87+ raise
88+ time.sleep(5)
89+ pass
90+
91+
92+def get_ubuntu_release_from_bug(signoff_bug):
93+ _kernel = signoff_bug.title.split(':')[0]
94+ # tracking bug reports are now getting RELEASE/ prepended to the
95+ # kernel name, e.g. 'xenial/linux-raspi2:'
96+ kernel = _kernel.split('/').pop()
97+ try:
98+ for task in signoff_bug.bug_tasks:
99+ # look for the task that starts with the kernel source name
100+ # and isn't the devel release (so doesn't have (Ubuntu) in
101+ # the target_name) and is not invalid. For the most current
102+ # supported release, the devel target may stay open.
103+ if (task.bug_target_name.startswith('%s ' % kernel) and
104+ not re.search('\(Ubuntu\)$', task.bug_target_name) and
105+ task.status != 'Invalid'):
106+ # ugh, can't figure out a way to cache the name lookups,
107+ # so the following ends up being a roundtrip to
108+ # launchpad.
109+ return task.target.distroseries.name
110+ except AttributeError:
111+ return "Unknown Release"
112+
113+
114+for task in sec.searchTasks(omit_targeted=False, status="Confirmed"):
115+ task.assignee = lp.me
116+ task.status = "In Progress"
117+ lpl_common.save(task)
118+
119+cycles = defaultdict(dict)
120+
121+# Report stuff in progress as a reminder
122+if args.cycle:
123+ open_tasks = sec.searchTasks(omit_targeted=False, status="In Progress", tags=KERNEL_TAG_PREFIX+args.cycle)
124+else:
125+ open_tasks = sec.searchTasks(omit_targeted=False, status="In Progress")
126+
127+for task in open_tasks:
128+ bug = SignoffBug(task)
129+ cycles[bug.cycle].setdefault(bug.kernel_series, []).append(bug)
130+
131+
132+for cycle in sorted(cycles):
133+ print(f'========== {cycle} cycle ==========')
134+ for kernel_series in sorted(cycles[cycle], key=kernel_cmp_key):
135+ for bug in cycles[cycle][kernel_series]:
136+ bug.emit(short_output=args.oneline)
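Review bot: the connection retry loop (`count = 10` / `while True:`) catches with a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit`, so an operator's Ctrl-C during a Launchpad outage is retried up to ten times instead of stopping the script, and nothing is logged before `time.sleep(5)`; since this merge only relocates the file with its history intact, treat it as a follow-up rather than a blocker, but `except Exception as e:` with the error printed to stderr (and the redundant `pass` after the sleep dropped) is the change to make. Two smaller items for the same follow-up: `re.search('\(Ubuntu\)$', ...)` is a non-raw string with `\(` escapes, which newer Python 3 releases warn about as an invalid escape sequence (use `r'\(Ubuntu\)$'`), and `get_ubuntu_release_from_bug()` returns `None` when no non-Invalid, non-devel task matches, so `emit()` then prints `None` where the `AttributeError` path prints "Unknown Release"; returning the same fallback after the loop keeps the output consistent. Finally, the `searchTasks(..., status="Confirmed")` loop reassigns every matching task to `lp.me` and saves it unconditionally, which is the script's purpose, but a `--dry-run` flag next to `--oneline` would let a cron deployment be validated without changing Launchpad state.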
