Ubuntu CVE Tracker

Merge ~sahnaseredini/ubuntu-cve-tracker:amir-dev-oval-pkgcve-imp into ubuntu-cve-tracker:master

  1. Git
  2. lp:~sahnaseredini/ubuntu-cve-tracker
  3. amir-dev-oval-pkgcve-imp
  4. Merge into master
Proposed by Amir Naseredini
Status: Merged
Merged at revision: 125c97eedd4e3c3d03ab57ef30325d1383bb5242
Proposed branch: ~sahnaseredini/ubuntu-cve-tracker:amir-dev-oval-pkgcve-imp
Merge into: ubuntu-cve-tracker:master
Diff against target: 140 lines (+15/-34)
2 files modified
scripts/generate-oval (+13/-22)
scripts/oval_lib.py (+2/-12)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
David Fernandez Gonzalez Approve
Review via email: mp+461623@code.launchpad.net

Commit message

addressing the issues with regards to SEC-3844 and SEC-3846

Description of the change

this update should fix the unexpected results cause from adding `--expand` as
well as having some performance improvements

To post a comment you must log in.
Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Hey Amir, thanks for approaching this! I found an issue:

'--oval-releases esm-apps/bionic esm-infra/bionic bionic --expand' only generates esm-apps because of 'out_releases = set(out_releases) - parent_releases'. If any parent releases are part of the selected output releases, those will be removed.

If expand is provided, whatever releases the user provided in the CLI should be generated, so you could ignore the 'out_releases = set(out_releases) - parent_releases' part completely.

review: Needs Fixing
Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot David. This new commit should fix the issue.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Thanks for the fix! But it has an issue, `out_releases = releases` in line 23 will include the parents since line 21 is `releases = set(releases + list(parent_releases))`.

You can get rid of that entire assign since you are already doing that in line 9.

Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot for your review, David. As discussed on MM(https://chat.canonical.com/canonical/pl/fds3bdieefbh9c6x9uic7zxuty), we can ignore this case and consider the current form as what is intended.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Thanks!

review: Approve
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

since you moved the expand logic into generate-oval itself. Do we still need to pass it to oval_lib?

Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

I believe we still do, since we still need to decide what should be the output file name.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

we discussed this offline and my suggestion won't work with our proposed scenarios for this PR, therefore we should pass expand to oval_lib.

lgtm, thanks!

review: Approve
Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot for the review Eduardo.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/scripts/generate-oval b/scripts/generate-oval
2index c555304..cc44ee7 100755
3--- a/scripts/generate-oval
4+++ b/scripts/generate-oval
5@@ -105,16 +105,23 @@ def main():
6 if needs_oval(r):
7 releases.append(r)
8
9+ out_releases = releases
10+
11 # for each release we need to get its parent to also
12 # load their cache data in order to generate a complete
13 # oval for such release
14 parent_releases = set()
15+
16 for release in releases:
17 while(release_parent(release)):
18 release = release_parent(release)
19 parent_releases.add(release)
20
21 releases = set(releases + list(parent_releases))
22+ if args.expand:
23+ out_releases = releases
24+ else:
25+ out_releases = set(out_releases) - parent_releases
26
27 if args.type == 'usn':
28 generate_oval_usn(args.output_dir, args.usn_number, releases,
29@@ -126,9 +133,9 @@ def main():
30 cache.update({release: get_package_cache(args.pkg_cache_dir, release)})
31
32 if args.type == 'pkg':
33- generate_oval_package(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
34+ generate_oval_package(out_releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
35 elif args.type == 'cve':
36- generate_oval_cve(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
37+ generate_oval_cve(out_releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
38
39
40 def warn(message):
41@@ -225,18 +232,6 @@ def generate_oval_usn(outdir, usn, usn_releases, cves, usn_db_dir, no_progress,
42
43 return True
44
45-def filter_releases_for_output(releases, ov):
46- output_releases = []
47- for release in releases:
48- ov._init_ids(release)
49- if ov._eligible_for_output(release):
50- if ov.expand == False and 'esm' in ov.release:
51- output_releases.append(ov.release_codename)
52- else:
53- output_releases.append(release)
54- return output_releases
55-
56-
57 def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
58 if not no_progress:
59 print('[*] Initiating OVAL Generation for PKG')
60@@ -254,10 +249,8 @@ def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_
61 expand=expand
62 )
63
64- output_releases = filter_releases_for_output(releases, ov)
65-
66 if not no_progress:
67- print(f'[*] Generating OVAL PKG for packages in releases {", ".join(output_releases)}')
68+ print(f'[*] Generating OVAL PKG for packages in releases {", ".join(releases)}')
69
70 ov.generate_oval()
71
72@@ -267,7 +260,7 @@ def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_
73 ov.generate_oval()
74
75 if not no_progress:
76- print(f'[X] Done generating OVAL PKG for packages in releases {", ".join(output_releases)}')
77+ print(f'[X] Done generating OVAL PKG for packages in releases {", ".join(releases)}')
78
79 def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
80 if not no_progress:
81@@ -286,10 +279,8 @@ def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_prog
82 expand=expand
83 )
84
85- output_releases = filter_releases_for_output(releases, ov)
86-
87 if not no_progress:
88- print(f'[*] Generating OVAL CVE for packages in releases {", ".join(output_releases)}')
89+ print(f'[*] Generating OVAL CVE for packages in releases {", ".join(releases)}')
90
91 ov.generate_oval()
92
93@@ -299,7 +290,7 @@ def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_prog
94 ov.generate_oval()
95
96 if not no_progress:
97- print(f'[X] Done generating OVAL CVE for packages in releases {", ".join(output_releases)}')
98+ print(f'[X] Done generating OVAL CVE for packages in releases {", ".join(releases)}')
99
100 if __name__ == '__main__':
101 main()
102diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
103index f51dbb1..954634a 100644
104--- a/scripts/oval_lib.py
105+++ b/scripts/oval_lib.py
106@@ -829,14 +829,6 @@ class OvalGenerator:
107 with open(os.path.join(self.output_dir, self.output_filepath), 'w') as file:
108 file.write(xmlstr)
109
110- def _eligible_for_output(self, release):
111- if self.expand == False:
112- if self.release_codename == release and 'LTS' in cve_lib.release_name(release):
113- return False
114- elif 'esm-infra' in release:
115- return False
116- return True
117-
118 # Object generators
119 def _generate_criteria(self) -> etree.Element:
120 criteria = etree.Element("criteria")
121@@ -1523,8 +1515,7 @@ class OvalGeneratorPkg(OvalGenerator):
122 else:
123 self._populate_pkg(all_pkgs[pkg], root_element)
124
125- if self._eligible_for_output(release):
126- self._write_oval_xml(xml_tree, root_element)
127+ self._write_oval_xml(xml_tree, root_element)
128
129 class OvalGeneratorCVE(OvalGenerator):
130 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
131@@ -1773,8 +1764,7 @@ class OvalGeneratorCVE(OvalGenerator):
132 self._set_definition_id(cve_id=all_cves[cve].number)
133 self._generate_elements_from_cve(all_cves[cve], accepted_releases, root_element, running_kernel_id, pkg_cache, fixed_versions)
134
135- if self._eligible_for_output(release):
136- self._write_oval_xml(xml_tree, root_element)
137+ self._write_oval_xml(xml_tree, root_element)
138
139 class OvalGeneratorUSNs(OvalGenerator):
140 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg') -> None:

Subscribers

People subscribed via source and target branches