Ubuntu CVE Tracker

Merge ~sahnaseredini/ubuntu-cve-tracker:amir-dev-oval-pkgcve-imp into ubuntu-cve-tracker:master

  1. Git
  2. lp:~sahnaseredini/ubuntu-cve-tracker
  3. amir-dev-oval-pkgcve-imp
  4. Merge into master
Proposed by Amir Naseredini
Status: Merged
Merged at revision: 125c97eedd4e3c3d03ab57ef30325d1383bb5242
Proposed branch: ~sahnaseredini/ubuntu-cve-tracker:amir-dev-oval-pkgcve-imp
Merge into: ubuntu-cve-tracker:master
Diff against target: 140 lines (+15/-34)
2 files modified
scripts/generate-oval (+13/-22)
scripts/oval_lib.py (+2/-12)
Reviewer Review Type Date Requested Status
Eduardo Barretto Approve
David Fernandez Gonzalez Approve
Review via email: mp+461623@code.launchpad.net

Commit message

addressing the issues with regards to SEC-3844 and SEC-3846

Description of the change

this update should fix the unexpected results cause from adding `--expand` as
well as having some performance improvements

To post a comment you must log in.
Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Hey Amir, thanks for approaching this! I found an issue:

'--oval-releases esm-apps/bionic esm-infra/bionic bionic --expand' only generates esm-apps because of 'out_releases = set(out_releases) - parent_releases'. If any parent releases are part of the selected output releases, those will be removed.

If expand is provided, whatever releases the user provided in the CLI should be generated, so you could ignore the 'out_releases = set(out_releases) - parent_releases' part completely.

review: Needs Fixing
Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot David. This new commit should fix the issue.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Thanks for the fix! But it has an issue, `out_releases = releases` in line 23 will include the parents since line 21 is `releases = set(releases + list(parent_releases))`.

You can get rid of that entire assign since you are already doing that in line 9.

Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot for your review, David. As discussed on MM(https://chat.canonical.com/canonical/pl/fds3bdieefbh9c6x9uic7zxuty), we can ignore this case and consider the current form as what is intended.

Revision history for this message
David Fernandez Gonzalez (litios) wrote :

Thanks!

review: Approve
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

since you moved the expand logic into generate-oval itself. Do we still need to pass it to oval_lib?

Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

I believe we still do, since we still need to decide what should be the output file name.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

we discussed this offline and my suggestion won't work with our proposed scenarios for this PR, therefore we should pass expand to oval_lib.

lgtm, thanks!

review: Approve
Revision history for this message
Amir Naseredini (sahnaseredini) wrote :

Thanks a lot for the review Eduardo.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/scripts/generate-oval b/scripts/generate-oval
index c555304..cc44ee7 100755
--- a/scripts/generate-oval
+++ b/scripts/generate-oval
@@ -105,16 +105,23 @@ def main():
105 if needs_oval(r):105 if needs_oval(r):
106 releases.append(r)106 releases.append(r)
107 107
108 out_releases = releases
109
108 # for each release we need to get its parent to also110 # for each release we need to get its parent to also
109 # load their cache data in order to generate a complete111 # load their cache data in order to generate a complete
110 # oval for such release112 # oval for such release
111 parent_releases = set()113 parent_releases = set()
114
112 for release in releases:115 for release in releases:
113 while(release_parent(release)):116 while(release_parent(release)):
114 release = release_parent(release)117 release = release_parent(release)
115 parent_releases.add(release)118 parent_releases.add(release)
116119
117 releases = set(releases + list(parent_releases))120 releases = set(releases + list(parent_releases))
121 if args.expand:
122 out_releases = releases
123 else:
124 out_releases = set(out_releases) - parent_releases
118125
119 if args.type == 'usn':126 if args.type == 'usn':
120 generate_oval_usn(args.output_dir, args.usn_number, releases,127 generate_oval_usn(args.output_dir, args.usn_number, releases,
@@ -126,9 +133,9 @@ def main():
126 cache.update({release: get_package_cache(args.pkg_cache_dir, release)})133 cache.update({release: get_package_cache(args.pkg_cache_dir, release)})
127134
128 if args.type == 'pkg':135 if args.type == 'pkg':
129 generate_oval_package(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)136 generate_oval_package(out_releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
130 elif args.type == 'cve':137 elif args.type == 'cve':
131 generate_oval_cve(releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)138 generate_oval_cve(out_releases, args.output_dir, args.cves, cache, cve_cache, args.oci, args.no_progress, args.packages, args.fixed_only, args.oci_output_dir, args.expand)
132139
133140
134def warn(message):141def warn(message):
@@ -225,18 +232,6 @@ def generate_oval_usn(outdir, usn, usn_releases, cves, usn_db_dir, no_progress,
225232
226 return True233 return True
227234
228def filter_releases_for_output(releases, ov):
229 output_releases = []
230 for release in releases:
231 ov._init_ids(release)
232 if ov._eligible_for_output(release):
233 if ov.expand == False and 'esm' in ov.release:
234 output_releases.append(ov.release_codename)
235 else:
236 output_releases.append(release)
237 return output_releases
238
239
240def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):235def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
241 if not no_progress:236 if not no_progress:
242 print('[*] Initiating OVAL Generation for PKG')237 print('[*] Initiating OVAL Generation for PKG')
@@ -254,10 +249,8 @@ def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_
254 expand=expand249 expand=expand
255 )250 )
256251
257 output_releases = filter_releases_for_output(releases, ov)
258
259 if not no_progress:252 if not no_progress:
260 print(f'[*] Generating OVAL PKG for packages in releases {", ".join(output_releases)}')253 print(f'[*] Generating OVAL PKG for packages in releases {", ".join(releases)}')
261254
262 ov.generate_oval()255 ov.generate_oval()
263256
@@ -267,7 +260,7 @@ def generate_oval_package(releases, outdir, cves, pkg_cache, cve_cache, oci, no_
267 ov.generate_oval()260 ov.generate_oval()
268261
269 if not no_progress:262 if not no_progress:
270 print(f'[X] Done generating OVAL PKG for packages in releases {", ".join(output_releases)}')263 print(f'[X] Done generating OVAL PKG for packages in releases {", ".join(releases)}')
271264
272def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):265def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_progress, packages, fixed_only, ocioutdir, expand):
273 if not no_progress:266 if not no_progress:
@@ -286,10 +279,8 @@ def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_prog
286 expand=expand279 expand=expand
287 )280 )
288281
289 output_releases = filter_releases_for_output(releases, ov)
290
291 if not no_progress:282 if not no_progress:
292 print(f'[*] Generating OVAL CVE for packages in releases {", ".join(output_releases)}')283 print(f'[*] Generating OVAL CVE for packages in releases {", ".join(releases)}')
293284
294 ov.generate_oval()285 ov.generate_oval()
295286
@@ -299,7 +290,7 @@ def generate_oval_cve(releases, outdir, cves, pkg_cache, cve_cache, oci, no_prog
299 ov.generate_oval()290 ov.generate_oval()
300291
301 if not no_progress:292 if not no_progress:
302 print(f'[X] Done generating OVAL CVE for packages in releases {", ".join(output_releases)}')293 print(f'[X] Done generating OVAL CVE for packages in releases {", ".join(releases)}')
303294
304if __name__ == '__main__':295if __name__ == '__main__':
305 main()296 main()
diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index f51dbb1..954634a 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -829,14 +829,6 @@ class OvalGenerator:
829 with open(os.path.join(self.output_dir, self.output_filepath), 'w') as file:829 with open(os.path.join(self.output_dir, self.output_filepath), 'w') as file:
830 file.write(xmlstr)830 file.write(xmlstr)
831831
832 def _eligible_for_output(self, release):
833 if self.expand == False:
834 if self.release_codename == release and 'LTS' in cve_lib.release_name(release):
835 return False
836 elif 'esm-infra' in release:
837 return False
838 return True
839
840 # Object generators832 # Object generators
841 def _generate_criteria(self) -> etree.Element:833 def _generate_criteria(self) -> etree.Element:
842 criteria = etree.Element("criteria")834 criteria = etree.Element("criteria")
@@ -1523,8 +1515,7 @@ class OvalGeneratorPkg(OvalGenerator):
1523 else:1515 else:
1524 self._populate_pkg(all_pkgs[pkg], root_element)1516 self._populate_pkg(all_pkgs[pkg], root_element)
15251517
1526 if self._eligible_for_output(release):1518 self._write_oval_xml(xml_tree, root_element)
1527 self._write_oval_xml(xml_tree, root_element)
15281519
1529class OvalGeneratorCVE(OvalGenerator):1520class OvalGeneratorCVE(OvalGenerator):
1530 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:1521 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg', expand=False) -> None:
@@ -1773,8 +1764,7 @@ class OvalGeneratorCVE(OvalGenerator):
1773 self._set_definition_id(cve_id=all_cves[cve].number)1764 self._set_definition_id(cve_id=all_cves[cve].number)
1774 self._generate_elements_from_cve(all_cves[cve], accepted_releases, root_element, running_kernel_id, pkg_cache, fixed_versions)1765 self._generate_elements_from_cve(all_cves[cve], accepted_releases, root_element, running_kernel_id, pkg_cache, fixed_versions)
17751766
1776 if self._eligible_for_output(release):1767 self._write_oval_xml(xml_tree, root_element)
1777 self._write_oval_xml(xml_tree, root_element)
17781768
1779class OvalGeneratorUSNs(OvalGenerator):1769class OvalGeneratorUSNs(OvalGenerator):
1780 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg') -> None:1770 def __init__(self, releases, cve_paths, packages, progress, pkg_cache, usn_database, fixed_only=True, cve_cache=None, outdir='./', oval_format='dpkg') -> None:

Subscribers

People subscribed via source and target branches