lp:~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker

Owned by Steve Beattie
Get this repository:
git clone https://git.launchpad.net/~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker

Branches

Name Last Modified Last Commit
git-commit-hooks-pre-merge_hook 2023-12-12 03:03:20 UTC
git-hooks: use pre-merge-commit over prepare-commit-msg

Author: Steve Beattie
Author Date: 2023-12-12 03:03:20 UTC

git-hooks: use pre-merge-commit over prepare-commit-msg

Replace/remove the prepare-commit-msg with a pre-merge-commit hook that
invokes the pre-commit infrastructure we already have.

When we originally started using git hooks to perform check-syntax
against UCT, the prepare-commit-msg hook was added (in 2019) because
git's pre-commit hook does not get performed on git merges, and there
were times when we would want to merge branches from people who do
not have enough of a setup for check-syntax to work.

However, git has had a pre-merge-commit hook since git 2.24 [1], and it has
been present since at least Ubuntu 20.04 LTS, so we should make use of that.
Additionally, the prepare-commit-msg hook attempted to duplicate the
pre-commit hook but was never kept in sync, so we choose here to use
the default upstream pre-merge-commit hook, which just invokes the
pre-commit hook.

[1] https://github.com/git/git/blob/da72936f544fec5a335e66432610e4cef4430991/Documentation/RelNotes/2.24.0.txt#L38

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

cve_need_retire-accept_cves_as_args 2023-12-08 00:51:52 UTC
cve_need_retire: accept an optional list of CVEs to operate on

Author: Steve Beattie
Author Date: 2023-11-30 21:05:10 UTC

cve_need_retire: accept an optional list of CVEs to operate on

Currently, the cve_need_retire script operates on the entire set of
active CVEs in UCT. However, there are times when it's useful to focus
on a few CVEs for an update one has just released.

This commit adds support for optionally taking CVEs as arguments
(basically accepting whatever the underlying ubuntu-table script
accepts as CVEs to report on).

This has been tested with the following commits in UCT:

  commit 8e5d8601a1a4c78f1f6b7aad331faf415608fa71
  Author: Steve Beattie <steve.beattie@canonical.com>
  Date: Thu Nov 30 12:53:03 2023 -0800

    Retired 1 CVE

    Packages affected:
      xbmc(1) xine-lib(1) xine-lib-1.2(1)

    Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

  commit 96a242723a82be361bde82ef95f9e4e26ce6161c
  Author: Steve Beattie <steve.beattie@canonical.com>
  Date: Thu Nov 30 12:52:39 2023 -0800

    Retired 2 CVEs

    Packages affected:
      chromium-browser(2)

    Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

using the following commands:

  ./scripts/cve_need_retire -uc active/CVE-2023-5997 active/CVE-2023-6112
  ./scripts/cve_need_retire -uc CVE-2017-11119

Also, fix up the shellcheck warning about failing to use read -r
(and silence what would be an added shellcheck warning around
un-quote-protected $cves).

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Alex Murray <alex.murray@canonical.com>
MR: https://code.launchpad.net/~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/456639

publish_cve-add_deletion_option 2023-10-17 06:45:55 UTC
publish-cves-to-website-api.py: add capability to delete cves from website

Author: Steve Beattie
Author Date: 2023-10-17 06:16:25 UTC

publish-cves-to-website-api.py: add capability to delete cves from website

Add command line option to allow deleting one or more CVEs. This
changes the behavior of the script subtly: it now does not require
any (CVE) paths to be passed as arguments; if none are given, no CVEs
will be updated.

Some example invocations:

Delete CVE-2023-42572:
  $ scripts/publish-cves-to-website-api.py --delete CVE-2023-42572

Delete CVE-2023-42572 and CVE-2024-42572, exiting early if the first CVE
is not present on the web endpoint:
  $ scripts/publish-cves-to-website-api.py --stop --delete CVE-2023-42572 --delete CVE-2024-42572

Delete CVE-2023-42572 and update active/CVE-2023-42752, exiting early if
CVE-2023-42572 is not present on the web endpoint; i.e. CVE-2023-42752
will not get updated:
  $ scripts/publish-cves-to-website-api.py --stop --delete CVE-2023-42572 active/CVE-2023-42752

Note that the backend cronjob that runs this script has not been
modified to take advantage of this option; as of now, deleting a CVE
from the website requires a manual invocation of the script. (And
while the json endpoint will be updated immediately, it's not clear
how long the squid proxy will hold the cached version, alas :/ ).

Refactoring out the CVE_regex also fixes a subtle bug; if there was
a CVE with a suffix ID greater than 7 digits, the script would have
skipped updating it.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://code.launchpad.net/~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/453725
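
An added example (not the publish-cves-to-website-api.py script itself) of the --delete/--stop semantics described above, together with a CVE id pattern that has no cap on the suffix length. The FakeEndpoint, the result dictionary, the assumption that deletions are processed before updates, and the capped r"CVE-\d{4}-\d{4,7}" form cited as the old bug are all constructed for illustration; only the --delete and --stop option names and the example invocations come from the commit message.

```python
import argparse
import re
from typing import Dict, List, Optional

# MITRE's id syntax is CVE-<year>-<4 or more digits> with no upper bound on
# the digit count.  A capped pattern such as r"CVE-\d{4}-\d{4,7}" (assumed
# here as the kind of cap the commit refers to) silently ignores an id with
# an 8-digit suffix, which is the class of bug a refactored regex avoids.
CVE_REGEX = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_id_from_path(path: str) -> Optional[str]:
    """Return the id in 'active/CVE-2023-42752' or a bare 'CVE-2023-42572'."""
    m = CVE_REGEX.search(path)
    return m.group(0) if m else None


class FakeEndpoint:
    """Constructed stand-in for the website CVE API used by the real script."""

    def __init__(self, present: List[str]) -> None:
        self.cves: Dict[str, dict] = {c: {"id": c} for c in present}

    def delete(self, cve_id: str) -> bool:
        """True if the CVE existed and was removed, False if it was absent."""
        return self.cves.pop(cve_id, None) is not None

    def update(self, cve_id: str, payload: dict) -> None:
        self.cves[cve_id] = payload


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="publish-cves-to-website-api.py")
    p.add_argument("--delete", action="append", metavar="CVE",
                   help="delete this CVE from the website (repeatable)")
    p.add_argument("--stop", action="store_true",
                   help="stop at the first CVE not present on the endpoint")
    # nargs="*": paths are optional now; with none given, nothing is updated.
    p.add_argument("paths", nargs="*", metavar="CVE-PATH")
    return p


def run(argv: List[str], endpoint: FakeEndpoint) -> dict:
    """Process deletions first, then updates (ordering assumed to match the
    third example invocation, where a failed delete prevents the update)."""
    args = build_parser().parse_args(argv)
    result = {"deleted": [], "missing": [], "updated": [], "skipped": [],
              "stopped": False}
    for raw in args.delete or []:
        cve = cve_id_from_path(raw)
        if cve is None:
            result["skipped"].append(raw)
            continue
        if endpoint.delete(cve):
            result["deleted"].append(cve)
            continue
        result["missing"].append(cve)
        if args.stop:
            # --stop: an absent CVE ends the run before any later work.
            result["stopped"] = True
            return result
    for path in args.paths:
        cve = cve_id_from_path(path)
        if cve is None:
            result["skipped"].append(path)
            continue
        endpoint.update(cve, {"id": cve, "source": path})
        result["updated"].append(cve)
    return result


if __name__ == "__main__":
    ep = FakeEndpoint(["CVE-2023-42572"])
    print(run(["--stop", "--delete", "CVE-2023-42572",
               "--delete", "CVE-2024-42572", "active/CVE-2023-42752"], ep))
```

With --stop, the second delete above is missing from the endpoint, so the run stops and active/CVE-2023-42752 is never updated; without --stop the missing id is recorded and the update still happens.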

publish-cves-notes-test-json 2023-08-10 22:23:02 UTC
publish-cves-to-website-api.py: convert verbose output to valid json

Author: Steve Beattie
Author Date: 2023-08-10 22:19:50 UTC

publish-cves-to-website-api.py: convert verbose output to valid json

Because the pprint module is not guaranteed to generate valid json,
convert the verbose output to be generated by the json module, in
particular for use by the tests for the publish-cves-to-website-api.py
script.

(Note that the resulting output is not actually valid json because a
summary line is also reported that the tests filter from the output.)

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
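
As an added example (not the project's code), the failure mode the commit describes: pprint output of a Python dict is not JSON, whereas the json module's output is, so a test can parse the verbose report once the trailing summary line is dropped. The record layout and the summary line text are constructed for this example.

```python
import json
import pprint

# Constructed record of the kind a verbose publish run might report.
SAMPLE = {"id": "CVE-2023-42752", "published": True, "priority": None,
          "packages": ["linux", "linux-hwe"]}


def pprint_is_json(obj) -> bool:
    """True only if pprint.pformat(obj) parses as JSON.  For Python data it
    does not: single quotes, True/None instead of true/null."""
    try:
        json.loads(pprint.pformat(obj))
        return True
    except json.JSONDecodeError:
        return False


def render_verbose(records, summary_line: str) -> str:
    """One JSON document for the records, then the human-readable summary.
    sort_keys gives stable output so tests can compare it textually."""
    body = json.dumps(records, indent=2, sort_keys=True)
    return body + "\n" + summary_line + "\n"


def parse_verbose(output: str):
    """What a test does with the output: strip the last (summary) line and
    parse the remainder as JSON."""
    lines = output.rstrip("\n").split("\n")
    return json.loads("\n".join(lines[:-1]))


if __name__ == "__main__":
    out = render_verbose([SAMPLE], "Published 1 CVE")
    print(out, parse_verbose(out) == [SAMPLE])
```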

uct-tests-pytest-3-v2 2023-06-02 07:03:35 UTC
lpci: add missing dependency on python3-macaroonbakery

Author: Steve Beattie
Author Date: 2023-06-02 07:03:35 UTC

lpci: add missing dependency on python3-macaroonbakery

Commit dc51a268ab4 ("Add pytest for publish-cves-to-website-api.py")
added tests for the publish-cves-to-website-api.py script, but failed to
add the python3-macaroonbakery dependency it relies on to the set of
packages that need to be installed in the lpci environment. Fix that to
unbreak the tests.

MR: https://code.launchpad.net/~pfsmorigo/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/438624
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

uct-tests-pytest-3 2023-05-24 19:12:24 UTC
lpci: add oval_lib unit tests

Author: Steve Beattie
Author Date: 2023-05-24 18:06:43 UTC

lpci: add oval_lib unit tests

Add the oval_lib unit tests from the test/ directory. I don't believe we
can add the functional or end-to-end tests at this time, but it would be
worth extending the test infrastructure to do so.

commit history:
- v1: initial attempt
- v2: add python3-mock dependency for oval unit tests
- v3: learn to speel python3-mock correctly

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

check-cves_ignore_cache 2023-04-08 06:04:25 UTC
check-cves: add a cache of 5 last ignored reasons

Author: Steve Beattie
Author Date: 2022-05-17 06:50:13 UTC

check-cves: add a cache of 5 last ignored reasons

Oftentimes when performing triage I bounce between CVEs of a few
different products from the same vendor that end up being ignored. It's
useful to have roughly a cache of five or so entries, plus the debian
reason if available plus the heuristic guess.

Implement a small cache of previously used reasons for ignoring a cve.
It keeps the ordering the same as before, with the cache entries added
last, sorted in most recently used order.

Using this results in things looking like:

   Debian CVE Tracker: NOT-FOR-US: Node sds

  A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [ignore]
  Reason to be ignored?
     a) Node sds
     b) sds from
     c) BlogEngine.NET
     d) InHand Networks InRouter302
     e) OpenClinica
     f) Intel(R) NUCs
     g) Check Point Enterprise Endpoint

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
TODO: unit tests. Sorry.
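
An added example (not check-cves itself) of the menu layout shown above: the Debian reason, the heuristic guess, then a most-recently-used cache of the last five ignore reasons. The function names, the deduplication of repeated reasons, and the rule that a reused reason moves to the front are assumptions made for this example.

```python
from typing import List, Optional

CACHE_SIZE = 5


def remember_reason(cache: List[str], reason: str,
                    size: int = CACHE_SIZE) -> List[str]:
    """Return a new cache with `reason` at the front, truncated to `size`.
    A reason already present moves to the front rather than appearing twice."""
    updated = [reason] + [r for r in cache if r != reason]
    return updated[:size]


def reason_choices(debian_reason: Optional[str], heuristic: Optional[str],
                   cache: List[str]) -> List[str]:
    """Menu order: Debian reason, heuristic guess, then cached reasons, most
    recent first.  Duplicate text is offered only once."""
    choices: List[str] = []
    for candidate in [debian_reason, heuristic, *cache]:
        if candidate and candidate not in choices:
            choices.append(candidate)
    return choices


def format_menu(choices: List[str]) -> str:
    """Lettered lines in the style of the prompt shown in the commit message."""
    return "\n".join(f"   {chr(ord('a') + i)}) {c}"
                     for i, c in enumerate(choices))


if __name__ == "__main__":
    cache: List[str] = []
    # Constructed triage history, oldest first.
    for r in ["Check Point Enterprise Endpoint", "Intel(R) NUCs",
              "OpenClinica", "InHand Networks InRouter302", "BlogEngine.NET"]:
        cache = remember_reason(cache, r)
    print(format_menu(reason_choices("Node sds", "sds from", cache)))
```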

report-todo-mir_improvements 2022-06-06 23:27:50 UTC
report-todo-mir: add --team-members-only option

Author: Steve Beattie
Author Date: 2022-06-06 23:27:50 UTC

report-todo-mir: add --team-members-only option

Add a --team-members-only option and make this a conflicting option with
--team-only. This option shows the mir audits that have been assigned to
a team member and thus theoretically are in progress.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

report-todo-mir_threading 2022-06-04 20:40:46 UTC
[WIP] report-todo-mir: attempt to use threading to improve perf

Author: Steve Beattie
Author Date: 2022-06-04 20:40:46 UTC

[WIP] report-todo-mir: attempt to use threading to improve perf

Unfortunately, possibly httplib2 and definitely launchpadlib are NOT
thread safe; see:
  https://answers.launchpad.net/ubuntu/+source/python-launchpadlib/+question/157167
  https://bugs.launchpad.net/launchpadlib/+bug/513116

So all this does is cause the script to fail with random errors.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

alternate-rust-built-using 2022-03-01 03:56:54 UTC
report-built-using: add support for Rust cargo tag

Author: Steve Beattie
Author Date: 2022-03-01 03:56:54 UTC

report-built-using: add support for Rust cargo tag

As of now, dh-cargo only includes the rustc compiler in the Built-Using:
tag, and instead adds the build time dependencies in a different tag:

  X-Cargo-Built-Using:

Support querying based on that tag. See the MIR bug for more
discussion.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MIR Bug: https://bugs.launchpad.net/bugs/1957932
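
An added example (not report-built-using) of reading both fields from a binary package stanza. The stanza is constructed; the helper names are made up, and the assumption that X-Cargo-Built-Using uses the same "source (= version), ..." value syntax as Built-Using is mine, not something the commit message states.

```python
import re
from typing import Dict, List, Tuple

# Constructed stanza in the style of a Packages index entry.  The
# X-Cargo-Built-Using value is folded across a continuation line.
STANZA = """\
Package: example-rust-tool
Version: 1.2.3-1
Built-Using: rustc (= 1.65.0+dfsg0ubuntu1-0ubuntu1)
X-Cargo-Built-Using: rust-libc (= 0.2.139-1), rust-serde (= 1.0.152-1),
 rust-regex (= 1.7.0-1)
"""

# Both fields are consulted, so a crate-level dependency is found even
# though dh-cargo lists only rustc under Built-Using.
BUILT_USING_FIELDS = ("Built-Using", "X-Cargo-Built-Using")
ENTRY_RE = re.compile(r"([a-z0-9][a-z0-9+.-]+)\s*\(=\s*([^)]+)\)")


def parse_stanza(text: str) -> Dict[str, str]:
    """Minimal deb822 parser: folds continuation lines (leading whitespace)."""
    fields: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def built_using(stanza: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(source, version, field) for every entry in either Built-Using field."""
    found = []
    for field in BUILT_USING_FIELDS:
        for src, ver in ENTRY_RE.findall(stanza.get(field, "")):
            found.append((src, ver.strip(), field))
    return found


def uses_source(stanza: Dict[str, str], source: str) -> bool:
    """Would this binary need a rebuild after an update to `source`?"""
    return any(s == source for s, _, _ in built_using(stanza))


if __name__ == "__main__":
    s = parse_stanza(STANZA)
    for entry in built_using(s):
        print(entry)
    print("rust-serde:", uses_source(s, "rust-serde"))
```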

oval-fix_timestamps 2021-11-16 16:08:16 UTC
oval_lib: fix timestamps to always be UTC

Author: Steve Beattie
Author Date: 2021-11-16 01:43:57 UTC

oval_lib: fix timestamps to always be UTC

The test/test_oval_lib_unit.py
TestOvalLibUnit::test_create_usn_definition() and
TestOvalLibUnit::test_invalid_priority_usn_definition() tests were
failing for people in timezones where the UTC offset is in the positive
because python by default was importing the timestamp from the USN db in
the tester's timezone, resulting in the date of publication being a day
different.

Fix this by explicitly recording all the dates used in oval_lib as being
in the UTC timezone. Unfortunately, this is a python3 only mechanism.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://code.launchpad.net/~ebarretto/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/411027
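
An added example (not oval_lib) reproducing the timezone problem described above with fixed offsets, so the result does not depend on the machine running it. It assumes the USN database stores the publication time as a Unix epoch float under "timestamp"; the record and the helper names are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed USN record: 2021-11-15 23:30:00 UTC, just before midnight,
# which is where a positive UTC offset pushes the date into the next day.
USN = {"id": "5138-1", "timestamp": 1637019000.0}


def date_local_naive(record: dict) -> str:
    """The pre-fix form: no tz argument, so the epoch is rendered in the
    process's local zone and the date varies with where the tests run."""
    return datetime.fromtimestamp(record["timestamp"]).strftime("%Y-%m-%d")


def date_as_seen_in(record: dict, tz: timezone) -> str:
    """Same conversion pinned to an explicit zone; used here to simulate a
    tester in that zone deterministically."""
    return datetime.fromtimestamp(record["timestamp"], tz=tz).strftime("%Y-%m-%d")


def date_utc(record: dict) -> str:
    """The fix: convert with tz=timezone.utc, so every machine agrees.
    datetime.timezone exists only on Python 3, as the commit notes."""
    return date_as_seen_in(record, timezone.utc)


def demo() -> dict:
    """Show the disagreement: UTC+10 sees the next day, UTC-8 does not."""
    return {
        "utc": date_utc(USN),
        "+10:00": date_as_seen_in(USN, timezone(timedelta(hours=10))),
        "-08:00": date_as_seen_in(USN, timezone(timedelta(hours=-8))),
    }


if __name__ == "__main__":
    print(demo())
    print("naive (machine dependent):", date_local_naive(USN))
```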

check-cves-use_git_urls 2021-08-26 05:27:37 UTC
[WIP] check-cves: use git urls to identify debian pkgs

Author: Steve Beattie
Author Date: 2021-08-23 23:39:51 UTC

[WIP] check-cves: use git urls to identify debian pkgs

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

usn_binary_source 2021-06-21 17:26:12 UTC
publish-usn-to-website-api.py: use source info from allbinaries section

Author: Steve Beattie
Author Date: 2021-06-20 16:47:34 UTC

publish-usn-to-website-api.py: use source info from allbinaries section

With sis-generate-usn.py set to add source name references into the
allbinaries section, adjust the usn publishing script to generate
launchpad source links and version URLs based on this information.
Emit a warning if the referred source name is not found in the sources
section for that release.

Kernel USNs being the extra special things that they are have
binaries listed where the source package has been dropped. In that
case, the versions of the binaries match the version of the source,
so hackishly use the binary version. Additionally, inform the user of
this grotesque hack.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://code.launchpad.net/~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/403924
Bug: https://github.com/canonical/ubuntu-advantage-client/issues/1465

kees-packages-mirror 2020-08-13 07:08:05 UTC
source_map: most archives are xz compressed, work with them

Author: Steve Beattie
Author Date: 2020-08-13 07:08:05 UTC

source_map: most archives are xz compressed, work with them

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

ubuntu-table-py3 2020-07-21 07:05:52 UTC
ubuntu-table: add wrapper script to invoke with appropriate python version

Author: Steve Beattie
Author Date: 2020-07-21 06:00:06 UTC

ubuntu-table: add wrapper script to invoke with appropriate python version

The ubuntu-table script underlies a number of reports and gets run on
legacy systems like ubuntu 12.04 where the support libraries for python3
were not sufficient at the time, but also in situations like ubuntu
20.04 and newer, where the python2 versions of some support libraries
have been removed.

This is addressed by moving the script to ubuntu-table.py and wrapping
it in a shell script that invokes it with the appropriate python version
for the environment it's being run in.

v2:
  drop use of realpath, realpath not part of coreutils in 12.04

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

ubuntu-table-py3-v2 2020-07-18 16:16:17 UTC
ubuntu-table: add wrapper script to invoke with appropriate python version

Author: Steve Beattie
Author Date: 2020-07-18 16:16:17 UTC

ubuntu-table: add wrapper script to invoke with appropriate python version

The ubuntu-table script underlies a number of reports and gets run on
legacy systems like ubuntu 12.04 where the support libraries for python3
were not sufficient at the time, but also in situations like ubuntu
20.04 and newer, where the python2 versions of some support libraries
have been removed.

This is addressed by moving the script to ubuntu-table.py and wrapping
it in a shell script that invokes it with the appropriate python version
for the environment it's being run in.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

master 2018-06-26 01:05:43 UTC
git conversion: move .bzrignore to .gitignore

Author: Steve Beattie
Author Date: 2018-06-26 01:05:43 UTC

git conversion: move .bzrignore to .gitignore

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

tmp 2008-10-24 23:27:52 UTC
initial checkin

Author: Ubuntu Security
Author Date: 2008-10-24 23:27:52 UTC

initial checkin

This repository contains Public information. Everyone can see this information.