Merge ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:cve_need_retire-accept_cves_as_args into ubuntu-cve-tracker:master

Proposed by Steve Beattie
Status: Merged
Merged at revision: c8e08396db1688bce6db737c4588de44e5d12833
Proposed branch: ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:cve_need_retire-accept_cves_as_args
Merge into: ubuntu-cve-tracker:master
Diff against target: 64 lines (+15/-3)
1 file modified
scripts/cve_need_retire (+15/-3)
Reviewer Review Type Date Requested Status
Alex Murray Approve
Review via email: mp+456639@code.launchpad.net

Commit message

    cve_need_retire: accept an optional list of CVEs to operate on

    Currently, the cve_need_retire script operates on the entire set of
    active CVEs in UCT. However, there are times when it's useful to focus
    on a few CVEs for an update one has just released.

    This commit adds support for optionally taking CVEs as arguments
    (basically accepting whatever the underlying ubuntu-table script
    accepts as CVEs to report on).

    This has been tested with the following commits in UCT:

      commit 8e5d8601a1a4c78f1f6b7aad331faf415608fa71
      Author: Steve Beattie <email address hidden>
      Date: Thu Nov 30 12:53:03 2023 -0800

        Retired 1 CVE

        Packages affected:
          xbmc(1) xine-lib(1) xine-lib-1.2(1)

        Signed-off-by: Steve Beattie <email address hidden>

      commit 96a242723a82be361bde82ef95f9e4e26ce6161c
      Author: Steve Beattie <email address hidden>
      Date: Thu Nov 30 12:52:39 2023 -0800

        Retired 2 CVEs

        Packages affected:
          chromium-browser(2)

        Signed-off-by: Steve Beattie <email address hidden>

    using the following commands:

      ./scripts/cve_need_retire -uc active/CVE-2023-5997 active/CVE-2023-6112
      ./scripts/cve_need_retire -uc CVE-2017-11119

    Also, fix up the shellcheck warning about failing to use read -r
    (and silence what would be an added shellcheck warning around
    un-quote-protected $cves).

Description of the change

Add support to scripts/cve_need_retire for optionally taking CVEs as arguments (basically accepting whatever the underlying ubuntu-table script accepts as CVEs to report on).
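The option parsing and argument pass-through described above, as an added example that is not code from ubuntu-cve-tracker. `fake_table` is a hypothetical stand-in for `./scripts/ubuntu-table` that only echoes how each argument arrived; `run_collapsed` mirrors the patch's approach (join into `$cves`, expand unquoted) and `run_passthrough` shows the alternative of handing `"$@"` straight to the tool, so the two can be compared on the same constructed input.

```sh
#!/bin/sh
# Added example, not ubuntu-cve-tracker code. fake_table is a hypothetical
# stand-in for ./scripts/ubuntu-table: it prints one line per argument it
# receives so we can see how the arguments arrived.
fake_table() {
    for a in "$@"; do
        printf 'arg=[%s]\n' "$a"
    done
}

# Variant 1, mirroring the patch: parse flags with getopts, shift them away,
# join the remaining arguments into a scalar and expand it unquoted. The
# unquoted expansion is word-split and pathname-expanded again, so an argument
# containing spaces or glob characters is no longer passed through verbatim.
run_collapsed() {
    OPTIND=1                      # reset so getopts starts afresh per call
    while getopts "fu" opt; do
        case "$opt" in
            f|u) ;;               # flags accepted but ignored in this demo
            ?) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    cves=
    if [ "$#" -gt 0 ]; then
        cves="$*"
    fi
    # shellcheck disable=SC2086
    fake_table -r $cves
}

# Variant 2: keep the positional parameters intact and hand "$@" to the tool.
# Each argument stays one word, and "$@" expands to nothing when no CVEs were
# given, so neither the guard nor the shellcheck suppression is needed.
run_passthrough() {
    OPTIND=1
    while getopts "fu" opt; do
        case "$opt" in
            f|u) ;;
            ?) return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    fake_table -r "$@"
}

# Number of arguments the stand-in received for a given invocation
# (the leading -r is counted too).
count_args() {
    "$@" | wc -l | tr -d ' '
}

# Demonstration on constructed input: one quoted argument containing a space.
# Variant 1 splits it into two CVEs; variant 2 delivers it as a single word.
run_collapsed -u 'CVE-2023-5997 CVE-2023-6112'
run_passthrough -u 'CVE-2023-5997 CVE-2023-6112'
```

Run it with `sh` to see the two variants side by side; the quoted argument is the simplest way to make the difference visible, but the same re-splitting applies to any argument the caller had quoted to keep the shell from expanding it.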

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM! Thanks Steve.

review: Approve

Preview Diff

1diff --git a/scripts/cve_need_retire b/scripts/cve_need_retire
2index 1a07359..35bd4be 100755
3--- a/scripts/cve_need_retire
4+++ b/scripts/cve_need_retire
5@@ -4,7 +4,7 @@
6 # Author: Kees Cook <kees@ubuntu.com>
7 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
8 # Author: Steve Beattie <sbeattie@ubuntu.com>
9-# Copyright (C) 2005-2020 Canonical Ltd.
10+# Copyright (C) 2005-2023 Canonical Ltd.
11 #
12 # This script is distributed under the terms and conditions of the GNU General
13 # Public License, Version 2 or later. See http://www.gnu.org/copyleft/gpl.html
14@@ -21,7 +21,7 @@ cvedir="./active"
15
16 help() {
17 cat <<EOM
18-Uasge: cve_need_retire [-f] [-p] [-u]"
19+Uasge: cve_need_retire [-f] [-p] [-u] [CVE list]"
20
21 -f full listing
22 -r report (first) package
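Review bot: the usage line being edited here still reads "Uasge" and still carries the stray trailing double quote inside the heredoc; since the line is touched anyway, make it `Usage: cve_need_retire [-f] [-p] [-u] [CVE list]`. The synopsis also omits -r and -c, both of which the `getopts "fhucpr"` loop below accepts and the option list underneath documents, so consider listing them too.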
23@@ -29,6 +29,8 @@ Uasge: cve_need_retire [-f] [-p] [-u]"
24 -u move the files to retired directory
25 -c commit the changes to git (requires -u)
26 -h this help statement
27+
28+A list of CVEs can be given to operate on a subset of the repo
29 EOM
30 }
31
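Review bot: the new help sentence does not say what form a CVE argument takes. The commit message shows that both a bare identifier (CVE-2017-11119) and a path (active/CVE-2023-5997) work because the arguments go straight to ubuntu-table, so spell that out, e.g. `CVEs may be given as CVE-YYYY-NNNN or as paths such as active/CVE-YYYY-NNNN; they are passed unchanged to ubuntu-table.`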
32@@ -37,6 +39,7 @@ update=
33 commit=
34 path=
35 report_pkg=
36+cves=
37
38 while getopts "fhucpr" opt ; do
39 case "$opt" in
40@@ -49,6 +52,11 @@ while getopts "fhucpr" opt ; do
41 ?) help ; exit 1;;
42 esac
43 done
44+shift $((OPTIND - 1))
45+
46+if [ "$#" -gt 0 ] ; then
47+ cves="$*"
48+fi
49
50 vcs=bzr
51 if [ -d ".git" ]; then
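Review bot: `cves="$*"` joins the arguments into one space-separated string, and the later unquoted `$cves` word-splits and pathname-expands that string again, so an argument the caller quoted to keep it intact is not passed through verbatim; the `if [ "$#" -gt 0 ]` guard is also redundant, because `$*` is already empty when there are no arguments. Passing `"$@"` straight to ubuntu-table keeps each argument as one word and expands to nothing when the list is empty, which removes the need for this block and for the `cves` variable.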
52@@ -62,7 +70,11 @@ if [ -n "${commit}" ] && [ -z "${update}" ] ; then
53 exit 1
54 fi
55
56-./scripts/ubuntu-table -r 2>&1 >/dev/null | grep '^retire: ' | while read junk cve
57+# don't wrap $cves in quotes because we want it to be ignored if there
58+# are none passed, as well as we want the contents to be treated as
59+# individual arguments
60+# shellcheck disable=SC2086
61+./scripts/ubuntu-table -r $cves 2>&1 >/dev/null | grep '^retire: ' | while read -r junk cve
62 do
63 if [ -z "$full" ]; then
64 if [ -z "$update" ]; then
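Review bot: with `2>&1 >/dev/null` only ubuntu-table's stderr reaches the pipe and `grep '^retire: '` keeps just the retire lines, so every other stderr line, including any diagnostic about a mistyped or non-existent CVE argument, is dropped silently and the loop simply has nothing to do. Now that users type CVE names by hand, either check before the pipeline that each argument (or its active/ path) exists, or pass the non-matching stderr lines through to the user. Using `"$@"` here instead of `$cves` would also let the `# shellcheck disable=SC2086` comment and its explanation go.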
