Merge ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:cve_need_retire-accept_cves_as_args into ubuntu-cve-tracker:master

Proposed by Steve Beattie
Status: Merged
Merged at revision: c8e08396db1688bce6db737c4588de44e5d12833
Proposed branch: ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:cve_need_retire-accept_cves_as_args
Merge into: ubuntu-cve-tracker:master
Diff against target: 64 lines (+15/-3)
1 file modified
scripts/cve_need_retire (+15/-3)
Reviewer       Review Type   Date Requested   Status
Alex Murray                                   Approve
Review via email: mp+456639@code.launchpad.net

Commit message

    cve_need_retire: accept an optional list of CVEs to operate on

    Currently, the cve_need_retire script operates on the entire set of
    active CVEs in UCT. However, there are times when it's useful to focus
    on a few CVEs for an update one has just released.

    This commit adds support for optionally taking CVEs as arguments
    (basically accepting whatever the underlying ubuntu-table script
    accepts as CVEs to report on).

    This has been tested with the following commits in UCT:

      commit 8e5d8601a1a4c78f1f6b7aad331faf415608fa71
      Author: Steve Beattie <email address hidden>
      Date: Thu Nov 30 12:53:03 2023 -0800

        Retired 1 CVE

        Packages affected:
          xbmc(1) xine-lib(1) xine-lib-1.2(1)

        Signed-off-by: Steve Beattie <email address hidden>

      commit 96a242723a82be361bde82ef95f9e4e26ce6161c
      Author: Steve Beattie <email address hidden>
      Date: Thu Nov 30 12:52:39 2023 -0800

        Retired 2 CVEs

        Packages affected:
          chromium-browser(2)

        Signed-off-by: Steve Beattie <email address hidden>

    using the following commands:

      ./scripts/cve_need_retire -uc active/CVE-2023-5997 active/CVE-2023-6112
      ./scripts/cve_need_retire -uc CVE-2017-11119

    Also, fix up the shellcheck warning about failing to use read -r
    (and silence what would be an added shellcheck warning around
    un-quote-protected $cves).

Description of the change

Add support to scripts/cve_need_retire for optionally taking CVEs as arguments (basically accepting whatever the underlying ubuntu-table script accepts as CVEs to report on).

Alex Murray (alexmurray) wrote :

LGTM! Thanks Steve.

review: Approve

Preview Diff

diff --git a/scripts/cve_need_retire b/scripts/cve_need_retire
index 1a07359..35bd4be 100755
--- a/scripts/cve_need_retire
+++ b/scripts/cve_need_retire
@@ -4,7 +4,7 @@
4# Author: Kees Cook <kees@ubuntu.com>4# Author: Kees Cook <kees@ubuntu.com>
5# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>5# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
6# Author: Steve Beattie <sbeattie@ubuntu.com>6# Author: Steve Beattie <sbeattie@ubuntu.com>
7# Copyright (C) 2005-2020 Canonical Ltd.7# Copyright (C) 2005-2023 Canonical Ltd.
8#8#
9# This script is distributed under the terms and conditions of the GNU General9# This script is distributed under the terms and conditions of the GNU General
10# Public License, Version 2 or later. See http://www.gnu.org/copyleft/gpl.html10# Public License, Version 2 or later. See http://www.gnu.org/copyleft/gpl.html
@@ -21,7 +21,7 @@ cvedir="./active"
2121
22help() {22help() {
23 cat <<EOM23 cat <<EOM
24Uasge: cve_need_retire [-f] [-p] [-u]"24Uasge: cve_need_retire [-f] [-p] [-u] [CVE list]"
2525
26 -f full listing26 -f full listing
27 -r report (first) package27 -r report (first) package
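Review bot: The usage line rewritten at new line 24 still reads "Uasge" and still ends with a stray double quote after "[CVE list]". Since the line is being touched anyway, correct it to: Usage: cve_need_retire [-f] [-p] [-u] [CVE list]. The synopsis also leaves out -r, -c and -h, which the option list below it and the getopts string "fhucpr" both include, so listing them here would keep the help consistent.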
@@ -29,6 +29,8 @@ Uasge: cve_need_retire [-f] [-p] [-u]"
29 -u move the files to retired directory29 -u move the files to retired directory
30 -c commit the changes to git (requires -u)30 -c commit the changes to git (requires -u)
31 -h this help statement31 -h this help statement
32
33A list of CVEs can be given to operate on a subset of the repo
32EOM34EOM
33}35}
3436
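Review bot: The help sentence added at new line 33 does not say what form a CVE argument may take. The commit message shows both a path (active/CVE-2023-5997) and a bare identifier (CVE-2017-11119) being used, so the help text should state that both forms are accepted, rather than leaving the user to find out from ubuntu-table.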
@@ -37,6 +39,7 @@ update=
37commit=39commit=
38path=40path=
39report_pkg=41report_pkg=
42cves=
4043
41while getopts "fhucpr" opt ; do44while getopts "fhucpr" opt ; do
42 case "$opt" in45 case "$opt" in
@@ -49,6 +52,11 @@ while getopts "fhucpr" opt ; do
49 ?) help ; exit 1;;52 ?) help ; exit 1;;
50 esac53 esac
51done54done
55shift $((OPTIND - 1))
56
57if [ "$#" -gt 0 ] ; then
58 cves="$*"
59fi
5260
53vcs=bzr61vcs=bzr
54if [ -d ".git" ]; then62if [ -d ".git" ]; then
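Review bot: cves="$*" at new line 58 joins the arguments into a single string, and the script then relies on unquoted word splitting later to separate them again, which also subjects each argument to pathname expansion and splits any argument containing whitespace. After the shift at new line 55, "$@" already holds exactly the CVE list and expands to nothing when no arguments were given, so the cves variable and this if block can be dropped and "$@" passed to ubuntu-table directly.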
@@ -62,7 +70,11 @@ if [ -n "${commit}" ] && [ -z "${update}" ] ; then
62 exit 170 exit 1
63fi71fi
6472
65./scripts/ubuntu-table -r 2>&1 >/dev/null | grep '^retire: ' | while read junk cve73# don't wrap $cves in quotes because we want it to be ignored if there
74# are none passed, as well as we want the contents to be treated as
75# individual arguments
76# shellcheck disable=SC2086
77./scripts/ubuntu-table -r $cves 2>&1 >/dev/null | grep '^retire: ' | while read -r junk cve
66do78do
67 if [ -z "$full" ]; then79 if [ -z "$full" ]; then
68 if [ -z "$update" ]; then80 if [ -z "$update" ]; then
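Review bot: With user-supplied arguments now reaching ubuntu-table at new line 77, the 2>&1 >/dev/null | grep '^retire: ' pipeline discards everything ubuntu-table writes except retire lines, so a mistyped CVE argument, or one that is not ready to retire, produces no output and the loop body never runs. Consider reporting to the user when a CVE list was given and no retire line came back. Separately, the shellcheck disable=SC2086 directive and its three-line comment become unnecessary if the arguments are passed as "$@", which is skipped when empty and keeps each argument intact.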
