Merge ubuntu-cve-tracker:lp2052658 into ubuntu-cve-tracker:master

Proposed by Marc Deslauriers
Status: Merged
Merge reported by: Marc Deslauriers
Merged at revision: 0ebeb21c4b812b04ffad263cd60aece2e82593a3
Proposed branch: ubuntu-cve-tracker:lp2052658
Merge into: ubuntu-cve-tracker:master
Diff against target: 32 lines (+1/-9)
2 files modified
scripts/active_edit (+1/-1)
scripts/cve_lib.py (+0/-8)
Reviewer: Alex Murray (Approve)
Review via email: mp+460203@code.launchpad.net

Commit message

Fix active_edit no longer copying statuses from boilerplates (LP: #2052658)

scripts/cve_lib.py: don't drop the package when loading the boilerplates
as we need to have the statuses later on.
scripts/active_edit: check for duplicate by comparing against p, not
against parent. I believe this is a typo as this code is only
reachable when parent is None.

Alex Murray (alexmurray) wrote :

I agree on the p/parent typo - not sure on the implications of removing the other section but I agree we need to fix this issue so let's go with it and we'll find out if it causes any other issues as we go.

LGTM! Thanks Marc.

review: Approve
Steve Beattie (sbeattie) wrote :

On Thu, Feb 08, 2024 at 12:56:58AM -0000, Alex Murray wrote:
> Review: Approve
>
> I agree on the p/parent typo - not sure on the implications of removing
> the other section but I agree we need to fix this issue so let's go
> with it and we'll find out if it causes any other issues as we go.

I tested active_edit with the package referenced in the comment,
openjdk, along with one of its actual packages, openjdk-8, in the
following situations:

  ./scripts/active_edit -p openjdk -c CVE-1999-123456
  ./scripts/active_edit -p openjdk-8 -c CVE-1999-123456
  ./scripts/active_edit -p openjdk-8 -p openjdk -c CVE-1999-123456
  ./scripts/active_edit -p openjdk -p openjdk-8 -c CVE-1999-123456

(deleting the created file in between each test) both before and after
Marc's commit and could not get any of them to generate an entry for an
'openjdk' source package or duplicate 'openjdk-8' entries.

(An invocation of active_edit on a boilerplate package for an existing
CVE will create duplicate package entries for everything, but this
commit doesn't change that behavior).

So I don't know what the comment on the dropped code snippet was
referring to, but I'm not seeing an issue from it being dropped.
I looked through the commits that dropped the old boilerplate style
to see if it was lifted from anything there, but didn't see anything
really related other than a comment making sure that package stanzas
in boilerplates that were all DNE didn't get added to the created
CVE file, allowing us to have openjdk and gnutls boilerplates that
covered all the versioned source packages. But it looks like the
current code handles this okay.

[For future-Steve reference, since I can never find where the old-style
 00boilerplate code got dropped, the merge commit is 7120fd2d1ee
 ("Merge branch 'noboilerplates-3'") and all the implementation
 commits can be reached from that.]

--
Steve Beattie
<email address hidden>

Alex Murray (alexmurray) wrote :

Thanks for the thorough testing Steve - perhaps that comment was always there and based on how I assumed it would work rather than based on experience and so was always incorrect? Either way, thanks to both you and Marc for looking into this and apologies for introducing the bug in the first place.

Preview Diff

1diff --git a/scripts/active_edit b/scripts/active_edit
2index bd858de..98e7e2b 100755
3--- a/scripts/active_edit
4+++ b/scripts/active_edit
5@@ -159,7 +159,7 @@ def add_pkg(p, fp, fixed, parent, embargoed):
6 if parent is None and p in pkg_db:
7 for pkg in pkg_db[p]["pkgs"]:
8 # don't add the same package twice
9- if pkg != parent:
10+ if pkg != p:
11 # we don't have fixed data for these subpackages
12 add_pkg(pkg, fp, fixed={}, parent=p, embargoed=embargoed)
13
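Review bot: the enclosing guard `if parent is None and p in pkg_db:` means `parent` is always None inside the loop, so the old `if pkg != parent:` could never be false and the comment above it ("don't add the same package twice") was not enforced; `if pkg != p:` is the comparison that comment describes. Because the guard only matters when pkg_db[p]["pkgs"] contains p itself, consider extending the comment to say so, and to note that recursion stays bounded because the nested call passes parent=p, which fails the `parent is None` test on re-entry.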
14diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
15index 329e477..b3fa75c 100755
16--- a/scripts/cve_lib.py
17+++ b/scripts/cve_lib.py
18@@ -2568,14 +2568,6 @@ def load_boilerplates():
19 aliases[orig_name].add(name)
20 continue
21 bpdata = parse_boilerplate(filepath)
22- # having a package reference itself as we have in the boilerplates
23- # is redundant - although this is not always the case as we may
24- # have a boilerplate filename like openjdk yet there is no openjdk
25- # package (just openjdk-8 etc) - so ignore any failures here
26- try:
27- del bpdata["pkgs"][name]
28- except KeyError:
29- pass
30 data.setdefault(name, bpdata)
31 for alias in aliases:
32 data[alias]["aliases"] = sorted(list(aliases[alias]))
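Review bot: removing the `del bpdata["pkgs"][name]` block means a boilerplate's own stanza now remains in data[name]["pkgs"], and the deleted comment was the only place that explained the self-reference; add a one-line comment before `data.setdefault(name, bpdata)` stating that the self-entry is kept on purpose because its statuses are needed later, so a future cleanup does not reintroduce the deletion. Every consumer that iterates data[name]["pkgs"] must now tolerate an entry equal to name (the `pkg != p` check in active_edit is one such guard); a small test that loads a boilerplate listing itself and asserts the entry survives would pin the new behaviour and address the uncertainty raised in review.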
