authorSalvatore Bonaccorso <carnil@debian.org>2020-06-04 20:02:34 +0000
committerSalvatore Bonaccorso <carnil@debian.org>2020-06-04 20:02:34 +0000
commit12052760d6f12fd9ec6e3c42afe66449011b01cc (patch)
tree7048810cfb8bae504dcad525e825993ccb01bc48 /bin
parent5691f3044f636bfacb4b1ec5960a290d105cef59 (diff)
parent1b9c4741e886afe5f2bf6a4583d977bac225bdad (diff)
Merge branch 'distro-config' into 'master'
Distro config reunification See merge request security-tracker-team/security-tracker!48
Diffstat (limited to 'bin')
-rwxr-xr-xbin/gen-DSA30
-rwxr-xr-xbin/lts-bts12
-rwxr-xr-xbin/lts-cve-triage.py19
-rwxr-xr-xbin/lts-needs-forward-port.py33
-rw-r--r--bin/tracker_data.py22
-rwxr-xr-xbin/tracker_service.py113
6 files changed, 117 insertions, 112 deletions
diff --git a/bin/gen-DSA b/bin/gen-DSA
index 0a453b6d31..051cccb0da 100755
--- a/bin/gen-DSA
+++ b/bin/gen-DSA
@@ -27,10 +27,20 @@ case "$(basename "$0")" in
;;
esac
-OLDOLDSTABLE=jessie
-OLDSTABLE=stretch
-STABLE=buster
-TESTING=bullseye
+if ! which jq >/dev/null 2>&1 ; then
+ echo "error: jq is needed to parse distributions, please install it"
+ exit 1
+fi
+
+RELEASES=`jq -r '.distributions | to_entries[] | select(.value.release) | .value.release | ascii_upcase' data/config.json`
+CODENAMES=`jq -r '.distributions | to_entries[] | select(.value.release) | .key' data/config.json`
+
+while read dist; do
+ read codename
+ eval $dist=$codename
+done << EOF
+`jq -r '.distributions | to_entries[] | select(.value.release) | (.value.release | ascii_upcase), .key' data/config.json`
+EOF
NAME_SPACING=24
DATE_SPACING=22
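Review bot: `eval $dist=$codename` in the added while loop evaluates text read from data/config.json unquoted, so a release or codename value containing whitespace or shell metacharacters would be executed as shell code instead of being assigned. Check both values before the assignment, e.g. `case "$dist$codename" in *[!A-Za-z0-9_]*) echo "error: unexpected distribution name in data/config.json" >&2; exit 1;; esac`, and assign with `eval "$dist=\$codename"` so the codename itself is never re-parsed. The same JSON-derived `$dist` later reaches the existing `eval 'printf ...'` lines inside the two `for dist in $CODENAMES` loops, so validating once here covers those as well. The jq error message should also go to stderr (`>&2`).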
@@ -335,15 +345,15 @@ setvar PACKAGE
setvar CVE "$CVE_LIST"
setvar ${IDMODE}ID "$DAID"
setvar BUGNUM
-setvar OLDOLDSTABLE
-setvar OLDSTABLE
-setvar STABLE
-setvar TESTING
setvar SPACEDDATE
setvar DATE
setvar TEXT "${TEXT:-$IDMODE text goes here}"
-for dist in $OLDOLDSTABLE $OLDSTABLE $STABLE $TESTING UNSTABLE; do
+for dist in $RELEASES; do
+ setvar $dist
+done
+
+for dist in $CODENAMES; do
version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
if $save && [ -z "$version" ] && grep -q "${dist}_VERSION" "$tmpf"; then
printf "Enter $dist's version [unset]: "
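Review bot: The rewritten loop `for dist in $CODENAMES` no longer contains the literal `UNSTABLE` that ended the old list, so `UNSTABLE_VERSION` is not looked up any more. Whether unstable is still covered depends on data/config.json giving it a `release` field, which is not visible here. A comment above the loop would make the expected contents checkable, e.g. `# CODENAMES: key of every distribution in data/config.json that has a "release" field`. The loop body continues outside the hunk.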
@@ -377,7 +387,7 @@ EOF
printf "\t{%s}\n" "$CVE" >> $daid_entry
fi
- for dist in $OLDOLDSTABLE $OLDSTABLE $STABLE; do
+ for dist in $CODENAMES; do
version="$(eval 'printf "%s" "$'"$dist"_VERSION'"')"
[ -z "$version" ] || \
printf "\t[%s] - %s %s\n" "$dist" "$PACKAGE" "$version" >> $daid_entry
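Review bot: This loop used to write entries only for `$OLDOLDSTABLE $OLDSTABLE $STABLE`, but `$CODENAMES` holds every distribution with a `release` field, which presumably includes testing because `$TESTING` is now defined from the same data. A non-empty `<testing codename>_VERSION` would then append a `[codename] - package version` line to `$daid_entry` that the previous code never produced. If that is not intended, narrow the list here; if it is, a comment such as `# deliberately all released suites, including testing` would record the decision. The enclosing block starts and ends outside the hunk.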
diff --git a/bin/lts-bts b/bin/lts-bts
index 98df374c03..da9365721c 100755
--- a/bin/lts-bts
+++ b/bin/lts-bts
@@ -11,7 +11,15 @@ import sys
import tempfile
import warnings
-from tracker_data import TrackerData, RELEASES
+from tracker_data import TrackerData
+
+def setup_path():
+ dirname = os.path.dirname
+ base = dirname(dirname(os.path.realpath(sys.argv[0])))
+ sys.path.insert(0, os.path.join(base, "lib", "python"))
+
+setup_path()
+import config
from jinja2 import Template
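Review bot: `setup_path()` is copied verbatim into lts-bts, lts-cve-triage.py and lts-needs-forward-port.py, and it derives the library directory from `sys.argv[0]`, which reflects how the script was invoked rather than where this file lives. `os.path.realpath(__file__)` ties the inserted directory to the script itself, which matters because the entry goes to the front of `sys.path` and the generic module name `config` is then resolved from there first. No `import os` is visible in the lines shown for lts-bts, so confirm it is imported above the hunk. A docstring such as `"""Put <repo>/lib/python first on sys.path so that 'import config' finds the tracker's module."""` would explain why the import has to follow the call.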
@@ -103,7 +111,7 @@ def main():
cc = 'debian-lts@lists.debian.org'
team = 'lts'
- release = RELEASES['lts']
+ release = config.get_supported_releases()[0]
# Basic check
instructions = "packages/{}.txt".format(args.package)
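Review bot: `config.get_supported_releases()[0]` relies on list position to mean "the LTS release", and nothing here states how the list is ordered or what happens when it is empty. The same positional lookups appear in lts-cve-triage.py (`[0]` and `[1]` inside `RELEASES`) and in lts-needs-forward-port.py (`lts`, `next_lts`). Add a comment that pins the assumption, e.g. `# assumes get_supported_releases() is ordered oldest first, so index 0 is the current LTS - confirm against lib/python/config`, or expose a named accessor in config. main() continues outside the hunk.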
diff --git a/bin/lts-cve-triage.py b/bin/lts-cve-triage.py
index 9cb6306983..2191475a6b 100755
--- a/bin/lts-cve-triage.py
+++ b/bin/lts-cve-triage.py
@@ -15,13 +15,26 @@
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <https://www.gnu.org/licenses/>.
+import os
import sys
import argparse
import collections
-from tracker_data import TrackerData, RELEASES
+from tracker_data import TrackerData
from unsupported_packages import UnsupportedPackages, LimitedSupportPackages
+def setup_path():
+ dirname = os.path.dirname
+ base = dirname(dirname(os.path.realpath(sys.argv[0])))
+ sys.path.insert(0, os.path.join(base, "lib", "python"))
+
+setup_path()
+import config
+
+RELEASES = {
+ 'lts': config.get_supported_releases()[0],
+ 'next_lts': config.get_supported_releases()[1],
+}
def colored(x, *args, **kwargs):
return x
@@ -100,8 +113,8 @@ for pkg in tracker.iterate_packages():
continue
for issue in tracker.iterate_pkg_issues(pkg):
- status_in_lts = issue.get_status('lts')
- status_in_next_lts = issue.get_status('next_lts')
+ status_in_lts = issue.get_status([RELEASES['lts'])
+ status_in_next_lts = issue.get_status(RELEASES['next_lts'])
if status_in_lts.status in ('not-affected', 'resolved'):
continue
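Review bot: `issue.get_status([RELEASES['lts'])` has an unmatched `[`, so lts-cve-triage.py no longer parses and stops with a SyntaxError before any triage runs. The line should read `status_in_lts = issue.get_status(RELEASES['lts'])`, matching the `next_lts` line below it. The loop body continues outside the hunk.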
diff --git a/bin/lts-needs-forward-port.py b/bin/lts-needs-forward-port.py
index 4277a832bc..7a4d24c1d4 100755
--- a/bin/lts-needs-forward-port.py
+++ b/bin/lts-needs-forward-port.py
@@ -18,21 +18,33 @@
import argparse
import collections
+import os
import sys
-from tracker_data import TrackerData, RELEASES
+from tracker_data import TrackerData
+
+def setup_path():
+ dirname = os.path.dirname
+ base = dirname(dirname(os.path.realpath(sys.argv[0])))
+ sys.path.insert(0, os.path.join(base, "lib", "python"))
+
+setup_path()
+import config
+
+lts = config.get_supported_releases()[0]
+next_lts = config.get_supported_releases()[1]
+oldstable = config.get_release_codename('oldstable')
-# lts is currently jessie, next_lts stretch
LIST_NAMES = (
('needs_fix_in_next_lts',
- ('Issues that are unfixed in {next_lts} but fixed in {lts}'
- ).format(**RELEASES)),
+ ('Issues that are unfixed in {} but fixed in {}'
+ ).format(next_lts, lts)),
('needs_review_in_next_lts',
- ('Issues that are no-dsa in {next_lts} but fixed in {lts}'
- ).format(**RELEASES)),
+ ('Issues that are no-dsa in {} but fixed in {}'
+ ).format(next_lts, lts)),
('fixed_via_pu_in_oldstable',
- ('Issues that will be fixed via p-u in {oldstable}'
- ).format(**RELEASES)),
+ ('Issues that will be fixed via p-u in {}'
+ ).format(oldstable)),
)
@@ -55,8 +67,8 @@ def main():
for pkg in tracker.iterate_packages():
for issue in tracker.iterate_pkg_issues(pkg):
- status_in_lts = issue.get_status('lts')
- status_in_next_lts = issue.get_status('next_lts')
+ status_in_lts = issue.get_status(lts)
+ status_in_next_lts = issue.get_status(next_lts)
if status_in_lts.status in ('not-affected', 'open'):
continue
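Review bot: `issue.get_status(lts)` now has to pass exactly a key of the tracker JSON, because this commit also removes `normalize_release()` from `Issue.get_status` in bin/tracker_data.py. Without it, `self.data['releases'].get(release)` returns None for any unknown or misspelled release and the method reports `'not-affected'`. A mismatch between the config and the tracker data would therefore silently hide open issues instead of raising `ValueError` as before. Keeping a membership check against the configured release list in `get_status`, with the old `raise ValueError("Unknown release: {}".format(release))`, would preserve the fail-closed behaviour.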
@@ -64,6 +76,7 @@ def main():
if status_in_lts.status == 'resolved':
# Package will be updated via the next oldstable
# point release
+ # FIXME: when lts == oldstable, this should look at the stable pu list
if (issue.name in tracker.oldstable_point_update and
pkg in tracker.oldstable_point_update[issue.name]):
add_to_list('fixed_via_pu_in_oldstable', pkg, issue)
diff --git a/bin/tracker_data.py b/bin/tracker_data.py
index 13eab0f4b8..b5f15c3976 100644
--- a/bin/tracker_data.py
+++ b/bin/tracker_data.py
@@ -21,27 +21,6 @@ import subprocess
import requests
import six
-RELEASES = {
- 'oldoldstable': 'jessie',
- 'oldstable': 'stretch',
- 'stable': 'buster',
- 'testing': 'bullseye',
- 'unstable': 'sid',
- 'experimental': 'experimental',
- # LTS specific aliases
- 'lts': 'jessie',
- 'next_lts': 'stretch',
-}
-
-
-def normalize_release(release):
- if release in RELEASES:
- return RELEASES[release]
- elif release in RELEASES.values():
- return release
- else:
- raise ValueError("Unknown release: {}".format(release))
-
class TrackerData(object):
DATA_URL = "https://security-tracker.debian.org/tracker/data/json"
@@ -189,7 +168,6 @@ class Issue(object):
self.data = data
def get_status(self, release):
- release = normalize_release(release)
data = self.data['releases'].get(release)
if data is None:
status = 'not-affected'
diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index d45d83b6a1..44a2186ca1 100755
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -3,6 +3,7 @@
import sys
sys.path.insert(0,'../lib/python')
import bugs
+import config
import re
import security_db
from web_support import *
@@ -138,21 +139,24 @@ class TrackerService(webservice_base_class):
self.json_data = None # the JSON dump itself
self.json_timestamp = None # timestamp of JSON generation
self.json_last_modified = None
+
+ self.stable_releases = config.get_supported_releases()
+ self.stable_releases.remove(config.get_release_codename('testing'))
+ self.stable_releases.remove('sid')
+ self.stable_releases.reverse()
+
self.register('', self.page_home)
self.register('*', self.page_object)
self.register('redirect/*', self.page_redirect)
self.register('source-package/*', self.page_source_package)
- self.register('status/release/oldoldstable',
- self.page_status_release_oldoldstable)
- self.register('status/release/oldstable',
- self.page_status_release_oldstable)
- self.register('status/release/stable', self.page_status_release_stable)
- self.register('status/release/stable-backports',
- self.page_status_release_stable_backports)
- self.register('status/release/oldstable-backports',
- self.page_status_release_oldstable_backports)
- self.register('status/release/oldoldstable-backports',
- self.page_status_release_oldoldstable_backports)
+
+ for release in self.stable_releases:
+ alias = config.get_release_alias(release)
+ self.register('status/release/' + alias,
+ self.page_status_release_stable_like)
+ self.register('status/release/' + alias + '-backports',
+ self.page_status_release_backports_like)
+
self.register('status/release/testing',
self.page_status_release_testing)
self.register('status/release/unstable',
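Review bot: `self.stable_releases = config.get_supported_releases()` is followed by two `remove()` calls and a `reverse()` on the same object. If config hands out its own list rather than a copy, every later `config.get_supported_releases()` call in this class (the `IN (...)` queries further down) would see the trimmed, reversed list without testing and sid. Take a copy first: `self.stable_releases = list(config.get_supported_releases())`. `'sid'` is also still hard-coded here while testing is looked up through config, and `remove()` raises `ValueError` when the name is absent. The enclosing method starts and ends outside the hunk.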
@@ -213,6 +217,16 @@ class TrackerService(webservice_base_class):
else:
return RedirectResult(url.scriptRelativeFull(query))
+ def gen_stable_links():
+ links = []
+ for release in self.stable_releases:
+ alias = config.get_release_alias(release)
+ links.append(('status/release/' + alias,
+ 'Vulnerable packages in the ' + alias + ' suite'))
+ links.append(('status/release/' + alias + '-backports',
+ 'Vulnerable packages in backports for ' + alias))
+ return links
+
return self.create_page(
url, 'Security Bug Tracker',
[P(
@@ -238,23 +252,12 @@ aware of and/or help us improve the quality of this information by """,
NAV(make_menu(
url.scriptRelative,
- ('status/release/unstable',
+ *[('status/release/unstable',
'Vulnerable packages in the unstable suite'),
('status/release/testing',
- 'Vulnerable packages in the testing suite'),
- ('status/release/stable',
- 'Vulnerable packages in the stable suite'),
- ('status/release/stable-backports',
- 'Vulnerable packages in backports for stable'),
- ('status/release/oldstable',
- 'Vulnerable packages in the oldstable suite'),
- ('status/release/oldstable-backports',
- 'Vulnerable packages in backports for oldstable'),
- ('status/release/oldoldstable',
- 'Vulnerable packages in the oldoldstable suite'),
- ('status/release/oldoldstable-backports',
- 'Vulnerable packages in backports for oldoldstable'),
- ('status/dtsa-candidates', "Candidates for DTSAs"),
+ 'Vulnerable packages in the testing suite')]
+ + gen_stable_links() +
+ [('status/dtsa-candidates', "Candidates for DTSAs"),
('status/todo', 'TODO items'),
('status/undetermined', 'Packages that may be vulnerable but need to be checked (undetermined issues)'),
('status/unimportant', 'Packages that have open unimportant issues'),
@@ -273,7 +276,7 @@ aware of and/or help us improve the quality of this information by """,
'Covered Debian releases and architectures'),
('data/json',
'All information in JSON format')
- )),
+ ])),
self.make_search_button(url),
P("""(You can enter CVE names, Debian bug numbers and package
@@ -693,8 +696,8 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
replacement='No known security announcements.')
])
- def page_status_release_stable_oldstable_oldoldstable(self, release, params, url):
- assert release in ('stable', 'oldstable', 'oldoldstable',)
+ def page_status_release_stable_like(self, path, params, url):
+ release = os.path.basename(url.path_info)
bf = BugFilter(params)
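Review bot: `release = os.path.basename(url.path_info)` takes the release name from the request path, and the `assert release in (...)` allow-list of the old function is gone, so the rest of the handler trusts whatever the dispatcher let through. Re-check the value against the registered aliases before use, e.g. `if release not in [config.get_release_alias(r) for r in self.stable_releases]: raise ValueError("Unknown release: " + release)`. The same applies to `page_status_release_backports_like`, where `release.split("-")[0]` additionally keeps only the text before the first hyphen. No `import os` is visible in the import hunk of this file, so confirm `os` is in scope (possibly through `from web_support import *`). The method body continues outside the hunk.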
@@ -750,15 +753,6 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
for this vulnerability.'''),
self.nvd_text])
- def page_status_release_stable(self, path, params, url):
- return self.page_status_release_stable_oldstable_oldoldstable('stable', params, url)
- def page_status_release_oldstable(self, path, params, url):
- return self.page_status_release_stable_oldstable_oldoldstable('oldstable',
- params, url)
- def page_status_release_oldoldstable(self, path, params, url):
- return self.page_status_release_stable_oldstable_oldoldstable('oldoldstable',
- params, url)
-
def page_status_release_testing(self, path, params, url):
bf = BugFilter(params)
@@ -878,24 +872,14 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
title='Vulnerable source packages in the unstable suite',
rel='sid')
- def page_status_release_stable_backports(self, path, params, url):
- return self.page_status_release_unstable_like(
- path, params, url,
- title='Vulnerable source packages among backports for stable',
- rel='buster-backports')
-
- def page_status_release_oldstable_backports(self, path, params, url):
- return self.page_status_release_unstable_like(
- path, params, url,
- title='Vulnerable source packages among backports for oldstable',
- rel='stretch-backports')
+ def page_status_release_backports_like(self, path, params, url):
+ release = os.path.basename(url.path_info)
+ release = release.split("-")[0]
- def page_status_release_oldoldstable_backports(self, path, params, url):
return self.page_status_release_unstable_like(
path, params, url,
- title='Vulnerable source packages among backports for oldoldstable',
- rel='jessie-backports')
-
+ title='Vulnerable source packages among backports for ' + release,
+ rel=config.get_release_codename(release, '-backports'))
def page_status_dtsa_candidates(self, path, params, url):
bf = BugFilter(params,nonodsa=True,noignored=True,nopostponed=True)
@@ -909,18 +893,19 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
(SELECT testing.version_id < stable.version_id
FROM source_packages AS testing, source_packages AS stable
WHERE testing.name = testing_status.package
- AND testing.release = 'bullseye'
+ AND testing.release = ?
AND testing.subrelease = ''
AND testing.archive = testing_status.section
AND stable.name = testing_status.package
- AND stable.release = 'buster'
+ AND stable.release = ?
AND stable.subrelease = 'security'
AND stable.archive = testing_status.section),
(SELECT range_remote FROM nvd_data
WHERE cve_name = bug)
FROM testing_status
WHERE (NOT unstable_vulnerable)
- AND (NOT testing_security_fixed)"""):
+ AND (NOT testing_security_fixed)""",
+ (config.get_release_codename('testing'), config.get_release_codename('stable'))):
if bf.urgencyFiltered(urgency, vulnerable):
continue
if bf.remoteFiltered(remote):
@@ -994,14 +979,13 @@ checker to find out why they have not entered testing yet."""),
old_pkg = ''
old_dsc = ''
last_displayed = ''
- releases = ('sid', 'bullseye', 'buster', 'stretch', 'jessie')
+ releases = config.get_supported_releases()
for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
"""SELECT DISTINCT sp.name, st.bug_name, sp.release,
bugs.description
FROM source_package_status AS st, source_packages AS sp, bugs
WHERE st.vulnerable == 2 AND sp.rowid = st.package
- AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
- OR sp.release = ? OR sp.release = ? )
+ AND sp.release IN (""" + ",".join("?" * len(releases)) + """)
AND sp.subrelease = '' AND st.bug_name == bugs.name
ORDER BY sp.name, st.bug_name""", releases):
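Review bot: The `IN (...)` clause is assembled by string concatenation, which is safe here only because nothing but `?` marks is spliced in and the release names still travel as bound parameters. That deserves a comment, e.g. `# only '?' placeholders are interpolated; the values are bound by execute()`. The identical expression is repeated in the next two query hunks (the `st.urgency == 'unimportant'` query and the `supported_releases` query), so a small helper returning the placeholder string would keep the three in step. The enclosing method starts and ends outside the hunk.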
@@ -1039,14 +1023,14 @@ checker to find out why they have not entered testing yet."""),
old_dsc = ''
old_name = ''
last_displayed = ''
- releases = ('sid', 'bullseye', 'buster', 'stretch', 'jessie')
+ releases = config.get_supported_releases()
for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
"""SELECT DISTINCT sp.name, st.bug_name, sp.release,
bugs.description
FROM source_package_status AS st, source_packages AS sp, bugs
WHERE st.vulnerable > 0 AND sp.rowid = st.package
- AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
- OR sp.release = ? OR sp.release = ? ) AND st.urgency == 'unimportant'
+ AND sp.release IN (""" + ",".join("?" * len(releases)) + """)
+ AND st.urgency == 'unimportant'
AND sp.subrelease = '' AND st.bug_name == bugs.name
ORDER BY sp.name, st.bug_name""", releases):
@@ -1325,7 +1309,7 @@ Debian bug number.'''),
urgency = defaultdict(lambda: defaultdict(dict))
nodsa = defaultdict(lambda: defaultdict(dict))
nodsa_reason = defaultdict(lambda: defaultdict(dict))
- supported_releases = ('sid', 'bullseye', 'buster', 'stretch', 'jessie')
+ supported_releases = config.get_supported_releases()
for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason) in self.db.cursor().execute(
"""SELECT sp.name, st.bug_name,
(SELECT cve_desc FROM nvd_data
@@ -1350,8 +1334,7 @@ Debian bug number.'''),
FROM source_package_status AS st, source_packages AS sp, bugs
WHERE sp.rowid = st.package AND st.bug_name = bugs.name
AND ( st.bug_name LIKE 'CVE-%' OR st.bug_name LIKE 'TEMP-%' )
- AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
- OR sp.release = ? OR sp.release = ? )
+ AND sp.release IN (""" + ",".join("?" * len(supported_releases)) + """)
ORDER BY sp.name, st.bug_name, sp.release, sp.subrelease""" , supported_releases):
### to ease debugging...:
