diff options
author | Holger Levsen <holger@debian.org> | 2014-10-03 07:36:36 +0000 |
---|---|---|
committer | Holger Levsen <holger@debian.org> | 2014-10-03 07:36:36 +0000 |
commit | 3503e4854b10df0f2fac9cb5ad5d5b514b8aea40 (patch) | |
tree | 1c8e506b673fbc069cd90487b0cb339ef5aa0fa8 /lib | |
parent | d23649e92586edd0049104bc0aa714ca31095660 (diff) |
WIP: improve backports support. (this is really WIP: see debian_support.py)
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@29228 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'lib')
-rw-r--r-- | lib/python/bugs.py | 4 | ||||
-rw-r--r-- | lib/python/debian_support.py | 2 | ||||
-rw-r--r-- | lib/python/security_db.py | 127 |
3 files changed, 67 insertions, 66 deletions
diff --git a/lib/python/bugs.py b/lib/python/bugs.py index 7258be720e..92470857f4 100644 --- a/lib/python/bugs.py +++ b/lib/python/bugs.py @@ -374,10 +374,10 @@ class BugFromDB(Bug): def getStatus(self, cursor): """Calculate bug status. - Returns list of tuples (RELEASE, STATUS, REASON).""" + Returns list of tuples (RELEASE, SUBRELEASE, STATUS, REASON).""" return list(cursor.execute( - """SELECT release, status, reason + """SELECT release, subrelease, status, reason FROM bug_status WHERE bug_name = ?""", (self.name,))) diff --git a/lib/python/debian_support.py b/lib/python/debian_support.py index 2c76f2d44d..6f3a1a9480 100644 --- a/lib/python/debian_support.py +++ b/lib/python/debian_support.py @@ -71,7 +71,7 @@ class ParseError(Exception): # This regular expression is used to strip ~bpo1 and ~volatile1 from # version numbers before they are compared. -_version_normalize_regexp = re.compile(r"~(?:bpo|volatile)[0-9.+]+$") +_version_normalize_regexp = re.compile(r"~(?:xxxxxxxxxxxxxxxx|yyyyyyyyyyyyyyyy)[0-9.+]+$") class Version: """Version class which uses the original APT comparison algorithm. diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 5a4f857eb1..ddaa8b6a91 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -271,11 +271,12 @@ class DB: cursor.execute("""CREATE TABLE bug_status (bug_name TEXT NOT NULL, release TEXT NOT NULL, + subrelease TEXT NOT NULL, status TEXT NOT NULL CHECK (status IN ('vulnerable', 'fixed', 'unknown', 'undetermined', 'partially-fixed', 'todo')), reason TEXT NOT NULL, - PRIMARY KEY (bug_name, release))""") + PRIMARY KEY (bug_name, release, subrelease))""") cursor.execute("""CREATE TABLE source_package_status (bug_name TEXT NOT NULL, @@ -1174,24 +1175,24 @@ class DB: pkgs += ("packages %s may be vulnerable but need to be checked." % ', '.join(undetermined_packages)) cursor.execute("""INSERT INTO bug_status - (bug_name, release, status, reason) - VALUES (?, 'unstable', ?, ?)""", (bug_name, status, pkgs)) + (bug_name, release, subrelease, status, reason) + VALUES (?, 'unstable', '', ?, ?)""", (bug_name, status, pkgs)) elif unimportant_packages: if len(unimportant_packages) == 1: pkgs = "package %s is vulnerable; however, the security impact is unimportant." % unimportant_packages[0] else: pkgs = "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimportant_packages)) cursor.execute("""INSERT INTO bug_status - (bug_name, release, status, reason) - VALUES (?, 'unstable', 'fixed', ?)""", (bug_name, pkgs)) + (bug_name, release, subrelease, status, reason) + VALUES (?, 'unstable', '', 'fixed', ?)""", (bug_name, pkgs)) else: if have_something: status = "not vulnerable." else: status = "not known to be vulnerable." cursor.execute("""INSERT INTO bug_status - (bug_name, release, status, reason) - VALUES (?, 'unstable', 'fixed', ?)""", + (bug_name, release, subrelease, status, reason) + VALUES (?, 'unstable', '', 'fixed', ?)""", (bug_name, status)) def _calcTesting(self, cursor, bug_name, suite, nickname): @@ -1201,85 +1202,85 @@ class DB: # note/release/subrelease triple, but we should check that # here. - status = {'' : {}, 'security' : {}, 'lts' : {}, 'backports' : {}} + status = {'' : {}, 'security' : {}, 'lts' : {}, 'backports' : {}} for (package, note, subrelease, vulnerable, urgency) in cursor.execute( """SELECT DISTINCT sp.name, n.id, sp.subrelease, st.vulnerable, n.urgency FROM source_package_status AS st, source_packages AS sp, package_notes AS n WHERE st.bug_name = ? AND sp.rowid = st.package - AND sp.release = ? AND sp.subrelease IN ('', 'security', 'lts', 'backports') + AND sp.release = ? AND n.bug_name = st.bug_name AND n.package = sp.name ORDER BY sp.name""", (bug_name, nickname)): status[subrelease][(package, note)] = (vulnerable,urgency) - - # Check if any packages in plain testing are vulnerable, and - # if all of those have been fixed in the security archive. - fixed_in_security = True - unfixed_pkgs = {} - undet_pkgs = {} - unimp_pkgs = {} - for ((package, note), (vulnerable, urgency)) in status[''].items(): + if package == "bind9": + print package, note, subrelease, vulnerable, urgency + + # Check if any packages in plain testing are vulnerable, and + # if all of those have been fixed in the security archive. + fixed_in_security = False + fixed_in_lts = False + unfixed_pkgs = {} + undet_pkgs = {} + unimp_pkgs = {} if vulnerable == 1: if urgency == 'unimportant': unimp_pkgs[package] = True else: unfixed_pkgs[package] = True if status['security'].get((package, note), True): - fixed_in_security = False + fixed_in_security = True elif status['lts'].get((package, note), True): - fixed_in_security = False - elif status['backports'].get((package, note), True): - fixed_in_security = False + fixed_in_lts = True elif vulnerable == 2: undet_pkgs[package] = True - unfixed_pkgs = unfixed_pkgs.keys() - unfixed_pkgs.sort() - undet_pkgs = undet_pkgs.keys() - undet_pkgs.sort() - unimp_pkgs = unimp_pkgs.keys() - unimp_pkgs.sort() - - pkgs = "" - result = "undetermined" - if len(unfixed_pkgs) == 0 and len(undet_pkgs) == 0: - if len(status[''].keys()) == 0: - pkgs += "not known to be vulnerable." - else: - pkgs += "not vulnerable." - result = "fixed" - if len(unfixed_pkgs) > 0: - if len(unfixed_pkgs) == 1: - pkgs += "package " + unfixed_pkgs[0] + " is " - else: - pkgs += "packages " + ", ".join(unfixed_pkgs) + " are " - if fixed_in_security: - pkgs = "%sfixed in %s-security. " % (pkgs, suite) - if suite == "stable": + unfixed_pkgs = unfixed_pkgs.keys() + unfixed_pkgs.sort() + undet_pkgs = undet_pkgs.keys() + undet_pkgs.sort() + unimp_pkgs = unimp_pkgs.keys() + unimp_pkgs.sort() + + pkgs = "" + result = "undetermined" + if len(unfixed_pkgs) == 0 and len(undet_pkgs) == 0: + if len(status[subrelease].keys()) == 0: + pkgs += "not known to be vulnerable." + else: + pkgs += "not vulnerable." + result = "fixed" + if len(unfixed_pkgs) > 0: + if len(unfixed_pkgs) == 1: + pkgs += "package " + unfixed_pkgs[0] + " is " + else: + pkgs += "packages " + ", ".join(unfixed_pkgs) + " are " + if fixed_in_security: + pkgs = "%sfixed in %s-security. " % (pkgs, suite) + result = "fixed" + elif fixed_in_lts: + pkgs = "%sfixed in %s-lts. " % (pkgs, suite) result = "fixed" else: - result = "partially-fixed" - else: - pkgs += "vulnerable. " - result = "vulnerable" - if len(undet_pkgs) > 0: - if len(undet_pkgs) == 1: - pkgs += "package " + undet_pkgs[0] + " may be vulnerable but needs to be checked." - else: - pkgs += "packages " + ", ".join(undet_pkgs) + " may be vulnerable but need to be checked." - if len(unimp_pkgs) > 0 and len(undet_pkgs) == 0 and len(unfixed_pkgs) == 0: - result = "fixed" - if len(unimp_pkgs) == 1: - pkgs = "package %s is vulnerable; however, the security impact is unimportant." % unimp_pkgs[0] - else: - pkgs = "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimp_pkgs)) + pkgs += "vulnerable. " + result = "vulnerable" + if len(undet_pkgs) > 0: + if len(undet_pkgs) == 1: + pkgs += "package " + undet_pkgs[0] + " may be vulnerable but needs to be checked." + else: + pkgs += "packages " + ", ".join(undet_pkgs) + " may be vulnerable but need to be checked." + if len(unimp_pkgs) > 0 and len(undet_pkgs) == 0 and len(unfixed_pkgs) == 0: + result = "fixed" + if len(unimp_pkgs) == 1: + pkgs = "package %s is vulnerable; however, the security impact is unimportant." % unimp_pkgs[0] + else: + pkgs = "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimp_pkgs)) - cursor.execute("""INSERT INTO bug_status - (bug_name, release, status, reason) - VALUES (?, ?, ?, ?)""", - (bug_name, suite, result, pkgs)) + cursor.execute("""INSERT INTO bug_status + (bug_name, release, subrelease, status, reason) + VALUES (?, ?, ?, ?, ?)""", + (bug_name, suite, '', result, pkgs)) def calculateDebsecan0(self, release): """Create data for the debsecan tool (VERSION 0 format).""" |