From 9b54858ffb6e6aa24b943ff06596f958da4db980 Mon Sep 17 00:00:00 2001
From: wang-guangge
Date: Wed, 28 Jun 2023 17:19:44 +0800
Subject: [PATCH] add 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
(cherry picked from commit ce77413dccda30992bbb688ab7282c16f42ba26f)
---
 ...e-related-hotpatches-when-the-cve-is.patch | 65 +++++++++++++++++++
 aops-apollo.spec | 7 +-
 2 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
diff --git a/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch b/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
new file mode 100644
index 0000000..11e60a8
--- /dev/null
+++ b/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
@@ -0,0 +1,65 @@
+From 4225065c74beb5e66c4d66a4bd3dfca5bcac91bd Mon Sep 17 00:00:00 2001
+From: wang-guangge
+Date: Wed, 28 Jun 2023 16:53:10 +0800
+Subject: [PATCH] do not return the related hotpatches when the cve is fixed
+
+---
+ hotpatch/hotpatch_updateinfo.py | 15 ++++++++++++---
+ hotpatch/hotupgrade.py | 2 +-
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py
+index 4b39969..7dc92ce 100644
+--- a/hotpatch/hotpatch_updateinfo.py
++++ b/hotpatch/hotpatch_updateinfo.py
+@@ -291,7 +291,7 @@ class HotpatchUpdateInfo(object):
+ Get hotpatches from specified cve. If there are several hotpatches for the same source package for a cve, only return the
+ hotpatch with the highest version.
+
+- Args:
++ Args:
+ cves: [cve_id_1, cve_id_2]
+
+ Returns:
+@@ -307,14 +307,23 @@ class HotpatchUpdateInfo(object):
+ continue
+ # find the hotpatch with the highest version for the same source package
+ mapping_src_pkg_to_hotpatches = dict()
++ # check whether the cve is fixed
++ is_cve_fixed = False
+ for hotpatch in self.hotpatch_cves[cve_id].hotpatches:
++ if hotpatch.state == self.INSTALLED:
++ is_cve_fixed = True
+ if hotpatch.state == self.INSTALLABLE:
+- mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append([hotpatch.hotpatch_name, hotpatch])
++ mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append(
++ [hotpatch.hotpatch_name, hotpatch]
++ )
++ # do not return the releated hotpatches if the cve is fixed
++ if is_cve_fixed:
++ continue
+ for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items():
+ # extract the number in HPxxx and sort hotpatches in descending order according to the number
+ hotpatches = sorted(hotpatches, key=lambda x: int(re.findall("\d+", x[0])[0]), reverse=True)
+ mapping_cve_hotpatches[cve_id].append(hotpatches[0][1].nevra)
+-
++
+ return mapping_cve_hotpatches
+
+ def get_hotpatches_from_advisories(self, advisories: list[str]) -> dict():
+diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py
+index 2a36312..3bff9a1 100644
+--- a/hotpatch/hotupgrade.py
++++ b/hotpatch/hotupgrade.py
+@@ -251,7 +251,7 @@ class HotupgradeCommand(dnf.cli.Command):
+ cve_hp_dict = updateinfo.get_hotpatches_from_cve(cves)
+ for cve, hp in cve_hp_dict.items():
+ if not hp:
+- logger.info(_("The cve's hot patch doesn't exist: %s"), cve)
++ logger.info(_("The cve doesn't exist or cannot be fixed by hotpatch: %s"), cve)
+ continue
+ hp_list += hp
+ return list(set(hp_list))
+--
+2.33.0
+
diff --git a/aops-apollo.spec b/aops-apollo.spec
index e57c64d..5aee0d7 100644
--- a/aops-apollo.spec
+++ b/aops-apollo.spec
@@ -1,12 +1,12 @@
 Name: aops-apollo
 Version: v1.2.2
-Release: 2
+Release: 3
 Summary: Cve management service, monitor machine vulnerabilities and provide fix functions.
 License: MulanPSL2
 URL: https://gitee.com/openeuler/%{name}
 Source0: %{name}-%{version}.tar.gz
 Patch0001: 0001-fix-issue-gen-cve-task-failed.patch
-
+Patch0002: 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
 BuildRequires: python3-setuptools
 Requires: aops-vulcanus >= v1.2.0
@@ -77,6 +77,9 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/
 %{python3_sitelib}/aops_apollo_tool/*
 %changelog
+* Wed Jun 28 2023 wangguangge - v1.2.2-3
+- do not return the related hotpatches when the cve is fixed
+
 * Wed Jun 28 2023 wenxin - v1.2.2-2
 - fix issue:gen cve task failed
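Review bot: The new `is_cve_fixed` flag in get_hotpatches_from_cve is tracked per cve rather than per source package, so if one cve has hotpatches for several source packages — which the `mapping_src_pkg_to_hotpatches` grouping two lines above appears to allow — a single INSTALLED hotpatch suppresses the still-INSTALLABLE ones for the other packages and the caller would see nothing left to apply for a host that is only partially fixed. Collecting the `src_pkg` of each installed hotpatch in a set and skipping only those keys inside the `for src_pkg, hotpatches` loop keeps the commit's intent while still returning the remaining fixes; the rewritten lines are below. The hotupgrade.py message `The cve doesn't exist or cannot be fixed by hotpatch: %s` is now also emitted for the already-fixed case that the method returns an empty list for, so an operator reading the log cannot tell "already fixed" from "no hotpatch available"; either the text should name that case or the caller needs a way to distinguish them. The enclosing method begins before this hunk (the hunk opens inside its docstring), and the initialization of `mapping_cve_hotpatches[cve_id]` that the early `continue` relies on is outside the visible lines. The comment typo `releated` should read `related`.
```python
            mapping_src_pkg_to_hotpatches = dict()
            # source packages that already have an installed hotpatch; the cve
            # counts as fixed only for those, other packages may still need one
            fixed_src_pkgs = set()
            for hotpatch in self.hotpatch_cves[cve_id].hotpatches:
                if hotpatch.state == self.INSTALLED:
                    fixed_src_pkgs.add(hotpatch.src_pkg)
                if hotpatch.state == self.INSTALLABLE:
                    mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append(
                        [hotpatch.hotpatch_name, hotpatch]
                    )
            for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items():
                # do not return related hotpatches for a package that is already fixed
                if src_pkg in fixed_src_pkgs:
                    continue
                # … unchanged: sort by the HP number and append the highest nevra …
```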