packages/aops-apollo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!74 [sync] PR-72: 添加patch,调整cve返回热补丁接口,当cve被修复时,不返回该cve相关热补丁

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @Lostwayzxc 
Signed-off-by: @Lostwayzxc
This commit is contained in:
openeuler-ci-bot 2023-06-30 11:47:27 +00:00 committed by Gitee
commit fad0f4a2fe
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 70 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch Normal file
View File

@ -0,0 +1,65 @@
From 4225065c74beb5e66c4d66a4bd3dfca5bcac91bd Mon Sep 17 00:00:00 2001
From: wang-guangge <wangguangge@huawei.com>
Date: Wed, 28 Jun 2023 16:53:10 +0800
Subject: [PATCH] do not return the related hotpatches when the cve is fixed
---
hotpatch/hotpatch_updateinfo.py | 15 ++++++++++++---
hotpatch/hotupgrade.py | 2 +-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py
index 4b39969..7dc92ce 100644
--- a/hotpatch/hotpatch_updateinfo.py
+++ b/hotpatch/hotpatch_updateinfo.py
@@ -291,7 +291,7 @@ class HotpatchUpdateInfo(object):
Get hotpatches from specified cve. If there are several hotpatches for the same source package for a cve, only return the
hotpatch with the highest version.
- Args:
+ Args:
cves: [cve_id_1, cve_id_2]
Returns:
@@ -307,14 +307,23 @@ class HotpatchUpdateInfo(object):
continue
# find the hotpatch with the highest version for the same source package
mapping_src_pkg_to_hotpatches = dict()
+ # check whether the cve is fixed
+ is_cve_fixed = False
for hotpatch in self.hotpatch_cves[cve_id].hotpatches:
+ if hotpatch.state == self.INSTALLED:
+ is_cve_fixed = True
if hotpatch.state == self.INSTALLABLE:
- mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append([hotpatch.hotpatch_name, hotpatch])
+ mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append(
+ [hotpatch.hotpatch_name, hotpatch]
+ )
+ # do not return the releated hotpatches if the cve is fixed
+ if is_cve_fixed:
+ continue
for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items():
# extract the number in HPxxx and sort hotpatches in descending order according to the number
hotpatches = sorted(hotpatches, key=lambda x: int(re.findall("\d+", x[0])[0]), reverse=True)
mapping_cve_hotpatches[cve_id].append(hotpatches[0][1].nevra)
-
+
return mapping_cve_hotpatches
def get_hotpatches_from_advisories(self, advisories: list[str]) -> dict():
diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py
index 2a36312..3bff9a1 100644
--- a/hotpatch/hotupgrade.py
+++ b/hotpatch/hotupgrade.py
@@ -251,7 +251,7 @@ class HotupgradeCommand(dnf.cli.Command):
cve_hp_dict = updateinfo.get_hotpatches_from_cve(cves)
for cve, hp in cve_hp_dict.items():
if not hp:
- logger.info(_("The cve's hot patch doesn't exist: %s"), cve)
+ logger.info(_("The cve doesn't exist or cannot be fixed by hotpatch: %s"), cve)
continue
hp_list += hp
return list(set(hp_list))
--
2.33.0

7
aops-apollo.spec
View File

@ -1,12 +1,12 @@
Name: aops-apollo
Version: v1.2.2
Release: 2
Release: 3
Summary: Cve management service, monitor machine vulnerabilities and provide fix functions.
License: MulanPSL2
URL: https://gitee.com/openeuler/%{name}
Source0: %{name}-%{version}.tar.gz
Patch0001: 0001-fix-issue-gen-cve-task-failed.patch
Patch0002: 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch
BuildRequires: python3-setuptools
Requires: aops-vulcanus >= v1.2.0
@ -77,6 +77,9 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/
%{python3_sitelib}/aops_apollo_tool/*
%changelog
* Wed Jun 28 2023 wangguangge<wangguangge@huawei.com> - v1.2.2-3
- do not return the related hotpatches when the cve is fixed
* Wed Jun 28 2023 wenxin<shusheng.wen@outlook.com> - v1.2.2-2
- fix issue:gen cve task failed