diff --git a/0001-modify-return-value-when-no-hotpatch-is-matched.patch b/0001-modify-return-value-when-no-hotpatch-is-matched.patch
deleted file mode 100644
index 99bfd7f..0000000
--- a/0001-modify-return-value-when-no-hotpatch-is-matched.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From a159ed3c419415e8822a6a2867654dbea01c49e4 Mon Sep 17 00:00:00 2001
-From: rabbitali
-Date: Wed, 31 May 2023 15:40:03 +0800
-Subject: [PATCH] modify the return result when no hot patch is matched
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
----
- ceres/manages/vulnerability_manage.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
-index 5a475e4..4bb42db 100644
---- a/ceres/manages/vulnerability_manage.py
-+++ b/ceres/manages/vulnerability_manage.py
-@@ -350,7 +350,7 @@ class VulnerabilityManage:
-
- if not hotpatch_list:
- log = "No valid hot patch is matched."
-- return NOT_PATCH, [dict(cve_id=cve["cve_id"], log=log, result="succeed") for cve in cves]
-+ return NOT_PATCH, [dict(cve_id=cve["cve_id"], log=log, result="fail") for cve in cves]
-
- cmd_execute_result = []
- for base_pkg, hotpatch_cves in hotpatch_list.items():
---
-
diff --git a/0002-update-cve-fix-and-cve-scan.patch b/0002-update-cve-fix-and-cve-scan.patch
deleted file mode 100644
index ae5b387..0000000
--- a/0002-update-cve-fix-and-cve-scan.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 6012d5edce0affe7303d42de5c1c2dcde78b5341 Mon Sep 17 00:00:00 2001
-From: muyuying1
-Date: Fri, 2 Jun 2023 12:39:59 +0800
-Subject: [PATCH] update cve fix and cve scan
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
----
- ceres/function/schema.py | 3 +-
- ceres/function/util.py | 12 ++++
- ceres/manages/vulnerability_manage.py | 88 ++++++++++++++++++++++++---
- 3 files changed, 95 insertions(+), 8 deletions(-)
-
-diff --git a/ceres/function/schema.py b/ceres/function/schema.py
-index 603a588..5200665 100644
---- a/ceres/function/schema.py
-+++ b/ceres/function/schema.py
-@@ -122,7 +122,8 @@ CVE_FIX_SCHEMA = {
- "required": ["cve_id", "hotpatch"],
- "properties": {
- "cve_id": {"type": "string", "minLength": 1},
-- "hotpatch": {"enum": [True, False]}
-+ "hotpatch": {"enum": [True, False]},
-+ "accepted": {"enum": [True, False]}
- }
-
- }
-diff --git a/ceres/function/util.py b/ceres/function/util.py
-index 42cebe2..9aa0909 100644
---- a/ceres/function/util.py
-+++ b/ceres/function/util.py
-@@ -13,6 +13,7 @@
- import configparser
- import json
- import os
-+import subprocess
- from typing import Union, List, Any, Dict, NoReturn
- from subprocess import Popen, PIPE, STDOUT
-
-@@ -25,6 +26,8 @@ from ceres.models.custom_exception import InputError
- from ceres.function.schema import STRING_ARRAY
- from ceres.function.status import PARAM_ERROR
-
-+FAIL = 255
-+
-
- def load_conf(file_path: str) -> configparser.RawConfigParser:
- """
-@@ -94,6 +97,15 @@ def get_shell_data(command_list: List[str], key: bool = True, env=None,
- return res
-
-
-+def cmd_output(cmd):
-+ try:
-+ result = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ result.wait()
-+ return result.stdout.read().decode('utf-8'), result.returncode
-+ except Exception as e:
-+ return str(e), FAIL
-+
-+
- def load_gopher_config(gopher_config_path: str) -> AttrDict:
- """
- get AttrDict from config file
-diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
-index 5a475e4..e605a17 100644
---- a/ceres/manages/vulnerability_manage.py
-+++ b/ceres/manages/vulnerability_manage.py
-@@ -28,9 +28,12 @@ from ceres.function.status import (
- StatusCode,
- COMMAND_EXEC_ERROR
- )
--from ceres.function.util import get_shell_data
-+from ceres.function.util import get_shell_data, cmd_output
- from ceres.models.custom_exception import InputError
-
-+SUCCEED = 0
-+FAIL = 255
-+
-
- class VulnerabilityManage:
- def repo_set(self, data: dict) -> int:
-@@ -209,10 +212,11 @@ class VulnerabilityManage:
- # CVE-2022-3080 A-1.1-1/HP3 ACTIVED
- for hotpatch_fixed in hotpatch_fixed_result.strip().split("\n")[1:]:
- hotpatch_fixed_split = hotpatch_fixed.split(" ")
-- if hotpatch_fixed_split[-1] in ["ACTIVED", "ACCEPT"]:
-+ if hotpatch_fixed_split[-1] in ["ACTIVED", "ACCEPTED"]:
- result_dict["fixed_cves"].append({
- "cve_id": hotpatch_fixed_split[0],
-- "fixed_by_hp": True
-+ "fixed_by_hp": True,
-+ "hp_status": hotpatch_fixed_split[-1]
- })
-
- return SUCCESS, result_dict
-@@ -262,8 +266,7 @@ class VulnerabilityManage:
-
- return SUCCESS, result_list
-
-- @staticmethod
-- def _fix_cve_by_dnf(cve: dict) -> Tuple[bool, str]:
-+ def _fix_cve_by_dnf(self, cve: dict) -> Tuple[bool, str]:
- """
- Fix CVE by dnf based on repo source named update
-
-@@ -289,7 +292,13 @@ class VulnerabilityManage:
- res = 'Host has no command dnf'
-
- if hotpatch:
-- return "Apply hot patch succeed" in res or "No hot patches marked for install" in res, res
-+ hot_pkg = self._hotpatch_list_cve_with_cveid(cve.get('cve_id'))
-+ if not hot_pkg:
-+ return False, res
-+ syscare_res = self._syscare_change_status(hot_pkg, cve.get('accepted'))
-+ if not syscare_res:
-+ return False, res
-+ return "Active/Accept hot patch succeed" in res or "No hot patches marked for install" in res, res
- else:
- return "Complete" in res, res
-
-@@ -316,7 +325,8 @@ class VulnerabilityManage:
- """
-
- if not self._validate_repo_source(REPO_ID_FOR_CVE_MANAGE):
-- return REPO_NOT_SET, [dict(cve_id=cve["cve_id"], log=StatusCode.mapping[REPO_NOT_SET]['msg'], result="fail") for cve in cves]
-+ return REPO_NOT_SET, [dict(cve_id=cve["cve_id"], log=StatusCode.mapping[REPO_NOT_SET]['msg'], result="fail")
-+ for cve in cves]
-
- return self._cve_rollback(cves)
-
-@@ -402,6 +412,70 @@ class VulnerabilityManage:
-
- return hotpatch_list
-
-+ @staticmethod
-+ def _hotpatch_list_cve_with_cveid(cve_id) -> str:
-+ """
-+ Run the dnf hotpatch list cve command to query the hotpatch list corresponding to the cve
-+
-+ Returns:
-+ str
-+ e.g.
-+ """
-+ # Run the dnf command to query the hotpatch list,e.g
-+ # Last metadata expiration check:
-+ # CVE-id base-pkg/hotpatch status
-+ # CVE-2023-1111 redis-6.2.5-1/HP001 ACTIVED
-+ hotpatch_list_output, status_code = cmd_output(["dnf", "hotpatch", "--list", "cves", "--cve", cve_id])
-+ if status_code == FAIL or not re.search("base-pkg/hotpatch", hotpatch_list_output):
-+ return None
-+
-+ for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line]:
-+ if not hotpatch_info.startswith("CVE"):
-+ continue
-+ _, hot_pkg, _, = [info.strip() for info in hotpatch_info.split()]
-+ if hot_pkg == "base-pkg/hotpatch":
-+ continue
-+ return hot_pkg
-+ return ""
-+
-+ def _syscare_operate(self, operate, patch_name=None):
-+ """
-+
-+ """
-+ _, operate_code = cmd_output(["syscare", "save"])
-+ if operate_code == FAIL:
-+ LOGGER.error(f"syscare save failed")
-+ _, operate_code = cmd_output(["syscare", operate, patch_name])
-+ if operate_code == FAIL:
-+ LOGGER.error(f"syscare {operate} {patch_name} failed,start roll back")
-+ cmd_output(["syscare", "restore"])
-+ if operate_code == FAIL:
-+ LOGGER.error(f"syscare restore failed,status roll back failed")
-+ else:
-+ LOGGER.info(f"syscare restore success")
-+ return False
-+ LOGGER.info(f"syscare {operate} {patch_name} success ")
-+ return True
-+
-+ def _syscare_change_status(self, hot_pkg: str, accepted=False):
-+ """
-+ Apply hot patch use syscare accept
-+
-+ Args:
-+ hot_pkg: cve is rolled back
-+ """
-+ res = self._syscare_operate("apply", hot_pkg)
-+ if not res:
-+ return False
-+ res = self._syscare_operate("active", hot_pkg)
-+ if not res:
-+ return False
-+ if accepted:
-+ res = self._syscare_operate("accept", hot_pkg)
-+ if not res:
-+ return False
-+ return True
-+
- def _hotpatch_rollback(self, base_pkg_hotpatch: str) -> Tuple[bool, str]:
- """
- Hot patch is rolled back
---
-Gitee
diff --git a/0003-fix-issue-cve-fix-result-doesn-t-match-log.patch b/0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
deleted file mode 100644
index 827e11a..0000000
--- a/0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 0aad5ad09a5860bb43a9a64337cefe5813424288 Mon Sep 17 00:00:00 2001
-From: rabbitali
-Date: Fri, 9 Jun 2023 15:42:42 +0800
-Subject: [PATCH] fix issue: cve fix result doesn't match log
-
----
- ceres/manages/vulnerability_manage.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
-index a395620..c153190 100644
---- a/ceres/manages/vulnerability_manage.py
-+++ b/ceres/manages/vulnerability_manage.py
-@@ -298,7 +298,7 @@ class VulnerabilityManage:
- syscare_res = self._syscare_change_status(hot_pkg, cve.get('accepted'))
- if not syscare_res:
- return False, res
-- return "Active/Accept hot patch succeed" in res or "No hot patches marked for install" in res, res
-+ return "Apply hot patch succeed" in res or "No hot patches marked for install" in res, res
- else:
- return "Complete" in res, res
-
---
-
diff --git a/0004-update-hotpatch-info-query-func.patch b/0004-update-hotpatch-info-query-func.patch
deleted file mode 100644
index 94c9098..0000000
--- a/0004-update-hotpatch-info-query-func.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From f198f261309b3f0b01ee1462c896b8d931346bbb Mon Sep 17 00:00:00 2001
-From: gongzt
-Date: Tue, 20 Jun 2023 15:07:59 +0800
-Subject: [PATCH] update hostpatch info query func
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
----
- ceres/manages/vulnerability_manage.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
-index c153190..8547abe 100644
---- a/ceres/manages/vulnerability_manage.py
-+++ b/ceres/manages/vulnerability_manage.py
-@@ -406,7 +406,7 @@ class VulnerabilityManage:
- if not hotpatch_info.startswith("CVE"):
- continue
- cve_id, base_pkg, status = [info.strip() for info in hotpatch_info.split()]
-- if status != "ACTIVED" and status != "ACCEPT":
-+ if status != "ACTIVED" and status != "ACCEPTED":
- continue
- hotpatch_list[base_pkg].append(cve_id)
-
---
diff --git a/0005-match-correctly-applied-hotpatchs.patch b/0005-match-correctly-applied-hotpatchs.patch
deleted file mode 100644
index e032d38..0000000
--- a/0005-match-correctly-applied-hotpatchs.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 6875f8f6dbe2f7b08cf6a447057bfd4514b83537 Mon Sep 17 00:00:00 2001
-From: gongzhengtang
-Date: Fri, 30 Jun 2023 11:09:24 +0000
-Subject: [PATCH] Match the correctly applied hot patches
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: gongzhengtang
----
- ceres/manages/vulnerability_manage.py | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
-index 8547abe..cfecb60 100644
---- a/ceres/manages/vulnerability_manage.py
-+++ b/ceres/manages/vulnerability_manage.py
-@@ -429,14 +429,11 @@ class VulnerabilityManage:
- if status_code == FAIL or not re.search("base-pkg/hotpatch", hotpatch_list_output):
- return None
-
-- for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line]:
-- if not hotpatch_info.startswith("CVE"):
-- continue
-- _, hot_pkg, _, = [info.strip() for info in hotpatch_info.split()]
-- if hot_pkg == "base-pkg/hotpatch":
-- continue
-- return hot_pkg
-- return ""
-+ for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line.startswith("CVE")]:
-+ _, hot_pkg, status = hotpatch_info.strip().split()
-+ if status in ("ACTIVED", "ACCEPTED"):
-+ return hot_pkg
-+ return None
-
- def _syscare_operate(self, operate, patch_name=None):
- """
---
-Gitee
diff --git a/aops-ceres-v1.2.1.tar.gz b/aops-ceres-v1.2.1.tar.gz
deleted file mode 100644
index 1b6c500..0000000
Binary files a/aops-ceres-v1.2.1.tar.gz and /dev/null differ
diff --git a/aops-ceres-v1.3.0.tar.gz b/aops-ceres-v1.3.0.tar.gz
new file mode 100644
index 0000000..8aa4781
Binary files /dev/null and b/aops-ceres-v1.3.0.tar.gz differ
diff --git a/aops-ceres.spec b/aops-ceres.spec
index a838572..a9fbcfb 100644
--- a/aops-ceres.spec
+++ b/aops-ceres.spec
@@ -1,15 +1,10 @@
Name: aops-ceres
-Version: v1.2.1
-Release: 7
+Version: v1.3.0
+Release: 1
Summary: An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.
License: MulanPSL2
URL: https://gitee.com/openeuler/%{name}
Source0: %{name}-%{version}.tar.gz
-Patch0001: 0001-modify-return-value-when-no-hotpatch-is-matched.patch
-Patch0002: 0002-update-cve-fix-and-cve-scan.patch
-Patch0003: 0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
-Patch0004: 0004-update-hotpatch-info-query-func.patch
-Patch0005: 0005-match-correctly-applied-hotpatchs.patch
BuildRequires: python3-setuptools
@@ -24,7 +19,7 @@ An agent which needs to be adopted in client, it managers some plugins, such as
%prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -n %{name}-%{version}
# build for aops-ceres
@@ -45,6 +40,9 @@ An agent which needs to be adopted in client, it managers some plugins, such as
%changelog
+* Tue Aug 29 2023 wenxin - v1.3.0-1
+- update vulnerability scanning method and vulnerability fix method
+
* Fri Jun 30 2023 wenxin - v1.2.1-7
- update release
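Review bot: The spec drops Patch0001–Patch0005 and the `-p1` on `%autosetup` while Source0 moves from the v1.2.1 to the v1.3.0 tarball, but nothing in the commit records which upstream tag or commit the new tarball was produced from, so it cannot be checked from this repository alone that the fixes previously carried as readable local patches (the `result="fail"` return when no hot patch is matched, the `ACCEPTED` status match, the syscare apply/active/accept flow) are actually present in v1.3.0. The new tarball is a binary blob added with no digest or upstream reference beside it, which leaves the packaged code's provenance unverifiable once the five patches are gone. The changelog line could carry the reference, e.g. `- update to upstream v1.3.0 (<upstream tag or commit>), which contains the fixes formerly applied as Patch0001-0005`, after that has been confirmed against the upstream repository already named in URL. If the packaging workflow keeps a separate sources or checksum record, the new tarball's digest belongs there as well.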