packages/aops-ceres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update version to 1.3.0

Browse Source 
(cherry picked from commit e900ddbea2871c02c6ea24b0b9d9e36abed51c8f)
This commit is contained in:
rabbitali 2023-08-29 18:53:52 +08:00 committed by openeuler-sync-bot
parent 13f3905f2a
commit f50de60eba
8 changed files with 6 additions and 329 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
0001-modify-return-value-when-no-hotpatch-is-matched.patch
View File

@ -1,27 +0,0 @@
From a159ed3c419415e8822a6a2867654dbea01c49e4 Mon Sep 17 00:00:00 2001
From: rabbitali <shusheng.wen@outlook.com>
Date: Wed, 31 May 2023 15:40:03 +0800
Subject: [PATCH] modify the return result when no hot patch is matched
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
ceres/manages/vulnerability_manage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index 5a475e4..4bb42db 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -350,7 +350,7 @@ class VulnerabilityManage:
if not hotpatch_list:
log = "No valid hot patch is matched."
- return NOT_PATCH, [dict(cve_id=cve["cve_id"], log=log, result="succeed") for cve in cves]
+ return NOT_PATCH, [dict(cve_id=cve["cve_id"], log=log, result="fail") for cve in cves]
cmd_execute_result = []
for base_pkg, hotpatch_cves in hotpatch_list.items():
--

205
0002-update-cve-fix-and-cve-scan.patch
View File

@ -1,205 +0,0 @@
From 6012d5edce0affe7303d42de5c1c2dcde78b5341 Mon Sep 17 00:00:00 2001
From: muyuying1 <muyuying1@huawei.com>
Date: Fri, 2 Jun 2023 12:39:59 +0800
Subject: [PATCH] update cve fix and cve scan
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
ceres/function/schema.py | 3 +-
ceres/function/util.py | 12 ++++
ceres/manages/vulnerability_manage.py | 88 ++++++++++++++++++++++++---
3 files changed, 95 insertions(+), 8 deletions(-)
diff --git a/ceres/function/schema.py b/ceres/function/schema.py
index 603a588..5200665 100644
--- a/ceres/function/schema.py
+++ b/ceres/function/schema.py
@@ -122,7 +122,8 @@ CVE_FIX_SCHEMA = {
"required": ["cve_id", "hotpatch"],
"properties": {
"cve_id": {"type": "string", "minLength": 1},
- "hotpatch": {"enum": [True, False]}
+ "hotpatch": {"enum": [True, False]},
+ "accepted": {"enum": [True, False]}
}
}
diff --git a/ceres/function/util.py b/ceres/function/util.py
index 42cebe2..9aa0909 100644
--- a/ceres/function/util.py
+++ b/ceres/function/util.py
@@ -13,6 +13,7 @@
import configparser
import json
import os
+import subprocess
from typing import Union, List, Any, Dict, NoReturn
from subprocess import Popen, PIPE, STDOUT
@@ -25,6 +26,8 @@ from ceres.models.custom_exception import InputError
from ceres.function.schema import STRING_ARRAY
from ceres.function.status import PARAM_ERROR
+FAIL = 255
+
def load_conf(file_path: str) -> configparser.RawConfigParser:
"""
@@ -94,6 +97,15 @@ def get_shell_data(command_list: List[str], key: bool = True, env=None,
return res
+def cmd_output(cmd):
+ try:
+ result = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ result.wait()
+ return result.stdout.read().decode('utf-8'), result.returncode
+ except Exception as e:
+ return str(e), FAIL
+
+
def load_gopher_config(gopher_config_path: str) -> AttrDict:
"""
get AttrDict from config file
diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index 5a475e4..e605a17 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -28,9 +28,12 @@ from ceres.function.status import (
StatusCode,
COMMAND_EXEC_ERROR
)
-from ceres.function.util import get_shell_data
+from ceres.function.util import get_shell_data, cmd_output
from ceres.models.custom_exception import InputError
+SUCCEED = 0
+FAIL = 255
+
class VulnerabilityManage:
def repo_set(self, data: dict) -> int:
@@ -209,10 +212,11 @@ class VulnerabilityManage:
# CVE-2022-3080 A-1.1-1/HP3 ACTIVED
for hotpatch_fixed in hotpatch_fixed_result.strip().split("\n")[1:]:
hotpatch_fixed_split = hotpatch_fixed.split(" ")
- if hotpatch_fixed_split[-1] in ["ACTIVED", "ACCEPT"]:
+ if hotpatch_fixed_split[-1] in ["ACTIVED", "ACCEPTED"]:
result_dict["fixed_cves"].append({
"cve_id": hotpatch_fixed_split[0],
- "fixed_by_hp": True
+ "fixed_by_hp": True,
+ "hp_status": hotpatch_fixed_split[-1]
})
return SUCCESS, result_dict
@@ -262,8 +266,7 @@ class VulnerabilityManage:
return SUCCESS, result_list
- @staticmethod
- def _fix_cve_by_dnf(cve: dict) -> Tuple[bool, str]:
+ def _fix_cve_by_dnf(self, cve: dict) -> Tuple[bool, str]:
"""
Fix CVE by dnf based on repo source named update
@@ -289,7 +292,13 @@ class VulnerabilityManage:
res = 'Host has no command dnf'
if hotpatch:
- return "Apply hot patch succeed" in res or "No hot patches marked for install" in res, res
+ hot_pkg = self._hotpatch_list_cve_with_cveid(cve.get('cve_id'))
+ if not hot_pkg:
+ return False, res
+ syscare_res = self._syscare_change_status(hot_pkg, cve.get('accepted'))
+ if not syscare_res:
+ return False, res
+ return "Active/Accept hot patch succeed" in res or "No hot patches marked for install" in res, res
else:
return "Complete" in res, res
@@ -316,7 +325,8 @@ class VulnerabilityManage:
"""
if not self._validate_repo_source(REPO_ID_FOR_CVE_MANAGE):
- return REPO_NOT_SET, [dict(cve_id=cve["cve_id"], log=StatusCode.mapping[REPO_NOT_SET]['msg'], result="fail") for cve in cves]
+ return REPO_NOT_SET, [dict(cve_id=cve["cve_id"], log=StatusCode.mapping[REPO_NOT_SET]['msg'], result="fail")
+ for cve in cves]
return self._cve_rollback(cves)
@@ -402,6 +412,70 @@ class VulnerabilityManage:
return hotpatch_list
+ @staticmethod
+ def _hotpatch_list_cve_with_cveid(cve_id) -> str:
+ """
+ Run the dnf hotpatch list cve command to query the hotpatch list corresponding to the cve
+
+ Returns:
+ str
+ e.g.
+ """
+ # Run the dnf command to query the hotpatch list,e.g
+ # Last metadata expiration check:
+ # CVE-id base-pkg/hotpatch status
+ # CVE-2023-1111 redis-6.2.5-1/HP001 ACTIVED
+ hotpatch_list_output, status_code = cmd_output(["dnf", "hotpatch", "--list", "cves", "--cve", cve_id])
+ if status_code == FAIL or not re.search("base-pkg/hotpatch", hotpatch_list_output):
+ return None
+
+ for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line]:
+ if not hotpatch_info.startswith("CVE"):
+ continue
+ _, hot_pkg, _, = [info.strip() for info in hotpatch_info.split()]
+ if hot_pkg == "base-pkg/hotpatch":
+ continue
+ return hot_pkg
+ return ""
+
+ def _syscare_operate(self, operate, patch_name=None):
+ """
+
+ """
+ _, operate_code = cmd_output(["syscare", "save"])
+ if operate_code == FAIL:
+ LOGGER.error(f"syscare save failed")
+ _, operate_code = cmd_output(["syscare", operate, patch_name])
+ if operate_code == FAIL:
+ LOGGER.error(f"syscare {operate} {patch_name} failed,start roll back")
+ cmd_output(["syscare", "restore"])
+ if operate_code == FAIL:
+ LOGGER.error(f"syscare restore failed,status roll back failed")
+ else:
+ LOGGER.info(f"syscare restore success")
+ return False
+ LOGGER.info(f"syscare {operate} {patch_name} success ")
+ return True
+
+ def _syscare_change_status(self, hot_pkg: str, accepted=False):
+ """
+ Apply hot patch use syscare accept
+
+ Args:
+ hot_pkg: cve is rolled back
+ """
+ res = self._syscare_operate("apply", hot_pkg)
+ if not res:
+ return False
+ res = self._syscare_operate("active", hot_pkg)
+ if not res:
+ return False
+ if accepted:
+ res = self._syscare_operate("accept", hot_pkg)
+ if not res:
+ return False
+ return True
+
def _hotpatch_rollback(self, base_pkg_hotpatch: str) -> Tuple[bool, str]:
"""
Hot patch is rolled back
--
Gitee

24
0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
View File

@ -1,24 +0,0 @@
From 0aad5ad09a5860bb43a9a64337cefe5813424288 Mon Sep 17 00:00:00 2001
From: rabbitali <shusheng.wen@outlook.com>
Date: Fri, 9 Jun 2023 15:42:42 +0800
Subject: [PATCH] fix issue: cve fix result doesn't match log
---
ceres/manages/vulnerability_manage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index a395620..c153190 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -298,7 +298,7 @@ class VulnerabilityManage:
syscare_res = self._syscare_change_status(hot_pkg, cve.get('accepted'))
if not syscare_res:
return False, res
- return "Active/Accept hot patch succeed" in res or "No hot patches marked for install" in res, res
+ return "Apply hot patch succeed" in res or "No hot patches marked for install" in res, res
else:
return "Complete" in res, res
--

26
0004-update-hotpatch-info-query-func.patch
View File

@ -1,26 +0,0 @@
From f198f261309b3f0b01ee1462c896b8d931346bbb Mon Sep 17 00:00:00 2001
From: gongzt <gong_zhengtang@163.com>
Date: Tue, 20 Jun 2023 15:07:59 +0800
Subject: [PATCH] update hostpatch info query func
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
ceres/manages/vulnerability_manage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index c153190..8547abe 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -406,7 +406,7 @@ class VulnerabilityManage:
if not hotpatch_info.startswith("CVE"):
continue
cve_id, base_pkg, status = [info.strip() for info in hotpatch_info.split()]
- if status != "ACTIVED" and status != "ACCEPT":
+ if status != "ACTIVED" and status != "ACCEPTED":
continue
hotpatch_list[base_pkg].append(cve_id)
--

39
0005-match-correctly-applied-hotpatchs.patch
View File

@ -1,39 +0,0 @@
From 6875f8f6dbe2f7b08cf6a447057bfd4514b83537 Mon Sep 17 00:00:00 2001
From: gongzhengtang <gong_zhengtang@163.com>
Date: Fri, 30 Jun 2023 11:09:24 +0000
Subject: [PATCH] Match the correctly applied hot patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: gongzhengtang <gong_zhengtang@163.com>
---
ceres/manages/vulnerability_manage.py | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index 8547abe..cfecb60 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -429,14 +429,11 @@ class VulnerabilityManage:
if status_code == FAIL or not re.search("base-pkg/hotpatch", hotpatch_list_output):
return None
- for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line]:
- if not hotpatch_info.startswith("CVE"):
- continue
- _, hot_pkg, _, = [info.strip() for info in hotpatch_info.split()]
- if hot_pkg == "base-pkg/hotpatch":
- continue
- return hot_pkg
- return ""
+ for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line.startswith("CVE")]:
+ _, hot_pkg, status = hotpatch_info.strip().split()
+ if status in ("ACTIVED", "ACCEPTED"):
+ return hot_pkg
+ return None
def _syscare_operate(self, operate, patch_name=None):
"""
--
Gitee

BIN
aops-ceres-v1.2.1.tar.gz
View File

Binary file not shown.

BIN
aops-ceres-v1.3.0.tar.gz Normal file
View File

Binary file not shown.

14
aops-ceres.spec
View File

@ -1,15 +1,10 @@
Name: aops-ceres Name: aops-ceres
Version: v1.2.1 Version: v1.3.0
Release: 7 Release: 1
Summary: An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on. Summary: An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.
License: MulanPSL2 License: MulanPSL2
URL: https://gitee.com/openeuler/%{name} URL: https://gitee.com/openeuler/%{name}
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.tar.gz
Patch0001: 0001-modify-return-value-when-no-hotpatch-is-matched.patch
Patch0002: 0002-update-cve-fix-and-cve-scan.patch
Patch0003: 0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
Patch0004: 0004-update-hotpatch-info-query-func.patch
Patch0005: 0005-match-correctly-applied-hotpatchs.patch
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
@ -24,7 +19,7 @@ An agent which needs to be adopted in client, it managers some plugins, such as
%prep %prep
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version}
# build for aops-ceres # build for aops-ceres
@ -45,6 +40,9 @@ An agent which needs to be adopted in client, it managers some plugins, such as
%changelog %changelog
* Tue Aug 29 2023 wenxin<shusheng.wen@outlook.com> - v1.3.0-1
- update vulnerability scanning method and vulnerability fix method
* Fri Jun 30 2023 wenxin<shusheng.wen@outlook.com> - v1.2.1-7 * Fri Jun 30 2023 wenxin<shusheng.wen@outlook.com> - v1.2.1-7
- update release - update release