From 3e8e26b0b1b4b18ab45048069fc2f6a89b852802 Mon Sep 17 00:00:00 2001
From: rabbitali
Date: Tue, 19 Sep 2023 20:02:44 +0800
Subject: [PATCH 1/1] update func about querying applied hotpatch info

---
ceres/manages/vulnerability_manage.py | 33 +++++++++++++++------------
1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
index ab10381..1591d74 100644
--- a/ceres/manages/vulnerability_manage.py
+++ b/ceres/manages/vulnerability_manage.py
@@ -806,27 +806,30 @@ class VulnerabilityManage:
"CVE-XXXX-XXX": {"patch 1", "patch 2"}
}
"""
- # Run the dnf command to query the hotpatch list,e.g
- # Last metadata expiration check:
- # CVE id base-pkg/hotpatch status
- # CVE-1 A-1.1-1/ACC-1-1/binary_file1 ACTIVED
- # CVE-2 A-1.1-1/ACC-1-1/binary_file2 ACTIVED
- code, hotpatch_list_output, _ = execute_shell_command(f"dnf hotpatch --list cve")
+ code, stdout, _ = execute_shell_command(f"dnf hot-updateinfo list cves --installed|grep patch")
if code != CommandExitCode.SUCCEED:
LOGGER.error(f"Failed to hotpatch list cve.")
return None
- if not re.search("base-pkg/hotpatch", hotpatch_list_output):
+ all_cve_info = re.findall(r"(CVE-\d{4}-\d+)\s+([\w+/.]+)\s+(\S+|-)\s+(patch\S+)", stdout)
+ if not all_cve_info:
+ LOGGER.error(f"Failed to hotpatch list cve.")
return None
+
+ applied_hotpatch_info = {}
+ hotpatch_dic = {}
+ for cve_id, _, _, hotpatch in all_cve_info:
+ applied_hotpatch_info[cve_id] = hotpatch
+ hotpatch_dic_key = hotpatch.rsplit("-", 2)[0]
+ if hotpatch_dic_key.endswith("ACC"):
+ hotpatch_dic[hotpatch_dic_key] = max(hotpatch, hotpatch_dic.get(hotpatch_dic_key, hotpatch))
+
+ for cve_id, cmd_output_hotpatch in applied_hotpatch_info.items():
+ applied_hotpatch_info[cve_id] = hotpatch_dic.get(cmd_output_hotpatch.rsplit("-", 2)[0], cmd_output_hotpatch)
+
hotpatch_list = defaultdict(set)
- for hotpatch_info in [line for line in hotpatch_list_output.split(os.linesep) if line]:
- if not hotpatch_info.startswith("CVE"):
- continue
- cve_id, base_pkg, status = [info.strip() for info in hotpatch_info.split()]
- if status != "ACTIVED" and status != "ACCEPTED":
- continue
- hotpatch_name = "patch-%s-%s" % tuple(base_pkg.rsplit("/", 2)[:2])
- hotpatch_list[cve_id].add(hotpatch_name)
+ for cve_id, hotpatch in applied_hotpatch_info.items():
+ hotpatch_list[cve_id].add(hotpatch)
return hotpatch_list
-- 2.33.0
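Review bot: The line `hotpatch_dic[hotpatch_dic_key] = max(hotpatch, hotpatch_dic.get(hotpatch_dic_key, hotpatch))` selects the "newest" ACC hotpatch by plain string comparison, so once a version or release field in the trailing `-`-separated parts grows past one digit the wrong patch wins (constructed example: a name ending `-1.9-1` beats one ending `-1.10-1`), and the CVE would then be reported as covered by an older hotpatch than the one actually installed; pass a `key=` that compares numeric segments as integers, like the helper below. A second point on the same hunk: with `|grep patch` the exit status tested by `if code != CommandExitCode.SUCCEED:` is presumably grep's, so a host that simply has no installed hotpatch lines is logged with the same `Failed to hotpatch list cve.` message as a genuine dnf failure and returns `None` instead of the empty mapping the docstring's example suggests — whether the pipeline status is propagated that way depends on `execute_shell_command`, which is not visible here, so worth confirming. The `f` prefix on the command string has no placeholders and can be dropped. The enclosing method starts above the hunk; only the tail of its docstring is visible.
```python
def _hotpatch_order_key(name):
    # Rank by the trailing fields that rsplit("-", 2) strips off, comparing
    # all-digit segments as ints so a field like "1.10" sorts after "1.9".
    return [
        (0, int(seg)) if seg.isdigit() else (1, seg)
        for field in name.rsplit("-", 2)[1:]
        for seg in field.split(".")
    ]

# … unchanged: command execution, regex parse, first loop …
            hotpatch_dic[hotpatch_dic_key] = max(
                hotpatch, hotpatch_dic.get(hotpatch_dic_key, hotpatch), key=_hotpatch_order_key
            )
```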