Controls: tags -1 confirmed patch

Holger Levsen wrote on Sun, 16 Feb 2020 18:29 +0000:
> On Sun, Feb 16, 2020 at 04:12:46PM +0000, Daniel Shahaf wrote:
> > [...] Thus, in effect, it would let the admin "whitelist"
> > known issues, so only new ones would be printed.
> > 
> > Would this make sense?  
> 
> yes.

Thanks for the quick answer.

> & patches welcome.

Here you go, against current git:

[[[
diff --git a/check-support-status.in b/check-support-status.in
index a5437c4..685e5ac 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -28,6 +28,7 @@ fi
 LIST=
 NOHEADING=
 STATUSDB_FILE=
+EXCEPT=
 TYPE=
 
 NAME="$(basename "$0")"
@@ -37,7 +38,7 @@ TODAY="$(date +"%Y%m%d")"
 TEMP=$( \
     getopt \
     --options h,V \
-    --long help,list:,no-heading,semaphore:,status-db:,type:,version,Version \
+    --long 
help,list:,no-heading,semaphore:,status-db:,except:,type:,version,Version \
     -n "$NAME" \
     -- "$@"
 )
@@ -52,6 +53,7 @@ Options:
   --list FILE                   database of packages under specific support 
conditions
   --no-heading                  skips printing headlines
   --status-db FILE              database about already reported packages
+  --except PACKAGES             exempt given packages (comma-separated list)
   --type SECURITY_SUPPORT_TYPE  earlyend, ended or limited
   -V, --version                 display version and exit"; echo
 }
@@ -86,6 +88,10 @@ while true ; do
             STATUSDB_FILE="$2"
             shift 2
             ;;
+        --except)
+            EXCEPT="$2"
+            shift 2
+            ;;
         --type)
             TYPE="$2"
             shift 2
@@ -104,17 +110,17 @@ done
 case "$TYPE" in
 '')
     if [ -z "$LIST" ] ; then
-        REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+        REPORT="$($0 --type ended --list [% ENDED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
         if [ -n "$REPORT" ]  ; then
             echo "$REPORT"
             echo
         fi
-        REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" $NOHEADING)"
+        REPORT="$($0 --type limited --list [% LIMITED %] --status-db 
"$STATUSDB_FILE" --except "$EXCEPT" $NOHEADING)"
         if [ -n "$REPORT" ] ; then
             echo "$REPORT"
             echo
         fi
-        $0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
$NOHEADING
+        $0 --type earlyend --list [% ENDED %] --status-db "$STATUSDB_FILE" 
--except "$EXCEPT" $NOHEADING
         exit 0
     fi
     gettext 'E: Need a --type if --list is given'; echo
@@ -240,6 +246,11 @@ cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
 
     [% AWK %] '($3=="'"$SRC_NAME"'"){print $1" "$2}' "$INSTALLED_LIST" | \
     while read BIN_NAME BIN_VERSION ; do
+        case ",$EXCEPT," in
+            *,"$BIN_NAME",*)
+                continue
+                ;;
+        esac
         # for earlyend and ended, check packages actually affected (if 
TMP_WHEN not null)
         if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then
             if \
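Review bot: The `case ",$EXCEPT,"` check added at the top of the inner `while read` loop skips a package on its name alone, and because `--except "$EXCEPT"` is forwarded to the `ended`, `limited` and `earlyend` runs in the earlier hunk, it does so for every support type. A package exempted because of a known `limited` entry would therefore also stay silent if it later shows up in the ended list, which is wider than "only new issues are printed". I would at least document this above the `case`, e.g. `# exempted packages are skipped for every --type and produce no output`, and consider a one-line notice on stderr when something was skipped. The comparison is also an exact string match, so `binutils-common` does not exempt `binutils-common:amd64`; accepting the unqualified name too, `*,"$BIN_NAME",*|*,"${BIN_NAME%:*}",*)`, would address the architecture-suffix question. The loop body continues past the end of the hunk.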
diff --git a/man/check-support-status.txt b/man/check-support-status.txt
index a16ef9a..066e042 100644
--- a/man/check-support-status.txt
+++ b/man/check-support-status.txt
@@ -83,6 +83,12 @@ reported only once.
 +
 Default: No records, any affected package will be reported every time.
 
+*--except* 'PACKAGES'::
+
+Do not alert for the given binary packages (comma-separated list).
++
+Default: Alert for all packages (no exceptions).
+
 *--type* 'TYPE'::
 
 One of the following:
diff --git a/t/check-support-status.t b/t/check-support-status.t
index 784d947..dd9c54f 100644
--- a/t/check-support-status.t
+++ b/t/check-support-status.t
@@ -855,6 +855,50 @@ __EOS__
     );
 }
 
+diag ('exempt packages from listing');
+
+foreach my $awk (@AWKs) {
+    diag ("exempt ($awk)");
+
+    my $tb = Testbed->new ($dpkg_version);
+    my ($list_ended, $list_limited, $query_list, $statusdb_file) = $tb->files;
+    my $exe = $tb->exe (
+        $awk,
+        [
+            '--type', 'limited',
+            '--no-heading',
+            '--list', $list_limited,
+            '--status-db', $statusdb_file,
+            '--except', 'hello,php5',
+        ],
+    );
+
+    write_file ($list_limited, <<__EOS__);
+php5    See README.Debian.security for the PHP security policy
+__EOS__
+    mock_query_list (
+        $query_list,
+        [
+            [ 'ioi', 'php5', '5.3.3-7+squeeze19' ],
+        ],
+    );
+
+    # run a first time
+    my $run = Test::Command->new ('cmd' => $exe);
+    $run->run;
+    $run->exit_is_num (0);
+
+    my ($stdout, $stderr) = stdout_n_stderr ($run);
+    $stderr and diag ("stderr:\n" . $stderr);
+    my $expect_stdout = '';
+    eq_or_diff (
+        $stdout,
+        $expect_stdout,
+        'stdout'
+    );
+
+    ok (!-f $statusdb_file, 'status db file was not created');
+}
 done_testing;
 
 exit 0;
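Review bot: The new test block only exercises the case where every installed package is exempted, so it would also pass if `--except` suppressed all output regardless of its argument. For an option whose purpose is to hide security-support warnings, the more important assertion is the negative one: add a second entry to `mock_query_list` (and to the limited list) for a package that is not named in `--except`, and check that it is still reported and recorded in the status db. A case with a prefix such as `'--except', 'php'` would also confirm that partial names do not exempt `php5`.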
]]]

In a sid chroot it works as follows:

[[[
% ./check-support-status
Limited security support for one or more packages

Unfortunately, it has been necessary to limit security support for some 
packages.

The following packages found on this system are affected by this:

* Source:binutils
  Details: Only suitable for trusted content; see 
https://lists.debian.org/msgid-search/87lfqsomtg....@mid.deneb.enyo.de
  Affected binary packages:
  - binutils (installed version: 2.34-2)
  - binutils-common:amd64 (installed version: 2.34-2)
  - binutils-x86-64-linux-gnu (installed version: 2.34-2)
  - libbinutils:amd64 (installed version: 2.34-2)
  - libctf-nobfd0:amd64 (installed version: 2.34-2)
  - libctf0:amd64 (installed version: 2.34-2)

% ./check-support-status 
--except=binutils,binutils-common:amd64,binutils-x86-64-linux-gnu,libbinutils:amd64,libctf0:amd64,libctf-nobfd0:amd64
%  
]]]

I'm not sure if the handling of the ":amd64" architecture suffixes is
ideal.  Thoughts?

Cheers,

Daniel
