Bug#761859: prototype ready
On Sun, 22 Feb 2015 00:37:49 +0100 Holger Levsen wrote:
> I have a prototype ready, see attached...

I noticed that fixed issues are not listed, we need that so people can look up the security history of any package by clicking a 'security' link in the links section. Just an item link: True|False would be enough, True for anything that has any info in the security tracker.

I see a bunch of urgency set to high** and medium**, should it be high and medium instead?

I think it might be a good idea to include attack range information (local/remote/etc).

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
debsecan now on Gitorious
I've moved the debsecan Git repository to Gitorious. Please speak up if you want to be added to the push ACL.

-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87385xda3c@mid.deneb.enyo.de
Bug#761859: yaml...
* Holger Levsen:
> the patch currently creates yaml, not json. Which do you prefer?

JSON has less risk of unwanted data execution when deserializing. It is also supported by Python out of the box, so it's more natural for the successor of the custom debsecan format (which I created when Python did not have built-in JSON support).

Archive: https://lists.debian.org/87vbit8tff@mid.deneb.enyo.de
Bug#761859: yaml...
Hi,

the patch currently creates yaml, not json. Which do you prefer? Also, is the bug description useful in the data? Do you want no data/remote/local or (null|None)/true/false? Anything else?

cheers,
Holger

From 4237fa854c9dc4f1d8ac8de5c8e2030f68bf847b Mon Sep 17 00:00:00 2001 From: Holger Levsen hol...@layer-acht.org Date: Sun, 22 Feb 2015 00:39:00 +0100 Subject: [PATCH] Dump data as .yaml via /tracker/data/yaml (Closes: #761859) --- bin/tracker_service.py | 48 1 file changed, 48 insertions(+) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index ec7cee5..fcc5621 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -138,6 +138,7 @@ class TrackerService(webservice_base_class): self.register('data/funny-versions', self.page_data_funny_versions) self.register('data/fake-names', self.page_data_fake_names) self.register('data/pts/1', self.page_data_pts) +self.register('data/yaml', self.page_yaml) self.register('debsecan/**', self.page_debsecan) self.register('data/report', self.page_report) self.register('style.css', self.page_style_css) 
@@ -1226,6 +1227,53 @@ Debian bug number.'''), data.append('\n') return BinaryResult(''.join(data),'application/octet-stream') +def page_yaml(self, path, params, url): +data = [] +old_pkg = '' +releases = ('sid', 'jessie', 'wheezy', 'squeeze') +for (pkg, bug, desc, release, subrelease, status, urgency, remote, nodsa) in self.db.cursor().execute( +SELECT sp.name, st.bug_name, bugs.description, +sp.release, sp.subrelease, st.vulnerable, st.urgency, +(SELECT range_remote FROM nvd_data +WHERE cve_name = st.bug_name), +(SELECT comment FROM package_notes_nodsa AS nd +WHERE nd.package = sp.name AND nd.release = sp.release +AND nd.bug_name = st.bug_name) AS nodsa +FROM source_package_status AS st, source_packages AS sp, bugs +WHERE sp.rowid = st.package AND st.bug_name = bugs.name +AND ( sp.release = ? OR sp.release = ? OR sp.release = ? +OR sp.release = ? ) +ORDER BY sp.name, st.bug_name, sp.release, sp.subrelease , releases): + +if old_pkg != pkg: +old_pkg = pkg +old_bug = '' +data.append(pkg+':\n') +if old_bug != bug: +old_bug = bug +data.append(' '+bug+':\n') +data.append('description: '+desc+'\n') +data.append('releases: \n') +if subrelease == '': +my_release = release +else: +my_release = release+'-'+subrelease +data.append(' '+my_release+':\n') +if status 0: +data.append('status: open\n') +else: +data.append('status: resolved\n') +data.append('urgency: '+urgency+'\n') +if str(remote) == 'None': +data.append('range: no data\n') +elif remote == 1: +data.append('range: remote\n') +else: +data.append('range: local\n') +if str(nodsa) != 'None': +data.append('nodsa: '+nodsa+'\n') +return BinaryResult(''.join(data),'application/octet-stream') + def page_debsecan(self, path, params, url): obj = '/'.join(path) data = self.db.getDebsecan(obj) -- 1.9.1 signature.asc Description: This is a digitally signed message part.
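Review bot: page_yaml assembles the document by string concatenation and writes desc (bugs.description) and the nodsa comment unquoted in `data.append('description: '+desc+'\n')` and `data.append('nodsa: '+nodsa+'\n')`; free text containing ':', '#', a leading quote or a newline makes the output unparseable or silently changes its structure for any consumer, and a downstream json.load or yaml.safe_load is where that breakage will first show up. Suggest collecting the rows into a nested dict (package -> bug -> description/releases -> release -> status/urgency/range/nodsa) and handing it to json.dump or yaml.safe_dump so the serializer does the quoting; that also removes the old_pkg/old_bug bookkeeping and the dependence on the ORDER BY. Two smaller points: `if status 0:` as shown carries no comparison operator (presumably `>`), and the result is returned as application/octet-stream although it is text, so application/json or a YAML text type would serve clients better.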
Bug#761859: prototype ready
On Sun, 2015-02-22 at 19:00 +0100, Holger Levsen wrote:
> On Sunday, 22 February 2015, Paul Wise wrote:
> > I see a bunch of urgency set to high** and medium**, should it be high and medium instead?
>
> this comes directly from the database, so I don't think it should be modified.

Hmm, it appears that these are the default urgency from NVD and the ones without asterisks are ones set by SVN committers. That doesn't appear to be a distinction worth preserving but it is fine to do so.

Please ensure that this json is linked to from the front page of the security tracker and from the security tracker documentation so that people building on it can find it easily. It is vastly more friendly to potential consumers than the current output consumed by the PTS and the current output consumed by debsecan. We've already had people looking for JSON and trying to use the debsecan data.

I think for other consumers of the data (not distro-tracker), exposing fixed version numbers might be interesting. For instance, someone with 500 machines who aggregates host/package/version information and then correlates that with the list of security issues from the sectracker. I should stop bike-shedding though :)

Anyway, the current JSON is good for the distro-tracker from a content perspective (so please deploy) but it doesn't load using the python JSON module so it is probably not valid JSON, I'd suggest using Python's json.dump instead of whatever method you are using now.

    >>> with open('json') as f:
    ...     data = json.load(f)
    ...
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python2.7/json/__init__.py", line 290, in load
        **kw)
      File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
        return _default_decoder.decode(s)
      File "/usr/lib/python2.7/json/decoder.py", line 369, in decode
        raise ValueError(errmsg("Extra data", s, end, len(s)))
    ValueError: Extra data: line 1 column 4 - line 428027 column 1 (char 3 - 10590028)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
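An added example, written for this page and not taken from the thread or from the tracker's own code, of what the json.dump suggestion above amounts to: the rows are grouped into a package/bug/release tree and the standard library does the quoting, so descriptions with quotes, '#', ':' or newlines survive, and the output is checked to load again with json.loads. The row shape follows the tuple the patch unpacks; the sample rows, the CVE-style placeholder ids and the function names are constructed for this example. The naive_dump function is a constructed illustration of one layout (several JSON documents concatenated) that produces the same "Extra data" decoder error shown in the traceback; it is not a claim about what the patch actually emitted.

```python
import json

# Constructed sample rows in the shape of the tracker query's result tuples
# (pkg, bug, desc, release, subrelease, status, urgency, remote, nodsa).
# Package names, bug ids and descriptions are placeholders for this example.
SAMPLE_ROWS = [
    ("examplepkg", "CVE-0000-0001", "heap overflow: crafted input", "sid", "", 1, "high**", 1, None),
    ("examplepkg", "CVE-0000-0001", "heap overflow: crafted input", "jessie", "", 1, "high**", 1, "Minor issue"),
    ("examplepkg", "CVE-0000-0001", "heap overflow: crafted input", "wheezy", "security", 0, "high**", 1, None),
    ("otherpkg", "CVE-0000-0002", 'text with "quotes", a # and a\nnewline', "sid", "", 1, "medium", None, None),
]


def range_label(remote):
    """Map nvd_data.range_remote (1, 0 or NULL) to the labels the patch uses."""
    if remote is None:
        return "no data"
    return "remote" if remote == 1 else "local"


def build_tree(rows):
    """Group rows into {package: {bug: {"description": ..., "releases": {release: {...}}}}}.

    Nested dicts replace the old_pkg/old_bug bookkeeping, so the result does
    not depend on the rows arriving sorted.
    """
    tree = {}
    for pkg, bug, desc, release, subrelease, status, urgency, remote, nodsa in rows:
        entry = tree.setdefault(pkg, {}).setdefault(
            bug, {"description": desc, "releases": {}})
        rel = release if subrelease == "" else release + "-" + subrelease
        rec = {
            "status": "open" if status > 0 else "resolved",
            "urgency": urgency,
            "range": range_label(remote),
        }
        if nodsa is not None:
            rec["nodsa"] = nodsa
        entry["releases"][rel] = rec
    return tree


def dump_json(tree):
    """Serialize with the stdlib: quoting of '"', '#', ':' and newlines is handled for us."""
    return json.dumps(tree, indent=1, sort_keys=True)


def naive_dump(tree):
    """Constructed illustration of a broken layout: one JSON document per
    package, written back to back. Each piece is valid on its own, but the
    file as a whole is not a single document."""
    return "".join(json.dumps({pkg: bugs}) + "\n" for pkg, bugs in tree.items())


def parse_error(text):
    """Return None if text is one valid JSON document, else the decoder's message."""
    try:
        json.loads(text)
        return None
    except ValueError as exc:
        return str(exc)


def round_trips(rows):
    """True if dumping and reloading reproduces the same tree."""
    tree = build_tree(rows)
    return json.loads(dump_json(tree)) == tree


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    print(dump_json(tree))
    print("single document:", parse_error(dump_json(tree)))
    print("concatenated documents:", parse_error(naive_dump(tree)))
```

The consumer side mirrors this: json.load on the single document returns the same tree, whereas the concatenated variant fails with the decoder's "Extra data" message because a second top-level value follows the first. If the YAML variant is kept, the same rule applies with yaml.safe_dump on the producing side and yaml.safe_load on the consuming side, which is the point Florian makes above about deserialization risk.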