Ian Constantin has proposed merging 
~iconstantin/ubuntu-qa-tools:add-embargo-check into ubuntu-qa-tools:master.

Commit message:
Adds a check during the unembargo step of publishing that warns on packages 
that have embargoed CVEs

Requested reviews:
  Marc Deslauriers (mdeslaur)

For more details, see:
https://code.launchpad.net/~iconstantin/ubuntu-qa-tools/+git/ubuntu-qa-tools/+merge/484496

UQT/security-tools/unembargo does not currently have a check that will catch if 
we attempt to unembargo a package with CVEs that are still in the embargo tree. 
At this point unembargo does not directly have knowledge of the CVEs that are 
being addressed in a package update, so we are taking a best-effort / safety-first 
approach to warn the user when they are unembargoing a package that has 
at least 1 CVE in the embargo tree.

If the user is indeed publishing an update for one of those CVEs, they can move 
them from embargo -> active, at which point the warning will disappear on their 
next run of unembargo. If the update does not include any of the embargoed 
CVEs, the user will have to use --force to continue. This adds more overhead 
but provides an extra layer of protection to ensure that we are handling 
embargoed CVEs correctly.
-- 
Your team Ubuntu Bug Control is subscribed to branch ubuntu-qa-tools:master.
diff --git a/security-tools/unembargo b/security-tools/unembargo
index e1f0b63..e2d8536 100755
--- a/security-tools/unembargo
+++ b/security-tools/unembargo
@@ -170,6 +170,56 @@ def pending_milestone(ubuntu, release):
 
     return milestone
 
+def embargo_check():
+    ''' Warns on packages that have CVEs under embargo as a safety measure '''
+
+    potential_embargo = False
+
+    # Grab open and embargoed CVEs from UCT
+
+    # We are using get_cve_list() rather than get_embargoed_cve_list() as the former provides
+    # a warning for cves duplicated in active and embargoed which is appropriate here
+    open_cves, embargoed_cves = cve_lib.get_cve_list()
+
+    # Get detailed cveinfo for embargoed_cves
+    _, _, _, _, embargoed_cveinfo = cve_lib.load_table(embargoed_cves, embargoed_cves)
+
+    # Extract source pkg_names for all of the embargoed_cves -> {pkg_name:[cve, ...], ...}
+    embargoed_pkgs = {}
+
+    for cve in embargoed_cveinfo:
+        pkg_names = embargoed_cveinfo[cve]["pkgs"].keys()
+
+        # If this is a kernel CVE, we will be skipping it as we are excluding the kernel from this check
+        if "linux" in pkg_names:
+            continue
+
+        for pkg_name in pkg_names:
+            if pkg_name not in embargoed_pkgs:
+                embargoed_pkgs[pkg_name] = [cve]
+            else:
+                embargoed_pkgs[pkg_name].append(cve)
+
+    # Check if any of the pkgs that we are publishing have CVEs in embargo (these will require --force to continue publishing, if appropriate)
+    for pkg_name in args:
+        if pkg_name in embargoed_pkgs:
+            potential_embargo = True
+
+            print(f"\nWARNING: {pkg_name} currently has the following embargoed CVEs:", ", ".join(embargoed_pkgs[pkg_name]), sep = "")
+            print(f"\n\tIf you are publishing any of the embargoed CVEs for {pkg_name}, please first move them from embargo to active.")
+
+    return potential_embargo
+
+# As a safety measure, check if any of the packages being published have CVEs under embargo
+potential_embargo = embargo_check()
+
+if potential_embargo:
+    if not opt.force:
+        print("\nIf you have verified that you are not publishing any embargoed CVEs, override this check with --force.", end = "\n\n")
+        sys.exit(1)
+    else:
+        print("\nNOTE: Proceeding to publish packages that have CVEs in embargo (please ensure you have checked that no embargoed CVEs are being published)", end = "\n\n")
+
 
 # don't release security updates on Fridays
 if (opt.pocket == SECURITY_POCKET or opt.esm or opt.esm_apps or opt.esm_infra or opt.esm_infra_legacy) and \
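Review bot: the kernel exclusion at `if "linux" in pkg_names: continue` skips the whole CVE rather than just its kernel entry, so a CVE whose `pkgs` list contains both `linux` and a non-kernel source package never lands in `embargoed_pkgs` for that other package, and unembargoing it passes the check silently. Move the test into the inner loop (`if pkg_name == "linux": continue` before the dict insert) so only the kernel entry is dropped; and if the intent is to exclude every kernel source package, note in the comment that an exact match on `"linux"` leaves kernel variants named `linux-*` in the dict, or match on the prefix instead. Two smaller points: `print(f"\nWARNING: ... embargoed CVEs:", ", ".join(...), sep = "")` runs the colon straight into the first CVE id (`CVEs:CVE-...`), so use `sep=" "` or put the join inside the f-string; and `embargo_check()` reads `args` and `opt` as module globals without the docstring saying so, so either mention that or pass them as parameters to keep the helper testable. The repeated `embargoed_cves, embargoed_cves` passed to `cve_lib.load_table()` also deserves a one-line comment explaining why both arguments are the same list.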
_______________________________________________
Mailing list: https://launchpad.net/~ubuntu-bugcontrol
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-bugcontrol
More help   : https://help.launchpad.net/ListHelp