CVE list: Show only the currently running kernel meta-package #791
Conversation
@vpetersson Pls provide texts for the new RA
@rptrchv Please list which distros and kernel packages you've tested.
Updated the PR description above with this info
So now we have regexes for kernel packages in the agent and in the API? Why can't we make this decision in one place?
Also, you could simply hide the packages you don't need in CVEView by processing the list in Python. Then you wouldn't need to modify vulnerability scanning and write migrations to remove extra vulnerabilities.
Edit: On second thought, I guess there's no other way, so ignore this comment.
backend/device_registry/models.py
1. Every excluded kernel-related package *always* has a meta-package | ||
installed. | ||
2. All kernel meta-packages *always* have the same (including zero) | ||
vulnerabilities as their children kernel-related packages. |
That's not true for Debian. Example: linux-image-4.9.0-11-amd64 is vulnerable to CVE-2019-14901 because it's built from the linux source package, but linux-image-amd64 is not, because it's built from the linux-latest source package.
You're right. Looks like this feature (Show only the currently running kernel meta-package) should not work in Debian at all. Reasons:
- Debian does not have a bunch of kernel-related packages (image, modules, headers), but only one package for everything and one meta-package for it. So there aren't many packages to hide.
- The kernel package and its meta-package have different vulns, so we need to display both.
@vpetersson WDYT?
The kernel package and its meta-package have different vulns, so we need to display both.
Sure, if it's just two, I guess that's fine. Assuming they are prone to different vulns.
Version-locked package is not updateable and therefore not actionable
Good point. Since those packages are not upgradable, we still need to hide them. So I'm leaving everything as it works now.
@@ -701,7 +701,7 @@ def get_context_data(self, **kwargs): | |||
vuln_names = Vulnerability.objects.filter(vuln_query)\ | |||
.values('name').distinct() | |||
vuln_pub_dates_qs = Vulnerability.objects.filter(name__in=vuln_names) \ | |||
.values('name').annotate(pubdate=Max('pub_date')).distinct() | |||
.values('name').distinct().annotate(pubdate=Max('pub_date')) |
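Review bot: it is not clear what moving `.distinct()` ahead of `.annotate(pubdate=Max('pub_date'))` changes on this queryset: `.values('name')` followed by an aggregate already groups by `name`, so each name appears once, and `distinct()` only sets a flag on the query regardless of where it sits in the chain. Please state the intended SQL difference in the PR description, or drop this line if the reordering is a no-op.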
What does this change?
backend/recommended_actions.yaml
- title: Reboot required | ||
class: RebootRequiredAction | ||
subtitle: To boot updated kernel please reboot the node. |
subtitles are not needed for most of the actions (unless explicitly provided by Viktor)
@classmethod | ||
def _is_affected(cls, device) -> bool: | ||
return device.reboot_required is True |
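Review bot: `_is_affected` evaluates one device at a time, yet the condition is a single field test, so `_affected_devices()` should be overridden here with one filter on `reboot_required` rather than relying on the parent class default. The `is True` comparison also treats a `None` (not yet reported) value as not affected; add a comment saying that is intended.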
Please implement _affected_devices()
The one from the parent class is ok
I know, but if it can be done with a simple query, then why not
backend/device_registry/models.py
@@ -475,9 +495,25 @@ def set_meta_tags(self): | |||
|
|||
@property | |||
def vulnerable_packages(self): |
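Review bot: `vulnerable_packages` is added here but nothing else in the diff calls it; remove the property (or add the caller and a test for it) so the model does not carry dead code.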
I don't think this method is used anywhere.
Yes. Forgot to remove it
What are the exact RAs you're looking for?
See my screenshot and the new RA description above.
@rptrchv Am I correct in my understanding that meta-packages for Debian kernels are not yet added?
Yes. I've not finished with this yet. That's why I haven't asked for review.
I had to do that because kernel image package version often is not the same as its meta-package's version.
@vpetersson Pls provide texts for the new RA
RA for Reboot. Title: Reboot required
Done
@rptrchv so we don't need kernel_meta_package?
yes
backend/device_registry/models.py
@@ -24,7 +24,8 @@ | |||
apt_pkg.init() | |||
|
|||
DEBIAN_SUITES = ('jessie', 'stretch', 'buster') # Supported Debian suite names. | |||
UBUNTU_SUITES = ('xenial', 'bionic') # Supported Ubuntu suite names. | |||
UBUNTU_SUITES = ('xenial', 'bionic') # Supported Ubuntu suite (16.04, 18.04) names. | |||
UBUNTU_KERNEL_PACKAGES_RE_PATTERN = r'linux-(?:headers|aws-headers|image|modules)-.+' |
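Review bot: `UBUNTU_KERNEL_PACKAGES_RE_PATTERN` ends in `-.+`, so it matches any name that starts with `linux-image-`, including the kernel meta-package this PR is meant to keep visible. Either require a version component after the prefix (e.g. `-\d.+`) or make sure every caller exempts the running kernel's meta-package before hiding matches; the flavour-specific headers the reviewer lists below are also still missing from this version of the pattern.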
I would also add (gcp|kvm|oem|oem-osp1|azure|azure-edge|oracle|gke|raspi2)-headers here (see linux-headers)
Done
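The filtering this thread argues about, as an added example that is not the project's code: it extends the PR's pattern with the reviewer's flavour-specific headers, requires a version component so meta-packages are never hidden, and derives a "reboot required" signal from the running release versus the newest installed image. The meta-package naming (`linux-image-<flavour>`) and the `linux-modules-extra` variant are assumptions.

```python
import re

# Version-locked kernel packages: the PR's pattern plus the reviewer's
# flavour-specific headers. The trailing "-\d" requires a version after the
# prefix, so meta-packages (linux-image-generic, linux-image-amd64) never match.
# Assumed form, not the project's own regex.
_FLAVOURS = 'aws|gcp|kvm|oem|oem-osp1|azure|azure-edge|oracle|gke|raspi2'
VERSION_LOCKED_RE = re.compile(
    rf'linux-(?:(?:{_FLAVOURS})-headers|headers|image|modules(?:-extra)?)-\d[\w.+~-]*'
)


def is_version_locked(name):
    """True for a versioned kernel package such as linux-image-4.15.0-72-generic."""
    return VERSION_LOCKED_RE.fullmatch(name) is not None


def running_kernel_meta_package(release):
    """Meta-package for a running release (assumed convention):
    '4.15.0-72-generic' -> 'linux-image-generic', '4.9.0-11-amd64' -> 'linux-image-amd64'."""
    return 'linux-image-' + release.split('-', 2)[2]


def visible_packages(installed):
    """CVE-list view: hide version-locked kernel packages (not upgradable, hence
    not actionable) and keep everything else, meta-package included."""
    return [p for p in installed if not is_version_locked(p)]


def _version_key(name):
    # Order versioned images by upstream version and ABI number (4.15.0-72 -> (4, 15, 0, 72)).
    m = re.search(r'(\d+)\.(\d+)\.(\d+)-(\d+)', name)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0, 0)


def reboot_required(installed, release):
    """True when an image newer than the running kernel is installed: the
    meta-package pulled in a new image but the node still runs the old one."""
    images = [p for p in installed if p.startswith('linux-image-') and is_version_locked(p)]
    if not images:
        return False
    newest = max(images, key=_version_key)
    return _version_key(newest) > _version_key(f'linux-image-{release}')
```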
closes #750
My solution description:
kernel_meta_package) Device model's field. My solution is based on a few assumptions:
Kernel meta-package has the same package version as its dependent kernel image package.
Checked distros: