Skip to content

Commit

Permalink
fix: sets some expected provider warnings to debug (#159)
Browse files Browse the repository at this point in the history
Currently there are a bunch of warnings logged that are expected
behaviour.  This modifies these to be debug level.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
  • Loading branch information
westonsteimel authored Apr 27, 2023
1 parent 01b30b9 commit eddfc1e
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 26 deletions.
2 changes: 1 addition & 1 deletion src/vunnel/providers/nvd/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ def _can_update_incrementally(self, last_updated: datetime.datetime | None) -> b
days_since_last_sync = (now - last_updated).days

if days_since_last_sync >= NvdAPI.max_date_range_days:
self.logger.warning(
self.logger.info(
f"last sync was {days_since_last_sync} days ago (more than {NvdAPI.max_date_range_days} days, the max range value of the NVD API), downloading all data"
)
return False
Expand Down
17 changes: 6 additions & 11 deletions src/vunnel/providers/rhel/parser.py
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ def _fetch_rhsa_fix_version(self, rhsa_id, platform, package):
[None, None],
)
else:
self.logger.warning(f"{rhsa_id} not found for platform {platform}")
self.logger.debug(f"{rhsa_id} not found for platform {platform}")
except:
self.logger.exception(f"error looking up {package} in {rhsa_id} for {platform}")

Expand Down Expand Up @@ -378,29 +378,24 @@ def _get_name_version(package):
colon_comps = package.split(":", 1)

if colon_comps[0].isdigit(): # epoch in the beginning 1:foo-bar-2.3.4-5.el6_7.8
# logger.warning('compliant rpm name with epoch in the beginning')
name_other_comps = colon_comps[1].rsplit("-", 2) # split name-version-release.arch.rpm into max 3 chunks
name = name_other_comps[0] # only the name matters
if len(name_other_comps) > 1: # defaults to rhsa lookup otherwise
version = colon_comps[0] + ":" + "-".join(name_other_comps[1:]) # join the rest
else:
name_comps = colon_comps[0].rsplit("-", 1)
if len(name_comps) > 1 and name_comps[1].isdigit(): # epoch in the middle foo-bar-1:2.3.4-5.el6_7.8
# logger.warning('compliant rpm name with epoch in the middle')
name = name_comps[0]
version = name_comps[1] + ":" + colon_comps[1]
else: # not compliant with rpm filename spec, could be an app stream
# logger.warning('non-compliant rpm name with colons and hyphens')
name = colon_comps[0] # best guess for name, fall back to rhsa for version lookup

else: # no epoch foo-bar-2.3.4-5.el6_7.8 or something else totally different
if package.count("-") >= 2: #
# logger.warning('may be compliant rpm name without epoch')
name_other_comps = package.rsplit("-", 2) # split name-version-release.arch.rpm into max 3 chunks
name = name_other_comps[0] # only the name matters
version = "-".join(name_other_comps[1:]) # join the rest
else:
# logger.warning('non-compliant rpm name without colons and less than 2 hyphens')
name = package # best guess for name, fall back to rhsa for version lookup

return name, version
Expand Down Expand Up @@ -510,7 +505,7 @@ def _parse_affected_release(self, cve_id, content):
final_m = None

if not ar_obj.name or not final_v:
self.logger.warning(
self.logger.debug(
f"{cve_id}, platform={ar_obj.platform} : skipping affected release record as all attempts to deduce package name and or version were futile"
)
continue
Expand All @@ -521,12 +516,12 @@ def _parse_affected_release(self, cve_id, content):
prev_ar_obj = final_ar_objs.get((ar_obj.name, ar_obj.platform, ar_obj.module), None)
if prev_ar_obj:
if rpm.compare_versions(prev_ar_obj.version, ar_obj.version) < 0:
self.logger.warning(
self.logger.debug(
f"{cve_id}, platform={prev_ar_obj.platform}, package={prev_ar_obj.name}, module={prev_ar_obj.module} : multiple fix versions found, {ar_obj.version} > {prev_ar_obj.version}"
)
final_ar_objs[(ar_obj.name, ar_obj.platform, ar_obj.module)] = ar_obj
else:
self.logger.warning(
self.logger.debug(
f"{cve_id}, platform={prev_ar_obj.platform}, package={prev_ar_obj.name}, module={prev_ar_obj.module} : multiple fix versions found, {ar_obj.version} <= {prev_ar_obj.version}"
)
else:
Expand Down Expand Up @@ -594,7 +589,7 @@ def _parse_package_state(self, cve_id, content):
module = components[0]

if not package_name:
self.logger.warning(f"package state package_name missing for {cve_id} platform {platform}")
self.logger.debug(f"package state package_name missing for {cve_id} platform {platform}")
continue

state = item.get("fix_state", None)
Expand Down Expand Up @@ -718,7 +713,7 @@ def _parse_cve(self, cve_id, content):
item.package,
item.module,
) in platform_package_module_tuples:
self.logger.warning(
self.logger.debug(
f"{cve_id}, platform={item.platform}, package={item.package}, module={item.module} : partial fix found but package is still vulnerable. Ignoring fix version {item.version}"
)
continue
Expand Down
14 changes: 7 additions & 7 deletions src/vunnel/providers/sles/parser.py
Original file line number Diff line number Diff line change
Expand Up @@ -109,23 +109,23 @@ def _get_name_and_version_from_test(

test_obj = tests_dict.get(test_id)
if not test_obj:
cls.logger.warning(
cls.logger.debug(
"test reference not found for %s",
test_id,
)
return name, version

name_obj = artifacts_dict.get(test_obj.artifact_id)
if not name_obj:
cls.logger.warning(
cls.logger.debug(
"object reference not found for %s",
test_obj.artifact_id,
)
return name, version

version_obj = versions_dict.get(test_obj.version_id)
if not version_obj:
cls.logger.warning(
cls.logger.debug(
"state reference not found for %s",
test_obj.version_id,
)
Expand Down Expand Up @@ -204,7 +204,7 @@ def _release_resolver(
results.append(result)
continue

cls.logger.warning(
cls.logger.debug(
"multiple unrecognized release names %s for %s, skipping %s for this namespace",
list(release_feed.keys()),
version,
Expand Down Expand Up @@ -255,15 +255,15 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)

# validate release
if not release_name:
cls.logger.warning(
cls.logger.debug(
"release name is invalid, skipping %s",
vulnerability_obj.name,
)
continue

# validate version is inline with major version
if not release_version or not release_version.startswith(major_version):
cls.logger.warning(
cls.logger.debug(
"%s %s is an unsupported namespace for major version %s, skipping %s for this namespace",
release_name,
release_version,
Expand All @@ -283,7 +283,7 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
pkg_version,
) = cls._get_name_and_version_from_test(test_id, tests_dict, artifacts_dict, versions_dict)
if not pkg_name or not pkg_version:
cls.logger.warning(
cls.logger.debug(
"package name and or version invalid, skipping fixed-in for %s",
test_id,
)
Expand Down
6 changes: 3 additions & 3 deletions src/vunnel/providers/ubuntu/git.py
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ def _check(self, destination):
out = self._exec_cmd(cmd, cwd=destination)
self.logger.debug("check for git repository, cmd: {}, output: {}".format(cmd, out.decode()))
except:
self.logger.warning(f"git working tree not found at {destination}")
self.logger.debug(f"git working tree not found at {destination}")
return False

return True
Expand Down Expand Up @@ -112,7 +112,7 @@ def parse_full_cve_revision_history(self, git_log_output: str) -> dict[str, list
return hist

def prepare_cve_revision_history(self):
self.logger.info("building full revision history for all CVEs")
self.logger.info("building full revision history for all CVEs. This may take quite some time.")
self.cve_rev_history = {}
out = self._exec_cmd("git log --name-status --no-merges --format=oneline -- retired/ active/", cwd=self.dest)
self.cve_rev_history = self.parse_full_cve_revision_history(out.decode())
Expand Down Expand Up @@ -332,7 +332,7 @@ def _parse_normalized_commit(self, commit_lines: list[list[str]]) -> GitCommitSu
updated[cve_id] = components[2]
else:
# either not a commit line or an irrelevant file, ignore it
self.logger.warning("encountered unknown change symbol {}".format(components[0]))
self.logger.debug("skipping unknown change symbol {}".format(components[0]))
else:
# not a match
pass
Expand Down
8 changes: 4 additions & 4 deletions src/vunnel/providers/ubuntu/parser.py
Original file line number Diff line number Diff line change
Expand Up @@ -513,7 +513,7 @@ def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None):
# anchore_engine.services.policy_engine.engine.util.deb.DpkgVersion.from_string(p.get('status'))
pkg.Version = p.version
if pkg.Version is None:
logger.warn(
logger.debug(
'found CVE {} in ubuntu version {} with "released" status for pkg {} but no version for release. Released patches should have version info, but missing in source data. Marking package as not vulnerable'.format(
r.Name, r.NamespaceName, pkg.Name
)
Expand Down Expand Up @@ -641,13 +641,13 @@ def fetch(self, skip_if_exists=False):
self._save_last_processed_rev(current_rev)

# load merged state and map it to vulnerabilities
self.logger.debug("loading processed CVE content and transforming into vulnerabilities")
self.logger.info("loading processed CVE content and transforming into vulnerabilities")

for merged_cve in self._merged_cve_iterator():
yield from map_parsed(merged_cve, self.logger)

def _process_data(self, vc_dir: str, to_rev: str, from_rev: str | None = None):
self.logger.debug(f"processing data from git repository: {vc_dir}, from revision: {from_rev}, to revision: {to_rev}")
self.logger.info(f"processing data from git repository: {vc_dir}, from revision: {from_rev}, to revision: {to_rev}")

self.git_wrapper.prepare_cve_revision_history()

Expand Down Expand Up @@ -783,7 +783,7 @@ def _reprocess_merged_cve(self, cve_id: str, cve_rel_path: str):
saved_state = self._load_merged_cve(cve_id)

if not saved_state:
self.logger.warning(f"no saved state found for {cve_id}")
self.logger.debug(f"no saved state found for {cve_id}")
return

# reprocess only ignored patches
Expand Down

0 comments on commit eddfc1e

Please sign in to comment.