diff --git a/src/vunnel/providers/nvd/manager.py b/src/vunnel/providers/nvd/manager.py
index a19ae6a9..cca792ef 100644
--- a/src/vunnel/providers/nvd/manager.py
+++ b/src/vunnel/providers/nvd/manager.py
@@ -44,7 +44,7 @@ def _can_update_incrementally(self, last_updated: datetime.datetime | None) -> b
 days_since_last_sync = (now - last_updated).days
 if days_since_last_sync >= NvdAPI.max_date_range_days:
- self.logger.warning(
+ self.logger.info(
 f"last sync was {days_since_last_sync} days ago (more than {NvdAPI.max_date_range_days} days, the max range value of the NVD API), downloading all data"
 )
 return False
diff --git a/src/vunnel/providers/rhel/parser.py b/src/vunnel/providers/rhel/parser.py
index 3e1871a9..a5454f3f 100644
--- a/src/vunnel/providers/rhel/parser.py
+++ b/src/vunnel/providers/rhel/parser.py
@@ -280,7 +280,7 @@ def _fetch_rhsa_fix_version(self, rhsa_id, platform, package):
 [None, None],
 )
 else:
- self.logger.warning(f"{rhsa_id} not found for platform {platform}")
+ self.logger.debug(f"{rhsa_id} not found for platform {platform}")
 except:
 self.logger.exception(f"error looking up {package} in {rhsa_id} for {platform}")
@@ -378,7 +378,6 @@ def _get_name_version(package):
 colon_comps = package.split(":", 1)
 if colon_comps[0].isdigit(): # epoch in the beginning 1:foo-bar-2.3.4-5.el6_7.8
- # logger.warning('compliant rpm name with epoch in the beginning')
 name_other_comps = colon_comps[1].rsplit("-", 2) # split name-version-release.arch.rpm into max 3 chunks
 name = name_other_comps[0] # only the name matters
 if len(name_other_comps) > 1: # defaults to rhsa lookup otherwise
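Review bot: Lowering `{rhsa_id} not found for platform {platform}` to debug removes the only default-level signal that the lookup fell through to what appears to be a `[None, None]` fix-version fallback on the preceding context lines, so a feed with missing fix data becomes indistinguishable from a clean run unless debug logging is enabled. The same demotion of record-skipping events is made in this file's `_parse_affected_release`, `_parse_package_state` and `_parse_cve` hunks and in the sles `_get_name_and_version_from_test`, `_release_resolver` and `_transform_oval_vulnerabilities` hunks. If per-record volume is the motivation, counting the skipped records and emitting one warning-level summary per run would keep the data-quality signal visible; otherwise a one-line comment at each site stating why the skipped record is considered benign would make the choice deliberate. The bare `except:` on the following context line also catches KeyboardInterrupt and SystemExit; `except Exception:` would still reach `self.logger.exception`. `_fetch_rhsa_fix_version` starts and ends outside the hunk.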
@@ -386,21 +385,17 @@ def _get_name_version(package):
 else:
 name_comps = colon_comps[0].rsplit("-", 1)
 if len(name_comps) > 1 and name_comps[1].isdigit(): # epoch in the middle foo-bar-1:2.3.4-5.el6_7.8
- # logger.warning('compliant rpm name with epoch in the middle')
 name = name_comps[0]
 version = name_comps[1] + ":" + colon_comps[1]
 else: # not compliant with rpm filename spec, could be an app stream
- # logger.warning('non-compliant rpm name with colons and hyphens')
 name = colon_comps[0] # best guess for name, fall back to rhsa for version lookup
 else: # no epoch foo-bar-2.3.4-5.el6_7.8 or something else totally different
 if package.count("-") >= 2: #
- # logger.warning('may be compliant rpm name without epoch')
 name_other_comps = package.rsplit("-", 2) # split name-version-release.arch.rpm into max 3 chunks
 name = name_other_comps[0] # only the name matters
 version = "-".join(name_other_comps[1:]) # join the rest
 else:
- # logger.warning('non-compliant rpm name without colons and less than 2 hyphens')
 name = package # best guess for name, fall back to rhsa for version lookup
 return name, version
@@ -510,7 +505,7 @@ def _parse_affected_release(self, cve_id, content):
 final_m = None
 if not ar_obj.name or not final_v:
- self.logger.warning(
+ self.logger.debug(
 f"{cve_id}, platform={ar_obj.platform} : skipping affected release record as all attempts to deduce package name and or version were futile"
 )
 continue
@@ -521,12 +516,12 @@ def _parse_affected_release(self, cve_id, content):
 prev_ar_obj = final_ar_objs.get((ar_obj.name, ar_obj.platform, ar_obj.module), None)
 if prev_ar_obj:
 if rpm.compare_versions(prev_ar_obj.version, ar_obj.version) < 0:
- self.logger.warning(
+ self.logger.debug(
 f"{cve_id}, platform={prev_ar_obj.platform}, package={prev_ar_obj.name}, module={prev_ar_obj.module} : multiple fix versions found, {ar_obj.version} > {prev_ar_obj.version}"
 )
 final_ar_objs[(ar_obj.name, ar_obj.platform, ar_obj.module)] = ar_obj
 else:
- self.logger.warning(
+ self.logger.debug(
 f"{cve_id}, platform={prev_ar_obj.platform}, package={prev_ar_obj.name}, module={prev_ar_obj.module} : multiple fix versions found, {ar_obj.version} <= {prev_ar_obj.version}"
 )
 else:
@@ -594,7 +589,7 @@ def _parse_package_state(self, cve_id, content):
 module = components[0]
 if not package_name:
- self.logger.warning(f"package state package_name missing for {cve_id} platform {platform}")
+ self.logger.debug(f"package state package_name missing for {cve_id} platform {platform}")
 continue
 state = item.get("fix_state", None)
@@ -718,7 +713,7 @@ def _parse_cve(self, cve_id, content):
 item.package,
 item.module,
 ) in platform_package_module_tuples:
- self.logger.warning(
+ self.logger.debug(
 f"{cve_id}, platform={item.platform}, package={item.package}, module={item.module} : partial fix found but package is still vulnerable. Ignoring fix version {item.version}"
 )
 continue
diff --git a/src/vunnel/providers/sles/parser.py b/src/vunnel/providers/sles/parser.py
index f745ddc7..08173b94 100644
--- a/src/vunnel/providers/sles/parser.py
+++ b/src/vunnel/providers/sles/parser.py
@@ -109,7 +109,7 @@ def _get_name_and_version_from_test(
 test_obj = tests_dict.get(test_id)
 if not test_obj:
- cls.logger.warning(
+ cls.logger.debug(
 "test reference not found for %s",
 test_id,
 )
@@ -117,7 +117,7 @@ def _get_name_and_version_from_test(
 name_obj = artifacts_dict.get(test_obj.artifact_id)
 if not name_obj:
- cls.logger.warning(
+ cls.logger.debug(
 "object reference not found for %s",
 test_obj.artifact_id,
 )
@@ -125,7 +125,7 @@ def _get_name_and_version_from_test(
 version_obj = versions_dict.get(test_obj.version_id)
 if not version_obj:
- cls.logger.warning(
+ cls.logger.debug(
 "state reference not found for %s",
 test_obj.version_id,
 )
@@ -204,7 +204,7 @@ def _release_resolver(
 results.append(result)
 continue
- cls.logger.warning(
+ cls.logger.debug(
 "multiple unrecognized release names %s for %s, skipping %s for this namespace",
 list(release_feed.keys()),
 version,
@@ -255,7 +255,7 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
 # validate release
 if not release_name:
- cls.logger.warning(
+ cls.logger.debug(
 "release name is invalid, skipping %s",
 vulnerability_obj.name,
 )
@@ -263,7 +263,7 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
 # validate version is inline with major version
 if not release_version or not release_version.startswith(major_version):
- cls.logger.warning(
+ cls.logger.debug(
 "%s %s is an unsupported namespace for major version %s, skipping %s for this namespace",
 release_name,
 release_version,
@@ -283,7 +283,7 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
 pkg_version,
 ) = cls._get_name_and_version_from_test(test_id, tests_dict, artifacts_dict, versions_dict)
 if not pkg_name or not pkg_version:
- cls.logger.warning(
+ cls.logger.debug(
 "package name and or version invalid, skipping fixed-in for %s",
 test_id,
 )
diff --git a/src/vunnel/providers/ubuntu/git.py b/src/vunnel/providers/ubuntu/git.py
index c78caa97..a306606e 100644
--- a/src/vunnel/providers/ubuntu/git.py
+++ b/src/vunnel/providers/ubuntu/git.py
@@ -69,7 +69,7 @@ def _check(self, destination):
 out = self._exec_cmd(cmd, cwd=destination)
 self.logger.debug("check for git repository, cmd: {}, output: {}".format(cmd, out.decode()))
 except:
- self.logger.warning(f"git working tree not found at {destination}")
+ self.logger.debug(f"git working tree not found at {destination}")
 return False
 return True
@@ -112,7 +112,7 @@ def parse_full_cve_revision_history(self, git_log_output: str) -> dict[str, list
 return hist
 def prepare_cve_revision_history(self):
- self.logger.info("building full revision history for all CVEs")
+ self.logger.info("building full revision history for all CVEs. This may take quite some time.")
 self.cve_rev_history = {}
 out = self._exec_cmd("git log --name-status --no-merges --format=oneline -- retired/ active/", cwd=self.dest)
 self.cve_rev_history = self.parse_full_cve_revision_history(out.decode())
@@ -332,7 +332,7 @@ def _parse_normalized_commit(self, commit_lines: list[list[str]]) -> GitCommitSu
 updated[cve_id] = components[2]
 else:
 # either not a commit line or an irrelevant file, ignore it
- self.logger.warning("encountered unknown change symbol {}".format(components[0]))
+ self.logger.debug("skipping unknown change symbol {}".format(components[0]))
 else:
 # not a match
 pass
diff --git a/src/vunnel/providers/ubuntu/parser.py b/src/vunnel/providers/ubuntu/parser.py
index ff6cdab7..dbc92161 100644
--- a/src/vunnel/providers/ubuntu/parser.py
+++ b/src/vunnel/providers/ubuntu/parser.py
@@ -513,7 +513,7 @@ def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None):
 # anchore_engine.services.policy_engine.engine.util.deb.DpkgVersion.from_string(p.get('status'))
 pkg.Version = p.version
 if pkg.Version is None:
- logger.warn(
+ logger.debug(
 'found CVE {} in ubuntu version {} with "released" status for pkg {} but no version for release. Released patches should have version info, but missing in source data. Marking package as not vulnerable'.format(
 r.Name, r.NamespaceName, pkg.Name
 )
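Review bot: The new debug line in `_parse_normalized_commit` still drops every `--name-status` entry whose status letter is not handled by the branches above it, and the `git log --name-status` command visible in the `prepare_cve_revision_history` hunk emits `R` and `C` codes for renames and copies whenever rename detection is active, which for a tracker that moves files between `active/` and `retired/` would mean revision history silently lost at debug level. If renames are intentionally not tracked here, a comment such as `# R/C (rename, copy) entries are deliberately not tracked` at the `else` would document that; if they should be, the unknown-symbol case deserves a warning or a counter rather than debug. The earlier branches of the `if` chain and the enclosing loop are outside the hunk, so the handled set cannot be confirmed from here.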
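Review bot: The message at this `map_parsed` call site reports that a package with 'released' status but no version is being marked not vulnerable; at debug level that false-negative path in the produced vulnerability data disappears from default logs, which is exactly the event a consumer of the feed would want to see, so the intended fix is probably `logger.warning(` (replacing the deprecated `warn` alias) rather than `logger.debug(`. The same hides-a-data-gap demotion appears in the `_reprocess_merged_cve` hunk of this file, where `no saved state found for {cve_id}` is now debug before an early `return`. Separately, the signature shows `logger: logging.Logger | None = None`; if the None default is not replaced earlier in `map_parsed` (outside the hunk), `logger.debug(...)` raises AttributeError for callers that omit it. `map_parsed` starts and ends outside the hunk.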
@@ -641,13 +641,13 @@ def fetch(self, skip_if_exists=False):
 self._save_last_processed_rev(current_rev)
 # load merged state and map it to vulnerabilities
- self.logger.debug("loading processed CVE content and transforming into vulnerabilities")
+ self.logger.info("loading processed CVE content and transforming into vulnerabilities")
 for merged_cve in self._merged_cve_iterator():
 yield from map_parsed(merged_cve, self.logger)
 def _process_data(self, vc_dir: str, to_rev: str, from_rev: str | None = None):
- self.logger.debug(f"processing data from git repository: {vc_dir}, from revision: {from_rev}, to revision: {to_rev}")
+ self.logger.info(f"processing data from git repository: {vc_dir}, from revision: {from_rev}, to revision: {to_rev}")
 self.git_wrapper.prepare_cve_revision_history()
@@ -783,7 +783,7 @@ def _reprocess_merged_cve(self, cve_id: str, cve_rel_path: str):
 saved_state = self._load_merged_cve(cve_id)
 if not saved_state:
- self.logger.warning(f"no saved state found for {cve_id}")
+ self.logger.debug(f"no saved state found for {cve_id}")
 return
 # reprocess only ignored patches