Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GSOC23] - D - Define RPC endpoints for listing the affected packages regarding a CVE #7570

Draft
wants to merge 53 commits into
base: master
Choose a base branch
from

Conversation

HoussemNasri
Copy link
Collaborator

@HoussemNasri HoussemNasri commented Sep 21, 2023

What does this PR change?

Scanning for a CVE from the web UI will give you whether your system is vulnerable or not along with patches to apply. But you don't know what packages need to be patched. This information is not important if Uyuni could apply the patch automatically, but if the patch is unavailable, you'll need to know what packages to patch manually. The goal of this pull request is to provide users with the list of packages to be patched regarding a particular CVE. All from Spacecmd.

GUI diff

No difference.

  • DONE

Documentation

Test coverage

  • No tests: add explanation

  • No tests: already covered

  • Unit tests were added

  • Cucumber tests were added

  • DONE

Links

  • DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

  • No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

  • Re-run test "changelog_test"
  • Re-run test "backend_unittests_pgsql"
  • Re-run test "java_pgsql_tests"
  • Re-run test "schema_migration_test_pgsql"
  • Re-run test "susemanager_unittests"
  • Re-run test "javascript_lint"
  • Re-run test "spacecmd_unittests"

- This is a temporary implementation based on JAXB API which consumes a lot of memory. I plan to rewrite it with StAX for better performance.
- A utility class to access OVAL resources (tests, objects and states) by id and quickly
- Used to parse CPEs found in OVAL files.
- Used to create CPE objects for testing and for when CPE is not available in OVAL, and we need to create or infer our own.
- OVAL files usually encode vulnerable operating systems information as a CPE (Common Platform Enumeration). Therefore, in order to accurately audit client systems we need to store their CPE.
- Kind of migration strategy for minions that are already registered. Instead of re-registering the minion, users could update their package list to get assigned a CPE.
- Added AFFECTED_PARTIAL_PATCH_APPLICABLE and AFFECTED_PARTIAL_PATCH_APPLICABLE
- Also renamed 'AFFECTED_PATCH_APPLICABLE' to 'AFFECTED_FULL_PATCH_APPLICABLE'
- This way when we can't audit a system with OVAL we can fall back to the old code.
- Because we don't need all the information contained in PackageListItem for CVE auditing.
- The idea here is decouple CVEAuditManager from the rest of the code by replacing all calls to CVEAuditManager to CVEAuditManagerOVAL, and make the CVEAuditManagerOVAL#doAuditSystem method fallback to CVEAuditManager#doAuditSystem when the system cannot be audited with OVAL (OVAL not synced or not supported by the system's OS). This way, in the future, when all distributions become supported for performing OVAL-based CVE auditing, we can just delete CVEAuditManager and its test class.

- CVEAuditManager contains also methods for managing CVE channels. For now, we can create the same methods in CVEAuditManagerOVAL and redirect them to their equivalent in CVEAuditManager. But in the future, when we don't need CVEAuditManager anymore, we can move them entirely to CVEAuditManagerOVAL or put them in their own class.

- The upside is that we can keep the tests for CVEAuditManager, which tests the channels-based algorithm, and we make the transition later when we don't need the channels algorithm anymore, easier. The downside is a lot of potential duplication in CVEAuditManagerOVAL tests given that need to maintain both channels and OVAL-based implementations.
- Now, CVEAuditManager is only used by CVEAuditManagerOVAL and CVEAuditManagerTest
- Also, updated the icons and colors of some patch statuses labels
@github-actions
Copy link
Contributor

github-actions bot commented Sep 21, 2023

Suggested tests to cover this Pull Request
  • proxy_cobbler_pxeboot
  • srv_monitoring
  • srv_rename_hostname
  • proxy_branch_network
  • allcli_sanity
  • min_salt_install_with_staging
  • min_check_patches_install
  • srv_scc_user_credentials
  • proxy_register_as_minion_with_script
  • min_salt_formulas
  • min_deblike_salt
  • min_project_lotus
  • srv_docker_cve_audit
  • min_salt_install_package
  • min_rhlike_salt
  • min_salt_openscap_audit
  • min_salt_lock_packages
  • minkvm_guests
  • min_monitoring
  • min_bootstrap_api
  • min_recurring_action
  • min_rhlike_openscap_audit
  • allcli_action_chain
  • min_salt_minions_page
  • min_deblike_salt_install_package
  • min_empty_system_profiles
  • min_salt_user_states
  • min_virthost
  • min_cve_id_new_syntax
  • min_deblike_openscap_audit
  • min_ssh_tunnel
  • min_action_chain
  • buildhost_docker_auth_registry
  • buildhost_osimage_build_image
  • min_move_from_and_to_proxy
  • min_ansible_control_node
  • min_bootstrap_script
  • min_activationkey
  • min_rhlike_monitoring
  • min_bootstrap_reactivation
  • min_salt_pkgset_beacon
  • srv_maintenance_windows
  • proxy_as_pod_basic_tests
  • buildhost_docker_build_image
  • min_cve_audit
  • sle_minion
  • min_deblike_ssh
  • min_salt_mgrcompat_state
  • min_salt_software_states
  • min_rhlike_ssh
  • minssh_action_chain
  • buildhost_bootstrap
  • min_custom_pkg_download_endpoint
  • proxy_retail_pxeboot_and_mass_import
  • min_retracted_patches
  • min_rhlike_salt_install_package_and_patch
  • min_bootstrap_ssh_key
  • min_deblike_monitoring
  • min_deblike_salt_install_with_staging
  • sle_ssh_minion
  • min_salt_migration
  • allcli_overview_systems_details
  • minssh_move_from_and_to_proxy
  • min_deblike_remote_command
  • srv_datepicker
  • min_salt_minion_details
  • srv_restart
  • srv_distro_cobbler
  • srv_custom_system_info
  • srv_power_management_redfish
  • srv_menu
  • allcli_software_channels_dependencies
  • min_config_state_channel
  • srv_reportdb
  • minssh_salt_install_package
  • allcli_reboot
  • minssh_bootstrap_api
  • srv_user_configuration_salt_states
  • srv_cobbler_distro
  • srv_group_union_intersection
  • minssh_ansible_control_node
  • srv_virtual_host_manager
  • min_salt_formulas_advanced
  • min_config_state_channel_api
  • srv_cobbler_profile
  • srv_power_management
  • allcli_config_channel
  • srv_power_management_api
  • min_config_state_channel_subscriptions
  • min_timezone
  • min_bootstrap_negative
  • srv_manage_activationkey
  • srv_advanced_search
  • allcli_software_channels
  • min_rhlike_remote_command
  • allcli_system_group
  • srv_manage_channels_page
  • min_change_software_channel
  • srv_first_settings
  • srv_create_repository
  • allcli_update_activationkeys
  • srv_check_sync_source_packages
  • srv_push_package
  • srv_delete_channel_from_ui
  • srv_check_channels_page
  • srv_clone_channel_npn
  • srv_handle_software_channels_with_ISS_v2

Copy link
Contributor

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Nov 21, 2023
@rjmateus rjmateus removed the Stale label Nov 23, 2023
Copy link
Contributor

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Jan 23, 2024
@HoussemNasri
Copy link
Collaborator Author

@rjmateus Can you please remove the stale label again to prevent closing it?

@mcalmer mcalmer removed the Stale label Jan 23, 2024
@mcalmer
Copy link
Contributor

mcalmer commented Jan 23, 2024

@rjmateus Can you please remove the stale label again to prevent closing it?

Done

Copy link
Contributor

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Mar 24, 2024
Copy link
Contributor

github-actions bot commented Apr 4, 2024

This PR was closed because it has been stalled for 10 days with no activity.

@github-actions github-actions bot closed this Apr 4, 2024
@parlt91
Copy link
Contributor

parlt91 commented Apr 4, 2024

Reopening

@parlt91 parlt91 reopened this Apr 4, 2024
Copy link
Contributor

github-actions bot commented Apr 4, 2024

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (aprox. 1h), please be patient ☕
You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/7570/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/7570/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

@github-actions github-actions bot removed the Stale label Apr 5, 2024
Copy link
Contributor

github-actions bot commented Jun 4, 2024

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Jun 4, 2024
@rjmateus rjmateus removed the Stale label Jun 4, 2024
Copy link
Contributor

github-actions bot commented Aug 4, 2024

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Aug 4, 2024
@rjmateus rjmateus removed the Stale label Aug 5, 2024
@rjmateus
Copy link
Member

rjmateus commented Aug 5, 2024

do not close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants