diff --git a/0001-fix-issue-gen-cve-task-failed.patch b/0001-fix-issue-gen-cve-task-failed.patch deleted file mode 100644 index d2ea7ac3b4a2137f5caa8aab9c13ebe7b05e7b3d..0000000000000000000000000000000000000000 --- a/0001-fix-issue-gen-cve-task-failed.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 614e6462e28c7ab013b669d7a7b2cc9c996a0a3f Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Wed, 28 Jun 2023 11:57:38 +0800 -Subject: [PATCH 1/1] fix issue:gen cve task failed - ---- - apollo/database/proxy/task.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/apollo/database/proxy/task.py b/apollo/database/proxy/task.py -index dd172b8..ed5e858 100644 ---- a/apollo/database/proxy/task.py -+++ b/apollo/database/proxy/task.py -@@ -3224,8 +3224,9 @@ class TaskProxy(TaskMysqlProxy, TaskEsProxy): - """ - - try: -- exists_cve_count = self.session.query(CveHostAssociation).filter( -- CveHostAssociation.cve_id.in_(cve_id)).count() -+ exists_cve_count = self.session.query(CveHostAssociation.cve_id).filter( -+ CveHostAssociation.cve_id.in_(cve_id)).distinct().count() -+ - - return True if exists_cve_count == len(cve_id) else False - except SQLAlchemyError as error: --- -2.33.0 - diff --git a/0001-fix-updateinfo_parse.py-bug.patch b/0001-fix-updateinfo_parse.py-bug.patch new file mode 100644 index 0000000000000000000000000000000000000000..75c600a95f0f6b705b3cff5eb79920a087e973bf --- /dev/null +++ b/0001-fix-updateinfo_parse.py-bug.patch 
@@ -0,0 +1,30 @@ +From 68d4c8cad42960391998868f15e2f99b40daa216 Mon Sep 17 00:00:00 2001 +From: wang-guangge +Date: Tue, 19 Sep 2023 13:58:04 +0800 +Subject: [PATCH] fix updateinfo_parse.py bug + +--- + hotpatch/updateinfo_parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hotpatch/updateinfo_parse.py b/hotpatch/updateinfo_parse.py +index 42e3814..7bfba61 100644 +--- a/hotpatch/updateinfo_parse.py ++++ b/hotpatch/updateinfo_parse.py +@@ -279,12 +279,12 @@ class HotpatchUpdateInfo(object): + hotpatch(Hotpatch) + """ + hotpatch.state = self.UNRELATED ++ is_find_installable_hp = False + for required_pkg_name, required_pkg_vere in hotpatch.required_pkgs_info.items(): + inst_pkgs = self._inst_pkgs_query.filter(name=required_pkg_name) + # check whether the relevant target required package is installed on this machine + if not inst_pkgs: + return +- is_find_installable_hp = False + for inst_pkg in inst_pkgs: + inst_pkg_vere = '%s-%s' % (inst_pkg.version, inst_pkg.release) + if not self.version.larger_than(required_pkg_vere, inst_pkg_vere): +-- +2.33.0 + diff --git a/0002-add-repair-status-of-the-cve-fixed-package.patch b/0002-add-repair-status-of-the-cve-fixed-package.patch new file mode 100644 index 0000000000000000000000000000000000000000..b49e2e03d78c3de19a2a901e7dfb4f5e4199cdfe --- /dev/null +++ b/0002-add-repair-status-of-the-cve-fixed-package.patch 
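Review bot: The hoisted `is_find_installable_hp = False` (now placed before the `for required_pkg_name, required_pkg_vere in hotpatch.required_pkgs_info.items():` loop in the embedded hunk) carries no comment, and the patch subject "fix updateinfo_parse.py bug" does not say what was wrong, so the next reader cannot tell why the flag must no longer be reset per required package. Presumably the defect was that checking a later required package cleared a flag set while checking an earlier one, or that the flag was read after the loop without ever having been assigned when `required_pkgs_info` is empty; a one-line comment on the new line would pin that down, e.g. `# initialised once: the flag must survive across all required packages (it was reset per package before)`. The enclosing method continues past the embedded hunk, where the flag is presumably consumed, so the patch as shown cannot be checked end to end.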
@@ -0,0 +1,67 @@ +From 7797ac40d715c9e7d56f1d6c0053b699c42c4ac2 Mon Sep 17 00:00:00 2001 +From: gongzt +Date: Tue, 19 Sep 2023 18:45:38 +0800 +Subject: Added the repair status of the cve fixed package +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + apollo/database/proxy/cve.py | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/apollo/database/proxy/cve.py b/apollo/database/proxy/cve.py +index 95de25c..c6d017e 100644 +--- a/apollo/database/proxy/cve.py ++++ b/apollo/database/proxy/cve.py +@@ -1562,21 +1562,25 @@ class CveProxy(CveMysqlProxy, CveEsProxy): + + cve_fixed_packages = ( + self.session.query( ++ CveHostAssociation.id, + CveHostAssociation.installed_rpm, + CveHostAssociation.fixed_way, + func.count(CveHostAssociation.host_id).label("host_num"), + ) + .filter(*filters) +- .group_by('installed_rpm', 'fixed_way') ++ .group_by('installed_rpm', 'fixed_way', 'id') + .all() + ) + if not cve_fixed_packages: + return NO_DATA, [] ++ cve_fixed_packages_status = ( ++ self.session.query(CveHostAssociation.id, CveHostAssociation.hp_status).filter(*filters).all() ++ ) + +- return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages) ++ return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages, cve_fixed_packages_status) + + @staticmethod +- def _cve_fixed_packages_row2dict(rows): ++ def _cve_fixed_packages_row2dict(rows, cve_fixed_packages_status): + """ + Fixed cve package row data converted to dictionary + Args: +@@ -1586,10 +1590,17 @@ class CveProxy(CveMysqlProxy, CveEsProxy): + list + """ + result = [] ++ cve_fixed_packages_status_dict = { ++ cve_host_match.id: cve_host_match.hp_status for cve_host_match in cve_fixed_packages_status ++ } + for row in rows: ++ status = cve_fixed_packages_status_dict[row.id] if cve_fixed_packages_status_dict[row.id] else "" ++ fixed_way = row.fixed_way ++ if fixed_way != "coldpatch": ++ fixed_way = fixed_way + f" 
({status})" + fixed_rpm = { + "installed_rpm": row.installed_rpm, +- "fixed_way": row.fixed_way, ++ "fixed_way": fixed_way, + "host_num": row.host_num, + } + result.append(fixed_rpm) +-- +Gitee + diff --git a/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch b/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch deleted file mode 100644 index 11e60a866e875455d4d6194d509b38b0c5e1ee1e..0000000000000000000000000000000000000000 --- a/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch +++ /dev/null 
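Review bot: Adding `CveHostAssociation.id` to both the select list and the `.group_by('installed_rpm', 'fixed_way', 'id')` of the `cve_fixed_packages` query defeats the aggregation: if `id` is the association's primary key (as the name suggests), every group holds exactly one row, so `func.count(CveHostAssociation.host_id).label("host_num")` is always 1 and the same installed_rpm/fixed_way pair is emitted once per host instead of once with a host count. The new `cve_fixed_packages_status` query then re-reads every matching row a second time only to look `hp_status` up by id. If the intent is to show the hotpatch status per fixed package, selecting `CveHostAssociation.hp_status,` alongside `fixed_way` and using `.group_by('installed_rpm', 'fixed_way', 'hp_status')` keeps one aggregated row per (installed_rpm, fixed_way, hp_status) and removes the second round trip, with `_cve_fixed_packages_row2dict` reading `row.hp_status` instead of the status dict. In the helper, `cve_fixed_packages_status_dict[row.id] if cve_fixed_packages_status_dict[row.id] else ""` performs the lookup twice and raises KeyError for a missing id; `status = cve_fixed_packages_status_dict.get(row.id) or ""` is the idiomatic form. Both methods continue outside the embedded hunks.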
@@ -1,65 +0,0 @@ -From 4225065c74beb5e66c4d66a4bd3dfca5bcac91bd Mon Sep 17 00:00:00 2001 -From: wang-guangge -Date: Wed, 28 Jun 2023 16:53:10 +0800 -Subject: [PATCH] do not return the related hotpatches when the cve is fixed - ---- - hotpatch/hotpatch_updateinfo.py | 15 ++++++++++++--- - hotpatch/hotupgrade.py | 2 +- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py -index 4b39969..7dc92ce 100644 ---- a/hotpatch/hotpatch_updateinfo.py -+++ b/hotpatch/hotpatch_updateinfo.py -@@ -291,7 +291,7 @@ class HotpatchUpdateInfo(object): - Get hotpatches from specified cve. If there are several hotpatches for the same source package for a cve, only return the - hotpatch with the highest version. - -- Args: -+ Args: - cves: [cve_id_1, cve_id_2] - - Returns: -@@ -307,14 +307,23 @@ class HotpatchUpdateInfo(object): - continue - # find the hotpatch with the highest version for the same source package - mapping_src_pkg_to_hotpatches = dict() -+ # check whether the cve is fixed -+ is_cve_fixed = False - for hotpatch in self.hotpatch_cves[cve_id].hotpatches: -+ if hotpatch.state == self.INSTALLED: -+ is_cve_fixed = True - if hotpatch.state == self.INSTALLABLE: -- mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append([hotpatch.hotpatch_name, hotpatch]) -+ mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append( -+ [hotpatch.hotpatch_name, hotpatch] -+ ) -+ # do not return the releated hotpatches if the cve is fixed -+ if is_cve_fixed: -+ continue - for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items(): - # extract the number in HPxxx and sort hotpatches in descending order according to the number - hotpatches = sorted(hotpatches, key=lambda x: int(re.findall("\d+", x[0])[0]), reverse=True) - mapping_cve_hotpatches[cve_id].append(hotpatches[0][1].nevra) -- -+ - return mapping_cve_hotpatches - - def get_hotpatches_from_advisories(self, advisories: list[str]) -> 
dict(): -diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py -index 2a36312..3bff9a1 100644 ---- a/hotpatch/hotupgrade.py -+++ b/hotpatch/hotupgrade.py -@@ -251,7 +251,7 @@ class HotupgradeCommand(dnf.cli.Command): - cve_hp_dict = updateinfo.get_hotpatches_from_cve(cves) - for cve, hp in cve_hp_dict.items(): - if not hp: -- logger.info(_("The cve's hot patch doesn't exist: %s"), cve) -+ logger.info(_("The cve doesn't exist or cannot be fixed by hotpatch: %s"), cve) - continue - hp_list += hp - return list(set(hp_list)) --- -2.33.0 - diff --git a/0003-update-condition-under-which-hotpatches-can-be-applied.patch b/0003-update-condition-under-which-hotpatches-can-be-applied.patch deleted file mode 100644 index c74105815da7c469d027c087984e784ad853ad44..0000000000000000000000000000000000000000 --- a/0003-update-condition-under-which-hotpatches-can-be-applied.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 30a0f76f2150f27db79fedde3af4926b36954066 Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Fri, 30 Jun 2023 19:07:55 +0800 -Subject: [PATCH] Update the condition under which hot patches can be applied -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - hotpatch/hotpatch_updateinfo.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py -index 7dc92ce..3963867 100644 ---- a/hotpatch/hotpatch_updateinfo.py -+++ b/hotpatch/hotpatch_updateinfo.py -@@ -212,7 +212,7 @@ class HotpatchUpdateInfo(object): - hp_vere = '%s-%s' % (src_pkg_version, src_pkg_release) - if hp_vere != inst_pkg_vere: - continue -- elif self._get_hotpatch_status_in_syscare(hotpatch) == 'ACTIVED': -+ elif self._get_hotpatch_status_in_syscare(hotpatch) in ('ACTIVED', "ACCEPTED"): - hotpatch.state = self.INSTALLED - else: - hotpatch.state = self.INSTALLABLE --- -2.33.0 - 
diff --git a/aops-apollo-v1.2.2.tar.gz b/aops-apollo-v1.2.2.tar.gz deleted file mode 100644 index fe2a60184f2e3568b50f6ad47fd120b28f56ef95..0000000000000000000000000000000000000000 Binary files a/aops-apollo-v1.2.2.tar.gz and /dev/null differ diff --git a/aops-apollo-v1.3.2.tar.gz b/aops-apollo-v1.3.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..b620e7ce09d3fbd2c1f140165e539d3b0aa5e487 Binary files /dev/null and b/aops-apollo-v1.3.2.tar.gz differ diff --git a/aops-apollo.spec b/aops-apollo.spec index 67f85891681603137dd061431d09e88a24b780fb..6c75332d29c614997da1d8b3bd8918d28005bf46 100644 --- a/aops-apollo.spec +++ b/aops-apollo.spec @@ -1,13 +1,10 @@ Name: aops-apollo -Version: v1.2.2 -Release: 4 +Version: v1.3.2 +Release: 3 Summary: Cve management service, monitor machine vulnerabilities and provide fix functions. License: MulanPSL2 URL: https://gitee.com/openeuler/%{name} Source0: %{name}-%{version}.tar.gz -Patch0001: 0001-fix-issue-gen-cve-task-failed.patch -Patch0002: 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch -Patch0003: 0003-update-condition-under-which-hotpatches-can-be-applied.patch BuildRequires: python3-setuptools @@ -17,6 +14,8 @@ Requires: python3-sqlalchemy python3-PyMySQL python3-Flask-APScheduler >= 1.11 Requires: python3-PyYAML python3-flask python3-gevent Requires: python3-retrying python3-lxml Provides: aops-apollo +Patch0001: 0001-fix-updateinfo_parse.py-bug.patch +Patch0002: 0002-add-repair-status-of-the-cve-fixed-package.patch %description @@ -50,6 +49,8 @@ popd # install for aops-apollo %py3_install +mkdir -p %{buildroot}/opt/aops/ +cp -r database %{buildroot}/opt/aops/ # install for aops-apollo-tool pushd aops-apollo-tool 
@@ -63,11 +64,12 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/ %files %doc README.* %attr(0644,root,root) %{_sysconfdir}/aops/apollo.ini -%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.ini +%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.yml %attr(0755,root,root) %{_bindir}/aops-apollo %attr(0755,root,root) /usr/lib/systemd/system/aops-apollo.service -%{python3_sitelib}/aops_apollo*.egg-info +%{python3_sitelib}/aops_apollo*.egg-info/* %{python3_sitelib}/apollo/* +%attr(0755, root, root) /opt/aops/database/* %files -n dnf-hotpatch-plugin %{python3_sitelib}/dnf-plugins/* @@ -79,6 +81,38 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/ %{python3_sitelib}/aops_apollo_tool/* %changelog +* Tue Sep 19 2023 gongzhengtang - v1.3.2-3 +- added the repair status of the cve fixed package + +* Tue Sep 19 2023 wangguangge - v1.3.2-2 +- fix the updateinfo_parse.py bug + +* Tue Sep 19 2023 wenxin - v1.3.2-1 +- fix cve scan callback error +- fix cve-fix task generate error when it only contain coldpatches +- add a method to querying fixed cve info for dnf plugin + +* Wed Sep 13 2023 zhuyuncheng -v1.3.1-5 +- fix task_cve_host return all host bug + +* Wed Sep 13 2023 gongzhengtang -v1.3.1-4 +- fixed host ip addresses are not verified in the generation task + +* Mon Sep 11 2023 gongzhengtang -v1.3.1-3 +- fixed several known issues +- fix dnf hot-updateinfo list cves bug +- fixed an error generated after selecting a specific rpm package + +* Tue Sep 5 2023 zhuyuncheng - v1.3.1-2 +- fix bug: delete host id filter when rollback in cve list interface + +* Tue Sep 5 2023 gongzhengtang - v1.3.1-1 +- cve repair tasks support rpm packet granularity + +* Tue Aug 29 2023 wangguangge - v1.3.0-1 +- update the dnf hot-updateinfo, dnf hotpatch and dnf hotupgrade command +- support the mixed management ability for coldpatches and hotpatches + * Fri Jun 30 2023 wenxin - v1.2.2-4 - Update the condition under which hot patches can be applied
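Review bot: `%attr(0755, root, root) /opt/aops/database/*` in the `%files` hunk marks every file shipped under `/opt/aops/database` executable and claims only the directory's contents, so `/opt/aops` and `/opt/aops/database` (populated by `mkdir -p %{buildroot}/opt/aops/` and `cp -r database %{buildroot}/opt/aops/` in the `%install` hunk above) are not owned by the package and are left behind on erase. If the directory holds SQL/schema data rather than scripts, `%dir /opt/aops`, `%dir /opt/aops/database` and `%attr(0644,root,root) /opt/aops/database/*` is the right set of entries; if some files genuinely need to be executable, list them individually. The change from `%{python3_sitelib}/aops_apollo*.egg-info` to `%{python3_sitelib}/aops_apollo*.egg-info/*` has the same effect on the egg-info directory; unless another package owns it, the previous form, which owns the directory together with its contents, is preferable. `/opt/aops` is also a hard-coded path where the rest of the spec uses macros (`%{_sysconfdir}`, `%{_bindir}`, `%{python3_sitelib}`); a `%{_datadir}/aops/database` location or at least a defined macro would keep the install and `%files` sections consistent.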