diff --git a/0003-fix-hotupgrade.py-bug.patch b/0003-fix-hotupgrade.py-bug.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2805b334ec16d120e2fd10f7f729826daaef57cb
--- /dev/null
+++ b/0003-fix-hotupgrade.py-bug.patch
@@ -0,0 +1,41 @@
+From ff6903c709ce8f005a4518cc92fb16353e0b817e Mon Sep 17 00:00:00 2001
+From: wang-guangge
+Date: Wed, 20 Sep 2023 19:26:49 +0800
+Subject: [PATCH] fix hotupgrade.py bug
+
+---
+ hotpatch/hotupgrade.py | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py
+index 25086a6..f61e37f 100644
+--- a/hotpatch/hotupgrade.py
++++ b/hotpatch/hotupgrade.py
+@@ -110,21 +110,10 @@ class HotupgradeCommand(dnf.cli.Command):
+ """
+ # syscare need a little bit time to process the installed hot patch
+ sleep(0.5)
+- if not self.base.transaction:
+- for hp in self.hp_list:
+- self._apply_hp(hp)
+- if self.opts.takeover and self.is_need_accept_kernel_hp:
+- self._accept_kernel_hp(hp)
+- return
+-
+- for ts_item in self.base.transaction:
+- if ts_item.action not in dnf.transaction.FORWARD_ACTIONS:
+- continue
+- if not str(ts_item.pkg).startswith("patch"):
+- continue
+- self._apply_hp(str(ts_item.pkg))
++ for hp in self.hp_list:
++ self._apply_hp(hp)
+ if self.opts.takeover and self.is_need_accept_kernel_hp:
+- self._accept_kernel_hp(str(ts_item.pkg))
++ self._accept_kernel_hp(hp)
+
+ def _apply_hp(self, hp_full_name):
+ pkg_info = self._parse_hp_name(hp_full_name)
+--
+2.33.0
+
diff --git a/0004-add-fixed-and-hp_status-filter.patch b/0004-add-fixed-and-hp_status-filter.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7f66ef3b8e5566e9b79ca42e9fe2928496137c92
--- /dev/null
+++ b/0004-add-fixed-and-hp_status-filter.patch
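Review bot: In the hotpatch/hotupgrade.py hunk of 0003-fix-hotupgrade.py-bug.patch, the new loop calls `self._accept_kernel_hp(hp)` without looking at the outcome of `self._apply_hp(hp)`, and it now walks every entry of `self.hp_list` instead of the packages the transaction actually carried forward. If an entry was not installed or failed to apply, takeover mode can still attempt to accept it, and the operator may be left believing a kernel CVE is mitigated when the patch never became active. `_apply_hp` is defined outside this hunk, so its return contract is not visible here; if it reports success or failure, gate the accept on it, for example `if not self._apply_hp(hp): continue`, and log the skipped hotpatch. The fixed `sleep(0.5)` above the loop is also only a guess at when syscare is ready, which makes checking the apply result more important. The enclosing method starts above the hunk.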
@@ -0,0 +1,109 @@
+From e542a4421ccc27c2f79afd3ed972a6d20858e1f0 Mon Sep 17 00:00:00 2001
+From: gongzt
+Date: Wed, 20 Sep 2023 20:01:47 +0800
+Subject: add fixed and hp_status filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ apollo/database/proxy/cve.py | 30 ++++++++++++++----------------
+ apollo/function/schema/cve.py | 2 ++
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/apollo/database/proxy/cve.py b/apollo/database/proxy/cve.py
+index c6d017e..3a6ec01 100644
+--- a/apollo/database/proxy/cve.py
++++ b/apollo/database/proxy/cve.py
+@@ -1562,25 +1562,22 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
+
+ cve_fixed_packages = (
+ self.session.query(
+- CveHostAssociation.id,
+ CveHostAssociation.installed_rpm,
+ CveHostAssociation.fixed_way,
++ CveHostAssociation.hp_status,
+ func.count(CveHostAssociation.host_id).label("host_num"),
+ )
+ .filter(*filters)
+- .group_by('installed_rpm', 'fixed_way', 'id')
++ .group_by('installed_rpm', 'fixed_way', "hp_status")
+ .all()
+ )
+ if not cve_fixed_packages:
+ return NO_DATA, []
+- cve_fixed_packages_status = (
+- self.session.query(CveHostAssociation.id, CveHostAssociation.hp_status).filter(*filters).all()
+- )
+
+- return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages, cve_fixed_packages_status)
++ return SUCCEED, self._cve_fixed_packages_row2dict(cve_fixed_packages)
+
+ @staticmethod
+- def _cve_fixed_packages_row2dict(rows, cve_fixed_packages_status):
++ def _cve_fixed_packages_row2dict(rows):
+ """
+ Fixed cve package row data converted to dictionary
+ Args:
+@@ -1590,17 +1587,12 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
+ list
+ """
+ result = []
+- cve_fixed_packages_status_dict = {
+- cve_host_match.id: cve_host_match.hp_status for cve_host_match in cve_fixed_packages_status
+- }
++
+ for row in rows:
+- status = cve_fixed_packages_status_dict[row.id] if cve_fixed_packages_status_dict[row.id] else ""
+- fixed_way = row.fixed_way
+- if fixed_way != "coldpatch":
+- fixed_way = fixed_way + f" ({status})"
+ fixed_rpm = {
+ "installed_rpm": row.installed_rpm,
+- "fixed_way": fixed_way,
++ "fixed_way": row.fixed_way,
++ "hp_status": row.hp_status,
+ "host_num": row.host_num,
+ }
+ result.append(fixed_rpm)
+@@ -1619,7 +1611,9 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
+ "username": "admin",
+ "cve_id": "CVE-2023-0120",
+ "available_rpm": "kernel-4.9-ACC"/null,
+- "installed_rpm": "kernel-4.9"
++ "installed_rpm": "kernel-4.9",
++ "hp_status": "ACCEPTED/ACTIVED",
++ "fixed": True/False
+ }
+
+ Returns:
+@@ -1651,9 +1645,13 @@ class CveProxy(CveMysqlProxy, CveEsProxy):
+ filters = {
+ CveHostAssociation.cve_id == data["cve_id"],
+ CveHostAssociation.installed_rpm == data["installed_rpm"],
++ CveHostAssociation.fixed == data["fixed"],
+ }
+ if data.get("available_rpm"):
+ filters.add(CveHostAssociation.available_rpm == data["available_rpm"])
++
++ if data.get("hp_status"):
++ filters.add(CveHostAssociation.hp_status == data["hp_status"])
+ cve_package_host_query = self._query_cve_package_host(filters)
+
+ total_count = cve_package_host_query.count()
+diff --git a/apollo/function/schema/cve.py b/apollo/function/schema/cve.py
+index 557b5f1..797edb1 100644
+--- a/apollo/function/schema/cve.py
++++ b/apollo/function/schema/cve.py
+@@ -121,6 +121,8 @@ class GetGetCvePackageHostSchema(PaginationSchema):
+ cve_id = fields.String(required=True, validate=lambda s: 0 < len(s) <= 20)
+ installed_rpm = fields.String(required=True, validate=lambda s: 0 < len(s) <= 100)
+ available_rpm = fields.String(required=False, validate=lambda s: 0 < len(s) <= 100)
++ hp_status = fields.String(required=False, validate=lambda s: 0 < len(s) <= 20)
++ fixed = fields.Boolean(required=True, default=False, validate=validate.OneOf([True, False]))
+
+
+ class ExportCveExcelSchema(Schema):
+--
+Gitee
+
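Review bot: The new request fields in apollo/function/schema/cve.py are validated more loosely than the filter code in apollo/database/proxy/cve.py assumes. `hp_status` accepts any string of up to 20 characters although the docstring only names `ACCEPTED/ACTIVED`; the value is bound through the ORM comparison, so this is not an injection path, but an allow-list such as `validate=validate.OneOf(["ACCEPTED", "ACTIVED"])` (full set of states to be confirmed) rejects bad input at the boundary. `fixed` is declared `required=True, default=False`: in marshmallow `default` applies to serialization, so a request without `fixed` is rejected rather than defaulted, and `OneOf([True, False])` adds nothing to a Boolean field. Either keep it required as `fields.Boolean(required=True)`, or make it optional with a load-time default and read it with `data.get("fixed", False)` instead of `data["fixed"]`. The result rows now also return `hp_status` as stored, which may be `None` where the removed code substituted an empty string.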
diff --git a/0005-fix-hot_updateinfo.py-bug.patch b/0005-fix-hot_updateinfo.py-bug.patch
new file mode 100644
index 0000000000000000000000000000000000000000..92a234f853468bfb82a5c7c99ee377d11419f7c7
--- /dev/null
+++ b/0005-fix-hot_updateinfo.py-bug.patch
@@ -0,0 +1,145 @@
+From 52154b551908abfa90149e3265c2279d57e17043 Mon Sep 17 00:00:00 2001
+From: wang-guangge
+Date: Thu, 21 Sep 2023 12:08:40 +0800
+Subject: [PATCH] fix hot_updateinfo.py bug
+
+---
+ hotpatch/hot_updateinfo.py | 44 ++++++++++++++++++++++++++++----------
+ 1 file changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/hotpatch/hot_updateinfo.py b/hotpatch/hot_updateinfo.py
+index 442d98f..3e86721 100644
+--- a/hotpatch/hot_updateinfo.py
++++ b/hotpatch/hot_updateinfo.py
+@@ -244,7 +244,7 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ """
+ is_iterated = False
+ if (
+- hotpatch.state == self.hp_hawkey.UNINSTALLABLE
++ hotpatch.state in (self.hp_hawkey.UNINSTALLABLE, self.hp_hawkey.UNRELATED)
+ and (cve_id, hotpatch.required_pkgs_name_str) in iterated_cve_id_and_hotpatch_require_info
+ ):
+ is_iterated = True
+@@ -282,14 +282,18 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ DisplayItem: for display
+ """
+ if self.updateinfo.opts.availability == 'installed':
+- display_item = self.get_installed_filtered_display_item(format_lines, installable_cve_id_and_hotpatch)
++ display_item = self.get_installed_filtered_display_item(
++ format_lines, fixed_cve_id_and_hotpatch, installable_cve_id_and_hotpatch
++ )
+ return display_item
+ display_item = self.get_available_filtered_display_item(
+ format_lines, fixed_cve_id_and_hotpatch, iterated_cve_id_and_hotpatch
+ )
+ return display_item
+
+- def get_installed_filtered_display_item(self, format_lines: set, installable_cve_id_and_hotpatch: set):
++ def get_installed_filtered_display_item(
++ self, format_lines: set, fixed_cve_id_and_hotpatch: set, installable_cve_id_and_hotpatch: set
++ ):
+ """
+ Get filtered display item by removing installable cve id and hotpatch, and removing iterated cve id
+ and hotpatch. For hotpatch, only show ones which have been installed and been actived/accepted in
+@@ -331,10 +335,13 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ hotpatch = '-'
+
+ if isinstance(hotpatch, Hotpatch):
+- if hotpatch.state in (self.hp_hawkey.INSTALLABLE, self.hp_hawkey.INSTALLED):
++ if (cve_id, hotpatch) in fixed_cve_id_and_hotpatch or hotpatch.state == self.hp_hawkey.INSTALLED:
+ hotpatch = hotpatch.nevra
+- elif hotpatch.state == self.hp_hawkey.UNINSTALLABLE:
+- continue
++ elif hotpatch.state in (self.hp_hawkey.UNINSTALLABLE, self.hp_hawkey.UNRELATED):
++ hotpatch = '-'
++
++ if coldpatch == '-' and hotpatch == '-':
++ continue
+
+ idw = max(idw, len(cve_id))
+ tiw = max(tiw, len(adv_type))
+@@ -409,6 +416,10 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ hotpatch = hotpatch.nevra
+ elif hotpatch.state == self.hp_hawkey.UNINSTALLABLE:
+ hotpatch = '-'
++ elif hotpatch.state == self.hp_hawkey.UNRELATED and coldpatch == '-':
++ continue
++ elif hotpatch.state == self.hp_hawkey.UNRELATED:
++ hotpatch = '-'
+
+ idw = max(idw, len(cve_id))
+ tiw = max(tiw, len(adv_type))
+@@ -484,6 +495,7 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ echo_lines = set()
+ fixed_cve_id_and_hotpatch = set()
+ installable_cve_id_and_hotpatch = set()
++ uninstallable_cve_id_and_hotpatch = set()
+ iterated_cve_id_and_hotpatch = set()
+
+ for ((nevra), aupdated), id2type in sorted(mapping_nevra_cve.items(), key=lambda x: x[0]):
+@@ -500,26 +512,31 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ for hotpatch in self.hp_hawkey.hotpatch_cves[cve_id].hotpatches:
+ # if cold patch name does not match with hotpatch required pkg name (target fix pkgs)
+ if pkg_name not in hotpatch._required_pkgs_info.keys():
++ echo_line = (cve_id, label, coldpatch, '-')
++ echo_lines.add(echo_line)
+ continue
+- if hotpatch.state == self.hp_hawkey.UNRELATED:
+- continue
+- elif hotpatch.state == self.hp_hawkey.INSTALLED:
++ if hotpatch.state == self.hp_hawkey.INSTALLED:
+ # record the fixed cve_id and hotpatch, filter the packages that are lower than
+ # the currently installed package for solving the same cve and target required
+ # pakcage
+ fixed_cve_id_and_hotpatch.add((cve_id, hotpatch))
+- # record the iterated cve_id and hotpatch
+ iterated_cve_id_and_hotpatch.add((cve_id, hotpatch))
+ elif hotpatch.state == self.hp_hawkey.INSTALLABLE:
+ # record the installable cve_id and hotpatch, filter the packages that are bigger
+ # than the currently installed package
+ installable_cve_id_and_hotpatch.add((cve_id, hotpatch))
+ iterated_cve_id_and_hotpatch.add((cve_id, hotpatch))
++ elif hotpatch.state == self.hp_hawkey.UNINSTALLABLE:
++ uninstallable_cve_id_and_hotpatch.add((cve_id, hotpatch))
+ echo_line = (cve_id, label, coldpatch, hotpatch)
+ echo_lines.add(echo_line)
+
+ self.add_untraversed_hotpatches(
+- echo_lines, fixed_cve_id_and_hotpatch, installable_cve_id_and_hotpatch, iterated_cve_id_and_hotpatch
++ echo_lines,
++ fixed_cve_id_and_hotpatch,
++ installable_cve_id_and_hotpatch,
++ uninstallable_cve_id_and_hotpatch,
++ iterated_cve_id_and_hotpatch,
+ )
+ # lower version ACC hotpatch of fixed ACC hotpatch, is also considered to be fixed
+ fixed_cve_id_and_hotpatch = self.append_fixed_cve_id_and_hotpatch(fixed_cve_id_and_hotpatch)
+@@ -536,6 +553,7 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ echo_lines: set,
+ fixed_cve_id_and_hotpatch: set,
+ installable_cve_id_and_hotpatch: set,
++ uninstallable_cve_id_and_hotpatch: set,
+ iterated_cve_id_and_hotpatch: set,
+ ):
+ """
+@@ -545,6 +563,8 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ Args:
+ echo_lines(set)
+ fixed_cve_id_and_hotpatch(set)
++ installable_cve_id_and_hotpatch(set)
++ uninstallable_cve_id_and_hotpatch(set)
+ iterated_cve_id_and_hotpatch(set)
+ """
+ for cve_id, cve in self.hp_hawkey.hotpatch_cves.items():
+@@ -553,6 +573,8 @@ class HotUpdateinfoCommand(dnf.cli.Command):
+ continue
+ if (cve_id, hotpatch) in iterated_cve_id_and_hotpatch:
+ continue
++ if (cve_id, hotpatch) in uninstallable_cve_id_and_hotpatch:
++ continue
+ if hotpatch.state == self.hp_hawkey.INSTALLED:
+ fixed_cve_id_and_hotpatch.add((cve_id, hotpatch))
+ iterated_cve_id_and_hotpatch.add((cve_id, hotpatch))
+--
+2.33.0
+
diff --git a/aops-apollo.spec b/aops-apollo.spec
index 6c75332d29c614997da1d8b3bd8918d28005bf46..e057cafb45cd52867d81b9fc2cbd86758292dc6e 100644
--- a/aops-apollo.spec
+++ b/aops-apollo.spec
@@ -1,6 +1,6 @@ Name: aops-apollo Version: v1.3.2 -Release: 3 +Release: 6 Summary: Cve management service, monitor machine vulnerabilities and provide fix functions. License: MulanPSL2 URL: https://gitee.com/openeuler/%{name}
@@ -16,6 +16,9 @@ Requires: python3-retrying python3-lxml Provides: aops-apollo Patch0001: 0001-fix-updateinfo_parse.py-bug.patch Patch0002: 0002-add-repair-status-of-the-cve-fixed-package.patch +Patch0003: 0003-fix-hotupgrade.py-bug.patch +Patch0004: 0004-add-fixed-and-hp_status-filter.patch +Patch0005: 0005-fix-hot_updateinfo.py-bug.patch %description
@@ -81,6 +84,15 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/ %{python3_sitelib}/aops_apollo_tool/* %changelog +* Thu Sep 21 2023 wangguangge - v1.3.2-6 +- fix the hot_updateinfo.py bug + +* Wed Sep 20 2023 gongzhengtang - v1.3.2-5 +- add fixed and hp_status filter + +* Wed Sep 20 2023 wangguangge - v1.3.2-4 +- fix the hotupgrade.py bug + * Tue Sep 19 2023 gongzhengtang - v1.3.2-3 - added the repair status of the cve fixed package
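Review bot: In the `@@ -331,10 +335,13 @@` hunk of 0005-fix-hot_updateinfo.py-bug.patch (the installed view in hotpatch/hot_updateinfo.py), the rewritten `if`/`elif` chain no longer has a branch for a hotpatch whose state is `INSTALLABLE` and which is not in `fixed_cve_id_and_hotpatch`. Such an entry keeps `hotpatch` as a `Hotpatch` object, so the new `coldpatch == '-' and hotpatch == '-'` check does not skip it and the row goes on to the width and display code with an object where a string is expected. The loop head is above the hunk and may already drop installable entries, but since this listing is what an operator reads to confirm which CVEs are fixed, the chain should end explicitly, for example `else: hotpatch = '-'`, so an unconfirmed hotpatch can never be printed as installed. A short comment on why membership in `fixed_cve_id_and_hotpatch` is enough to show a hotpatch that is not itself in state `INSTALLED` would also help the next reader.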