From 2d48c80c1973cc0760cb58b39443b59d703e6e7e Mon Sep 17 00:00:00 2001
From: rabbitali
Date: Sun, 6 Aug 2023 12:38:15 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E6=9C=AA=E4=BF=AE=E5=A4=8DCV?= =?UTF-8?q?E=E4=BF=AE=E5=A4=8D=E6=96=B9=E5=BC=8F=E7=9A=84=E5=88=A4?= =?UTF-8?q?=E6=96=AD=E9=80=BB=E8=BE=91=E4=B8=8Etyping=E6=B3=A8=E9=87=8A?= =?UTF-8?q?=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...d-cve-display-error-and-typing-error.patch | 145 ++++++++++++++++++
 aops-ceres.spec | 7 +-
 2 files changed, 150 insertions(+), 2 deletions(-)
 create mode 100644 0006-fix-unfixed-cve-display-error-and-typing-error.patch
diff --git a/0006-fix-unfixed-cve-display-error-and-typing-error.patch b/0006-fix-unfixed-cve-display-error-and-typing-error.patch
new file mode 100644
index 0000000..146594b
--- /dev/null
+++ b/0006-fix-unfixed-cve-display-error-and-typing-error.patch
@@ -0,0 +1,145 @@
+From 400d1fa411bda3a693463091c0e8f97d69e56f68 Mon Sep 17 00:00:00 2001
+From: rabbitali
+Date: Sun, 6 Aug 2023 08:51:09 +0800
+Subject: [PATCH] fix unfixed cve hotpatch field display error and typing error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ ceres/function/command.py | 4 +-
+ ceres/manages/vulnerability_manage.py | 74 ++++++++++++++++++---------
+ 2 files changed, 53 insertions(+), 25 deletions(-)
+
+diff --git a/ceres/function/command.py b/ceres/function/command.py
+index fa4a849..809dbe8 100644
+--- a/ceres/function/command.py
++++ b/ceres/function/command.py
+@@ -173,8 +173,8 @@ def cve_command_manage(args):
+ exit(1)
+ status_code, cve_scan_info = VulnerabilityManage().cve_scan(data)
+ result = {
+- "unfixed_cves": cve_scan_info["unfixed_cves"],
+- "fixed_cves": cve_scan_info["fixed_cves"],
++ "unfixed_cves": cve_scan_info.get("unfixed_cves", []),
++ "fixed_cves": cve_scan_info.get("fixed_cves", []),
+ "os_version": Collect.get_system_info(),
+ "installed_packages": Collect.get_installed_packages()
+ }
+diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
+index b5a6705..335d48d 100644
+--- a/ceres/manages/vulnerability_manage.py
++++ b/ceres/manages/vulnerability_manage.py
+@@ -132,8 +132,7 @@ class VulnerabilityManage:
+ f'which repo id is {REPO_ID_FOR_CVE_MANAGE}.')
+ return REPO_NOT_SET, {}
+
+- @staticmethod
+- def _check_cve_by_dnf(repo_id: str) -> Tuple[int, dict]:
++ def _check_cve_by_dnf(self, repo_id: str) -> Tuple[str, dict]:
+ """
+ Detect which CVEs can be fixed from the update source
+
+@@ -160,26 +159,11 @@ class VulnerabilityManage:
+ """
+ result_dict = {"unfixed_cves": [], "fixed_cves": []}
+
+- try:
+- unfixed_cves = get_shell_data(["dnf", "hot-updateinfo", "list", "cves"])
+- is_hp_command = True
+- except InputError:
+- LOGGER.error("Failed to get cve list from dnf")
++ # get unfixed cve
++ status, unfixed_cves = self.__query_unfixed_cves()
++ if status != SUCCESS:
+ return COMMAND_EXEC_ERROR, result_dict
+- if "No such command: hotpatch" in unfixed_cves:
+- unfixed_cves = get_shell_data(["dnf", "updateinfo", "list", "cves", "--repo", repo_id])
+- is_hp_command = False
+- # unfixed_cves e.g.
+- # Last metadata expiration check: 4:31:51 ago on Tue 09 May 2023 05:50:28 AM CST.
+- # CVE-2021-32675 Low/sec.- -
+- for scan_info in unfixed_cves.strip().split("\n"):
+- # The standard data format is CVE-2021-32675 Low/sec. --
+- if scan_info[:4] == "CVE-":
+- cve = re.findall(r"CVE-[\d]{4}-[\d]+", scan_info)[0]
+- result_dict["unfixed_cves"].append({
+- "cve_id": cve,
+- "support_hp": scan_info[-1] != "-" if is_hp_command else False
+- })
++ result_dict["unfixed_cves"] = unfixed_cves
+
+ # Get fixed CVE
+ # cold patch
+@@ -220,6 +204,50 @@ class VulnerabilityManage:
+ })
+
+ return SUCCESS, result_dict
++
++ @staticmethod
++ def __query_unfixed_cves():
++ """
++ query unfixed cves by dnf or dnf hotpatch plugin
++
++ Returns:
++ str: status code
++ list: unfixed cve list e.g [{"cve_id": "CVE-XXXX-XXXX", "support_hp": True}]
++ """
++ try:
++ unfixed_cves = get_shell_data(["dnf", "hot-updateinfo", "list", "cves"])
++ is_hp_command = True
++ except InputError:
++ LOGGER.error("Failed to get cve list from dnf")
++ return COMMAND_EXEC_ERROR, []
++
++ if "No such command: hotpatch" in unfixed_cves:
++ unfixed_cves = get_shell_data(["dnf", "updateinfo", "list", "cves"])
++ is_hp_command = False
++
++ if is_hp_command:
++ all_cve_info:List[str] = re.findall("(CVE-\d{4}-\d+)\s+([\w+/\.]+)\s+(\S+)\s+(\S+)", unfixed_cves)
++ else:
++ all_cve_info:List[str] = re.findall("(CVE-\d{4}-\d+)\s+([\w+/\.]+)\s+(\S+)", unfixed_cves)
++
++ if not all_cve_info:
++ return SUCCESS, []
++
++ cve_info_dict = {}
++ for single_cve_info in all_cve_info:
++
++ cve_id = single_cve_info[0]
++ hotpatch = single_cve_info[-1]
++
++ if cve_id not in cve_info_dict:
++ cve_info_dict[cve_id] = {
++ "cve_id": cve_id,
++ "support_hp": False
++ }
++ if is_hp_command is True and hotpatch != "-":
++ cve_info_dict[cve_id]["support_hp"] = True
++
++ return SUCCESS, list(cve_info_dict.values())
+
+ def cve_fix(self, cves: List[dict]) -> Tuple[int, list]:
+ """
+@@ -302,7 +330,7 @@ class VulnerabilityManage:
+ else:
+ return "Complete" in res, res
+
+- def cve_rollback(self, cves: list[dict]) -> Tuple[str, list]:
++ def cve_rollback(self, cves: List[dict]) -> Tuple[str, list]:
+ """
+ cve rollback
+
+@@ -330,7 +358,7 @@ class VulnerabilityManage:
+
+ return self._cve_rollback(cves)
+
+- def _cve_rollback(self, cves: list[dict]) -> Tuple[str, list]:
++ def _cve_rollback(self, cves: List[dict]) -> Tuple[str, list]:
+ """
+ Roll back a restored cve
+
+--
+2.33.0
+
diff --git a/aops-ceres.spec b/aops-ceres.spec
index a838572..7569d27 100644
--- a/aops-ceres.spec
+++ b/aops-ceres.spec
@@ -1,6 +1,6 @@
 Name: aops-ceres
 Version: v1.2.1
-Release: 7
+Release: 8
 Summary: An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.
 License: MulanPSL2
 URL: https://gitee.com/openeuler/%{name}
@@ -10,7 +10,7 @@ Patch0002: 0002-update-cve-fix-and-cve-scan.patch
 Patch0003: 0003-fix-issue-cve-fix-result-doesn-t-match-log.patch
 Patch0004: 0004-update-hotpatch-info-query-func.patch
 Patch0005: 0005-match-correctly-applied-hotpatchs.patch
-
+Patch0006: 0006-fix-unfixed-cve-display-error-and-typing-error.patch
 BuildRequires: python3-setuptools
 Requires: python3-requests python3-jsonschema python3-libconf
@@ -45,6 +45,9 @@ An agent which needs to be adopted in client, it managers some plugins, such as
 %changelog
+* Sun Aug 06 2023 wenxin - v1.2.1-8
+- fix unfixed cve hotpatch field display error and typing error
+
 * Fri Jun 30 2023 wenxin - v1.2.1-7
 - update release
--
Gitee