diff --git a/0001-revise-the-query-method-for-installed-kernel-package.patch b/0001-revise-the-query-method-for-installed-kernel-package.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a4c1407e44bb973df2b515c4091a515c9e35e95c
--- /dev/null
+++ b/0001-revise-the-query-method-for-installed-kernel-package.patch
@@ -0,0 +1,57 @@
+From 0e84a02e690017f62fc42f3ea1597a4e40c2ec66 Mon Sep 17 00:00:00 2001
+From: wang-guangge
+Date: Mon, 23 Oct 2023 21:37:39 +0800
+Subject: [PATCH] revise the query method for installed kernel packages
+
+---
+ hotpatch/updateinfo_parse.py | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/hotpatch/updateinfo_parse.py b/hotpatch/updateinfo_parse.py
+index 7395dc6..4322eee 100644
+--- a/hotpatch/updateinfo_parse.py
++++ b/hotpatch/updateinfo_parse.py
+@@ -286,8 +286,14 @@ class HotpatchUpdateInfo(object):
+ # check whether the relevant target required package is installed on this machine
+ if not inst_pkgs:
+ return
++ # for kernel rpm, inst_pkgs is based on the kernel version of the current system
++ if required_pkg_name == "kernel":
++ inst_pkgs = [self.get_kernel_version_of_system()]
+ for inst_pkg in inst_pkgs:
+- inst_pkg_vere = '%s-%s' % (inst_pkg.version, inst_pkg.release)
++ if isinstance(inst_pkg, str):
++ inst_pkg_vere = inst_pkg.rsplit(".", 1)[0]
++ else:
++ inst_pkg_vere = '%s-%s' % (inst_pkg.version, inst_pkg.release)
+ if not self.version.larger_than(required_pkg_vere, inst_pkg_vere):
+ hotpatch.state = self.UNRELATED
+ elif required_pkg_vere != inst_pkg_vere:
+@@ -304,6 +310,24 @@ class HotpatchUpdateInfo(object):
+ hotpatch.state = self.INSTALLABLE
+ return
+
++ def get_kernel_version_of_system(self) -> str:
++ """
++ Get the kernel version of current system, according to the command of 'uname -r'.
++
++ Returns:
++ str: kernel version
++ """
++ cmd = ["uname", "-r"]
++ kernel_version = ''
++ kernel_version, return_code = cmd_output(cmd)
++ # 'uname -r' show the kernel version-release.arch of the current system
++ # [root@openEuler hotpatch]# uname -r
++ # 5.10.0-136.12.0.86.oe2203sp1.x86_64
++ if return_code != SUCCEED:
++ return kernel_version
++ kernel_version = kernel_version.split('\n')[0]
++ return kernel_version
++
+ def _parse_and_store_from_xml(self, updateinfoxml: str):
+ """
+ Parse and store hotpatch update information from xxx-updateinfo.xml.gz
+--
+2.33.0
+
diff --git a/0001-update-func-named-set-hotpatch-status-by-dnf-plugin.patch b/0001-update-func-named-set-hotpatch-status-by-dnf-plugin.patch
deleted file mode 100644
index 861f4dc21b17a894b3087c22dd474745e186028a..0000000000000000000000000000000000000000
--- a/0001-update-func-named-set-hotpatch-status-by-dnf-plugin.patch
+++ /dev/null
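Review bot: `get_kernel_version_of_system` returns whatever `cmd_output` produced when `return_code != SUCCEED`, and the caller in the `@@ -286` hunk then runs that string through `inst_pkg.rsplit(".", 1)[0]` and `self.version.larger_than`, so a failed `uname -r` is compared as if it were a kernel version instead of ending the check; the `kernel_version = ''` before the call is also dead, since the next line overwrites it. Return an empty string on failure, `if return_code != SUCCEED: return ''`, and have the caller skip the comparison when the list holds only `''` (the existing `if not inst_pkgs: return` runs before the kernel override, and a one-element list containing `''` is truthy). The method that owns the `for inst_pkg in inst_pkgs` loop starts before the hunk, and whether `cmd_output` and `SUCCEED` are already imported in updateinfo_parse.py is not visible from this patch. A docstring line stating that the value is the `version-release.arch` string from `uname -r` and that the caller strips the arch would make the `isinstance(inst_pkg, str)` branch self-explanatory.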
@@ -1,64 +0,0 @@ -From d6be0a82ace5d07d31a91a628369f71534834441 Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Wed, 13 Sep 2023 10:58:16 +0800 -Subject: [PATCH 1/1] update func named set_hotpatch_status_by_dnf_plugin - ---- - ceres/manages/vulnerability_manage.py | 30 ++++++++++++++++++++------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py -index f45c1f2..ab4b41c 100644 ---- a/ceres/manages/vulnerability_manage.py -+++ b/ceres/manages/vulnerability_manage.py -@@ -615,12 +615,11 @@ class VulnerabilityManage: - if not self.takeover and self.accepted: - try: - hotpatch_name = hotpatch_pkg.rsplit(".", 1)[0].split("-", 1)[1] -- status_set_result, log = self._set_hotpatch_status_by_dnf_plugin(hotpatch_name, "accept") -- if not status_set_result: -- stdout += "\n" + log -+ _, log = self._set_hotpatch_status_by_dnf_plugin(hotpatch_name, "accept") -+ stdout += f"\n\n{log}" - except IndexError as error: - LOGGER.error(error) -- stdout += "\n" + "hotpatch status set failed due to can't get correct hotpatch name!" -+ stdout += f"\n\nhotpatch status set failed due to can't get correct hotpatch name!" - - return TaskExecuteRes.SUCCEED, stdout - -@@ -637,12 +636,27 @@ class VulnerabilityManage: - Tuple[bool, str] - a tuple containing two elements (operation result, operation log). - """ -- code, stdout, stderr = execute_shell_command(f"dnf hotpatch --{operation} {hotpatch}") -- if code != CommandExitCode.SUCCEED: -+ -+ # replace -ACC to /ACC or -SGL to /SGL -+ # Example: kernel-5.10.0-153.12.0.92.oe2203sp2-ACC-1-1 >> kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1 -+ wait_to_remove_patch = re.sub(r'-(ACC|SGL)', r'/\1', hotpatch) -+ # Example of command execution result: -+ # Succeed: -+ # [root@openEuler ~]# dnf hotpatch --remove kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1 -+ # Last metadata expiration check: 3:24:16 ago on Wed 13 Sep 2023 08:16:17 AM CST. 
-+ # Gonna remove this hot patch: kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1 -+ # remove hot patch 'kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1' succeed -+ # Fail: -+ # [root@openEuler ~]# dnf hotpatch --accept kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1 -+ # Last metadata expiration check: 3:25:24 ago on Wed 13 Sep 2023 08:16:17 AM CST. -+ # Gonna accept this hot patch: kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1 -+ # accept hot patch 'kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1' failed, remain original status -+ code, stdout, stderr = execute_shell_command(f"dnf hotpatch --{operation} {wait_to_remove_patch}") -+ if code != CommandExitCode.SUCCEED or 'failed' in stdout: - LOGGER.error(f"hotpatch {hotpatch} set status failed!") -- return False, stderr -+ return False, stdout + stderr - -- return True, stdout -+ return True, stdout + stderr - - def cve_rollback(self, cves: List[dict]) -> Tuple[str, list]: - """ --- -2.33.0 - diff --git a/0002-update-query-installed-rpm-func.patch b/0002-update-query-installed-rpm-func.patch new file mode 100644 index 0000000000000000000000000000000000000000..26a33e7641115dbfa51448d9b30a317794351c89 --- /dev/null +++ b/0002-update-query-installed-rpm-func.patch 
@@ -0,0 +1,55 @@
+From 6d64fbb6c5645b582d7d84f81719abe66a6e021e Mon Sep 17 00:00:00 2001
+From: rabbitali
+Date: Tue, 24 Oct 2023 16:30:33 +0800
+Subject: [PATCH 1/1] update query_installed_rpm func
+
+---
+ ceres/manages/vulnerability_manage.py | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py
+index 983451c..c41a7fa 100644
+--- a/ceres/manages/vulnerability_manage.py
++++ b/ceres/manages/vulnerability_manage.py
+@@ -150,26 +150,25 @@ class VulnerabilityManage:
+ """
+ rpm_info = {}
+ # Example of command execution result:
+- # "kernel-tools":"kernel-tools-5.10.0-60.92.0.116.oe2203.aarch64",
+- # "kernel-headers":"kernel-headers-5.10.0-60.92.0.116.oe2203.aarch64",
+- # "kernel-devel":"kernel-devel-5.10.0-60.92.0.116.oe2203.aarch64",
+- # "kernel":"kernel-5.10.0-60.92.0.116.oe2203.aarch64",
++ # openldap:openldap-2.4.50-6.oe1.x86_64
++ # kernel:kernel-4.19.90-2310.3.0.0222.oe1.x86_64
++ # systemtap-runtime:systemtap-runtime-4.3-2.oe1.x86_64
++ # perl-Net-SSLeay:perl-Net-SSLeay-1.88-5.oe1.x86_64
++ # powertop:powertop-2.9-12.oe1.x86_64
++ # libusbx:libusbx-1.0.23-1.oe1.x86_64
+ code, stdout, _ = execute_shell_command(
+ """
+- rpm -qa --queryformat '"%{NAME}":"%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}",'
++ rpm -qa --queryformat '%{NAME}:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
+ """
+ )
+- if code != CommandExitCode.SUCCEED:
+- LOGGER.error("query installed packages info failed!")
+- return rpm_info
+-
+- try:
+- rpm_info = json.loads(f"{{{stdout[:-1]}}}")
+- except json.decoder.JSONDecodeError as error:
+- LOGGER.error(error)
++ if code != CommandExitCode.SUCCEED or not stdout:
+ LOGGER.error("query installed packages info failed!")
+ return rpm_info
+
++ for line in stdout.splitlines():
++ rpm_name, new_rpm_info = line.split(":",1)
++ old_rpm_info = rpm_info.get(rpm_name, "")
++ rpm_info[rpm_name] = new_rpm_info if new_rpm_info > old_rpm_info else old_rpm_info
+ LOGGER.debug("query installed rpm package info succeed!")
+ return rpm_info
+
+--
+2.33.0
+
diff --git a/0002-add-file-sync-func.patch b/0003-add-get-file-list-cmd.patch
similarity index 44%
rename from 0002-add-file-sync-func.patch
rename to 0003-add-get-file-list-cmd.patch
index f66775798214c02b48d71fdc485c4e6af55963d2..e95a3f740050bd43e53eb1085554331d9d881167 100644
--- a/0002-add-file-sync-func.patch
+++ b/0003-add-get-file-list-cmd.patch
@@ -1,100 +1,94 @@
-From b0f71927a3bdb3096757ca8cdedb233d2b886a4d Mon Sep 17 00:00:00 2001
-From: smjiao
-Date: Thu, 7 Sep 2023 16:28:49 +0800
-Subject: [PATCH] add file sync func
+From d85928700624569b72278815a77ca82346926fd8 Mon Sep 17 00:00:00 2001
+From: 13525411755
+Date: Mon, 30 Oct 2023 15:12:36 +0800
+Subject: [PATCH] add get file list cmd
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 ---
- ceres/__main__.py | 6 ++++
- ceres/function/command.py | 11 ++++++++
- ceres/function/schema.py | 12 ++++++++
- ceres/manages/sync_manage.py | 55 ++++++++++++++++++++++++++++++++++++
- 4 files changed, 84 insertions(+)
- create mode 100644 ceres/manages/sync_manage.py
+ ceres/__main__.py | 6 ++++
+ ceres/function/command.py | 12 ++++++-
+ ceres/function/schema.py | 4 +++
+ ceres/manages/list_file_manage.py | 53 +++++++++++++++++++++++++++++++
+ 4 files changed, 74 insertions(+), 1 deletion(-)
+ create mode 100644 ceres/manages/list_file_manage.py
 diff --git a/ceres/__main__.py b/ceres/__main__.py
-index d1bbee3..a93ec49 100644
+index a93ec49..07f7e7a 100644
 --- a/ceres/__main__.py
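Review bot: `rpm_info[rpm_name] = new_rpm_info if new_rpm_info > old_rpm_info else old_rpm_info` picks among several installed versions of the same package by plain string comparison, which is not rpm version ordering: with the format shown in the comments of this hunk, a constructed pair `kernel-4.19.90-999.oe1.x86_64` and `kernel-4.19.90-2310.3.0.0222.oe1.x86_64` keeps the lower `999` release because `'9' > '2'`. Since this dictionary is what the fixed-CVE queries look up installed rpms in, a wrong pick misreports which kernel a fix status applies to; compare the version-release part with a version-aware comparison (rpm's `labelCompare`, if the python3-rpm binding is acceptable as a dependency, or a component-wise split) rather than `>` on the whole string. `rpm_name, new_rpm_info = line.split(":",1)` also raises `ValueError` on any stdout line without a colon, and nothing around it catches that; guard it with `if ":" not in line: continue`. The method whose body this inner hunk edits starts before the hunk.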
 +++ b/ceres/__main__.py
-@@ -17,6 +17,7 @@ from ceres.function.command import (
- cve_command_manage,
+@@ -18,6 +18,7 @@ from ceres.function.command import (
 plugin_command_manage,
 register_on_manager,
-+ sync_conf_manage,
+ sync_conf_manage,
++ list_file_manage
 )
 from ceres.function.log import LOGGER
-@@ -55,6 +56,11 @@ def main():
- cve_group.add_argument("--rollback", type=str)
- subparsers_cve.set_defaults(function=cve_command_manage)
+@@ -61,6 +62,11 @@ def main():
+ sync_group.add_argument("--conf", type=str)
+ subparsers_sync.set_defaults(function=sync_conf_manage)
-+ subparsers_sync = subparsers.add_parser("sync", help='sync conf file')
-+ sync_group = subparsers_sync.add_mutually_exclusive_group(required=True)
-+ sync_group.add_argument("--conf", type=str)
-+ subparsers_sync.set_defaults(function=sync_conf_manage)
++ subparsers_list = subparsers.add_parser("ragdoll", help='list pam.d file')
++ list_group = subparsers_list.add_mutually_exclusive_group(required=True)
++ list_group.add_argument("--list", type=str)
++ subparsers_list.set_defaults(function=list_file_manage)
 +
 args = parser.parse_args()
 try:
 args.function(args)
 diff --git a/ceres/function/command.py b/ceres/function/command.py
-index e4d367a..7324f23 100644
+index 7324f23..11a5f25 100644
 --- a/ceres/function/command.py
 +++ b/ceres/function/command.py
-@@ -25,11 +25,13 @@ from ceres.function.schema import (
+@@ -25,12 +25,13 @@ from ceres.function.schema import (
 HOST_INFO_SCHEMA,
 REPO_SET_SCHEMA,
 STRING_ARRAY,
-+ CONF_SYNC_SCHEMA,
+- CONF_SYNC_SCHEMA,
++ CONF_SYNC_SCHEMA, DIRECTORY_FILE_SCHEMA,
 )
 from ceres.function.status import SUCCESS, StatusCode
 from ceres.function.util import convert_string_to_json, get_dict_from_file, plugin_status_judge, validate_data
 from ceres.manages import plugin_manage
 from ceres.manages.collect_manage import Collect
-+from ceres.manages.sync_manage import SyncManage
++from ceres.manages.list_file_manage import ListFileManage
+ from ceres.manages.sync_manage import SyncManage
 from ceres.manages.vulnerability_manage import VulnerabilityManage
-
-@@ -191,3 +193,12 @@ def cve_command_manage(args):
- else:
- print("Please check the input parameters!")
- exit(1)
+@@ -202,3 +203,12 @@ def sync_conf_manage(args):
+ exit(1)
+ res = StatusCode.make_response_body(SyncManage.sync_contents_to_conf(config))
+ print(json.dumps(res))
 +
 +
-+def sync_conf_manage(args):
-+ if args.conf:
-+ config = convert_string_to_json(args.conf)
-+ if not validate_data(config, CONF_SYNC_SCHEMA):
++def list_file_manage(args):
++ if args.list:
++ if not validate_data(args.list, DIRECTORY_FILE_SCHEMA):
 + exit(1)
-+ res = StatusCode.make_response_body(SyncManage.sync_contents_to_conf(config))
++ status, response = ListFileManage.list_file(args.list)
++ res = StatusCode.make_response_body((status, response))
 + print(json.dumps(res))
 diff --git a/ceres/function/schema.py b/ceres/function/schema.py
-index ada35c3..794152d 100644
+index 794152d..581df46 100644
 --- a/ceres/function/schema.py
 +++ b/ceres/function/schema.py
-@@ -113,3 +113,15 @@ CVE_ROLLBACK_SCHEMA = {
- }
- },
+@@ -125,3 +125,7 @@ CONF_SYNC_SCHEMA = {
+ "content": {"type": "string", "minLength": 1}
+ }
 }
 +
-+CONF_SYNC_SCHEMA = {
-+ "type": "object",
-+ "required": [
-+ "file_path",
-+ "content"
-+ ],
-+ "properties": {
-+ "file_path": {"type": "string", "minLength": 1},
-+ "content": {"type": "string", "minLength": 1}
-+ }
++DIRECTORY_FILE_SCHEMA = {
++ "type": "string"
 +}
-diff --git a/ceres/manages/sync_manage.py b/ceres/manages/sync_manage.py
+\ No newline at end of file
+diff --git a/ceres/manages/list_file_manage.py b/ceres/manages/list_file_manage.py
 new file mode 100644
-index 0000000..9be2a47
+index 0000000..3d7fd21
 --- /dev/null
-+++ b/ceres/manages/sync_manage.py
-@@ -0,0 +1,55 @@
++++ b/ceres/manages/list_file_manage.py
+@@ -0,0 +1,53 @@
 +#!/usr/bin/python3
 +# ******************************************************************************
 +# Copyright (c) Huawei Technologies Co., Ltd. 2022-2022. All rights reserved.
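Review bot: `DIRECTORY_FILE_SCHEMA = {"type": "string"}` accepts any string, so `validate_data(args.list, DIRECTORY_FILE_SCHEMA)` in `list_file_manage` can never reject a CLI argument and gives no protection for a value that the following hunk passes into a shell command; constrain it to an absolute path made of path characters only, e.g. `DIRECTORY_FILE_SCHEMA = {"type": "string", "minLength": 1, "pattern": "^/[A-Za-z0-9_./-]*$"}` (constructed), and keep the handler itself from building shell strings. The new subparser is registered as `"ragdoll"` with `help='list pam.d file'` while the handler lists whatever directory it is given; the help text should describe the command, e.g. `help='list the files of a directory'`. schema.py now ends with `\ No newline at end of file`, which the replaced patch did not cause; keeping the trailing newline avoids a spurious diff on the next edit.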
@@ -111,45 +105,43 @@ index 0000000..9be2a47
 +# Description: default
 +# Date: 2023/6/14 16:31
 +import os
++import subprocess
++
 +from ceres.function.log import LOGGER
 +from ceres.function.status import (
-+ FILE_NOT_FOUND,
 + UNKNOWN_ERROR,
 + SUCCESS
 +)
++from ceres.function.util import execute_shell_command
 +
 +
-+class SyncManage:
++class ListFileManage:
 + """
-+ Sync managed conf to the host
++ list directory file
 + """
 +
 + @staticmethod
-+ def sync_contents_to_conf(config: dict) -> str:
++ def list_file(directory_path: str):
 + """
-+ Write conf into file
++ list the pam.d file
 + Args:
-+ config(dict): filepath and content for file sync, only. eg:
-+ {
-+ "file_path" = "/tmp/test"
-+ "content" = "contents for this file"
-+ }
++ directory_path: the path of directory
 + Returns:
 + str: status code
 + """
-+ file_path = config.get('file_path')
-+
-+ contents = config.get('content')
-+ lines = contents.split('\n')
++ file_list_res = []
 + try:
-+ with open(file_path, "w", encoding="utf-8") as file:
-+ for line in lines:
-+ file.write(line + "\n")
++ command = "ls -l " + directory_path + " | awk '{print $9}'"
++ _, stdout, _ = execute_shell_command(command)
++ file_list = stdout.split("\n")
++ for file in file_list:
++ if file:
++ file_path_res = os.path.join(directory_path, file)
++ file_list_res.append(file_path_res)
++ return SUCCESS, {"resp": file_list_res}
 + except Exception as e:
-+ LOGGER.error("write sync content to conf failed, with msg{}".format(e))
-+ return UNKNOWN_ERROR
-+
-+ return SUCCESS
++ LOGGER.error("list the pam.d file failed, with msg{}".format(e))
++ return UNKNOWN_ERROR, {"resp": list()}
 --
 Gitee
diff --git a/0003-update-method-of-querying-fixed-cves-by-dnf-plugin.patch b/0003-update-method-of-querying-fixed-cves-by-dnf-plugin.patch
deleted file mode 100644
index 5675379112242c85351c6f734a1895d7e2b97bab..0000000000000000000000000000000000000000
--- a/0003-update-method-of-querying-fixed-cves-by-dnf-plugin.patch
+++ /dev/null
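Review bot: `command = "ls -l " + directory_path + " | awk '{print $9}'"` builds a shell command by concatenating `directory_path`, which arrives straight from the `--list` CLI argument with only a `{"type": "string"}` schema in front of it, so shell metacharacters in that value are interpreted by the shell — a command injection in a component that runs with the agent's privileges. The listing needs no shell at all: `os.listdir` yields the same names without the `total` line and without mangling names that contain spaces, which `awk '{print $9}'` does. Replace the try body with `file_list_res = [os.path.join(directory_path, name) for name in os.listdir(directory_path)]` followed by `return SUCCESS, {"resp": file_list_res}`, drop the now-unused `import subprocess` and `execute_shell_command` import, and narrow `except Exception` to `except OSError` so an unrelated failure is not reported as a listing error (the exit code of the shell command is currently discarded too). The docstring says `str: status code` but the method returns a `(status, dict)` tuple; update it to match.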
@@ -1,153 +0,0 @@ -From f947f2b46c52bc453858bf4e030ec9388c29b52d Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Mon, 18 Sep 2023 17:31:06 +0800 -Subject: [PATCH 1/1] update method of querying fixed cves by dnf plugin - ---- - ceres/manages/vulnerability_manage.py | 80 ++++++++++++++++++++------- - 1 file changed, 60 insertions(+), 20 deletions(-) - -diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py -index ab4b41c..ab10381 100644 ---- a/ceres/manages/vulnerability_manage.py -+++ b/ceres/manages/vulnerability_manage.py -@@ -132,7 +132,7 @@ class VulnerabilityManage: - { - "check_items": items_check_log, - "unfixed_cves": self._query_unfixed_cves_by_dnf_plugin() or self._query_unfixed_cves_by_dnf(), -- "fixed_cves": self._query_fixed_cves(), -+ "fixed_cves": self._query_fixed_cves_by_dnf_plugin() or self._query_fixed_cves_by_dnf(), - } - ) - return SUCCESS, cve_scan_result -@@ -339,7 +339,7 @@ class VulnerabilityManage: - - return cve_info_list - -- def _query_fixed_cves(self) -> list: -+ def _query_fixed_cves_by_dnf(self) -> list: - """ - parse the fixed kernel vulnerability info by dnf - -@@ -348,7 +348,6 @@ class VulnerabilityManage: - list: cve info e.g - [ - {"cve_id": "CVE-XXXX-XXXX","installed_rpm": "kernel-version-release.arch", "fix_way":"coldpatch"}, -- {"cve_id": "CVE-XXXX-XXXX","installed_rpm": "xxxx", "fix_way": "hotpatch", "hp_status": "ACCEPTED"} - ] - - """ -@@ -380,17 +379,70 @@ class VulnerabilityManage: - fixed_cves.append( - {"cve_id": cve_id, "installed_rpm": self.installed_rpm_info.get(rpm_name), "fix_way": "coldpatch"} - ) -- fixed_cves.extend(self._query_applied_hotpatch()) - return fixed_cves - -- def _query_applied_hotpatch(self) -> list: -+ def _query_fixed_cves_by_dnf_plugin(self) -> list: - """ -- parse kernel hotpatch info which has been applied by dnf hotpatch plugin (hotpatch) -+ parse the fixed kernel vulnerability info by dnf plugin - - Return: - list: hotpatch info list. 
e.g - [{"cve_id": "CVE-XXXX-XXXX", "fix_way": "hotpatch", "hp_status": "ACCEPTED", "installed_rpm":"xxxx"}] - -+ """ -+ # Example of command execution result: -+ # Last metadata expiration check: 0:31:50 ago on Mon 07 Aug 2023 10:26:32 AM CST. -+ # CVE-2023-1981 Moderate/Sec. avahi-libs-0.8-9.oe1.x86_64 - -+ # CVE-2021-42574 Important/Sec. binutils-2.34-19.oe1.x86_64 - -+ # CVE-2023-1513 Important/Sec. kernel-4.19.90-2304.1.0.0196.oe1.x86_64 patch-kernel-4.19.90-2112... -+ -+ code, stdout, stderr = execute_shell_command("dnf hot-updateinfo list cves --installed") -+ if code != CommandExitCode.SUCCEED: -+ LOGGER.error("query unfixed cve info failed by dnf!") -+ LOGGER.error(stderr) -+ return [] -+ -+ # Example of regex matching result: -+ # [ -+ # ("CVE-2023-1513", "Important/Sec.", "kernel-4.19.90-2304.1.0.0196.oe1.x86_64", "patch-kernel-4.19.90-2112.."), -+ # ("CVE-2021-xxxx", "Important/Sec.", "-", "patch-redis-6.2.5-1-SGL_CVE_2023_1111_CVE_2023_1112-1-1.x86_64") -+ # ] -+ hotpatch_status = self._query_applied_hotpatch_status() -+ all_cve_info = re.findall(r"(CVE-\d{4}-\d+)\s+([\w+/.]+)\s+(kernel\S+|-)\s+(patch-kernel\S+|-)", stdout) -+ -+ cve_info_fixed_by_coldpatch, cve_info_fixed_by_hotpatch, hotpatch_dic = [], [], defaultdict(str) -+ for cve_id, _, coldpatch, hotpatch in all_cve_info: -+ if hotpatch == "-": -+ cve_info_fixed_by_coldpatch.append( -+ { -+ "cve_id": cve_id, -+ "installed_rpm": self.installed_rpm_info.get(coldpatch.rsplit("-", 2)[0]), -+ "fix_way": "coldpatch", -+ } -+ ) -+ else: -+ cve_info_fixed_by_hotpatch.append({"cve_id": cve_id, "fix_way": "hotpatch", "installed_rpm": hotpatch}) -+ -+ hotpatch_dic_key = hotpatch.rsplit("-", 2)[0] -+ if hotpatch_dic_key.endswith("ACC"): -+ hotpatch_dic[hotpatch_dic_key] = max(hotpatch, hotpatch_dic.get(hotpatch_dic_key, hotpatch)) -+ -+ for cve_info in cve_info_fixed_by_hotpatch: -+ hotpatch_dic_key = cve_info["installed_rpm"].rsplit("-", 2)[0] -+ -+ if hotpatch_dic_key in hotpatch_dic: -+ 
cve_info["installed_rpm"] = hotpatch_dic[hotpatch_dic_key] -+ cve_info["hp_status"] = hotpatch_status.get(cve_info["installed_rpm"].rsplit(".", 1)[0], "") -+ -+ return cve_info_fixed_by_coldpatch + cve_info_fixed_by_hotpatch -+ -+ def _query_applied_hotpatch_status(self) -> Dict[str, str]: -+ """ -+ query applied hotpatch with its status -+ -+ Return: -+ dict: key is hotpatch name, value is its status. e.g {"patch-redis-6.2.5-1-ACC-1-3": "ACTIVED"} -+ - """ - # Example of command execution result: - # Last metadata expiration check: 0:28:36 ago on Mon 07 Aug 2023 10:26:32 AM CST. -@@ -409,7 +461,7 @@ class VulnerabilityManage: - # CVE-2023-1112 redis-6.2.5-1/SGL_CVE_2023_1111_CVE_2023_1112-1-1/redis-cli NOT-APPLIED - # CVE-2023-1111 redis-6.2.5-1/SGL_CVE_2023_1111_CVE_2023_1112-1-1/redis-server NOT-APPLIED - # CVE-2023-1112 redis-6.2.5-1/SGL_CVE_2023_1111_CVE_2023_1112-1-1/redis-server NOT-APPLIED -- result = [] -+ result = {} - code, stdout, stderr = execute_shell_command("dnf hotpatch --list cves") - if code != CommandExitCode.SUCCEED: - LOGGER.error("query applied hotpatch info failed!") -@@ -426,11 +478,6 @@ class VulnerabilityManage: - if not applied_hotpatch_info_list: - return result - -- code, arch, _ = execute_shell_command("uname -m") -- if code != CommandExitCode.SUCCEED: -- LOGGER.debug("Failed to query host arch info!") -- arch = "unknown_arch" -- - record_key_set = set() - for cve_id, patch_name, hotpatch_status in applied_hotpatch_info_list: - rpm = patch_name.split("-", 1)[0] -@@ -445,14 +492,7 @@ class VulnerabilityManage: - and (hotpatch_status in ("ACTIVED", "ACCEPTED")) - and record_key not in record_key_set - ): -- result.append( -- { -- "cve_id": cve_id, -- "installed_rpm": f"patch-{patch_name.rsplit('/',1)[0].replace('/','-')}.{arch}", -- "fix_way": "hotpatch", -- "hp_status": hotpatch_status, -- } -- ) -+ result[f"patch-{patch_name.rsplit('/',1)[0].replace('/','-')}"] = hotpatch_status - record_key_set.add(record_key) - return result - --- 
-2.33.1.windows.1
-
diff --git a/0004-optimize-import.patch b/0004-optimize-import.patch
new file mode 100644
index 0000000000000000000000000000000000000000..878e88134793764b3b217eac04299d5446b86f5c
--- /dev/null
+++ b/0004-optimize-import.patch
@@ -0,0 +1,77 @@
+From 94afbbf6c1cdef9e0ee427429401f0c72b3c9300 Mon Sep 17 00:00:00 2001
+From: xuyongliang_01
+Date: Wed, 18 Oct 2023 05:54:25 +0000
+Subject: [PATCH 1/3] update ceres/tests/manages/test_collect_manage.py.
+
+Signed-off-by: xuyongliang_01
+---
+ ceres/tests/manages/test_collect_manage.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ceres/tests/manages/test_collect_manage.py b/ceres/tests/manages/test_collect_manage.py
+index 243aa4c..b6b552a 100644
+--- a/ceres/tests/manages/test_collect_manage.py
++++ b/ceres/tests/manages/test_collect_manage.py
+@@ -11,7 +11,6 @@
+ # See the Mulan PSL v2 for more details.
+ # ******************************************************************************/
+ import grp
+-import json
+ import os
+ import pwd
+ import unittest
+--
+Gitee
+
+
+From 754dd7cb48ff52541e685034dc269731c67fb9dd Mon Sep 17 00:00:00 2001
+From: xuyongliang_01
+Date: Wed, 18 Oct 2023 05:55:47 +0000
+Subject: [PATCH 2/3] update ceres/manages/collect_manage.py.
+
+Signed-off-by: xuyongliang_01
+---
+ ceres/manages/collect_manage.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ceres/manages/collect_manage.py b/ceres/manages/collect_manage.py
+index 452b972..ffc82e3 100644
+--- a/ceres/manages/collect_manage.py
++++ b/ceres/manages/collect_manage.py
+@@ -11,7 +11,6 @@
+ # See the Mulan PSL v2 for more details.
+ # ******************************************************************************/
+ import grp
+-import json
+ import os
+ import pwd
+ import re
+--
+Gitee
+
+
+From 266da235746eb0e1d7c9784c955261cc67d57f0c Mon Sep 17 00:00:00 2001
+From: xuyongliang_01
+Date: Wed, 18 Oct 2023 05:56:32 +0000
+Subject: [PATCH 3/3] update ceres/function/register.py.
+
+Signed-off-by: xuyongliang_01
+---
+ ceres/function/register.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ceres/function/register.py b/ceres/function/register.py
+index a20dd25..6a0d65f 100644
+--- a/ceres/function/register.py
++++ b/ceres/function/register.py
+@@ -11,7 +11,6 @@
+ # See the Mulan PSL v2 for more details.
+ # ******************************************************************************/
+ import json
+-from typing import Dict
+
+ import requests
+
+--
+Gitee
+
diff --git a/0004-update-func-about-querying-applied-hotpatch-info.patch b/0004-update-func-about-querying-applied-hotpatch-info.patch
deleted file mode 100644
index 9567cc270b6c9495241086e895cc11ece6e2d10e..0000000000000000000000000000000000000000
--- a/0004-update-func-about-querying-applied-hotpatch-info.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 3e8e26b0b1b4b18ab45048069fc2f6a89b852802 Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Tue, 19 Sep 2023 20:02:44 +0800 -Subject: [PATCH 1/1] update func about querying applied hotpatch info - ---- - ceres/manages/vulnerability_manage.py | 33 +++++++++++++++------------ - 1 file changed, 18 insertions(+), 15 deletions(-) - -diff --git a/ceres/manages/vulnerability_manage.py b/ceres/manages/vulnerability_manage.py -index ab10381..1591d74 100644 ---- a/ceres/manages/vulnerability_manage.py -+++ b/ceres/manages/vulnerability_manage.py -@@ -806,27 +806,30 @@ class VulnerabilityManage: - "CVE-XXXX-XXX": {"patch 1", "patch 2"} - } - """ -- # Run the dnf command to query the hotpatch list,e.g -- # Last metadata expiration check: -- # CVE id base-pkg/hotpatch status -- # CVE-1 A-1.1-1/ACC-1-1/binary_file1 ACTIVED -- # CVE-2 A-1.1-1/ACC-1-1/binary_file2 ACTIVED -- code, hotpatch_list_output, _ = execute_shell_command(f"dnf hotpatch --list cve") -+ code, stdout, _ = execute_shell_command(f"dnf hot-updateinfo list cves --installed|grep patch") - if code != CommandExitCode.SUCCEED: - LOGGER.error(f"Failed to hotpatch list cve.") - return None - -- if not re.search("base-pkg/hotpatch", hotpatch_list_output): -+ all_cve_info = re.findall(r"(CVE-\d{4}-\d+)\s+([\w+/.]+)\s+(\S+|-)\s+(patch\S+)", stdout) -+ if not all_cve_info: -+ LOGGER.error(f"Failed to hotpatch list cve.") - return None -+ -+ applied_hotpatch_info = {} -+ hotpatch_dic = {} -+ for cve_id, _, _, hotpatch in all_cve_info: -+ applied_hotpatch_info[cve_id] = hotpatch -+ hotpatch_dic_key = hotpatch.rsplit("-", 2)[0] -+ if hotpatch_dic_key.endswith("ACC"): -+ hotpatch_dic[hotpatch_dic_key] = max(hotpatch, hotpatch_dic.get(hotpatch_dic_key, hotpatch)) -+ -+ for cve_id, cmd_output_hotpatch in applied_hotpatch_info.items(): -+ applied_hotpatch_info[cve_id] = hotpatch_dic.get(cmd_output_hotpatch.rsplit("-", 2)[0], cmd_output_hotpatch) -+ - hotpatch_list = defaultdict(set) -- for hotpatch_info in 
[line for line in hotpatch_list_output.split(os.linesep) if line]: -- if not hotpatch_info.startswith("CVE"): -- continue -- cve_id, base_pkg, status = [info.strip() for info in hotpatch_info.split()] -- if status != "ACTIVED" and status != "ACCEPTED": -- continue -- hotpatch_name = "patch-%s-%s" % tuple(base_pkg.rsplit("/", 2)[:2]) -- hotpatch_list[cve_id].add(hotpatch_name) -+ for cve_id, hotpatch in applied_hotpatch_info.items(): -+ hotpatch_list[cve_id].add(hotpatch) - - return hotpatch_list - --- -2.33.0 - diff --git a/aops-ceres-v1.3.1.tar.gz b/aops-ceres-v1.3.1.tar.gz deleted file mode 100644 index 5c66c47dd98931edffd25903b25fef80de94f1df..0000000000000000000000000000000000000000 Binary files a/aops-ceres-v1.3.1.tar.gz and /dev/null differ diff --git a/aops-ceres-v1.3.3.tar.gz b/aops-ceres-v1.3.3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..d4d5ef633f240d7c3a8973805265a985bb085099 Binary files /dev/null and b/aops-ceres-v1.3.3.tar.gz differ diff --git a/aops-ceres.spec b/aops-ceres.spec index 6551fac9d3d50a361edfce32578eef651ccb727d..bd2be64af9914d420cee5e871aa530253204466b 100644 --- a/aops-ceres.spec +++ b/aops-ceres.spec 
@@ -1,14 +1,14 @@
 Name: aops-ceres
-Version: v1.3.1
-Release: 5
+Version: v1.3.3
+Release: 4
 Summary: An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.
 License: MulanPSL2
 URL: https://gitee.com/openeuler/%{name}
 Source0: %{name}-%{version}.tar.gz
-Patch0001: 0001-update-func-named-set-hotpatch-status-by-dnf-plugin.patch
-Patch0002: 0002-add-file-sync-func.patch
-Patch0003: 0003-update-method-of-querying-fixed-cves-by-dnf-plugin.patch
-Patch0004: 0004-update-func-about-querying-applied-hotpatch-info.patch
+Patch0001: 0001-revise-the-query-method-for-installed-kernel-package.patch
+Patch0002: 0002-update-query-installed-rpm-func.patch
+Patch0003: 0003-add-get-file-list-cmd.patch
+Patch0004: 0004-optimize-import.patch
 BuildRequires: python3-setuptools
@@ -22,6 +22,15 @@ Conflicts: aops-agent
 An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.
+%package -n dnf-hotpatch-plugin
+Summary: dnf hotpatch plugin
+Requires: python3-hawkey python3-dnf syscare >= 1.1.0
+
+
+%description -n dnf-hotpatch-plugin
+dnf hotpatch plugin, it's about hotpatch query and fix
+
+
 %prep
 %autosetup -n %{name}-%{version} -p1
@@ -34,6 +43,10 @@ An agent which needs to be adopted in client, it managers some plugins, such as
 %py3_install
+# install for aops-dnf-plugin
+cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/
+
+
 %files
 %doc README.*
 %attr(0644,root,root) %{_sysconfdir}/aops/ceres.conf
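Review bot: `cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/` assumes the `dnf-plugins` directory already exists in the buildroot, and nothing in this spec creates it; if it is absent, `cp -r` will most likely create `dnf-plugins` as a copy of `hotpatch` itself instead of placing `hotpatch` inside it, and the `%files -n dnf-hotpatch-plugin` glob in the next hunk would then package the wrong layout. Add `mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins` before the copy, and use `cp -pr` (or `install`) so file modes are deterministic rather than inherited from the extracted tarball. The comment `# install for aops-dnf-plugin` would be more useful as `# dnf loads plugins from %{python3_sitelib}/dnf-plugins; install the hotpatch plugin there`, since the path is the non-obvious part.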
@@ -43,7 +56,27 @@ An agent which needs to be adopted in client, it managers some plugins, such as
 %{_bindir}/aops-ceres
+%files -n dnf-hotpatch-plugin
+%{python3_sitelib}/dnf-plugins/*
+
+
 %changelog
+* Fri Nov 03 2023 wenxin - v1.3.3-4
+- add get file list cmd
+-
+
+* Tue Oct 24 2023 wenxin - v1.3.3-3
+- update query_installed_rpm func
+
+* Mon Oct 23 2023 wangguangge - v1.3.3-2
+- revise the query method for installed kernel packages
+
+* Wed Oct 11 2023 wenxin - v1.3.3-1
+- add hotpatch plugin
+
+* Wed Sep 20 2023 wenxin - v1.3.2-1
+- fix query fixed cves info error by dnf
+
 * Tue Sep 19 2023 wenxin - v1.3.1-5
 - update func about querying applied hotpatch info
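Review bot: `%{python3_sitelib}/dnf-plugins/*` claims every entry under the dnf plugin directory, not only what this package copied there, so any other package that installs files into the same directory (the stock dnf plugin packages are the obvious candidates) will conflict with `dnf-hotpatch-plugin` at install time, while the directory itself stays unowned. List the entries the `cp -r` in `%install` actually produces (for example `%{python3_sitelib}/dnf-plugins/hotpatch/` if the tree lands as a subdirectory — verify against the build output) rather than a bare glob. The v1.3.3-4 `%changelog` entry has an empty `-` bullet after `- add get file list cmd` that should be removed.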