[Secure-testing-commits] r1969 - lib/python

Florian Weimer fw at costa.debian.org
Tue Sep 13 21:27:09 UTC 2005


Author: fw
Date: 2005-09-13 21:27:08 +0000 (Tue, 13 Sep 2005)
New Revision: 1969

Modified:
   lib/python/security_db.py
Log:
Ignore bugs which apply to packages which no longer exist.  With proper
package annotations (future patch, needs release hints), this allows us
to ignore kernel bugs which are no longer relevant.

lib/python/security_db.py (DB.releaseContainsPackage):
  New.
(DB.calculateVulnerabilities):
  Vulnerabilities which do not apply to any package are no longer
  relevant.  Ignore not-for-us DSAs.
(test):
  Update.


Modified: lib/python/security_db.py
===================================================================
--- lib/python/security_db.py	2005-09-13 21:21:44 UTC (rev 1968)
+++ lib/python/security_db.py	2005-09-13 21:27:08 UTC (rev 1969)
@@ -406,6 +406,18 @@
         
         return None
 
+    def releaseContainsPackage(self, cursor, release, package):
+        """Returns True if the source or binary package exists in release."""
+        for (c,) in cursor.execute(
+            """SELECT version FROM binary_packages
+            WHERE package = ? AND release = ?""", (package, release)):
+            return True
+        for (c,) in cursor.execute(
+            """SELECT version FROM source_packages
+            WHERE package = ? AND release = ?""", (package, release)):
+            return True
+        return False
+
     def calculateVulnerabilities(self, cursor):
         """Calculate vulnerable packages.
 
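Review bot: The two `for (c,) in cursor.execute(...): return True` loops in `releaseContainsPackage` are an awkward way to test for row existence: `c` is never used and `version` is fetched only to be discarded. A direct existence check reads better and makes the intent obvious, e.g. `if cursor.execute("""SELECT 1 FROM binary_packages WHERE package = ? AND release = ?""", (package, release)).fetchone() is not None: return True`, and likewise for `source_packages`. The query parameters are correctly bound with `?` placeholders rather than interpolated, which is worth keeping as-is since `package` ultimately comes from bug notes. The docstring could also say that a package is looked up by name in both the binary and the source package tables, so a source-only rename will not be found under its old name.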
@@ -426,7 +438,7 @@
 
             for n in bug.notes:
                 # ignore all notes conditioned on releases.
-                if n.release is not None:
+                if n.release is not None: # assumes 'etch'
                     continue
                 note_found = True
                 v = self.getVersion(cursor, 'etch', n.package)
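Review bot: The comment `# assumes 'etch'` added to the `if n.release is not None:` line does not explain what is assumed or by whom; the line it annotates merely skips release-conditioned notes, while the hard-coded `'etch'` is on the `getVersion` call below and, presumably, throughout the rest of the function, which starts and ends outside this hunk. A clearer wording would be `# Notes conditioned on a release are skipped: this function evaluates the unconditional notes against 'etch' only (release is hard-coded, see the getVersion call below).` If the intent is to make the release a parameter later, say so with a TODO rather than a bare "assumes".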
@@ -443,8 +455,19 @@
                 vulnerable = True
                 markVulnerable(b, 'etch', 0, 'TODO items present')
             elif not note_found:
-                vulnerable = True
-                markVulnerable(b, 'etch', 0, 'status is unclear')
+                # We found no matching note.  Maybe all packages have
+                # been removed?
+                if bug.notes:
+                    for n in bug.notes:
+                        if self.releaseContainsPackage \
+                               (cursor, 'etch', n.package):
+                            markVulnerable(b, 'etch', 0,
+                                'applicable package note for %s missing'
+                                           % n.package)
+                            vulnerable = True
+                else:
+                    vulnerable = True
+                    markVulnerable(b, 'etch', 0, 'status is unclear')
 
             return vulnerable
 
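Review bot: In the new `elif not note_found:` branch, a bug whose notes all name packages that are absent from etch now falls through with `vulnerable` still False and no `markVulnerable` record, so the bug silently disappears from the vulnerable list. That is the behaviour the log asks for, but it also swallows the case where a package was renamed rather than removed (source package renames are exactly what the cited kernel bugs tend to involve), and there is no trace a reviewer could use to see why a CVE vanished. At minimum the fall-through deserves an explicit comment such as `# No note matched and none of the noted packages exist in etch: treat the bug as moot for this release. Renamed packages also land here, so this is a silent drop.`; recording the reason the way the other branches do would be better, if `markVulnerable` can express a non-vulnerable status. The enclosing nested function starts before this hunk and `calculateVulnerabilities` continues after it.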
@@ -452,7 +475,8 @@
         # for CAN/CVE below).
 
         bug_names = list(cursor.execute(
-            "SELECT name FROM bugs WHERE name LIKE 'DSA-%'"))
+            """SELECT name FROM bugs
+            WHERE name LIKE 'DSA-%' AND NOT not_for_us"""))
         DSA_status = {}
         for (bug_name,) in bug_names:
             b = bugs.BugFromDB(cursor, bug_name)
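Review bot: The new filter `AND NOT not_for_us` will also exclude rows where `not_for_us` is NULL, because `NOT NULL` evaluates to NULL in SQLite and a NULL condition is treated as false; if the column is nullable for DSAs that were never annotated, those DSAs silently drop out of the vulnerability calculation. The column definition is not visible here, so this needs confirming, but a defensive form costs nothing: `WHERE name LIKE 'DSA-%' AND NOT COALESCE(not_for_us, 0)`. Alternatively, ensure the schema declares `not_for_us` with `NOT NULL DEFAULT 0` and note that assumption in a comment on the query.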
@@ -606,5 +630,7 @@
         else:
             assert False
 
+    assert bugs.BugFromDB(cursor, 'DSA-311').isKernelOnly()
+
 if __name__ == "__main__":
     test()



