[Secure-testing-commits] r14304 - lib/python

Michael Gilbert gilbert-guest at alioth.debian.org
Sat Mar 20 01:02:49 UTC 2010


Author: gilbert-guest
Date: 2010-03-20 01:02:45 +0000 (Sat, 20 Mar 2010)
New Revision: 14304

Modified:
   lib/python/security_db.py
Log:
clarify unimportant status to reduce confusion (as seen in a recent mailing list thread)

Modified: lib/python/security_db.py
===================================================================
--- lib/python/security_db.py	2010-03-19 22:47:04 UTC (rev 14303)
+++ lib/python/security_db.py	2010-03-20 01:02:45 UTC (rev 14304)
@@ -1198,20 +1198,23 @@
         
         vulnerable_packages = []
         undetermined_packages = []
+        unimportant_packages = []
         have_something = False
-        for (package, vulnerable) in cursor.execute(
-            """SELECT DISTINCT sp.name, st.vulnerable
+        for (package, vulnerable, urgency) in cursor.execute(
+            """SELECT DISTINCT sp.name, st.vulnerable, n.urgency
             FROM source_package_status AS st,
             source_packages AS sp, package_notes AS n
             WHERE st.bug_name = ? AND sp.rowid = st.package
             AND sp.release = 'sid'
             AND n.bug_name = st.bug_name AND n.package = sp.name
-            AND n.urgency <> 'unimportant'
             ORDER BY sp.name""",
             (bug_name,)):
             have_something = True
             if vulnerable == 1:
-                vulnerable_packages.append(package)
+                if urgency == 'unimportant':
+                    unimportant_packages.append( package )
+                else:
+                    vulnerable_packages.append(package)
             elif vulnerable == 2:
                 undetermined_packages.append(package)
 
@@ -1234,6 +1237,14 @@
             cursor.execute("""INSERT INTO bug_status
                 (bug_name, release, status, reason)
                 VALUES (?, 'unstable', ?, ?)""", (bug_name, status, pkgs))
+        elif unimportant_packages:
+            if len(unimportant_packages) == 1:
+                pkgs = "package %s is vulnerable; however, the security impact is unimportant." % unimportant_packages[0]
+            else:
+                pkgs = "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimportant_packages))
+            cursor.execute("""INSERT INTO bug_status
+                (bug_name, release, status, reason)
+                VALUES (?, 'unstable', 'fixed', ?)""", (bug_name, pkgs))
         else:
             if have_something:
                 status = "not vulnerable."
@@ -1252,27 +1263,30 @@
         # here.
 
         status = {'' : {}, 'security' : {}}
-        for (package, note, subrelease, vulnerable) in cursor.execute(
+        for (package, note, subrelease, vulnerable, urgency) in cursor.execute(
             """SELECT DISTINCT sp.name, n.id, sp.subrelease,
-            st.vulnerable
+            st.vulnerable, n.urgency
             FROM source_package_status AS st,
             source_packages AS sp, package_notes AS n
             WHERE st.bug_name = ? AND sp.rowid = st.package
             AND sp.release = ? AND sp.subrelease IN ('', 'security')
             AND n.bug_name = st.bug_name AND n.package = sp.name
-            AND n.urgency <> 'unimportant'
             ORDER BY sp.name""",
             (bug_name, nickname)):
-            status[subrelease][(package, note)] = vulnerable
+            status[subrelease][(package, note)] = (vulnerable,urgency)
 
         # Check if any packages in plain testing are vulnerable, and
         # if all of those have been fixed in the security archive.
         fixed_in_security = True
         unfixed_pkgs = {}
         undet_pkgs = {}
-        for ((package, note), vulnerable) in status[''].items():
+        unimp_pkgs = {}
+        for ((package, note), (vulnerable, urgency)) in status[''].items():
             if vulnerable == 1:
-                unfixed_pkgs[package] = True
+                if urgency == 'unimportant':
+                    unimp_pkgs[package] = True
+                else:
+                    unfixed_pkgs[package] = True
                 if status['security'].get((package, note), True):
                     fixed_in_security = False
             elif vulnerable == 2:
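Review bot: Storing `(vulnerable, urgency)` tuples in `status` breaks the unchanged check `if status['security'].get((package, note), True):` that follows the urgency split: a non-empty tuple is always truthy, so a package recorded as not vulnerable in the security archive (`vulnerable == 0`) now sets `fixed_in_security = False` exactly like a missing entry, whereas before the commit the integer 0 left it True. Replacing the test with `sec = status['security'].get((package, note))` / `if sec is None or sec[0]:` / `fixed_in_security = False` reproduces the old semantics on the tuple. Note that unimportant packages still feed this check even though they no longer count as unfixed; whether `fixed_in_security` should ignore them depends on its use further down, which is outside the hunk. The enclosing function starts before this hunk and continues after it.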
@@ -1282,14 +1296,16 @@
         unfixed_pkgs.sort()
         undet_pkgs = undet_pkgs.keys()
         undet_pkgs.sort()
+        unimp_pkgs = unimp_pkgs.keys()
+        unimp_pkgs.sort()
 
         pkgs = ""
         result = "undetermined"
         if len(unfixed_pkgs) == 0 and len(undet_pkgs) == 0:
             if len(status[''].keys()) == 0:
-                pkgs += "not known to be vulnerable"
+                pkgs += "not known to be vulnerable."
             else:
-                pkgs += "not vulnerable"
+                pkgs += "not vulnerable."
             result = "fixed"
         if len(unfixed_pkgs) > 0:
             if len(unfixed_pkgs) == 1:
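Review bot: `unimp_pkgs = unimp_pkgs.keys()` followed by `unimp_pkgs.sort()` relies on `dict.keys()` returning a list, which mirrors the two existing pairs just above it but only holds on Python 2; the single line `unimp_pkgs = sorted(unimp_pkgs)` yields the same sorted list on both major versions and reads as one step. This is a point of style only and the new code is consistent with its surroundings. The enclosing function continues past the hunk.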
@@ -1310,6 +1326,12 @@
                 pkgs += "package " + undet_pkgs[0] + " may be vulnerable but needs to be checked."
             else:
                 pkgs += "packages " + ", ".join(undet_pkgs) + " may be vulnerable but need to be checked."
+        if len(unimp_pkgs) > 0 and len(undet_pkgs) == 0 and len(unfixed_pkgs) == 0:
+            result = "fixed"
+            if len(unimp_pkgs) == 1:
+                pkgs = "package %s is vulnerable; however, the security impact is unimportant." % unimp_pkgs[0]
+            else:
+                pkgs = "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimp_pkgs))
 
         cursor.execute("""INSERT INTO bug_status
         (bug_name, release, status, reason)
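Review bot: The new block reports unimportant packages only when `unfixed_pkgs` and `undet_pkgs` are both empty, so in a mixed bug the unimportant packages vanish from the reason entirely, because the earlier `pkgs +=` branches mention only the unfixed and undetermined ones. Moving the two-list guard onto `result = "fixed"` alone and appending the unimportant sentence in every case keeps the reason complete; in the all-unimportant case `pkgs` must still be reset, since the first `if` above has already written "not vulnerable." into it. The `fixed_in_security` flag computed in the third hunk is not consulted here; whether it should be is decided by code outside the hunk. The enclosing function continues past the hunk (the `INSERT INTO bug_status` at its end is cut off).
```python
        if len(unimp_pkgs) > 0:
            if len(unfixed_pkgs) == 0 and len(undet_pkgs) == 0:
                # Only unimportant issues remain: drop the "not vulnerable."
                # text written above rather than appending to it.
                result = "fixed"
                pkgs = ""
            elif pkgs:
                pkgs += " "
            if len(unimp_pkgs) == 1:
                pkgs += "package %s is vulnerable; however, the security impact is unimportant." % unimp_pkgs[0]
            else:
                pkgs += "packages %s are vulnerable; however, the security impact is unimportant." % (', '.join(unimp_pkgs))
```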



