[Git][security-tracker-team/security-tracker][master] 2 commits: tracker_service: display CVE entries using natural sort order [#76]
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 27 15:15:19 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d2f3228e by Sylvain Beucler at 2021-02-12T17:09:54+01:00
tracker_service: display CVE entries using natural sort order [#76]
to avoid annoying confusion with the default incorrect sort due to,
e.g., CVE-2021-3392 being considered higher than CVE-2021-20203
Approach:
- use 'COLLATE natorder' [1]; however, we'd have to leave the bug
unfixed for a few years, until this feature is merged and packaged
in stable sqlite3
[1] https://sqlite.org/forum/forumpost/e4dc6f3331
- sort at the Python level; AFAICS this breaks the current code's global
logic that delegates the sort to the database, so we'd need to
revamp the Python code or introduce ad-hoc logic
- use a size-bounded sort at the SQL level (current patch) using a
reasonable max size (10 digits / 32-bits), until 1) is available.
(variable-length is feasible but impacts readability and performance)
- - - - -
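A stand-alone check of the 0-padding emulation chosen in the commit message above, added here as an example (it is not code from the commit or from the tracker); it runs the patch's CASE expression against an in-memory SQLite table of constructed bug names and contrasts the result with SQLite's plain string order. The function names, the sample names and the single-quoted padding literal are assumptions of this example.

```python
import sqlite3

# Constructed sample bug names (not real tracker data), chosen so that
# plain string ordering and natural ordering visibly disagree.
SAMPLE_BUGS = [
    "CVE-2021-3392",
    "CVE-2021-20203",
    "CVE-2016-1000393",
    "CVE-2016-9999",
    "TEMP-0000000-ABCDEF",
]

# Same CASE expression as the MR#76 patch: the 9-char 'CVE-YYYY-' prefix is
# kept and the sequence number is left-padded to 10 digits, so a byte-wise
# string comparison gives numeric order. Names not starting with 'CVE' are
# left as they are.
NATSORT_KEY = """
CASE substr(name, 1, 3)
  WHEN 'CVE' THEN
    substr(name, 1, 9) || substr('0000000000' || substr(name, 10, 10), -10)
  ELSE name
END
"""


def sorted_bug_names(bug_names, natural=True):
    """Return bug_names ordered DESC by SQLite, with or without the emulation."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bugs (name TEXT)")
    con.executemany("INSERT INTO bugs VALUES (?)", [(n,) for n in bug_names])
    order = NATSORT_KEY if natural else "name"
    rows = con.execute(f"SELECT name FROM bugs ORDER BY {order} DESC").fetchall()
    con.close()
    return [row[0] for row in rows]


def natsort_key(name):
    """Pure-Python mirror of the SQL key, usable when sorting outside the DB."""
    if name[:3] == "CVE":
        # substr(name, 10, 10) = name[9:19]; pad on the left to 10 chars
        return name[:9] + name[9:19].rjust(10, "0")
    return name


if __name__ == "__main__":
    print("plain  :", sorted_bug_names(SAMPLE_BUGS, natural=False))
    print("natural:", sorted_bug_names(SAMPLE_BUGS))
```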
f72d124e by Salvatore Bonaccorso at 2021-02-27T16:14:00+01:00
Merge branch 'beuc/security-tracker-natsort'
tracker_service: display CVE entries using natural sort order
See merge request security-tracker-team/security-tracker!76
- - - - -
1 changed file:
- lib/python/security_db.py
Changes:
=====================================
lib/python/security_db.py
=====================================
@@ -138,7 +138,14 @@ BugsForSourcePackage_query = \
JOIN source_packages sp ON (st.package = sp.rowid)
WHERE sp.name = ?
AND (bugs.name LIKE 'CVE-%' OR bugs.name LIKE 'TEMP-%')
- ORDER BY bugs.name DESC, sp.release"""
+ ORDER BY
+ -- 'COLLATE natorder' emulation, using 0-padding (MR#76)
+ -- e.g. CVE-2016-1000393 -> CVE-2016-0001000393
+ CASE substr(bugs.name,1,3)
+ WHEN 'CVE' THEN
+ substr(bugs.name,1,9) || substr("0000000000"||substr(bugs.name, 10, 10), -10)
+ ELSE bugs.name
+ END DESC, sp.release"""
# Sort order is important for the groupby operation below.
def getBugsForSourcePackage(cursor, pkg):
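Review bot: the padding literal on the `substr("0000000000"||substr(bugs.name, 10, 10), -10)` line is double-quoted; in SQL double quotes delimit identifiers, and SQLite only accepts `"0000000000"` as a string here because no column of that name exists (the legacy double-quoted-string fallback, which can be disabled at build time with SQLITE_DQS=0). Use a single-quoted literal, `substr('0000000000' || substr(bugs.name, 10, 10), -10)`, so the query does not depend on that fallback. The rest of the expression holds up: `substr(bugs.name,1,9)` keeps the fixed `CVE-YYYY-` prefix, every name maps to exactly one padded key, so the groupby mentioned in the trailing context comment is unaffected, and non-CVE names such as `TEMP-` entries keep their existing string order.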
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b46bca4dc6f2fe204db071906e5c462b7171c9ae...f72d124e15df4d654960854613ae06d46eecdba6