
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package



Control: tag -1 + patch

On Tue, Feb 11, 2014 at 04:00:45PM -0300, Antonio Terceiro wrote:
> On Sat, Feb 08, 2014 at 11:31:27AM +0100, Salvatore Bonaccorso wrote:
> > Hi Antonio,
> > 
> > On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> > > It would be nice if someone familiar with the codebase could write up
> > > instructions on how to do that.
> > 
> > Actually at the Security Team meeting we are working now on this.
> > Mainly, if you want to set up a test instance of the security tracker,
> > you run these three steps:
> > 
> > make update-packages
> > make all
> > make serve
> 
> that worked just fine, thanks! :-)

now the patches :-)

the first one just sets some whitespace right in bin/tracker_service.py,
and the second one is the actual implementation of a "Vulnerability
summary" for a given source package.

-- 
Antonio Terceiro <terceiro@debian.org>
From d3ac0a9682ebc1538a083fb92c5b7101a53646ca Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terceiro@softwarelivre.org>
Date: Tue, 11 Feb 2014 16:13:44 -0300
Subject: [PATCH 1/2] tracker_service: remove spurious whitespace

---
 bin/tracker_service.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index 455ea9b..c0879a0 100644
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -93,7 +93,8 @@ h3 { font-size : 100%; }
 
 table { padding-left : 1.5em }
 td, th { text-align : left;
-	 padding-left : 0.25em;
+         padding-left : 0.25em;
+         padding-left : 0.25em;
          padding-right : 0.25em; }
 td { vertical-align: baseline }
 span.red { color: red; }
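Review bot: The replacement for the tab-indented `padding-left : 0.25em;` line is added twice in this hunk, so a commit described as whitespace-only grows the rule by one line (the `-93,7 +93,8` header matches that). The same thing happens in the `make_purple` hunk, where `return SPAN(contents, _class="purple")` is added twice and the second statement is unreachable. Each duplicated `+` line should be dropped so the commit is a pure tab-to-space change and the diffstat becomes 5 insertions, 5 deletions.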
@@ -1174,9 +1175,9 @@ Debian bug number.'''),
                              "Testing Security Team"),
                     " - ", A(url.absolute("http://www.debian.org/security/";),
                              "Debian Security"),
-		    " - ", A(url.absolute("http://anonscm.debian.org/viewvc/secure-testing/bin/tracker_service.py?view=markup";),
-		             "Source"),
-		    " ", A(url.absolute("svn://anonscm.debian.org/secure-testing"), "(SVN)"),
+                    " - ", A(url.absolute("http://anonscm.debian.org/viewvc/secure-testing/bin/tracker_service.py?view=markup";),
+                             "Source"),
+                    " ", A(url.absolute("svn://anonscm.debian.org/secure-testing"), "(SVN)"),
                     ))
         if search_in_page:
             on_load = "selectSearch()"
@@ -1324,7 +1325,8 @@ Debian bug number.'''),
         return SPAN(contents, _class="red")
 
     def make_purple(self, contents):
-	return SPAN(contents, _class="purple")
+        return SPAN(contents, _class="purple")
+        return SPAN(contents, _class="purple")
 
     def make_dangerous(self, contents):
         return SPAN(contents, _class="dangerous")
-- 
1.9.0.rc3

From 8d31c637e78a9c224426e2baef5a7d094a6857c0 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terceiro@softwarelivre.org>
Date: Tue, 11 Feb 2014 18:55:27 -0300
Subject: [PATCH 2/2] Vulnerabitily summary for packages

---
 bin/tracker_service.py | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index c0879a0..5df25ba 100644
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -99,6 +99,7 @@ td, th { text-align : left;
 td { vertical-align: baseline }
 span.red { color: red; }
 span.purple { color: purple; }
+span.green { color: green; }
 span.dangerous { color: rgb(191,127,0); }
 """), SCRIPT('''var old_query_value = "";
 
@@ -546,6 +547,34 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
             for (bug, description) in lst:
                 yield self.make_xref(url, bug), description
 
+        suites = ()
+        for (releases, version) in self.db.getSourcePackageVersions(
+            self.db.cursor(), pkg):
+            for r in releases:
+                if r not in suites:
+                    suites = suites + (r,)
+
+        def gen_summary(bugs):
+            for (bug, description) in bugs:
+                status = {}
+                for (package, releases, version, vulnerable) \
+                        in self.db.getSourcePackages(self.db.cursor(), bug):
+                    for release in releases:
+                        if package == pkg:
+                            if vulnerable == 1:
+                                status[release] = self.make_red('vulnerable')
+                            elif vulnerable == 2:
+                                status[release] = self.make_purple('undetermined')
+                            else:
+                                status[release] = self.make_green('fixed')
+                status_row = ()
+                for release in suites:
+                    if release in status:
+                        status_row = status_row + (status[release],)
+                    else:
+                        status_row = status_row + (self.make_purple('unknown'),)
+                yield (self.make_xref(url, bug),) + status_row
+
         return self.create_page(
             url, 'Information on source package ' + pkg,
             [make_menu(lambda x: x,
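Review bot: The final `else` in `gen_summary` renders every `vulnerable` value other than 1 or 2 as a green 'fixed', so an unexpected or NULL state fails open on a page people read to decide whether they are exposed. Presumably 0 is the not-vulnerable value (not visible in this hunk); matching it explicitly with `elif vulnerable == 0:` and sending everything else to `self.make_purple('unknown')` keeps unrecognised states from reading as safe. In addition, `status[release]` is overwritten whenever `getSourcePackages` returns more than one row for the same release, so a later 'fixed' row can hide an earlier 'vulnerable' one; keeping the worst status seen per release would be the safer choice. The enclosing page method starts and ends outside the hunk.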
@@ -558,6 +587,17 @@ to improve our documentation and procedures, so feedback is welcome.""")])])
              H2('Available versions'),
              make_table(gen_versions(), caption=('Release', 'Version')),
 
+             H2('Vulnerability summary'),
+
+             make_table(
+                 gen_summary(
+                     # open issues
+                     self.db.getBugsForSourcePackage(
+                         self.db.cursor(), pkg, True, False),
+                 ),
+                 caption=('CVE',) + suites
+             ),
+
              H2('Open issues'),
              make_table(gen_bug_list(self.db.getBugsForSourcePackage
                                      (self.db.cursor(), pkg, True, False)),
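Review bot: `self.db.getBugsForSourcePackage(self.db.cursor(), pkg, True, False)` is now evaluated twice with identical arguments, once for the summary table and once for 'Open issues'. Fetching it once before `create_page`, e.g. `open_bugs = list(self.db.getBugsForSourcePackage(self.db.cursor(), pkg, True, False))`, and passing `open_bugs` to both generators avoids the duplicate query and guarantees both tables list the same issues. Combined with the per-bug `getSourcePackages` call inside `gen_summary`, the page appears to issue one extra query per open issue on every request, which may matter for packages with long issue lists on a public service. The `create_page` call continues outside the hunk.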
@@ -1328,6 +1368,9 @@ Debian bug number.'''),
         return SPAN(contents, _class="purple")
         return SPAN(contents, _class="purple")
 
+    def make_green(self, contents):
+        return SPAN(contents, _class="green")
+
     def make_dangerous(self, contents):
         return SPAN(contents, _class="dangerous")
 
-- 
1.9.0.rc3

Attachment: signature.asc
Description: Digital signature

