diff --git a/cve-vulner-manager/conf/app.conf b/cve-vulner-manager/conf/app.conf index 4cdcc5ff9fb9878dcaf9ae5017bdb6e5cbc004ca..26177ef2777436fcc5c305a823d4a06533f18830 100644 --- a/cve-vulner-manager/conf/app.conf +++ b/cve-vulner-manager/conf/app.conf @@ -227,4 +227,4 @@ download_cvrf_dir = "cvrf/" upload_updateinfo_dir = "cve-manager-updateinfo/" [cveagency] -url = "http://cve-manager-agent.cve-manager-agent.svc.cluster.local" \ No newline at end of file +url = "http://cve-manager-agent.cve-manager-agent.svc.cluster.local/v1/cve/track" \ No newline at end of file diff --git a/cve-vulner-manager/conf/product_app.conf b/cve-vulner-manager/conf/product_app.conf index 8538aacdd6af80fb66e0b5635cdf2d11703f1aad..837e842f54658748c7eb40965d5af48ad59ff837 100644 --- a/cve-vulner-manager/conf/product_app.conf +++ b/cve-vulner-manager/conf/product_app.conf @@ -217,4 +217,4 @@ download_cvrf_dir = "cvrf/" upload_updateinfo_dir = "cve-manager-updateinfo/" [cveagency] -url = "http://cve-manager-agent.cve-manager-agent.svc.cluster.local" \ No newline at end of file +url = "http://cve-manager-agent.cve-manager-agent.svc.cluster.local/v1/cve/track" \ No newline at end of file diff --git a/cve-vulner-manager/controllers/hook.go b/cve-vulner-manager/controllers/hook.go index 80da76973405a09c743813364df0add1ab1b869a..c36af76ef0e74105b7ca647db85fb7782352f6e3 100644 --- a/cve-vulner-manager/controllers/hook.go +++ b/cve-vulner-manager/controllers/hook.go @@ -74,6 +74,7 @@ const ( CommentReviewRemindMaintainer = "@%v 经过 cve-manager 解析 openEuler评分 已改变 需要等待安全组成员审核通过以后, 才能进行后续操作." CIssueType = "CVE和安全问题" HasCreateIssue = "@%v 当前CVE:%v 已经创建过对应的ISSUE, 请不要重复创建ISSUE, cve-manager 只会识别之前的ISSUE,不会对当前ISSUE进行处理." + CommentCheckVersion = "@%v 请确认分支: %v 受影响/不受影响." ) var comLock sync.Mutex 
@@ -329,6 +330,23 @@ func getMaintainer(path, prSender, assignee string) string { func gaussCloseIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueTemplate, token, owner, fixed, unFix, path string, cveCenter *models.VulnCenter) { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, cveCenter.OrganizationID) + if len(unFixList) > 0 { + //send comment to issue + issueTmp.IssueStatus = 1 + issueTmp.IssueLabel = unFix + issueTmp.StatusName = "open" + _, issueErr := taskhandler.UpdateIssueToGit(token, owner, issueTmp.Repo, + *cveCenter, *issueTmp) + if issueErr == nil { + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, issueHook.Sender.UserName, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + content := fmt.Sprintf("%v 仓库的CVE和安全问题的ISSUE,CVE编号: %v,", issueTmp.Repo, issueTmp.CveNum) + taskhandler.SendPrivateLetters(token, content, issueHook.Sender.UserName) + } + return + } if _, tb, ok := checkGaussIssueClosedAnalysisComplete(issueTmp); !ok { //send comment to issue issueTmp.IssueStatus = 1 @@ -338,7 +356,7 @@ func gaussCloseIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueT *cveCenter, *issueTmp) if issueErr == nil { na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" - cc := fmt.Sprintf(ContentReview, issueTmp.Assignee) + tb + na + cc := fmt.Sprintf(ContentReview, "@"+issueHook.Sender.UserName) + tb + na taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token) } } else { 
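Review bot: The new block at the top of gaussCloseIssueProc passes `issueTmp.Repo` to UpdateIssueToGit and AddCommentToIssue, while the retained branch right below it uses the `path` parameter for the same two calls; for openGauss the issue repository presumably comes from `opengauss::gauss_issue_path` (that is what VerifyIssueAsPr assigns to `path`), so if `issueTmp.Repo` is the package repository the reopen and the reminder comment go to the wrong repository. Use `path` in both: `_, issueErr := taskhandler.UpdateIssueToGit(token, owner, path, *cveCenter, *issueTmp)` and `taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token)`. The sporeCloseIssueProc hunk below has the same mismatch and even switches an existing `path` argument to `issueTmp.Repo`. gaussCloseIssueProc's body continues past this hunk.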
@@ -373,44 +391,61 @@ func gaussCloseIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueT func sporeCloseIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueTemplate, token, owner, fixed, unFix, path string, cveCenter *models.VulnCenter) { - if _, tb, ok := checkSporeIssueClosedAnalysisComplete(issueTmp); !ok { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, cveCenter.OrganizationID) + if len(unFixList) > 0 { //send comment to issue issueTmp.IssueStatus = 1 issueTmp.IssueLabel = unFix issueTmp.StatusName = "open" - _, issueErr := taskhandler.UpdateIssueToGit(token, owner, path, + _, issueErr := taskhandler.UpdateIssueToGit(token, owner, issueTmp.Repo, *cveCenter, *issueTmp) if issueErr == nil { - na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" - cc := fmt.Sprintf(ContentReview, issueTmp.Assignee) + tb + na - taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token) + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, issueHook.Sender.UserName, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + content := fmt.Sprintf("%v 仓库的CVE和安全问题的ISSUE,CVE编号: %v,", issueTmp.Repo, issueTmp.CveNum) + taskhandler.SendPrivateLetters(token, content, issueHook.Sender.UserName) } } else { - issueTmp.IssueLabel = unFix - issueTmp.StatusName = "open" - issueTmp.Status = 1 - assignee := "@" + issueTmp.Assignee - issuePrFlag := VerifyIssueAsPr(issueTmp, *cveCenter, false, - assignee, issueHook.Sender.UserName) - if issuePrFlag { - //1. 
change issue status - issueTmp.IssueStatus = 2 - //issueTmp.Status = 3 - cveCenter.IsExport = 3 - issueTmp.StatusName = issueHook.Issue.StateName - issueTmp.Status = 3 - if isNormalCloseIssue(issueTmp.CveId, issueTmp.IssueStatus) { + if _, tb, ok := checkSporeIssueClosedAnalysisComplete(issueTmp); !ok { + //send comment to issue + issueTmp.IssueStatus = 1 + issueTmp.IssueLabel = unFix + issueTmp.StatusName = "open" + _, issueErr := taskhandler.UpdateIssueToGit(token, owner, path, + *cveCenter, *issueTmp) + if issueErr == nil { + na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(ContentReview, "@"+issueHook.Sender.UserName) + tb + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token) + } + } else { + issueTmp.IssueLabel = unFix + issueTmp.StatusName = "open" + issueTmp.Status = 1 + assignee := "@" + issueTmp.Assignee + issuePrFlag := VerifyIssueAsPr(issueTmp, *cveCenter, false, + assignee, issueHook.Sender.UserName) + if issuePrFlag { + //1. change issue status issueTmp.IssueStatus = 2 + //issueTmp.Status = 3 cveCenter.IsExport = 3 - issueTmp.IssueLabel = fixed + issueTmp.StatusName = issueHook.Issue.StateName + issueTmp.Status = 3 + if isNormalCloseIssue(issueTmp.CveId, issueTmp.IssueStatus) { + issueTmp.IssueStatus = 2 + cveCenter.IsExport = 3 + issueTmp.IssueLabel = fixed + } else { + issueTmp.IssueStatus = 6 + cveCenter.IsExport = 2 + issueTmp.IssueLabel = unFix + } } else { - issueTmp.IssueStatus = 6 - cveCenter.IsExport = 2 - issueTmp.IssueLabel = unFix + issueTmp.IssueStatus = 1 + cveCenter.IsExport = 0 } - } else { - issueTmp.IssueStatus = 1 - cveCenter.IsExport = 0 } } } 
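Review bot: The entire previous body of sporeCloseIssueProc is re-indented one level under a new `else` so that the branch-completeness check can run first, whereas gaussCloseIssueProc achieves the same with an early `return` and no re-indentation. Ending the new `if len(unFixList) > 0 { ... }` block with `return` and leaving the old body at its original level would shrink this hunk to the inserted lines, keep the three close procs structurally alike, and make the diff reviewable; the closeIssueProc hunk below nests in the same way and would benefit from the same treatment. sporeCloseIssueProc's signature is at the top of the hunk but its caller context is not visible here.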
@@ -436,7 +471,8 @@ func closeIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueTempla sigReviewSend(issueHook, issueTmp, token, owner, fixed, unFix, assignee, cveCenter) } if openScoreFlag { - if msg, tb, ok := checkIssueClosedAnalysisComplete(issueTmp); !ok { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, cveCenter.OrganizationID) + if len(unFixList) > 0 { //send comment to issue issueTmp.IssueStatus = 1 issueTmp.IssueLabel = unFix 
@@ -444,52 +480,68 @@ func closeIssueProc(issueHook *models.IssuePayload, issueTmp *models.IssueTempla _, issueErr := taskhandler.UpdateIssueToGit(token, owner, issueTmp.Repo, *cveCenter, *issueTmp) if issueErr == nil { - na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" - cc := fmt.Sprintf(ContentReview, assignee) + tb + na + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, issueHook.Sender.UserName, strings.Join(unFixList, ",")) + na taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) content := fmt.Sprintf("%v 仓库的CVE和安全问题的ISSUE,CVE编号: %v,", issueTmp.Repo, issueTmp.CveNum) - taskhandler.SendPrivateLetters(token, content+msg, issueHook.Sender.UserName) + taskhandler.SendPrivateLetters(token, content, issueHook.Sender.UserName) } } else { - //1. change issue status - issueTmp.IssueStatus = 2 - //issueTmp.Status = 3 - cveCenter.IsExport = 3 - if issueTmp.MtAuditFlag == 0 { + if msg, tb, ok := checkIssueClosedAnalysisComplete(issueTmp); !ok { + //send comment to issue issueTmp.IssueStatus = 1 - issueTmp.Status = 1 - cveCenter.IsExport = 0 issueTmp.IssueLabel = unFix issueTmp.StatusName = "open" _, issueErr := taskhandler.UpdateIssueToGit(token, owner, issueTmp.Repo, *cveCenter, *issueTmp) if issueErr == nil { - na := "\n**issue关闭前,请确认模板分析内容的准确性与完整性,确认无误后,请在评论区输入: /approve, 否则无法关闭当前issue.**" - cc := fmt.Sprintf(ContentReview, assignee) + tb + na + na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(ContentReview, "@"+issueHook.Sender.UserName) + tb + na taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + content := fmt.Sprintf("%v 仓库的CVE和安全问题的ISSUE,CVE编号: %v,", issueTmp.Repo, issueTmp.CveNum) + taskhandler.SendPrivateLetters(token, content+msg, issueHook.Sender.UserName) } - return - } - issueTmp.IssueLabel = unFix - issueTmp.StatusName = "open" - issueTmp.Status = 1 - issuePrFlag := VerifyIssueAsPr(issueTmp, *cveCenter, false, - assignee, 
issueHook.Sender.UserName) - if issuePrFlag { - issueTmp.StatusName = issueHook.Issue.StateName - issueTmp.Status = 3 - if isNormalCloseIssue(issueTmp.CveId, issueTmp.IssueStatus) { - issueTmp.IssueStatus = 2 - cveCenter.IsExport = 3 - issueTmp.IssueLabel = fixed - } else { - issueTmp.IssueStatus = 6 - cveCenter.IsExport = 2 + } else { + //1. change issue status + issueTmp.IssueStatus = 2 + //issueTmp.Status = 3 + cveCenter.IsExport = 3 + if issueTmp.MtAuditFlag == 0 { + issueTmp.IssueStatus = 1 + issueTmp.Status = 1 + cveCenter.IsExport = 0 issueTmp.IssueLabel = unFix + issueTmp.StatusName = "open" + _, issueErr := taskhandler.UpdateIssueToGit(token, owner, issueTmp.Repo, + *cveCenter, *issueTmp) + if issueErr == nil { + na := "\n**issue关闭前,请确认模板分析内容的准确性与完整性,确认无误后,请在评论区输入: /approve, 否则无法关闭当前issue.**" + cc := fmt.Sprintf(ContentReview, assignee) + tb + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + } + return + } + issueTmp.IssueLabel = unFix + issueTmp.StatusName = "open" + issueTmp.Status = 1 + issuePrFlag := VerifyIssueAsPr(issueTmp, *cveCenter, false, + assignee, issueHook.Sender.UserName) + if issuePrFlag { + issueTmp.StatusName = issueHook.Issue.StateName + issueTmp.Status = 3 + if isNormalCloseIssue(issueTmp.CveId, issueTmp.IssueStatus) { + issueTmp.IssueStatus = 2 + cveCenter.IsExport = 3 + issueTmp.IssueLabel = fixed + } else { + issueTmp.IssueStatus = 6 + cveCenter.IsExport = 2 + issueTmp.IssueLabel = unFix + } + } else { + issueTmp.IssueStatus = 1 + cveCenter.IsExport = 0 } - } else { - issueTmp.IssueStatus = 1 - cveCenter.IsExport = 0 } } } @@ -631,7 +683,6 @@ func VerifyIssueAsPr(issueTmp *models.IssueTemplate, cveCenter models.VulnCenter token := "" owner := "" path := "" - prRepoSlice := []string{} if cveCenter.OrganizationID == 3 { affectedBranchs = beego.AppConfig.String("mindspore::mindspore_version") owner = beego.AppConfig.String("mindspore::mindspore_owner") 
@@ -649,7 +700,6 @@ func VerifyIssueAsPr(issueTmp *models.IssueTemplate, cveCenter models.VulnCenter logs.Info("GetMindSporeYaml, sporeErr: ", sporeErr) } } - prRepoSlice = append(prRepoSlice, path) if sn.AffectProduct != "" && len(sn.AffectProduct) > 1 { tmpTagList := make([]string, 0) affectProductSlice := strings.Split(sn.AffectProduct, "/") @@ -672,15 +722,13 @@ func VerifyIssueAsPr(issueTmp *models.IssueTemplate, cveCenter models.VulnCenter token = beego.AppConfig.String("opengauss::git_gauss_token") owner = beego.AppConfig.String("opengauss::gauss_owner") issuePath := beego.AppConfig.String("opengauss::gauss_issue_path") - prRepo := beego.AppConfig.String("opengauss::pr_repo") - prRepoSlice = strings.Split(prRepo, ",") - prRepoSlice = append(prRepoSlice, issuePath) + //prRepo := beego.AppConfig.String("opengauss::pr_repo") + //prRepoSlice = strings.Split(prRepo, ",") path = issuePath } else { affectedBranchs = beego.AppConfig.String("cve::affected_branchs") token = beego.AppConfig.String("gitee::git_token") owner = beego.AppConfig.String("gitee::owner") - prRepoSlice = append(prRepoSlice, issueTmp.Repo) path = issueTmp.Repo } if affectedBranchs != "" && len(affectedBranchs) > 0 { 
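Review bot: The `//prRepo := beego.AppConfig.String("opengauss::pr_repo")` and `//prRepoSlice = strings.Split(prRepo, ",")` lines in VerifyIssueAsPr are commented-out code left behind by the prRepoSlice removal; delete them instead of keeping them as comments, version control already holds the old version. Nothing in the hunk reads `opengauss::pr_repo` any more, so if that key is still present in app.conf or product_app.conf it is now dead configuration and should be removed before someone assumes it is honoured. VerifyIssueAsPr starts and ends outside this hunk.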
@@ -689,24 +737,40 @@ func VerifyIssueAsPr(issueTmp *models.IssueTemplate, cveCenter models.VulnCenter if sn.AffectProduct != "" && len(sn.AffectProduct) > 1 { issueTmp.SaAuditFlag = 0 affectProductList := strings.Split(sn.AffectProduct, "/") - var branchMaps = make(map[string]bool) + branchMaps := make(map[string]bool) for _, brands := range affectProductList { brands = common.BranchVersionRep(brands) if len(affectBranchsxList) > 0 { + keyBandList := []string{} for _, affectBranch := range affectBranchsxList { if affectBranch == brands { - branchMaps[brands] = false - for _, prRepo := range prRepoSlice { - prList := getRepoIssueAllPR(affectBranch, token, owner, prRepo, *issueTmp) - if len(prList) > 0 { - branchMaps[brands] = true - break + keyBandList = append(keyBandList, affectBranch) + } + } + if len(keyBandList) > 0 { + prList := getRepoIssueAllPR(keyBandList, token, owner, path, *issueTmp) + for _, brh := range keyBandList { + if len(prList) == 0 { + branchMaps[brh] = false + } else { + for _, prl := range prList { + if brh == prl.Branch { + branchMaps[brh] = prl.BrFlag + break + } } } + if _, ok := branchMaps[brh]; !ok { + branchMaps[brh] = false + } } } } } + if len(branchMaps) == 0 { + logs.Info("sn.AffectProduct: ", sn.AffectProduct, ",There is no branch to follow to associate with pr") + return true + } brandStr := "" //logs.Info("branchMaps===> ", branchMaps) for brand, bv := range branchMaps { 
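Review bot: The new `if len(branchMaps) == 0 { ...; return true }` makes VerifyIssueAsPr report a successful PR verification when none of the configured branches appears in `sn.AffectProduct`; in closeIssueProc a true result leads to the fixed/closed path, so an AffectProduct value that simply fails to match (a typo, or a form BranchVersionRep does not normalise) now lets the issue close as fixed rather than being held for correction. If "no branch to track" is genuinely a pass, say so in a comment and log it at warning rather than info level; otherwise `return false` here. The branch/PR matching can also be flatter: getRepoIssueAllPR now returns one entry per requested branch, so `for _, prl := range prList { branchMaps[prl.Branch] = prl.BrFlag }` followed by defaulting each `keyBandList` entry that is still absent to false replaces the three nested loops, and `keyBandList := []string{}` should be `var keyBandList []string`.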
@@ -935,7 +999,7 @@ func isLegallyIssue(i models.HookIssue) (pri models.PullRequestIssue, ok bool) { } // Get the pr associated with a single repo -func getRepoIssueAllPR(affectBranch, token, owner, repo string, isTemp models.IssueTemplate) (prList []models.PullRequestIssue) { +func getRepoIssueAllPR(affectBranch []string, token, owner, repo string, isTemp models.IssueTemplate) (prList []models.PullRequestIssue) { url := fmt.Sprintf("https://gitee.com/api/v5/repos/%v/issues/%v/pull_requests", owner, isTemp.IssueNum) req, err := http.NewRequest(http.MethodGet, url, nil) if err != nil { 
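Review bot: The doc comment `// Get the pr associated with a single repo` no longer describes getRepoIssueAllPR: it now takes a slice of branches and, per the next hunk, returns one PullRequestIssue per branch with `BrFlag` telling whether a merged PR targeting it was found, without filtering by `repo`. Replace it with `// getRepoIssueAllPR returns one entry per branch in affectBranch for the issue's merged pull requests; BrFlag is true when a merged PR targets that branch.` so callers do not assume a repo filter that is gone.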
@@ -966,24 +1030,35 @@ func getRepoIssueAllPR(affectBranch, token, owner, repo string, isTemp models.Is return } logs.Info("issuePr: ", issuePr) - for _, v := range issuePr { - if _, ok := v["id"]; !ok { - continue - } + for _, brh := range affectBranch { pr := models.PullRequestIssue{} - if v["state"].(string) == "merged" && v["mergeable"].(bool) { - if v["base"].(map[string]interface{})["label"].(string) == affectBranch { - if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo { - if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner { - pr.Id = int64(v["id"].(float64)) - pr.Number = isTemp.IssueNum - pr.CveNumber = isTemp.CveNum - pr.Repo = repo - prList = append(prList, pr) - } + pr.Branch = brh + pr.BrFlag = false + for _, v := range issuePr { + if _, ok := v["id"]; !ok { + continue + } + if v["state"].(string) == "merged" && v["mergeable"].(bool) { + if v["base"].(map[string]interface{})["label"].(string) == brh { + //if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo { + // if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner { + // pr.Id = int64(v["id"].(float64)) + // pr.Number = isTemp.IssueNum + // pr.CveNumber = isTemp.CveNum + // pr.Repo = repo + // prList = append(prList, pr) + // } + //} + pr.Id = int64(v["id"].(float64)) + pr.Number = isTemp.IssueNum + pr.CveNumber = isTemp.CveNum + pr.Repo = repo + pr.BrFlag = true + break } } } + prList = append(prList, pr) } } else { resp.Body.Close() 
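Review bot: The repository and namespace checks in getRepoIssueAllPR are now commented out, so any merged PR in the listing whose base label equals the branch sets `BrFlag = true` regardless of which repository it targets, and `repo` only survives as the value copied into `pr.Repo`. Since the URL is built from `owner` and the issue number alone, a merged PR in a sibling repository on a same-named branch appears enough to count the CVE as fixed on that branch; keep at least the `v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo` comparison and delete the commented-out block rather than carry it. The same removal is made in the taskhandler/excel.go and taskhandler/gauss.go hunks. Separately, `v["state"].(string)`, `v["mergeable"].(bool)` and the chained `["label"].(string)` are unchecked assertions on a remote response, so a missing or null field panics this handler; the two-value form (`label, _ := base["label"].(string)`) would make a malformed record fall through to `BrFlag = false` instead.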
@@ -1204,6 +1279,13 @@ func openEulerScoreReview(issueTmp *models.IssueTemplate, cuAccount, owner, toke func gaussMaintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed, path string, cveCenter models.VulnCenter) { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, cveCenter.OrganizationID) + if len(unFixList) > 0 { + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, cuAccount, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token) + return + } if _, tb, ok := checkGaussIssueClosedAnalysisComplete(issueTmp); !ok { //send comment to issue na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" @@ -1257,6 +1339,13 @@ func gaussMaintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, to func sporeMaintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed, path string, cveCenter models.VulnCenter) { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, cveCenter.OrganizationID) + if len(unFixList) > 0 { + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, cuAccount, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, token) + return + } if _, tb, ok := checkSporeIssueClosedAnalysisComplete(issueTmp); !ok { //send comment to issue na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" 
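Review bot: The seven-line "branch information incomplete" preamble added to gaussMaintainerApprove is repeated verbatim in sporeMaintainerApprove in this file section and again in the maintainerApprove and securityApprove hunks below, differing only in the repo argument and how the organization id is obtained; a small helper keeps the reminder text and the gate in one place. The helper below returns true when it posted the reminder so each approve function becomes a one-line guard, `if remindIncompleteBranches(issueTmp, cuAccount, owner, path, token, cveCenter.OrganizationID) { return }`. The enclosing functions continue past the hunks.

```go
// remindIncompleteBranches comments on the issue when a configured branch of
// organizationID is not marked 受影响/不受影响 in issueTmp.AffectedVersion.
// It returns true when such a comment was posted and the caller should stop.
func remindIncompleteBranches(issueTmp *models.IssueTemplate, cuAccount, owner, repo, token string, organizationID int8) bool {
	unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, organizationID)
	if len(unFixList) == 0 {
		return false
	}
	na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**"
	cc := fmt.Sprintf(CommentCheckVersion, cuAccount, strings.Join(unFixList, ",")) + na
	taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, repo, token)
	return true
}

// in gaussMaintainerApprove (sporeMaintainerApprove is identical):
if remindIncompleteBranches(issueTmp, cuAccount, owner, path, token, cveCenter.OrganizationID) {
	return
}
// … unchanged: checkGaussIssueClosedAnalysisComplete and the rest of the body …
```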
@@ -1305,7 +1394,14 @@ func sporeMaintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, to } } -func maintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed string) { +func maintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed string, organizationID int8) { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, organizationID) + if len(unFixList) > 0 { + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, cuAccount, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + return + } if _, tb, ok := checkIssueClosedAnalysisComplete(issueTmp); !ok { //send comment to issue na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" @@ -1359,7 +1455,14 @@ func maintainerApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, } } -func securityApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed string) { +func securityApprove(issueTmp *models.IssueTemplate, cuAccount, owner, token, fixed, unfixed string, organizationID int8) { + unFixList := taskhandler.CheckAffectVerComplete(issueTmp.AffectedVersion, organizationID) + if len(unFixList) > 0 { + na := "\n**请确认分支信息是否填写完整,否则将无法关闭当前issue.**" + cc := fmt.Sprintf(CommentCheckVersion, cuAccount, strings.Join(unFixList, ",")) + na + taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, issueTmp.Repo, token) + return + } if _, tb, ok := checkIssueClosedAnalysisComplete(issueTmp); !ok { //send comment to issue na := "\n**请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.**" 
@@ -1543,11 +1646,11 @@ func handleIssueComment(payload models.CommentPayload) { } if mtAuditFlag { comLock.Lock() - maintainerApprove(&issueTmp, cuAccount, owner, accessToken, fixed, unfixed) + maintainerApprove(&issueTmp, cuAccount, owner, accessToken, fixed, unfixed, vc.OrganizationID) comLock.Unlock() } else { comLock.Lock() - securityApprove(&issueTmp, cuAccount, owner, accessToken, fixed, unfixed) + securityApprove(&issueTmp, cuAccount, owner, accessToken, fixed, unfixed, vc.OrganizationID) comLock.Unlock() } } @@ -2731,7 +2834,7 @@ func AddGitIssue(issueHook *models.IssuePayload, desc, product string) error { if checkRes { logs.Error("Cve has created an issue, please process the previous issue first, ", item.CveNumber, repoPath, ", organizationID: ", organizationID) - taskhandler.AddCommentToIssue(fmt.Sprintf(HasCreateIssue, issueHook.Assignee.Login, item.CveNumber), + taskhandler.AddCommentToIssue(fmt.Sprintf(HasCreateIssue, issueHook.Assignee.UserName, item.CveNumber), issueNumber, owner, repoPath, accessToken) return errors.New("Ignore the current issue") } @@ -2854,7 +2957,7 @@ func gitAddIssueProc(issueHook *models.IssuePayload) error { logs.Error("Failed to synchronize issue data of cve, err: ", createErr) } comErr := AddIssueComment(token, owner, path, issueHook.Issue.Number, - issueHook.Issue.User.Login, issueHook.Issue.Id) + issueHook.Issue.User.UserName, issueHook.Issue.Id) logs.Info("CreateIssueToGit, Issue comment creation result, err: ", comErr) return createErr } diff --git a/cve-vulner-manager/cve-py/tabletask/supplement_cve.py b/cve-vulner-manager/cve-py/tabletask/supplement_cve.py index 0f341641df61bb1ea3be466618f324f18012c3d9..1a83db1d360b4bb1c10e58dd980937be50fcaac0 100644 --- a/cve-vulner-manager/cve-py/tabletask/supplement_cve.py +++ b/cve-vulner-manager/cve-py/tabletask/supplement_cve.py 
@@ -19,72 +19,55 @@ import time import datetime -def query_cve_all_data(mysql): +def query_cve_all_data(mysql, days): """ Find cve with missing necessary fields """ before_date = (datetime.date.today() - - datetime.timedelta(days=10)).strftime("%Y-%m-%d %H:%M:%S") + datetime.timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S") score_sql = "select cve_id,cve_num from cve_score " \ - "where nvd_score = 0 and create_time >= %s order by create_time desc" + "where nvd_score = 0 and update_time >= %s order by update_time desc" val = (before_date,) cve_list = [] + cve_id_list = [] score_result = mysql.getMany(score_sql, val) if score_result and len(score_result) > 0: for sc in score_result: - center_sql = "select cve_num, pack_name, cve_version," \ - "cve_desc,repair_time,cve_status,cve_id from " \ - "cve_vuln_center where cve_id = %s and " \ - "cve_num = %s order by cve_id desc" - center_val = (sc["cve_id"], sc["cve_num"]) - center_result = mysql.getOne(center_sql, center_val) - if center_result: - cve_list.append(center_result) - cve_desc_sql = "select cve_num, pack_name, cve_version," \ - "cve_desc,repair_time,cve_status,cve_id from " \ + if sc and sc not in cve_id_list: + cve_id_list.append(sc) + + cve_desc_sql = "select cve_id,cve_num " \ "cve_vuln_center where (cve_desc = %s or " \ - "repair_time = %s) and create_time >= %s " \ + "repair_time = %s) and update_time >= %s " \ "order by cve_id desc" center_val = ("", "", before_date) center_result = mysql.getMany(cve_desc_sql, center_val) if center_result and len(center_result) > 0: for ce in center_result: - cve_list.append(ce) - return cve_list + if ce and ce not in cve_id_list: + cve_id_list.append(ce) + cve_template_sql = "select cve_id,cve_num from " \ + "cve_issue_template where (nvd_score = %s or " \ + "nvd_vector = %s or cve_brief = %s) and update_time >= %s " \ + "order by cve_id desc" + template_val = (0, "", "", before_date) + template_result = mysql.getMany(cve_template_sql, template_val) + if 
template_result and len(template_result) > 0: + for ct in template_result: + if ct and ct not in cve_id_list: + cve_id_list.append(ct) -def query_cve_data(mysql): - """ - Find cve with missing necessary fields - """ - before_date = (datetime.date.today() - - datetime.timedelta(days=300)).strftime("%Y-%m-%d %H:%M:%S") - score_sql = "select cve_id,cve_num from cve_score " \ - "where nvd_score = 0 and create_time >= %s " \ - "order by create_time desc" - val = (before_date,) - cve_list = [] - score_result = mysql.getMany(score_sql, val) - if score_result and len(score_result) > 0: - for sc in score_result: + if cve_id_list and len(cve_id_list) > 0: + for ci in cve_id_list: center_sql = "select cve_num, pack_name, cve_version," \ "cve_desc,repair_time,cve_status,cve_id from " \ "cve_vuln_center where cve_id = %s and " \ "cve_num = %s order by cve_id desc" - center_val = (sc["cve_id"], sc["cve_num"]) + center_val = (ci["cve_id"], ci["cve_num"]) center_result = mysql.getOne(center_sql, center_val) if center_result: cve_list.append(center_result) - cve_desc_sql = "select cve_num, pack_name, cve_version," \ - "cve_desc,repair_time,cve_status,cve_id from " \ - "cve_vuln_center where (cve_desc = %s or " \ - "repair_time = %s) and create_time >= %s " \ - "order by cve_id desc" - center_val = ("", "", before_date) - center_result = mysql.getMany(cve_desc_sql, center_val) - if center_result and len(center_result) > 0: - for ce in center_result: - cve_list.append(ce) return cve_list 
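Review bot: `cve_desc_sql` in query_cve_all_data lost its `from` keyword: the adjacent literals now yield `select cve_id,cve_num cve_vuln_center where (cve_desc = %s ...`, which MySQL rejects, so the cve_vuln_center pass fails at runtime (or is silently dropped if `getMany` swallows the error); it should read `cve_desc_sql = "select cve_id,cve_num from " \` followed by `"cve_vuln_center where (cve_desc = %s or " \`. The `sc not in cve_id_list` / `ce not in cve_id_list` / `ct not in cve_id_list` dedup compares dicts linearly on every append; a `set` of `(row["cve_id"], row["cve_num"])` keys keeps the merge linear. `if score_result and len(score_result) > 0:` and its siblings are just `if score_result:`. The `days` parameter deserves a line in the docstring since it now controls the lookback window for all three queries.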
@@ -187,14 +170,16 @@ def update_cve_vuln(url, cve, mysql): else: repair_times = listx[3] sql = "update cve_vuln_center set repair_time = %s,update_time=%s," \ - "cve_status=%s where cve_id=%s and cve_status=%s" - val = (repair_times, update_time, cve_statux, cve_id, cve_status) - mysql.insertOne(sql, val) + "cve_status=%s where cve_id=%s" + val = (repair_times, update_time, cve_statux, cve_id) + mysql.update(sql, val) + mysql.dispose() if listx[2] is not None and len(listx[2]) > 2 and cve_desc == "": sql = "update cve_vuln_center set cve_desc = %s,update_time=%s," \ - "cve_status=%s where cve_id=%s and cve_status=%s" - val = (listx[2], update_time, cve_statux, cve_id, cve_status) - mysql.insertOne(sql, val) + "cve_status=%s where cve_id=%s" + val = (listx[2], update_time, cve_statux, cve_id) + mysql.update(sql, val) + mysql.dispose() if listx[0] is not None and float(listx[0]) > 0: if listx[16] == "v3.0": score_type = "v3" 
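Review bot: Dropping `and cve_status=%s` from both `update cve_vuln_center` statements in update_cve_vuln removes the guard that the row's status is still the one read earlier, so a status changed by another task between the select and this update is now overwritten with `cve_statux` without notice; if that predicate was intentional optimistic locking, keep `"cve_status=%s where cve_id=%s and cve_status=%s"` and only change `insertOne` to `update`. If it was dropped deliberately because the earlier read was stale, a one-line comment saying so will stop the next reader from restoring it. update_cve_vuln starts and ends outside the hunk.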
@@ -217,6 +202,37 @@ def update_cve_vuln(url, cve, mysql): listx[10], listx[11], listx[12], listx[13], listx[14], listx[15], update_time, score_type, nvd_result["id"]) mysql.update(sql, val) + mysql.dispose() + cve_template_sql = "select template_id,nvd_score,nvd_vector,cve_brief from " \ + "cve_issue_template where (nvd_score = %s or " \ + "nvd_vector = %s or cve_brief = %s) and cve_id = %s and cve_num = %s" + template_val = (0, "", "", cve_id, cve_num) + template_result = mysql.getOne(cve_template_sql, template_val) + if template_result and len(template_result) > 0: + flag = False + if template_result["nvd_score"] == 0 and listx[0] and float(listx[0]) > 0: + temp_update_sql = "update cve_issue_template set nvd_score = %s,update_time=%s where template_id = %s" + val = (listx[0], update_time, template_result["template_id"]) + mysql.update(temp_update_sql, val) + mysql.dispose() + flag = True + if (not template_result["nvd_vector"] or len(template_result["nvd_vector"]) < 2) and (listx[4] and len(listx[4]) > 2): + temp_update_sql = "update cve_issue_template set nvd_vector = %s,update_time=%s where template_id = %s" + val = (listx[4], update_time, template_result["template_id"]) + mysql.update(temp_update_sql, val) + mysql.dispose() + flag = True + if (not template_result["cve_brief"] or len(template_result["cve_brief"]) < 2) and (listx[2] and len(listx[2]) > 2): + temp_update_sql = "update cve_issue_template set cve_brief = %s,update_time=%s where template_id = %s" + val = (listx[2], update_time, template_result["template_id"]) + mysql.update(temp_update_sql, val) + mysql.dispose() + flag = True + if flag: + sql = "update cve_vuln_center set update_time=%s," \ + "cve_status=%s where cve_id=%s" + val = (update_time, cve_statux, cve_id) + mysql.update(sql, val) mysql.dispose() except IndexError as e: print("Subscript out of bounds", e) 
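Review bot: The three new `cve_issue_template` updates in update_cve_vuln are the same nine lines with a different column, value and emptiness test each, which is easy to get subtly wrong when a fourth field is added; a tuple of (statement, value, needed) driven through one loop keeps each SQL string literal intact and the `flag` bookkeeping in one place. The final `if flag:` touch of cve_vuln_center stays as written. The hunk sits inside the `try` of update_cve_vuln, whose boundaries are outside this view.

```python
# … unchanged: nvd score update and its mysql.dispose() …
template_updates = (
    ("update cve_issue_template set nvd_score = %s,update_time=%s where template_id = %s",
     listx[0], template_result["nvd_score"] == 0 and listx[0] and float(listx[0]) > 0),
    ("update cve_issue_template set nvd_vector = %s,update_time=%s where template_id = %s",
     listx[4], (not template_result["nvd_vector"] or len(template_result["nvd_vector"]) < 2)
     and (listx[4] and len(listx[4]) > 2)),
    ("update cve_issue_template set cve_brief = %s,update_time=%s where template_id = %s",
     listx[2], (not template_result["cve_brief"] or len(template_result["cve_brief"]) < 2)
     and (listx[2] and len(listx[2]) > 2)),
)
flag = False
for temp_update_sql, new_value, missing in template_updates:
    if not missing:
        continue
    mysql.update(temp_update_sql, (new_value, update_time, template_result["template_id"]))
    mysql.dispose()
    flag = True
# … unchanged: `if flag:` update of cve_vuln_center …
```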
@@ -231,7 +247,7 @@ def supplement_cve(): return None """ mysql = Mysql() - cve_list = query_cve_data(mysql) + cve_list = query_cve_all_data(mysql, 3) if cve_list is not None and len(cve_list) > 0: for cve in cve_list: print(cve) @@ -262,7 +278,7 @@ def long_supplement_cve(): return None """ mysql = Mysql() - cve_list = query_cve_all_data(mysql) + cve_list = query_cve_all_data(mysql, 15) if cve_list is not None and len(cve_list) > 0: for cve in cve_list: print(cve) diff --git a/cve-vulner-manager/models/hookevent.go b/cve-vulner-manager/models/hookevent.go index 9a0982ed91755f3c9903079a25ce208144de4a01..318cc98324cba8c7726977531d8646b8530b0e32 100644 --- a/cve-vulner-manager/models/hookevent.go +++ b/cve-vulner-manager/models/hookevent.go @@ -48,14 +48,14 @@ type IssueLabel struct { //HookRepository gitee repository model type HookRepository struct { - Id int64 - FullName string `json:"full_name"` - Url string `json:"url"` - Path string `json:"path"` - Name string - Owner HookUser - Private bool - public bool + Id int64 + FullName string `json:"full_name"` + Url string `json:"url"` + Path string `json:"path"` + Name string + Owner HookUser + Private bool + public bool } //HookIssueRepository gitee repository model @@ -175,6 +175,8 @@ type PullRequestIssue struct { Number string Repo string CveNumber string + Branch string + BrFlag bool } //GetLabelsStr labels slice to string diff --git a/cve-vulner-manager/models/issue.go b/cve-vulner-manager/models/issue.go index 8560234c5e2eee3dd4c7a5b11be3f6a6e8a068d6..9251a64019a41553f10b5d7eb6839a949021bcea 100644 --- a/cve-vulner-manager/models/issue.go +++ b/cve-vulner-manager/models/issue.go 
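Review bot: The two fields added to PullRequestIssue in models/hookevent.go carry no doc comments, and `BrFlag` is opaque on its own; from getRepoIssueAllPR it is set true only when a merged PR targeting `Branch` was found. Add `// Branch is the base branch this entry was checked for.` and `// BrFlag is true when a merged pull request targeting Branch was found.` above the fields, or rename the second to something like `Merged` while it has only one user.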
@@ -589,9 +589,9 @@ func QueryIssueTemplateByLink(beforeTime string, prcnum int, o := orm.NewOrm() var it []IssueTemplate num, err := o.Raw("select *"+ - " from cve_issue_template where create_time >= ? and status = ? "+ + " from cve_issue_template where sec_link = '' and status = ? "+ "and template_id > ? "+ - "order by template_id asc limit ?", beforeTime, status, templateId, prcnum).QueryRows(&it) + "order by template_id asc limit ?", status, templateId, prcnum).QueryRows(&it) if err == nil && num > 0 { return it, nil } diff --git a/cve-vulner-manager/taskhandler/excel.go b/cve-vulner-manager/taskhandler/excel.go index 6900379b8e5c639f498c7bd15b576aeff2619f91..90db3b5b6f2daf66533cd01409073f8e33b68774 100644 --- a/cve-vulner-manager/taskhandler/excel.go +++ b/cve-vulner-manager/taskhandler/excel.go @@ -1308,15 +1308,22 @@ func getRepoIssueAllPR(affectBranch, token, owner, repo string, startTime, } if pt >= startTime && pt <= releaseTime { if v["base"].(map[string]interface{})["label"].(string) == affectBranch { - if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo { - if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner { - pr.Id = int64(v["id"].(float64)) - pr.Number = isTemp.IssueNum - pr.CveNumber = isTemp.CveNum - pr.Repo = repo - prList = append(prList, pr) - } - } + //if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo { + // if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner { + // pr.Id = int64(v["id"].(float64)) + // pr.Number = isTemp.IssueNum + // pr.CveNumber = isTemp.CveNum + // pr.Repo = repo + // prList = append(prList, pr) + // } + //} + pr.Id = int64(v["id"].(float64)) + pr.Number = isTemp.IssueNum + pr.CveNumber = isTemp.CveNum + pr.Repo = repo + pr.BrFlag = true + pr.Branch = affectBranch + prList = append(prList, pr) } } } 
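Review bot: After this hunk `beforeTime` is no longer referenced in QueryIssueTemplateByLink (the `create_time >= ?` predicate and its bound argument are gone) but it remains in the signature, so every caller still computes and passes a value that does nothing; either drop the parameter or keep the time bound next to `sec_link = ''`. The query now considers every template with an empty sec_link regardless of age, bounded only by `template_id > ?` and `limit ?`, which is fine if the caller pages by template_id and worth a comment if it does not. The function's body continues past the hunk.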
diff --git a/cve-vulner-manager/taskhandler/gauss.go b/cve-vulner-manager/taskhandler/gauss.go index fd2653513e8b26f786a892dda3ee26ed2f7c65c9..8a90fe7b3430df901b1b8aa263be107fa90572c8 100644 --- a/cve-vulner-manager/taskhandler/gauss.go +++ b/cve-vulner-manager/taskhandler/gauss.go @@ -742,9 +742,6 @@ func GuassGetDateByGite(pkgList []models.GaussExcelTag, c chan<- []IssueAndPkg, token := beego.AppConfig.String("opengauss::git_gauss_token") owner := beego.AppConfig.String("opengauss::gauss_owner") gaussIssuePath := beego.AppConfig.String("opengauss::gauss_issue_path") - prRepo := beego.AppConfig.String("opengauss::pr_repo") - prRepoSlice := strings.Split(prRepo, ",") - prRepoSlice = append(prRepoSlice, gaussIssuePath) st := util.TimeStrToInt(startTime, "2006-01-02") chData := make([]IssueAndPkg, 0) for _, v := range pkgList { @@ -758,12 +755,7 @@ func GuassGetDateByGite(pkgList []models.GaussExcelTag, c chan<- []IssueAndPkg, for _, isTemp := range issueTemp { //logs.Info("isTemp===>", isTemp) var prList []models.PullRequestIssue - for _, rPath := range prRepoSlice { - prList = getGaussRepoIssueAllPR(affectBranch, token, owner, rPath, st, rt, isTemp) - if len(prList) > 0 { - break - } - } + prList = getGaussRepoIssueAllPR(affectBranch, token, owner, gaussIssuePath, st, rt, isTemp) //prList := getGaussRepoIssueAllPR(affectBranch, token, owner, gaussIssuePath, st, rt, isTemp) //get pull request related issue repoIssue := make(map[int64]models.PullRequestIssue, 0) 
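Review bot: In GuassGetDateByGite the `strings.Split(prRepo, ",")` call is removed; if it was the only use of `strings` in taskhandler/gauss.go the now-unused import will fail to compile, so check the file's import block (not visible here). The retained `var prList []models.PullRequestIssue` followed by `prList = getGaussRepoIssueAllPR(...)` can be the single line `prList := getGaussRepoIssueAllPR(affectBranch, token, owner, gaussIssuePath, st, rt, isTemp)`, and the identical `//prList := getGaussRepoIssueAllPR(...)` comment on the next line duplicates it and should go. GuassGetDateByGite starts and ends outside the hunks.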
@@ -834,25 +826,14 @@ func getGaussRepoIssueAllPR(affectBranch, token, owner, repo string, startTime,
 }
 if pt >= startTime && pt <= releaseTime {
 if v["base"].(map[string]interface{})["label"].(string) == affectBranch {
- if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo {
- if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner {
- pr.Id = int64(v["id"].(float64))
- pr.Number = isTemp.IssueNum
- pr.CveNumber = isTemp.CveNum
- pr.Repo = repo
- prList = append(prList, pr)
- }
- }
+ pr.Id = int64(v["id"].(float64))
+ pr.Number = isTemp.IssueNum
+ pr.CveNumber = isTemp.CveNum
+ pr.Repo = repo
+ pr.Branch = affectBranch
+ pr.BrFlag = true
+ prList = append(prList, pr)
 }
- //if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["path"] == repo {
- // if v["base"].(map[string]interface{})["repo"].(map[string]interface{})["namespace"].(map[string]interface{})["path"] == owner {
- // pr.Id = int64(v["id"].(float64))
- // pr.Number = isTemp.IssueNum
- // pr.CveNumber = isTemp.CveNum
- // pr.Repo = repo
- // prList = append(prList, pr)
- // }
- //}
 }
 }
 }
diff --git a/cve-vulner-manager/taskhandler/hook.go b/cve-vulner-manager/taskhandler/hook.go
index 1b0eb7d94dcb61455697eefb4b4e4c7c2b8f339c..f88dc72e13d825a97cff9eec64486601a3a6753d 100644
--- a/cve-vulner-manager/taskhandler/hook.go
+++ b/cve-vulner-manager/taskhandler/hook.go
@@ -1,6 +1,7 @@
 package taskhandler
 import (
+ "cvevulner/common"
 "cvevulner/models"
 "cvevulner/util"
 "encoding/json"
@@ -10,6 +11,7 @@ import (
 "github.com/astaxie/beego/logs"
 "io/ioutil"
 "net/http"
+ "strings"
 "sync"
 )
@@ -224,3 +226,56 @@ func CreateHookEvent(hookurl, owner, accessToken, pwd, gaussOwner, gitGaussToken
 }
 return nil
 }
+
+func CheckAffectVerComplete(affectedVersion string, organizateId int8) []string {
+ affectBranchsxList := make([]string, 0)
+ affectProductList := make([]string, 0)
+ unFixValue := make([]string, 0)
+ affectedBranchs := ""
+ if organizateId == 1 {
+ affectedBranchs = beego.AppConfig.String("cve::affected_branchs")
+ } else if organizateId == 2 {
+ affectedBranchs = beego.AppConfig.String("opengauss::gauss_version")
+ } else if organizateId == 3 {
+ affectedBranchs = beego.AppConfig.String("mindspore::mindspore_version")
+ }
+ if affectedBranchs != "" && len(affectedBranchs) > 0 {
+ affectBranchsxList = strings.Split(affectedBranchs, ",")
+ }
+ if affectedVersion != "" && len(affectedVersion) > 1 {
+ affectProductList = strings.Split(affectedVersion, ",")
+ }
+ if len(affectBranchsxList) > 0 {
+ if len(affectProductList) == 0 {
+ unFixValue = append(unFixValue, affectBranchsxList...)
+ } else {
+ for _, abl := range affectBranchsxList {
+ flag := false
+ for _, apl := range affectProductList {
+ branchSlice := []string{}
+ if strings.Contains(apl, ":") {
+ branchSlice = strings.Split(apl, ":")
+ } else if strings.Contains(apl, ":") {
+ branchSlice = strings.Split(apl, ":")
+ } else {
+ branchSlice = append(branchSlice, apl)
+ }
+ if len(branchSlice) == 2 {
+ affBrand := common.BranchVersionRep(branchSlice[0])
+ if strings.TrimSpace(affBrand) == abl {
+ if len(strings.TrimSpace(branchSlice[1])) > 1 {
+ if (strings.TrimSpace(branchSlice[1]) == "受影响") || (strings.TrimSpace(branchSlice[1]) == "不受影响"){
+ flag = true
+ }
+ }
+ }
+ }
+ }
+ if !flag {
+ unFixValue = append(unFixValue, abl)
+ }
+ }
+ }
+ }
+ return unFixValue
+}
diff --git a/cve-vulner-manager/util/http.go b/cve-vulner-manager/util/http.go
index 9ce22d04eb0e410f4d09d498d0fd35d77aa3b30e..ff6516bbb44749ac93f054e9546cf12a053f54b5 100644
--- a/cve-vulner-manager/util/http.go
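Review bot: In the inner loop of CheckAffectVerComplete the `else if strings.Contains(apl, ":")` branch repeats the condition of the `if` above it byte for byte, so it can never execute; if a full-width colon was meant there, the function still only splits on the ASCII `:`, and that case falls through to the single-element slice that is then ignored. Whatever the intent, the three-way chain reduces to one `strings.SplitN(apl, ":", 2)` and the four nested `if`s to a guard plus a `switch`, as below, with the same results for the inputs the current code accepts. A second point: the config-side `abl` is compared untrimmed while the issue-side value is trimmed, so a space after a comma in the configured branch list marks that branch as permanently unconfirmed and the issue can never be closed; the rewrite trims both sides, which is a deliberate behaviour change. The exported function also lacks a doc comment, e.g. `// CheckAffectVerComplete returns the configured branches for organizateId whose affected/unaffected state is not recorded in affectedVersion.`.
```go
for _, abl := range affectBranchsxList {
	flag := false
	for _, apl := range affectProductList {
		// one split at the first ':' replaces the if / dead else-if / else chain
		branchSlice := strings.SplitN(apl, ":", 2)
		if len(branchSlice) != 2 {
			continue
		}
		if strings.TrimSpace(common.BranchVersionRep(branchSlice[0])) != strings.TrimSpace(abl) {
			continue
		}
		switch strings.TrimSpace(branchSlice[1]) {
		case "受影响", "不受影响":
			flag = true
		}
	}
	// … unchanged: append abl to unFixValue when !flag …
}
```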
+++ b/cve-vulner-manager/util/http.go
@@ -11,7 +11,6 @@ import (
 "net/url"
 "strconv"
 "strings"
- "unsafe"
 )
 //RequestInfo http request information
@@ -289,12 +288,12 @@ func HTTPPut(url string, requestBody string) ([]map[string]interface{}, error) {
 }
 func HTTPPostCom(req map[string]interface{}, url string) {
+ logs.Info("post req_body: ", req)
 bytesData, err := json.Marshal(req)
 if err != nil {
 logs.Error(err.Error())
 return
 }
- fmt.Println(bytesData)
 reader := bytes.NewReader(bytesData)
 request, err := http.NewRequest("POST", url, reader)
 defer request.Body.Close()
@@ -314,7 +313,5 @@ func HTTPPostCom(req map[string]interface{}, url string) {
 logs.Error("url", url, ",req: ", req, ",err: ", err.Error())
 return
 }
- //byte数组直接转成string,优化内存
- str := (*string)(unsafe.Pointer(&respBytes))
- logs.Info("respBytes", *str)
+ logs.Info("respBytes", string(respBytes))
 }
diff --git a/git b/git
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
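Review bot: The new `logs.Info("post req_body: ", req)` writes the complete request map to the Info log on every call, and the rewritten last line of the third hunk does the same for the full response body; HTTPPostCom is a generic helper, so whatever a caller places in `req` ends up in the logs, which is a data-exposure concern if that ever includes tokens or personal data and is noisy at Info level in any case. Prefer logging only what tracing needs (the URL and status) or demoting the body dumps, e.g. `logs.Debug("post req_body: ", req)`. Separately, `defer request.Body.Close()` sits before the `http.NewRequest` error is checked, so a malformed URL dereferences a nil `request`; moving the defer below the `err != nil` check fixes it — that line is context here rather than part of this change. Replacing the `unsafe.Pointer` string view with `string(respBytes)` is the right call.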