From b9c7e51b977f0d7b32a5df4715f8d6e29a6f4af7 Mon Sep 17 00:00:00 2001
From: zhangjianjun
Date: Mon, 21 Feb 2022 16:06:43 +0800
Subject: [PATCH] For cves that are found by both the upstream system and manual work and do not meet the conditions, the manual can create special processing of issues separately
---
 .../cve-py/config_yaml/deployment.yaml | 44 +++++++++++++++++++
 .../cve-py/config_yaml/kustomization.yaml | 17 +++++++
 .../cve-py/config_yaml/namespace.yaml | 6 +++
 .../cve-py/config_yaml/secrets.yaml | 20 +++++++++
 .../cve-py/config_yaml/service.yaml | 14 ++++++
 .../cve-py/controller/timertaskcontroller.py | 2 +-
 cve-vulner-manager/task/issuetask.go | 33 +++++++++-----
 7 files changed, 123 insertions(+), 13 deletions(-)
 create mode 100644 cve-vulner-manager/cve-py/config_yaml/deployment.yaml
 create mode 100644 cve-vulner-manager/cve-py/config_yaml/kustomization.yaml
 create mode 100644 cve-vulner-manager/cve-py/config_yaml/namespace.yaml
 create mode 100644 cve-vulner-manager/cve-py/config_yaml/secrets.yaml
 create mode 100644 cve-vulner-manager/cve-py/config_yaml/service.yaml
diff --git a/cve-vulner-manager/cve-py/config_yaml/deployment.yaml b/cve-vulner-manager/cve-py/config_yaml/deployment.yaml
new file mode 100644
index 0000000..646ce9c
--- /dev/null
+++ b/cve-vulner-manager/cve-py/config_yaml/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: cve-manager-analysis
+ name: cve-manager-analysis
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: cve-manager-analysis
+ template:
+ metadata:
+ labels:
+ app: cve-manager-analysis
+ spec:
+ containers:
+ - env:
+ - name: DB_PWDPY
+ valueFrom:
+ secretKeyRef:
+ name: cve-secrets-py
+ key: db-pwdpy
+ - name: DB_URI
+ valueFrom:
+ secretKeyRef:
+ name: cve-secrets-py
+ key: db-uri
+ - name: CVE_EMAIL_SENDADDR
+ valueFrom:
+ secretKeyRef:
+ name: cve-secrets-py
+ key: cve-email-sendaddr
+ - name: CVE_EMAIL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: cve-secrets-py
+ key: cve-email-password
+ - name: TZ
+ value: Asia/Shanghai
+ image: swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/cve-manager-analysis:1cb6af4c1d428074cb8e54db23adf1efaab75639
+ imagePullPolicy: IfNotPresent
+ name: cve-manager-analysis
diff --git a/cve-vulner-manager/cve-py/config_yaml/kustomization.yaml b/cve-vulner-manager/cve-py/config_yaml/kustomization.yaml
new file mode 100644
index 0000000..9684b1e
--- /dev/null
+++ b/cve-vulner-manager/cve-py/config_yaml/kustomization.yaml
@@ -0,0 +1,17 @@
+resources:
+- namespace.yaml
+- deployment.yaml
+- service.yaml
+- secrets.yaml
+commonLabels:
+ app: cve-manager-analysis
+ owner: zhangjianjun
+commonAnnotations:
+ email: 841670711@qq.com
+ owner: zhangjianjun
+namespace: cve-manager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/cve-manager-analysis
+ newTag: 89281957eaa42c6a7c8cd048b1374dccdf68fd96
diff --git a/cve-vulner-manager/cve-py/config_yaml/namespace.yaml b/cve-vulner-manager/cve-py/config_yaml/namespace.yaml
new file mode 100644
index 0000000..09d5c2b
--- /dev/null
+++ b/cve-vulner-manager/cve-py/config_yaml/namespace.yaml
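Review bot: `apiVersion: extensions/v1beta1` on the first line of deployment.yaml is the pre-1.16 API group for Deployment; clusters from Kubernetes 1.16 onward reject it, so the line should read `apiVersion: apps/v1` (the manifest already has the `selector.matchLabels` that apps/v1 requires). The container receives the database password and mail credentials through its environment yet declares no `securityContext` and no `resources`, so a compromised analysis process runs as whatever user the image defaults to (root unless the Dockerfile says otherwise) with no memory or CPU bound; the sketch below adds a non-root, no-privilege-escalation context (which requires the image to declare a non-root user) and placeholder limits to be sized from observed usage. Note also that the image tag pinned here (1cb6af4c…) is overridden by `newTag` in kustomization.yaml, so the value in this file is never what gets deployed.
```yaml
apiVersion: apps/v1
# … unchanged: metadata, spec.replicas/revisionHistoryLimit/selector, template.metadata …
      containers:
      - env:
        # … unchanged: secretKeyRef entries and TZ …
        image: swr.cn-north-4.myhuaweicloud.com/opensourceway/openeuler/cve-manager-analysis:1cb6af4c1d428074cb8e54db23adf1efaab75639
        imagePullPolicy: IfNotPresent
        name: cve-manager-analysis
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
        resources:
          limits:
            cpu: "500m"       # placeholder, size from observed usage
            memory: "512Mi"   # placeholder, size from observed usage
```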
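Review bot: `namespace: cve-manager` in kustomization.yaml does not match the namespace the bundle itself creates: namespace.yaml creates `cve-manager-analysis` and service.yaml sets `namespace: cve-manager-analysis`, but kustomize's namespace field rewrites `metadata.namespace` on every namespaced resource, so the Deployment, Service and SecretDefinition land in `cve-manager` while the freshly created `cve-manager-analysis` namespace stays empty. Either change the line to `namespace: cve-manager-analysis` or drop namespace.yaml from `resources` and remove the `namespace:` line from service.yaml, so that one namespace is stated in one place. `commonLabels` also injects `owner: zhangjianjun` into the Deployment's selector, which is immutable after the first apply, so a later change of owner would force deleting and recreating the Deployment; keeping ownership metadata under `commonAnnotations` only avoids that.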
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ name: cve-manager-analysis
+ name: cve-manager-analysis
diff --git a/cve-vulner-manager/cve-py/config_yaml/secrets.yaml b/cve-vulner-manager/cve-py/config_yaml/secrets.yaml
new file mode 100644
index 0000000..eb2c021
--- /dev/null
+++ b/cve-vulner-manager/cve-py/config_yaml/secrets.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: secrets-manager.tuenti.io/v1alpha1
+kind: SecretDefinition
+metadata:
+ name: cve-secrets-py
+spec:
+ name: cve-secrets-py
+ keysMap:
+ db-pwdpy:
+ path: secrets/data/openeuler/cve-manager
+ key: db-pwdpy
+ db-uri:
+ path: secrets/data/openeuler/cve-manager
+ key: db-uri
+ cve-email-sendaddr:
+ path: secrets/data/openeuler/cve-manager
+ key: cve-email-sendaddr
+ cve-email-password:
+ path: secrets/data/openeuler/cve-manager
+ key: cve-email-password
diff --git a/cve-vulner-manager/cve-py/config_yaml/service.yaml b/cve-vulner-manager/cve-py/config_yaml/service.yaml
new file mode 100644
index 0000000..5d38198
--- /dev/null
+++ b/cve-vulner-manager/cve-py/config_yaml/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cve-manager-analysis-service
+ namespace: cve-manager-analysis
+spec:
+ ports:
+ - name: cve-manager-analysis
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: cve-manager-analysis
+ type: ClusterIP
diff --git a/cve-vulner-manager/cve-py/controller/timertaskcontroller.py b/cve-vulner-manager/cve-py/controller/timertaskcontroller.py
index bf23945..429e6e2 100644
--- a/cve-vulner-manager/cve-py/controller/timertaskcontroller.py
+++ b/cve-vulner-manager/cve-py/controller/timertaskcontroller.py
@@ -44,7 +44,7 @@ def timertask():
 # Parse the issue statistics recipient list
 # scheduler.add_job(taskcontroller.issue_statistics_email_task, 'cron', day_of_week='0-6', hour=5, minute=30)
 # Complete the template information of the issue with the data on the CVE official website
- scheduler.add_job(taskcontroller.supplement_cve_task, 'interval', minutes=27)
+ scheduler.add_job(taskcontroller.supplement_cve_task, 'interval', minutes=33)
 scheduler.add_job(taskcontroller.long_supplement_cve_task, 'cron', day_of_week='0-6', hour=1, minute=30)
 # Parse opengauss yaml file
 scheduler.add_job(taskcontroller.parse_opengauss_yaml_task, 'cron', day_of_week='0-6', hour=2, minute=30)
diff --git a/cve-vulner-manager/task/issuetask.go b/cve-vulner-manager/task/issuetask.go
index cb5fd51..609acf8 100644
--- a/cve-vulner-manager/task/issuetask.go
+++ b/cve-vulner-manager/task/issuetask.go
@@ -223,6 +223,13 @@ func addUnlimitedIssue(beforeTime string, prcnum, years, toolYears, manYears, fl
 continue
 }
 }
+ var it models.IssueTemplate
+ it.CveId = issueValue.CveId
+ it.CveNum = issueValue.CveNum
+ templateErr := models.GetIssueTemplateByColName(&it, "CveId", "CveNum")
+ if templateErr != nil {
+ logs.Warn("addUnlimitedIssue, templateErr:", templateErr, ", CveNum: ", issueValue.CveNum)
+ }
 // Import cve as data after 2018
 cveNumList := strings.Split(issueValue.CveNum, "-")
 if cveNumList != nil && len(cveNumList) > 1 {
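Review bot: The interval change from 27 to 33 minutes on the `supplement_cve_task` line is not mentioned in the commit subject and nothing in the hunk records why, so a later reader cannot tell whether it is load tuning or an attempt to keep the run from coinciding with another job. Add a one-line why-comment above the call, e.g. `# 33 min: <reason for moving off the 27 min cadence>`, with the placeholder replaced by the actual reason. timertask() continues outside the hunk.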
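Review bot: The template lookup moved up here now feeds the year check in the next hunk, but a non-nil `templateErr` is only logged and `it` is left zero-valued, so a database error (as opposed to "no matching row" — whether the models layer distinguishes the two is not visible here) becomes indistinguishable from "no issue filed yet" and sends an old CVE down the status-4 path even when it already has a Gitee issue. At minimum the contract should be written down, e.g. `// A lookup failure leaves it zero-valued; the year check below then treats the CVE as having no issue.`, and if `GetIssueTemplateByColName` reports not-found separately from other errors, the other errors should `continue` so the row is retried on the next run instead of being re-classified. addUnlimitedIssue starts before and ends after this hunk.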
@@ -234,21 +241,23 @@ func addUnlimitedIssue(beforeTime string, prcnum, years, toolYears, manYears, fl
 years = manYears
 }
 if cveYears <= years {
- models.UpdateIssueStatus(issueValue, 4)
- logs.Info("addUnlimitedIssue, cve: ", issueValue.CveNum, ",Need to be greater than: ",
- years, ",Otherwise, there is no need to submit an issue on git, cveData: ", issueValue)
- ErrorCveStatistics("CVE年限受限", issueValue, 2)
- continue
+ yearFlag := false
+ if it.TemplateId > 0 && len(it.IssueNum) > 0 {
+ issueErr, issueBody := taskhandler.GetGiteeIssue(accessToken, owner, issueValue.PackName, it.IssueNum)
+ if issueErr == nil && len(issueBody) > 0 {
+ yearFlag = true
+ }
+ }
+ if !yearFlag {
+ models.UpdateIssueStatus(issueValue, 4)
+ logs.Info("addUnlimitedIssue, cve: ", issueValue.CveNum, ",Need to be greater than: ",
+ years, ",Otherwise, there is no need to submit an issue on git, cveData: ", issueValue)
+ ErrorCveStatistics("CVE年限受限", issueValue, 2)
+ continue
+ }
 }
 }
 }
- var it models.IssueTemplate
- it.CveId = issueValue.CveId
- it.CveNum = issueValue.CveNum
- templateErr := models.GetIssueTemplateByColName(&it, "CveId", "CveNum")
- if templateErr != nil {
- logs.Warn("addUnlimitedIssue, templateErr:", templateErr, ", CveNum: ", issueValue.CveNum)
- }
 // Process each piece of cve data
 if issueValue.Status == 0 || len(it.IssueNum) < 2 {
 issueValue.Status = 2
-- Gitee
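Review bot: `issueErr` from `taskhandler.GetGiteeIssue` in the new `if it.TemplateId > 0` branch is dropped without being logged, so a transient failure (expired `accessToken`, rate limit, network error) is handled exactly like "issue does not exist": `UpdateIssueStatus(issueValue, 4)` persists the year-limited verdict, `ErrorCveStatistics` counts it, and nothing in the log says the Gitee call failed. At least record it, `if issueErr != nil { logs.Warn("addUnlimitedIssue, GetGiteeIssue err: ", issueErr, ", CveNum: ", issueValue.CveNum) }`, and preferably `continue` on error before the `if !yearFlag` block so the record is re-evaluated on the next run rather than re-classified; whether GetGiteeIssue distinguishes not-found from other failures is not visible here. Two smaller points: `yearFlag` reads better as `hasIssue`, and the existence test here uses `len(it.IssueNum) > 0` while the branch below the hunk uses `len(it.IssueNum) < 2`, so a one-character IssueNum counts as present here and absent there — pick one threshold. addUnlimitedIssue continues outside the hunk on both sides.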