diff --git a/cve-vulner-manager/Dockerfile b/cve-vulner-manager/Dockerfile
index c7614074f920238f186588dc011c1df77bc0b489..ba1d7bcd3ed6f3e63e1119b79ba585cf06aa49ba 100644
--- a/cve-vulner-manager/Dockerfile
+++ b/cve-vulner-manager/Dockerfile
@@ -15,7 +15,6 @@ RUN dnf -y update && \
useradd -u 1000 -g manager -s /bin/bash -m manager
COPY --chown=manager ./conf/product_app.conf /opt/app/conf/app.conf
-COPY --chown=manager ./sh/epoch.sh /opt/app/epoch.sh
COPY --chown=manager --from=BUILDER /go/src/gitee.com/openeuler/cve-manager/cve-manager /opt/app/cve-manager
USER manager
diff --git a/cve-vulner-manager/common/analysis.go b/cve-vulner-manager/common/analysis.go
index 07ba5cccc562ccaab75d1705e0de7ce07d893841..d2bb73e35ecf49f401b254f753ca9087b8e29b50 100644
--- a/cve-vulner-manager/common/analysis.go
+++ b/cve-vulner-manager/common/analysis.go
@@ -17,7 +17,7 @@ const (
TypeAffected = "Affected"
TypeUnaffected = "Unaffected"
- TypeUnderInvestigation = "UnderInvestigation"
+ TypeUnderInvestigation = "Under Investigation"
)
var AnalysisUnaffected = map[string]struct{}{
diff --git a/cve-vulner-manager/conf/product_app.conf b/cve-vulner-manager/conf/product_app.conf
index c446f9afece8a9fe782c4f987d7677bd1413b972..f5e401ef409774e5fc31f52d28ff6080df423fbb 100644
--- a/cve-vulner-manager/conf/product_app.conf
+++ b/cve-vulner-manager/conf/product_app.conf
@@ -285,6 +285,9 @@ api_token = "${MAJUN_API_TOKEN||xxx}"
app_id = "${MAJUN_APP_ID||xxx}"
secret_key = "${MAJUN_SECRET_KEY||xxx}"
+[testResult]
+host = https://dailybuild.openeuler.openatom.cn
+
[metrics]
AVN = 0.85
AVA = 0.62
diff --git a/cve-vulner-manager/controllers/hook.go b/cve-vulner-manager/controllers/hook.go
index 8ed47936e5bafed9d4376ec4b5e2f9e3fe79f586..3113497082cc19e526c9ea6cd943405fda353300 100644
--- a/cve-vulner-manager/controllers/hook.go
+++ b/cve-vulner-manager/controllers/hook.go
@@ -1959,6 +1959,8 @@ func notifyAuditorReview(payload *models.CommentPayload, issueTmp models.IssueTe
}
msg := fmt.Sprintf(CommentReviewTpl, strings.Join(ns, ","))
taskhandler.AddCommentToIssue(msg, issueTmp.IssueNum, owner, path, accessToken)
+ msg = fmt.Sprintf("@%s ,请给出NVD评分和openEuler评分不一致的理由", payload.Comment.User.Login)
+ taskhandler.AddCommentToIssue(msg, issueTmp.IssueNum, owner, path, accessToken)
}
func changeOpenEulerScoreStatus(cveID int64, status int8) error {
diff --git a/cve-vulner-manager/cve-ddd/app/bulletin.go b/cve-vulner-manager/cve-ddd/app/bulletin.go
index 569224feeaf3009bca66eda5030f126b08936994..0c5b514526d2a53b024db52ddee32fb24d208a5f 100644
--- a/cve-vulner-manager/cve-ddd/app/bulletin.go
+++ b/cve-vulner-manager/cve-ddd/app/bulletin.go
@@ -20,6 +20,7 @@ import (
"cvevulner/cve-ddd/domain/majun"
"cvevulner/cve-ddd/domain/obs"
"cvevulner/cve-ddd/domain/repository"
+ "cvevulner/cve-ddd/domain/service"
"cvevulner/cve-ddd/domain/testresult"
"cvevulner/cve-ddd/domain/updateinfo"
)
@@ -29,6 +30,8 @@ const (
fileIndex = "index.txt"
fileUpdateFixed = "update_fixed.txt"
+
+ updateinfoRootDir = "earlyupdateinfo/"
)
type BulletinService interface {
@@ -148,7 +151,7 @@ func (b *bulletinService) GenerateBulletins(cveNum []string, date string) (strin
updateFixedFiles = append(updateFixedFiles, v.PathAppendToIndexFile())
- b.uploadUpdateInfoFile(&v)
+ service.UploadUpdateInfoFile(b.obs, b.updateinfo, b.log, &v, date, updateinfoRootDir)
}
b.uploadIndexAndFixed(uploadDir, indexContent, updateFixedFiles)
@@ -156,33 +159,6 @@ func (b *bulletinService) GenerateBulletins(cveNum []string, date string) (strin
return uploadDir, nil
}
-func (b *bulletinService) uploadUpdateInfoFile(bulletin *domain.SecurityBulletin) {
- for _, branch := range bulletin.AffectedVersion {
- filePath := domain.UpdateinfoRootDir + branch + "/updateinfo.xml"
- downloadBys, err := b.obs.Download(filePath)
- if err != nil {
- b.log.Error(err)
- continue
- }
-
- data, err := b.updateinfo.UploadUpdateInfoXml(domain.UpdateParam{
- Sb: bulletin,
- Branch: branch,
- DownloadBys: downloadBys,
- })
-
- if err != nil {
- b.log.Error(err)
- continue
- }
-
- if err = b.obs.Upload(filePath, data); err != nil {
- b.log.Error(err)
- continue
- }
- }
-}
-
func (b *bulletinService) uploadIndexAndFixed(uploadDir, indexContent string, updateFixedFiles []string) {
updateFixedContent := strings.TrimSpace(strings.Join(updateFixedFiles, EOF))
newIndexContent := strings.TrimSpace(indexContent) + EOF + updateFixedContent
diff --git a/cve-vulner-manager/cve-ddd/app/refactor_hotpatch.go b/cve-vulner-manager/cve-ddd/app/refactor_hotpatch.go
index 0ca2a85d5b0aca1f737f59688cc97054ccb83c52..fe52ee1b9cfba36a98b159a57e731b30e1a3ae2f 100644
--- a/cve-vulner-manager/cve-ddd/app/refactor_hotpatch.go
+++ b/cve-vulner-manager/cve-ddd/app/refactor_hotpatch.go
@@ -13,15 +13,18 @@ import (
"cvevulner/cve-ddd/domain/hotpatch"
"cvevulner/cve-ddd/domain/obs"
"cvevulner/cve-ddd/domain/repository"
+ "cvevulner/cve-ddd/domain/service"
"cvevulner/cve-ddd/domain/updateinfo"
)
const (
fileHotPatch = "update_hot_patch.txt"
+
+ hotPatchUpdateInfoDir = "hotpatch-early-updateinfo/"
)
type RefactorHotPatchService interface {
- GenerateBulletins(string) error
+ GenerateBulletins(uploadDir, date string) error
}
func NewRefactorHotPatchService(
@@ -31,6 +34,7 @@ func NewRefactorHotPatchService(
u updateinfo.UpdateInfo,
h hotpatch.HotPatch,
l *logrus.Entry,
+
) *refactorHotPatchService {
return &refactorHotPatchService{
repository: r,
@@ -52,7 +56,7 @@ type refactorHotPatchService struct {
log *logrus.Entry
}
-func (h *refactorHotPatchService) GenerateBulletins(uploadDir string) error {
+func (h *refactorHotPatchService) GenerateBulletins(uploadDir, date string) error {
issues, err := h.hotPatch.GetIssueInfo()
if err != nil {
return err
@@ -66,14 +70,19 @@ func (h *refactorHotPatchService) GenerateBulletins(uploadDir string) error {
return fmt.Errorf("get %s failed: %w", fileIndex, err)
}
- maxHotPatchId, err := domain.ParseMaxIdFromIndexTxt(indexContent, domain.BulletinTypeHotPatch)
+ maxHotPatchId, err := h.hotPatch.MaxHotPatchID()
if err != nil {
return fmt.Errorf("parse max id failed: %w", err)
}
for _, issue := range issues {
- if exist := h.repository.IssueNumExist(issue.HotIssueNum); exist {
- h.log.Errorf("issue num %s exists", issue.HotIssueNum)
+ isPublished, err1 := h.hotPatch.IsPublished(issue.CveNum[0], issue.Component)
+ if err1 != nil {
+ h.log.Errorf("check hotpatch is published, occurred error: %s", err1.Error())
+ return err
+ }
+
+ if isPublished {
continue
}
@@ -83,7 +92,7 @@ func (h *refactorHotPatchService) GenerateBulletins(uploadDir string) error {
Component: issue.Component,
})
if err1 != nil {
- h.log.Errorf("find cve %s, error %s", issue.CveNum, err.Error())
+ h.log.Errorf("find cve %s, error %s", issue.CveNum, err1.Error())
return err
}
if len(cves) == 0 {
@@ -106,13 +115,13 @@ func (h *refactorHotPatchService) GenerateBulletins(uploadDir string) error {
xmlData, err2 := h.bulletin.GenerateHotPatch(&b)
if err2 != nil {
- h.log.Errorf("component: %s, to xml error: %s", b.Component, err.Error())
+ h.log.Errorf("component: %s, to xml error: %s", b.Component, err2.Error())
continue
}
path := uploadDir + b.CvrfFileName()
if err2 = h.obs.Upload(path, xmlData); err2 != nil {
- h.log.Errorf("component: %s, upload to obs error: %s", b.Component, err.Error())
+ h.log.Errorf("component: %s, upload to obs error: %s", b.Component, err2.Error())
continue
}
@@ -120,10 +129,8 @@ func (h *refactorHotPatchService) GenerateBulletins(uploadDir string) error {
uploadFileName = append(uploadFileName, b.PathAppendToIndexFile())
cvesForUpdateInfo = append(cvesForUpdateInfo, b.Cves...)
- }
- if err = h.repository.SaveIssueNum(issue.HotIssueNum); err != nil {
- h.log.Errorf("save issue num %s error %s", issue.HotIssueNum, err.Error())
+ service.UploadUpdateInfoFile(h.obs, h.updateInfo, h.log, &b, date, hotPatchUpdateInfoDir)
}
}
diff --git a/cve-vulner-manager/cve-ddd/controller/cve.go b/cve-vulner-manager/cve-ddd/controller/cve.go
index 6a19efd2361c2c7303ff2e397334d4d744a455ae..f48a68a98e13f6ef13fd3c8d2b149cf8b42d0b6b 100644
--- a/cve-vulner-manager/cve-ddd/controller/cve.go
+++ b/cve-vulner-manager/cve-ddd/controller/cve.go
@@ -98,7 +98,7 @@ func (c *CveController) Generate() {
if err1 != nil {
c.BulletinLog.Errorf("generate security bulletins failed: %s", err1.Error())
} else {
- err1 = c.HotPatchService.GenerateBulletins(uploadDir)
+ err1 = c.HotPatchService.GenerateBulletins(uploadDir, request.Date)
if err1 != nil {
c.HotPatchBulletinLog.Errorf("generate hot patch security bulletins failed: %s", err1.Error())
}
diff --git a/cve-vulner-manager/cve-ddd/domain/bulletins.go b/cve-vulner-manager/cve-ddd/domain/bulletins.go
index 291ffcbe267a0c2715e604f516707b49b40dc90c..ddf93e6a458eff7af70371567d12cfe5d1394ca3 100644
--- a/cve-vulner-manager/cve-ddd/domain/bulletins.go
+++ b/cve-vulner-manager/cve-ddd/domain/bulletins.go
@@ -11,8 +11,14 @@ import (
const (
BulletinTypeSA = "SA"
- BulletinTypeBa = "BA"
+ BulletinTypeBA = "BA"
BulletinTypeHotPatch = "HotPatchSA"
+
+ // NoticeTypeCVE is the type for CVE notices
+ NoticeTypeCVE = "cve"
+
+ // NoticeTypeBug is the type for bug notices
+ NoticeTypeBug = "bug"
)
var (
@@ -38,6 +44,28 @@ type Product struct {
IsEpol bool
}
+// IsCveNotice returns whether the security bulletin is a CVE notice.
+func (s *SecurityBulletin) IsCveNotice() bool {
+ return s.GenNoticeType() == NoticeTypeCVE
+}
+
+// GenNoticeType returns the type of the security bulletin.
+func (s *SecurityBulletin) GenNoticeType() string {
+ if strings.Contains(s.Identification, BulletinTypeBA) {
+ return NoticeTypeBug
+ }
+
+ if strings.Contains(s.Identification, BulletinTypeHotPatch) {
+ return NoticeTypeCVE
+ }
+
+ if strings.Contains(s.Identification, BulletinTypeSA) {
+ return NoticeTypeCVE
+ }
+
+ return ""
+}
+
func (s *SecurityBulletin) SetIdentificationOfColdPatch(id int) {
s.Identification = fmt.Sprintf("openEuler-SA-%d-%d", util.Year(), id)
}
diff --git a/cve-vulner-manager/cve-ddd/domain/hotpatch/hotpatch.go b/cve-vulner-manager/cve-ddd/domain/hotpatch/hotpatch.go
index 1493d8c55fb666c200fb4394e1195db2dd315290..962f399083409a7c99bf25bc904df9300692913a 100644
--- a/cve-vulner-manager/cve-ddd/domain/hotpatch/hotpatch.go
+++ b/cve-vulner-manager/cve-ddd/domain/hotpatch/hotpatch.go
@@ -4,4 +4,6 @@ import "cvevulner/cve-ddd/domain"
type HotPatch interface {
GetIssueInfo() ([]domain.HotPatchIssue, error)
+ MaxHotPatchID() (int, error)
+ IsPublished(cveId, packageName string) (bool, error)
}
diff --git a/cve-vulner-manager/cve-ddd/domain/repository/cve.go b/cve-vulner-manager/cve-ddd/domain/repository/cve.go
index dea77434876128689a1215a496dc9e0fc493849f..fc38100e27a74194a1e714f45de6624a9d06cd5c 100644
--- a/cve-vulner-manager/cve-ddd/domain/repository/cve.go
+++ b/cve-vulner-manager/cve-ddd/domain/repository/cve.go
@@ -10,8 +10,6 @@ type Option struct {
type CveRepository interface {
FindCves(option Option) (domain.Cves, error)
MaxBulletinID() (string, error)
- IssueNumExist(num string) bool
- SaveIssueNum(num string) error
GetAllIssue() (data domain.CollectedDataSlice, err error)
SetIgnoreStatus(id int64) error
GetAllPackage() (list []string, err error)
diff --git a/cve-vulner-manager/cve-ddd/domain/service/service.go b/cve-vulner-manager/cve-ddd/domain/service/service.go
new file mode 100644
index 0000000000000000000000000000000000000000..c56af6897d3eeb3f7bc968b59646b74c6925d916
--- /dev/null
+++ b/cve-vulner-manager/cve-ddd/domain/service/service.go
@@ -0,0 +1,41 @@
+// Package service provides the security bulletin service
+package service
+
+import (
+ "github.com/sirupsen/logrus"
+
+ "cvevulner/cve-ddd/domain"
+ "cvevulner/cve-ddd/domain/obs"
+ "cvevulner/cve-ddd/domain/updateinfo"
+)
+
+// UploadUpdateInfoFile upload updateinfo file
+func UploadUpdateInfoFile(obs obs.OBS, updateinfo updateinfo.UpdateInfo,
+ log *logrus.Entry, bulletin *domain.SecurityBulletin, date, UpdateInfoDir string,
+) {
+ for _, branch := range bulletin.AffectedVersion {
+ filePath := UpdateInfoDir + branch + "/updateinfo.xml"
+ downloadBys, err := obs.Download(filePath)
+ if err != nil {
+ log.Errorf("download %s failed: %s", filePath, err.Error())
+ continue
+ }
+
+ data, err := updateinfo.UploadUpdateInfoXml(domain.UpdateParam{
+ Sb: bulletin,
+ Date: date,
+ Branch: branch,
+ DownloadBys: downloadBys,
+ })
+
+ if err != nil {
+ log.Errorf("update updateinfo of %s failed: %s", bulletin.Identification, err.Error())
+ continue
+ }
+
+ if err = obs.Upload(filePath, data); err != nil {
+ log.Errorf("upload %s failed: %s", filePath, err.Error())
+ continue
+ }
+ }
+}
diff --git a/cve-vulner-manager/cve-ddd/domain/updateinfo.go b/cve-vulner-manager/cve-ddd/domain/updateinfo.go
index bf5dfea84fe7f3da161c0c6562f9bac2c808f214..3f6b880a91bde538dd87172edb887f8c56ca465f 100644
--- a/cve-vulner-manager/cve-ddd/domain/updateinfo.go
+++ b/cve-vulner-manager/cve-ddd/domain/updateinfo.go
@@ -1,31 +1,8 @@
package domain
-import (
- "regexp"
-)
-
-const (
- UpdateinfoRootDir = "earlyupdateinfo/"
- NoticeTypeCVE = "cve"
- NoticeTypeBug = "bug"
- CveUrlPrefix = "https://nvd.nist.gov/vuln/detail/"
- PkgUrl = "https://repo.openeuler.org/%s/update/%s/Packages/%s"
- ScriptPath = "/opt/app/epoch.sh"
-)
-
-var (
- Severity = map[string]string{
- "critical": "Critical",
- "high": "Important",
- "medium": "Moderate",
- "low": "Low",
- }
-
- Num = regexp.MustCompile(`\d+`)
-)
-
type UpdateParam struct {
Sb *SecurityBulletin
+ Date string
Branch string
DownloadBys []byte
}
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/hotpatchimpl/impl.go b/cve-vulner-manager/cve-ddd/infrastructure/hotpatchimpl/impl.go
index d7d0838d89dc2e5479fdfff4e819c7fba275fb8d..46893738137300eb9d2b3ed3d4a9c0c8885d42db 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/hotpatchimpl/impl.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/hotpatchimpl/impl.go
@@ -6,6 +6,7 @@ import (
"fmt"
"net/http"
"regexp"
+ "strconv"
"strings"
"time"
@@ -17,15 +18,21 @@ import (
"cvevulner/util"
)
-const hotPatchIssue = "https://gitee.com/api/v5/repos/openeuler/hotpatch_meta/issues?" +
- "access_token=%s&state=closed&labels=%s&sort=created&direction=desc&page=%d&per_page=20&created_at=%s"
+const (
+ hotPatchIssue = "https://gitee.com/api/v5/repos/openeuler/hotpatch_meta/issues?" +
+ "access_token=%s&state=closed&labels=%s&sort=created&direction=desc&page=%d&per_page=20&created_at=%s"
+ endpoint = "https://api-cve.openeuler.org"
+ defaultClientTimeout = 3
+ defaultMaxId = 1000
+)
var (
- RegexpCve = regexp.MustCompile(`(?s:(.*?))`)
- RegexpRPM = regexp.MustCompile(`热补丁路径[::](?s:(.*?))热补丁信息[::]`)
- RegexpMeta = regexp.MustCompile(`热补丁元数据[::](?s:(.*?))热补丁路径[::]`)
- RegexpType = regexp.MustCompile(`问题类别[::](?s:(.*?))热补丁元数据[::]`)
- RegexpInfo = regexp.MustCompile(`热补丁信息[::](?s:(.*?))$`)
+ regexpCve = regexp.MustCompile(`(?s:(.*?))`)
+ regexpRPM = regexp.MustCompile(`热补丁路径[::](?s:(.*?))热补丁信息[::]`)
+ regexpMeta = regexp.MustCompile(`热补丁元数据[::](?s:(.*?))热补丁路径[::]`)
+ regexpType = regexp.MustCompile(`问题类别[::](?s:(.*?))热补丁元数据[::]`)
+ regexpInfo = regexp.MustCompile(`热补丁信息[::](?s:(.*?))$`)
+ regepHotPatch = regexp.MustCompile(`openEuler-HotPatchSA-(\d{4})-(\d{4,5})`)
)
func NewHotPatchImpl(log *logrus.Entry) *hotPatchImpl {
@@ -104,13 +111,13 @@ func (impl hotPatchImpl) getIssues() ([]Issue, error) {
}
func (impl hotPatchImpl) toPatchIssue(body string) (v domain.HotPatchIssue, err error) {
- t := RegexpType.FindAllStringSubmatch(body, -1)
+ t := regexpType.FindAllStringSubmatch(body, -1)
if len(t) == 0 {
return v, errors.New("parse type failed")
}
v.Type = strings.TrimSpace(t[0][1])
- meta := RegexpMeta.FindAllStringSubmatch(body, -1)
+ meta := regexpMeta.FindAllStringSubmatch(body, -1)
if len(meta) == 0 {
return v, errors.New("parse metadata failed")
}
@@ -118,13 +125,13 @@ func (impl hotPatchImpl) toPatchIssue(body string) (v domain.HotPatchIssue, err
v.Branch = split[len(split)-4]
v.Component = split[len(split)-3]
- p := RegexpRPM.FindAllStringSubmatch(body, -1)
+ p := regexpRPM.FindAllStringSubmatch(body, -1)
if len(p) == 0 {
return v, errors.New("parse rpm failed")
}
v.PatchUrl = strings.Split(strings.TrimSpace(p[0][1]), "\n")
- info := RegexpInfo.FindAllStringSubmatch(body, -1)
+ info := regexpInfo.FindAllStringSubmatch(body, -1)
if len(info) == 0 {
return v, errors.New("parse info failed")
}
@@ -135,7 +142,7 @@ func (impl hotPatchImpl) toPatchIssue(body string) (v domain.HotPatchIssue, err
continue
}
- if cve := RegexpCve.FindAllStringSubmatch(string(bys), -1); len(cve) > 0 {
+ if cve := regexpCve.FindAllStringSubmatch(string(bys), -1); len(cve) > 0 {
v.CveNum = strings.Split(cve[0][1], ",")
break
}
@@ -147,3 +154,110 @@ func (impl hotPatchImpl) toPatchIssue(body string) (v domain.HotPatchIssue, err
return
}
+
+type maxIdResult struct {
+ Code int `json:"code"`
+ Result string `json:"result"`
+ Msg string `json:"msg"`
+}
+
+func (impl hotPatchImpl) MaxHotPatchID() (maxId int, err error) {
+ cli := utils.NewHttpClient(defaultClientTimeout)
+
+ url := fmt.Sprintf("%s/cve-security-notice-server/securitynotice/getMaxHotPatchId", endpoint)
+
+ request, err := http.NewRequest(http.MethodGet, url, nil)
+ if err != nil {
+ return
+ }
+
+ r, _, err := cli.Download(request)
+ if err != nil {
+ return
+ }
+
+ var res maxIdResult
+ if err = json.Unmarshal(r, &res); err != nil {
+ return
+ }
+
+ if res.Code != 0 {
+ err = errors.New(res.Msg)
+
+ return
+ }
+
+ // init id
+ if res.Result == "" {
+ return defaultMaxId, nil
+ }
+
+ match := regepHotPatch.FindAllStringSubmatch(res.Result, -1)
+ if len(match) == 0 {
+ err = errors.New("invalid bulletin id")
+
+ return
+ }
+
+ // reset id to 1000 at new year
+ if match[0][1] != strconv.Itoa(time.Now().Year()) {
+ return defaultMaxId, nil
+ }
+
+ return strconv.Atoi(match[0][2])
+}
+
+type cveProductPackageResult struct {
+ Code int `json:"code"`
+ Result []cveProductPackage `json:"result"`
+ Msg string `json:"msg"`
+}
+
+type cveProductPackage struct {
+ Id int64 `json:"id"`
+ CveId string `json:"cveId"`
+ PackageName string `json:"packageName"`
+ ProductName string `json:"productName"`
+ Status string `json:"status"`
+ Reason string `json:"reason"`
+ SecurityNoticeNo string `json:"securityNoticeNo"`
+ ReleaseTime string `json:"releaseTime"`
+ Updateime string `json:"updateTime"`
+ CreateTime time.Time `json:"createTime"`
+}
+
+func (impl hotPatchImpl) IsPublished(cveId, packageName string) (bool, error) {
+ cli := utils.NewHttpClient(defaultClientTimeout)
+
+ url := fmt.Sprintf("%s/cve-security-notice-server/cvedatabase/getCVEProductPackageList?cveId=%s&packageName=%s",
+ endpoint, cveId, packageName)
+
+ request, err := http.NewRequest(http.MethodGet, url, nil)
+ if err != nil {
+ return false, err
+ }
+
+ r, _, err := cli.Download(request)
+ if err != nil {
+ return false, err
+ }
+
+ var res cveProductPackageResult
+ if err = json.Unmarshal(r, &res); err != nil {
+ return false, err
+ }
+
+ if res.Code != 0 {
+ err = errors.New(res.Msg)
+
+ return false, err
+ }
+
+ for _, v := range res.Result {
+ if strings.Contains(v.SecurityNoticeNo, domain.BulletinTypeHotPatch) {
+ return true, nil
+ }
+ }
+
+ return false, nil
+}
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
index 995717b352b46ce056dd7b925f92ebc0b40eeea8..5aeebb3b76b6f2d4599104032b97089b208b5f15 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
@@ -4,7 +4,6 @@ import (
"errors"
"fmt"
"strings"
- "time"
"github.com/astaxie/beego/orm"
@@ -31,7 +30,6 @@ join cve_issue_template b on a.cve_id=b.cve_id
join cve_security_notice c on a.cve_id=c.cve_id
where a.cve_num in (%s)
and a.cve_status = 2
-and a.is_export in (0,3)
and a.organizate_id = 1
and b.status < 4
`
@@ -92,34 +90,6 @@ func (impl repositoryImpl) MaxBulletinID() (string, error) {
return saFileRecord.FileName, nil
}
-func (impl repositoryImpl) IssueNumExist(num string) bool {
- hotPatch := models.HotPatch{
- IssueNum: num,
- }
-
- o := orm.NewOrm()
- if err := o.Read(&hotPatch, "issue_num"); err != nil {
- return false
- }
-
- return true
-}
-
-func (impl repositoryImpl) SaveIssueNum(num string) error {
- now := time.Now().Format(time.RFC3339)
-
- hotPatch := models.HotPatch{
- IssueNum: num,
- CreateTime: now,
- UpdateTime: now,
- }
-
- o := orm.NewOrm()
- _, err := o.Insert(&hotPatch)
-
- return err
-}
-
type list struct {
models.IssueTemplate
AffectProduct string `orm:"column(affect_product)"`
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/testresultimpl/impl.go b/cve-vulner-manager/cve-ddd/infrastructure/testresultimpl/impl.go
index 624495da1b28c0736095d4bfb04339dbe0b3d5c8..45af6a1411ac037d6c0e3edbf345efa58dd75209 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/testresultimpl/impl.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/testresultimpl/impl.go
@@ -8,16 +8,13 @@ import (
"net/http"
"strings"
+ "github.com/astaxie/beego"
"github.com/opensourceways/server-common-lib/utils"
"github.com/sirupsen/logrus"
"cvevulner/cve-ddd/domain"
)
-const (
- testRepoBaseUrl = "https://dailybuild.openeuler.openatom.cn"
-)
-
func NewTestResultImpl(log *logrus.Entry) *testResultImpl {
return &testResultImpl{
log: log,
@@ -39,7 +36,9 @@ type rpm struct {
}
func (impl *testResultImpl) getCsvOfRpmByBranch(branch, date string) []byte {
- url := fmt.Sprintf("%s/repo.openeuler.org/%s/%s/%s.csv", testRepoBaseUrl, branch, date, branch)
+ url := fmt.Sprintf("%s/repo.openeuler.org/%s/%s/%s.csv",
+ beego.AppConfig.String("testResult::host"), branch, date, branch,
+ )
req, _ := http.NewRequest(http.MethodGet, url, nil)
@@ -53,7 +52,9 @@ func (impl *testResultImpl) getCsvOfRpmByBranch(branch, date string) []byte {
}
func (impl *testResultImpl) getCsvOfRpmInEpolByBranch(branch, date string) []byte {
- epolUrl := fmt.Sprintf("%s/repo.openeuler.org/%s/EPOL/%s/main/%s.csv", testRepoBaseUrl, branch, date, branch)
+ epolUrl := fmt.Sprintf("%s/repo.openeuler.org/%s/EPOL/%s/main/%s.csv",
+ beego.AppConfig.String("testResult::host"), branch, date, branch,
+ )
req, _ := http.NewRequest(http.MethodGet, epolUrl, nil)
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/generate_updateinfoxml.go b/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/generate_updateinfoxml.go
index 10c55765c5ad912eb60edbbd104b371cd30e9c0d..ba4e1ae9262c538fcaa08421a7dc9b693b18419c 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/generate_updateinfoxml.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/generate_updateinfoxml.go
@@ -1,16 +1,10 @@
package updateinfoimpl
import (
- "bytes"
"encoding/xml"
"fmt"
- "path/filepath"
"sort"
- "strconv"
"strings"
- "time"
-
- libutils "github.com/opensourceways/server-common-lib/utils"
"cvevulner/cve-ddd/domain"
"cvevulner/cve-ddd/domain/dp"
@@ -18,16 +12,37 @@ import (
"cvevulner/util"
)
+const (
+ src = "src"
+ x8664 = "x86_64"
+ aarch64 = "aarch64"
+ noarch = "noarch"
+
+ // CveUrlPrefix is the prefix for CVE URLs
+ CveUrlPrefix = "https://nvd.nist.gov/vuln/detail/"
+)
+
+var (
+ severity = map[string]string{
+ "critical": "Critical",
+ "high": "Important",
+ "medium": "Moderate",
+ "low": "Low",
+ }
+)
+
func (impl updateInfoImpl) UploadUpdateInfoXml(param domain.UpdateParam) (data []byte, err error) {
- var u Updates
+ up, err := impl.updateXml(param.Sb, param.Branch, param.Date)
+ if err != nil {
+ return nil, err
+ }
+ var u Updates
err = xml.Unmarshal(param.DownloadBys, &u)
if err != nil {
return nil, err
}
- up := impl.updateXml(param.Sb, param.Branch)
-
i := impl.numberIndex(&u, param.Sb.Identification)
if i == -1 {
u.Updatex = append(u.Updatex, up)
@@ -56,7 +71,7 @@ func (impl updateInfoImpl) UploadUpdateInfoXml(param domain.UpdateParam) (data [
return headerBytes, nil
}
-func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string) Update {
+func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch, date string) (Update, error) {
var cveNums []string
var description string
var highestLevelIndex int
@@ -88,7 +103,7 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
title := introduction + branch
- if impl.IsCveNotice(sb.Identification) {
+ if sb.IsCveNotice() {
if i := strings.Index(description, "Security Fix(es):"); i > 0 {
descr = util.TrimStringNR(description[i+17:])
}
@@ -102,7 +117,7 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
Status: "stable",
Id: sb.Identification,
Title: title,
- Severity: domain.Severity[strings.ToLower(dp.SequenceSeverityLevel[highestLevelIndex])],
+ Severity: severity[strings.ToLower(dp.SequenceSeverityLevel[highestLevelIndex])],
Release: "openEuler",
Issued: &Issued{Date: sb.Date},
Description: descr,
@@ -111,7 +126,7 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
var ref []Reference
for _, s := range cveNums {
ref = append(ref, Reference{
- Href: domain.CveUrlPrefix + s,
+ Href: CveUrlPrefix + s,
Id: s,
Title: s,
Type: "cve",
@@ -122,10 +137,20 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
var pack []Package
for arch, pl := range sb.ProductTree {
- if arch == "src" {
+ if arch == src {
continue
}
+ // noarch的包在aarch64目录和x8664目录都存在,采用和官网一致的逻辑,从aarch64目录取
+ if arch == noarch {
+ arch = aarch64
+ }
+
+ epochOfRpm, err := impl.getEpochOfRpm(branch, date, arch)
+ if err != nil {
+ return Update{}, err
+ }
+
for _, productPackage := range pl {
var pe Package
pe.Filename = productPackage.FullName
@@ -142,9 +167,9 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
}
if !strings.Contains(pe.Filename, "kernel") {
- epoch, err := impl.findEpoch(domain.ScriptPath, branch, pe.Filename, pe.Arch, 1)
- if err == nil && len(epoch) > 0 {
- pe.Epoch = string(epoch)
+ epoch, ok := epochOfRpm[pe.Filename]
+ if ok {
+ pe.Epoch = epoch
}
}
@@ -154,7 +179,7 @@ func (impl updateInfoImpl) updateXml(sb *domain.SecurityBulletin, branch string)
up.Pkglist = &Pkglist{Collection: &Collection{Name: "openEuler", Package: pack}}
- return up
+ return up, nil
}
func (impl updateInfoImpl) numberIndex(u *Updates, securityNumber string) (index int) {
@@ -168,56 +193,3 @@ func (impl updateInfoImpl) numberIndex(u *Updates, securityNumber string) (index
return
}
-
-func (impl updateInfoImpl) IsCveNotice(securityNoticeNo string) bool {
- return impl.GenNoticeType(securityNoticeNo) == domain.NoticeTypeCVE
-}
-
-func (impl updateInfoImpl) GenNoticeType(securityNoticeNo string) string {
- if strings.Contains(securityNoticeNo, "BA") {
- return domain.NoticeTypeBug
- }
-
- if strings.Contains(securityNoticeNo, "HotPatchSA") {
- return domain.NoticeTypeCVE
- }
-
- if strings.Contains(securityNoticeNo, "SA") {
- return domain.NoticeTypeCVE
- }
-
- return ""
-}
-
-func (impl updateInfoImpl) findEpoch(script, branch, filename, arch string, i int) ([]byte, error) {
- var archs = []string{arch}
- if arch == "noarch" {
- archs = []string{"aarch64", "x86_64"}
- }
- for _, a := range archs {
- epoch, err, _ := libutils.RunCmd(
- script,
- filepath.Join("/opt/app/", branch, strconv.Itoa(i), time.Now().Format("150405.999")),
- fmt.Sprintf(domain.PkgUrl, branch, a, filename),
- )
-
- if err != nil {
- return nil, fmt.Errorf("failed to get epoch, pkgUrl is %s", fmt.Sprintf(domain.PkgUrl, branch, a, filename))
- }
-
- if err == nil {
- if strings.Contains(string(epoch), "404") || strings.Contains(string(epoch), "502") {
- continue
- }
- if ix := bytes.Index(epoch, []byte("NOKEY")); ix > 0 {
- epoch = bytes.TrimSpace(epoch[ix+5:])
- } else {
- epoch = bytes.TrimSpace(epoch)
- }
-
- return domain.Num.Find(epoch), nil
- }
- }
-
- return nil, nil
-}
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/repodata.go b/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/repodata.go
new file mode 100644
index 0000000000000000000000000000000000000000..cac9c28aa1534bc2ebc756c0be3f6a51193cf161
--- /dev/null
+++ b/cve-vulner-manager/cve-ddd/infrastructure/updateinfoimpl/repodata.go
@@ -0,0 +1,103 @@
+package updateinfoimpl
+
+import (
+ "bytes"
+ "compress/gzip"
+ "encoding/xml"
+ "errors"
+ "fmt"
+ "io"
+ "net/http"
+ "regexp"
+ "strings"
+
+ "github.com/astaxie/beego"
+ "github.com/opensourceways/server-common-lib/utils"
+)
+
+var primaryRegexp = regexp.MustCompile(`title="(\w+-primary.xml.gz)"`)
+
+type PrimaryXml struct {
+ XMLName xml.Name `xml:"metadata,omitempty"`
+ Package []PrimaryPackage `xml:"package,omitempty"`
+}
+
+type PrimaryPackage struct {
+ XMLName xml.Name `xml:"package,omitempty"`
+ Type string `xml:"type,attr"`
+ Version Version `xml:"version,omitempty"`
+ Location Location `xml:"location,omitempty"`
+}
+
+type Version struct {
+ XMLName xml.Name `xml:"version,omitempty"`
+ Epoch string `xml:"epoch,attr"`
+}
+
+type Location struct {
+ XMLName xml.Name `xml:"location,omitempty"`
+ Href string `xml:"href,attr"`
+}
+
+func (impl updateInfoImpl) getEpochOfRpm(branch, date, arch string) (map[string]string, error) {
+ primaryXmlContent, err := impl.getPrimaryXmlOfRepoData(branch, date, arch)
+ if err != nil {
+ return nil, err
+ }
+
+ var primaryXml PrimaryXml
+ if err = xml.Unmarshal(primaryXmlContent, &primaryXml); err != nil {
+ return nil, err
+ }
+
+ epochOfRpm := make(map[string]string)
+ for _, v := range primaryXml.Package {
+ rpmName := strings.Trim(v.Location.Href, "Packages/")
+ epochOfRpm[rpmName] = v.Version.Epoch
+ }
+
+ return epochOfRpm, nil
+}
+
+func (impl updateInfoImpl) getPrimaryXmlOfRepoData(branch, date, arch string) (content []byte, err error) {
+ urlOfDir := fmt.Sprintf("%s/repo.openeuler.org/%s/%s/%s/repodata",
+ beego.AppConfig.String("testResult::host"),
+ branch, date, arch,
+ )
+
+ client := utils.NewHttpClient(3)
+ req, err := http.NewRequest(http.MethodGet, urlOfDir, nil)
+ if err != nil {
+ return
+ }
+
+ t, _, err := client.Download(req)
+ if err != nil {
+ err = fmt.Errorf("list dir %s failed: %s", urlOfDir, err.Error())
+ return
+ }
+
+ match := primaryRegexp.FindAllStringSubmatch(string(t), -1)
+ if len(match) == 0 {
+ err = errors.New("not match primary xml")
+ return
+ }
+
+ primaryFile := match[0][1]
+ urlOfPrimaryFile := urlOfDir + "/" + primaryFile
+
+ req, err = http.NewRequest(http.MethodGet, urlOfPrimaryFile, nil)
+ fileContent, _, err := client.Download(req)
+ if err != nil {
+ err = fmt.Errorf("download file %s failed: %s", urlOfPrimaryFile, err.Error())
+ return
+ }
+
+ gz, err := gzip.NewReader(bytes.NewBuffer(fileContent))
+ if err != nil {
+ err = fmt.Errorf("read file %s failed: %s", urlOfPrimaryFile, err.Error())
+ return
+ }
+
+ return io.ReadAll(gz)
+}
diff --git a/cve-vulner-manager/models/cve_web.go b/cve-vulner-manager/models/cve_web.go
index f873f29fe2302e97351f8a0e1dac051e6005a254..170ce1d83f1b4b33c23b64c69cf028510545709d 100644
--- a/cve-vulner-manager/models/cve_web.go
+++ b/cve-vulner-manager/models/cve_web.go
@@ -9,11 +9,16 @@ type RespCommon struct {
type CveDetail struct {
Id int64 `json:"id"`
CveId string `json:"cveId"`
+ Status string `json:"status"`
AffectedProduct string `json:"affectedProduct"`
UpdateTime string `json:"updateTime"`
CreateTime string `json:"announcementTime"`
}
+func (d CveDetail) IsFixed() bool {
+ return d.Status == "Fixed"
+}
+
type RespCveDetail struct {
RespCommon
Result *CveDetail
diff --git a/cve-vulner-manager/sh/epoch.sh b/cve-vulner-manager/sh/epoch.sh
deleted file mode 100644
index 2c796ca811d42ea9ac97726dab09f040e7f669b6..0000000000000000000000000000000000000000
--- a/cve-vulner-manager/sh/epoch.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-repo=$1
-url=$2
-
-if [ ! -d "$repo" ]; then
- mkdir -p "$repo"
-fi
-
-cd "$repo"
-
-curl -LO -s "$url"
-
-v=$(rpm -qpi *.rpm | grep Epoch | awk {'print $3'})
-
-i=$?
-
-cd .. && rm -rf "$repo"
-
-if [ "$i" != 0 ]; then
-exit 1
-fi
-
-echo "$v"
\ No newline at end of file
diff --git a/cve-vulner-manager/task/issuetask.go b/cve-vulner-manager/task/issuetask.go
index 64244ec637624d62fbbbeb056a217cdc4269f801..2fc1021f1f9b373042d9b6b9af72457ad6c472cb 100644
--- a/cve-vulner-manager/task/issuetask.go
+++ b/cve-vulner-manager/task/issuetask.go
@@ -207,8 +207,8 @@ func addUnlimitedIssue(beforeTime string, prcnum, years, toolYears, manYears, fl
continue
}
// Determine whether cve has been processed
- issueExist, _ := taskhandler.GetCveSecurityNotice(issueValue.CveNum, issueValue.PackName, true)
- if issueExist {
+ exist, detail := taskhandler.GetCveSecurityNotice(issueValue.CveNum, issueValue.PackName, true)
+ if exist && detail.Result.IsFixed() {
models.UpdateIssueStatus(issueValue, 2)
logs.Info("addUnlimitedIssue, The cve data has been displayed on the official website, "+
"no need to submit an issue on git, cveData: ", issueValue)
@@ -356,8 +356,8 @@ func addLimitedIssue(beforeTime string, prcnum int, years, toolYears, manYears i
continue
}
// Determine whether cve has been processed
- issueExist, _ := taskhandler.GetCveSecurityNotice(issueValue.CveNum, issueValue.PackName, true)
- if issueExist {
+ exist, detail := taskhandler.GetCveSecurityNotice(issueValue.CveNum, issueValue.PackName, true)
+ if exist && detail.Result.IsFixed() {
models.UpdateIssueStatus(issueValue, 2)
logs.Info("addLimitedIssue, The cve data has been displayed on the official website, "+
"no need to submit an issue on git, cveData: ", issueValue)
diff --git a/cve-vulner-manager/taskhandler/check.go b/cve-vulner-manager/taskhandler/check.go
index 6f2e64645632336516a508a76b2f02f6516ac935..5900f1c463c1f7f56aef7a17e7f16494f790a631 100644
--- a/cve-vulner-manager/taskhandler/check.go
+++ b/cve-vulner-manager/taskhandler/check.go
@@ -97,6 +97,36 @@ func CheckIssueAnalysisComplete(i *models.IssueTemplate, organizationID int8) (m
analysisReasonResult = util.TrimStringNR(i.AnalysisVersion)
}
+ if i.AffectedVersion != "" && i.AnalysisVersion != "" {
+ var notMatchBranch []string
+
+ for _, b := range affectBranchsxList {
+ getResult := func(item string) string {
+ for _, v := range strings.Split(item, ",") {
+ row := strings.Split(v, ":")
+ if row[0] == b {
+ return row[1]
+ }
+ }
+
+ return ""
+ }
+
+ affectR := getResult(i.AffectedVersion)
+ analysisR := getResult(i.AnalysisVersion)
+
+ _, exist := common.AnalysisUnaffected[analysisR]
+ if (affectR == "不受影响" && !exist) || (affectR == "受影响" && exist) {
+ notMatchBranch = append(notMatchBranch, b)
+ }
+ }
+
+ if len(notMatchBranch) > 0 {
+ msg = fmt.Sprintf("受影响/不受影响和原因分析不匹配,分支: %v", notMatchBranch)
+ return
+ }
+ }
+
tbStr = fmt.Sprintf(tb,
"已分析", "1.影响性分析说明", util.TrimStringNR(i.CveAnalysis),
"已分析", "2.openEulerScore", i.OpenEulerScore,
diff --git a/cve-vulner-manager/taskhandler/cve.go b/cve-vulner-manager/taskhandler/cve.go
index 05b3d718f230ae5987b8dddb5f9a90521e2ff617..ecedbda9a3ddab2caa3401f05046fc1056e9b696 100644
--- a/cve-vulner-manager/taskhandler/cve.go
+++ b/cve-vulner-manager/taskhandler/cve.go
@@ -2642,8 +2642,8 @@ func FilterCveExported() {
ewg.Add(1)
go func(center models.VulnCenter) {
defer ewg.Done()
- issueExist, result := GetCveSecurityNotice(center.CveNum, center.PackName, true)
- if issueExist {
+ exist, result := GetCveSecurityNotice(center.CveNum, center.PackName, true)
+ if exist && result.Result.IsFixed() {
// 1640966400 -- 2022-01-01
if t := util.TimeStrToInt(result.Result.UpdateTime, ""); t != 0 && t <= 1640966400 {
dbLock.Lock()
diff --git a/cve-vulner-manager/taskhandler/excel.go b/cve-vulner-manager/taskhandler/excel.go
index e768c2271f59a13d40a359bf419dcd0d11877fe0..830c9369ae2e6704b29ccbfedf4ae13e3a0c5843 100644
--- a/cve-vulner-manager/taskhandler/excel.go
+++ b/cve-vulner-manager/taskhandler/excel.go
@@ -1306,8 +1306,8 @@ func affectIssueProc(v IssueAndPkg, affectBranch string, cvexml *[]CveXml,
continue
}
// Check whether the cve data has been released sa
- issueExist, _ := GetCveSecurityNotice(tpl.CveNum, tpl.Repo, true)
- if issueExist {
+ exist, detail := GetCveSecurityNotice(tpl.CveNum, tpl.Repo, true)
+ if exist && detail.Result.IsFixed() {
if IsProductFixed(tpl.CveNum, v.Repo, affectBranch) {
continue
}
diff --git a/cve-vulner-manager/taskhandler/issuestatistics.go b/cve-vulner-manager/taskhandler/issuestatistics.go
index 5a8c5838913e791f2b9ae928569a12f5ee699663..a6f29de41805e3f1e3a5b60e52793bcb24a7871c 100644
--- a/cve-vulner-manager/taskhandler/issuestatistics.go
+++ b/cve-vulner-manager/taskhandler/issuestatistics.go
@@ -325,8 +325,8 @@ func ProcSecLinkTemplate(beforeDate, prcnum int, owner, accessToken string) erro
continue
}
// Determine whether cve has been processed
- issueExist, saData := GetCveSecurityNotice(temp.CveNum, temp.Repo, true)
- if issueExist && len(saData.Result.AffectedProduct) > 2 {
+ exist, saData := GetCveSecurityNotice(temp.CveNum, temp.Repo, true)
+ if exist && saData.Result.IsFixed() && len(saData.Result.AffectedProduct) > 2 {
// Update sa release time
UpdateSAReleaseTime(saData.Result.AffectedProduct, saData.Result.CreateTime, temp.TemplateId)
secLink := secLinkConfig + "/zh/security/safety-bulletin/detail/?id=" + saData.Result.AffectedProduct