feat(manager): inherit global CVE status in case CVE-system override …
…is not set

RHINENG-2381
jdobes authored and psegedy committed Feb 26, 2024
1 parent 7222df6 commit 3c672b2
Showing 5 changed files with 68 additions and 59 deletions.
1 change: 0 additions & 1 deletion manager/base.py
Expand Up @@ -59,7 +59,6 @@
IDENTITY_HEADER = "x-rh-identity"
DEFAULT_PAGE_SIZE = 20
DEFAULT_BUSINESS_RISK = "Not Defined"
DEFAULT_STATUS = "Not Reviewed"
CVE_SYNOPSIS_SORT = [fn.SUBSTRING(SQL("cve_name"), r"-(\d+)-").cast("integer"),
fn.SUBSTRING(SQL("cve_name"), r"-(\d+)$").cast("integer")]

68 changes: 41 additions & 27 deletions manager/cve_handler.py
Expand Up @@ -20,7 +20,6 @@
from .base import cyndi_join
from .base import DEFAULT_BUSINESS_RISK
from .base import DEFAULT_REMEDIATION_FILTER
from .base import DEFAULT_STATUS
from .base import get_account_data
from .base import get_or_create_account
from .base import get_remediation_filter
Expand All @@ -33,6 +32,7 @@
from .base import parse_tags
from .base import PatchRequest
from .base import reporter
from .base import STATUS_CACHE
from .base import transform_ids
from .base import transform_names
from .base import unique_bool_list
Expand All @@ -57,7 +57,6 @@
from common.peewee_model import InsightsRule
from common.peewee_model import InventoryHosts
from common.peewee_model import RHAccount
from common.peewee_model import Status
from common.peewee_model import SystemCveData
from common.peewee_model import SystemPlatform
from common.peewee_model import SystemVulnerabilities
Expand Down Expand Up @@ -112,7 +111,6 @@ def __init__(self, account_data, synopsis, list_args, parsed_args, uri, ids_only
query.c.stale_warning_timestamp,
query.c.culled_timestamp,
query.c.status_id,
query.c.status_name,
query.c.status_text,
query.c.rule_hit_details,
query.c.when_mitigated,
Expand Down Expand Up @@ -220,9 +218,10 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte
SystemPlatform.stale_timestamp,
SystemPlatform.stale_warning_timestamp,
SystemPlatform.culled_timestamp,
fn.COALESCE(Status.id, 0).alias("status_id"),
fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"),
SystemCveData.status_text.alias("status_text"),
fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.COALESCE(SystemCveData.status_text,
CveAccountData.status_text).alias("status_text"),
SystemVulnerabilities.rule_hit_details,
SystemVulnerabilities.when_mitigated,
SystemVulnerabilities.first_reported,
Expand Down Expand Up @@ -251,7 +250,6 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id)
& (CveMetadata.id == CveAccountData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
Expand Down Expand Up @@ -282,9 +280,10 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters):
SystemPlatform.stale_timestamp,
SystemPlatform.stale_warning_timestamp,
SystemPlatform.culled_timestamp,
fn.COALESCE(Status.id, 0).alias("status_id"),
fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"),
SystemCveData.status_text.alias("status_text"),
fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.COALESCE(SystemCveData.status_text,
CveAccountData.status_text).alias("status_text"),
Value(None).alias("rule_hit_details"),
Value(datetime.min).alias("when_mitigated"),
SystemVulnerablePackage.first_reported,
Expand Down Expand Up @@ -312,9 +311,8 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters):
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
(CveMetadata.id == CveAccountData.cve_id)))
.where(CveMetadata.cve == synopsis)
.where(system_is_active(rh_account_id=rh_account_id, edge=None))
.where(SystemVulnerablePackage.rh_account_id == rh_account_id))
Expand All @@ -336,8 +334,10 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter=
SystemPlatform.last_upload,
SystemPlatform.advisor_evaluated.alias("rules_evaluation"),
InsightsRule.name.alias("rule_id"),
fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
SystemCveData.status_text.alias("status_text"),
fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.COALESCE(SystemCveData.status_text,
CveAccountData.status_text).alias("status_text"),
SystemVulnerabilities.first_reported,
SystemVulnerabilities.advisories,
SystemVulnerabilities.mitigation_reason,
Expand All @@ -355,6 +355,8 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter=
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerabilities.rh_account_id == rh_account_id)
Expand All @@ -379,8 +381,10 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters):
SystemPlatform.last_upload,
SystemPlatform.advisor_evaluated.alias("rules_evaluation"),
Value(None).alias("rule_id"),
fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
SystemCveData.status_text.alias("status_text"),
fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.COALESCE(SystemCveData.status_text,
CveAccountData.status_text).alias("status_text"),
SystemVulnerablePackage.first_reported,
Value(None).alias("advisories"),
Value(None).alias("mitigation_reason"),
Expand All @@ -400,6 +404,8 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters):
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerablePackage.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=None)))
Expand Down Expand Up @@ -460,26 +466,24 @@ def _cve_details(cls, synopsis, advisory_available):
cve_details = (CveAccountData.select(BusinessRisk.name.alias("risk"),
CveAccountData.business_risk_id.alias("risk_id"),
CveAccountData.business_risk_text.alias("risk_text"),
Status.name.alias("status"),
CveAccountData.status_id.alias("status_id"),
CveAccountData.status_text.alias("status_text"))
.join(BusinessRisk, on=(CveAccountData.business_risk_id == BusinessRisk.id))
.join(Status, on=(CveAccountData.status_id == Status.id))
.join(CveMetadata, on=(CveAccountData.cve_id == CveMetadata.id))
.where(CveAccountData.rh_account_id == rh_account_id)
.where(CveMetadata.cve == synopsis)).dicts()
if cve_details.count():
retval["business_risk"] = cve_details[0]["risk"]
retval["business_risk_id"] = cve_details[0]["risk_id"]
retval["business_risk_text"] = cve_details[0]["risk_text"]
retval["status"] = cve_details[0]["status"]
retval["status"] = STATUS_CACHE[cve_details[0]["status_id"]]
retval["status_id"] = cve_details[0]["status_id"]
retval["status_text"] = cve_details[0]["status_text"]
else:
retval["business_risk"] = DEFAULT_BUSINESS_RISK
retval["business_risk_id"] = 0
retval["business_risk_text"] = None
retval["status"] = DEFAULT_STATUS
retval["status"] = STATUS_CACHE[0]
retval["status_id"] = 0
retval["status_text"] = None

Expand All @@ -506,35 +510,45 @@ def _cve_details(cls, synopsis, advisory_available):
remediation_filter, return_only_first_subq = get_remediation_filter(advisory_available)

status_detail_fixed = (SystemVulnerabilities
.select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems"))
.select(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0))).alias("systems"))
.join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id))
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerabilities.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=None))
.where(system_is_vulnerable())
.group_by(fn.COALESCE(SystemCveData.status_id, 0))
.group_by(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)))
.dicts())
if remediation_filter:
status_detail_fixed = status_detail_fixed.where(SystemVulnerabilities.remediation_type_id << remediation_filter)
status_detail_fixed = cyndi_join(status_detail_fixed)

status_detail_unfixed = (SystemVulnerablePackage
.select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems"))
.select(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0))).alias("systems"))
.join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id))
.join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id))
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerablePackage.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=None))
.group_by(fn.COALESCE(SystemCveData.status_id, 0))
.group_by(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)))
.dicts())
status_detail_unfixed = cyndi_join(status_detail_unfixed)

Expand Down Expand Up @@ -673,7 +687,7 @@ def _build_attributes(sys, advisories_list=None):
record["display_name"] = sys["display_name"]
record["mitigation_reason"] = sys["mitigation_reason"]
record["status_id"] = sys["status_id"]
record["status_name"] = sys["status_name"]
record["status_name"] = STATUS_CACHE[sys["status_id"]]
record["status_text"] = sys["status_text"]
record["last_evaluation"] = sys["last_evaluation"].isoformat() if sys["last_evaluation"] else ""
record["rules_evaluation"] = sys["rules_evaluation"].isoformat() if sys["rules_evaluation"] else None
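Review bot: `record["status_name"] = STATUS_CACHE[sys["status_id"]]` in `_build_attributes` (and the matching lookup in `_cve_details`) turns an id that is missing from the cache into an exception where the removed `fn.COALESCE(Status.name, DEFAULT_STATUS)` join degraded to a default name; if STATUS_CACHE is filled once at startup, a status row added later or a stale id in SystemCveData would fail the whole listing, so, assuming the cache is a dict keyed by id, `record["status_name"] = STATUS_CACHE.get(sys["status_id"], STATUS_CACHE[0])` would preserve the old fallback. Separately, `status_id` and `status_text` are coalesced independently in `_full_query`, `_unpatched_full_query`, `_id_query`, `_unpatched_id_query` and both status_detail queries, so a SystemCveData row that sets one of the two fields but not the other (if the schema allows that) would show the system-level id next to the account-level text; if the override is meant to be the pair, the text fallback should key on `SystemCveData.status_id` being null rather than on the text itself. Also the nested `fn.COALESCE(SystemCveData.status_id, fn.COALESCE(CveAccountData.status_id, 0))` is repeated in every query in this file and again in `manager/filters.py`; SQL COALESCE is variadic, so one shared helper returning `fn.COALESCE(SystemCveData.status_id, CveAccountData.status_id, 0)` (and its status_text twin) would keep the inheritance rule in a single place and make the filter and the queries unable to drift apart.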
3 changes: 2 additions & 1 deletion manager/filters.py
Expand Up @@ -331,7 +331,8 @@ def _filter_system_cve_by_status(query, args, _kwargs):
object: Modified query with system CVE status filter applied
"""
if "status_id" in args and args["status_id"]:
query = query.where(fn.COALESCE(SystemCveData.status_id, 0) << args["status_id"])
query = query.where(fn.COALESCE(SystemCveData.status_id,
fn.COALESCE(CveAccountData.status_id, 0)) << args["status_id"])
return query


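Review bot: `_filter_system_cve_by_status` now depends on `CveAccountData` already being LEFT JOINed into `query`, but nothing here states that precondition, so a caller passing a query without that join gets a database error instead of a clear message. A line in the docstring such as `query must already join SystemCveData and CveAccountData (LEFT OUTER), as the status fallback reads both` would make the contract explicit; the docstring starts above the hunk. The section's diffstat (2 additions, 1 deletion) shows no import change, so `CveAccountData` is presumably already imported in this module — worth confirming.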
