ubuntu-bugcontrol team mailing list archive
Message #04802
[Merge] ~iconstantin/ubuntu-qa-tools:add-embargo-check into ubuntu-qa-tools:master
Ian Constantin has proposed merging ~iconstantin/ubuntu-qa-tools:add-embargo-check into ubuntu-qa-tools:master.
Commit message:
Adds a check during the unembargo step of publishing that warns on packages that have embargoed CVEs
Requested reviews:
Marc Deslauriers (mdeslaur)
For more details, see:
https://code.launchpad.net/~iconstantin/ubuntu-qa-tools/+git/ubuntu-qa-tools/+merge/484496
UQT/security-tools/unembargo does not currently have a check that will catch if we attempt to unembargo a package with CVEs that are still in the embargo tree. At this point unembargo does not directly have knowledge of the CVEs that are being addressed in a package update, so we are taking a best-effort / safety-first approach to warn the user when they are unembargoing a package that has at least 1 CVE in the embargo tree.
If the user is indeed publishing an update for one of those CVEs, they can move them from embargo -> active, at which point the warning will disappear on their next run of unembargo. If the update does not include any of the embargoed CVEs, the user will have to use --force to continue. This adds more overhead but provides an extra layer of protection to ensure that we are handling embargoed CVEs correctly.
diff --git a/security-tools/unembargo b/security-tools/unembargo
index e1f0b63..e2d8536 100755
--- a/security-tools/unembargo
+++ b/security-tools/unembargo
@@ -170,6 +170,56 @@ def pending_milestone(ubuntu, release):
return milestone
+def embargo_check():
+ ''' Warns on packages that have CVEs under embargo as a safety measure '''
+
+ potential_embargo = False
+
+ # Grab open and embargoed CVEs from UCT
+
+ # We are using get_cve_list() rather than get_embargoed_cve_list() as the former provides
+ # a warning for cves duplicated in active and embargoed which is appropriate here
+ open_cves, embargoed_cves = cve_lib.get_cve_list()
+
+ # Get detailed cveinfo for embargoed_cves
+ _, _, _, _, embargoed_cveinfo = cve_lib.load_table(embargoed_cves, embargoed_cves)
+
+ # Extract source pkg_names for all of the embargoed_cves -> {pkg_name:[cve, ...], ...}
+ embargoed_pkgs = {}
+
+ for cve in embargoed_cveinfo:
+ pkg_names = embargoed_cveinfo[cve]["pkgs"].keys()
+
+ # If this is a kernel CVE, we will be skipping it as we are excluding the kernel from this check
+ if "linux" in pkg_names:
+ continue
+
+ for pkg_name in pkg_names:
+ if pkg_name not in embargoed_pkgs:
+ embargoed_pkgs[pkg_name] = [cve]
+ else:
+ embargoed_pkgs[pkg_name].append(cve)
+
+ # Check if any of the pkgs that we are publishing have CVEs in embargo (these will require --force to continue publishing, if appropriate)
+ for pkg_name in args:
+ if pkg_name in embargoed_pkgs:
+ potential_embargo = True
+
+ print(f"\nWARNING: {pkg_name} currently has the following embargoed CVEs:", ", ".join(embargoed_pkgs[pkg_name]), sep = "")
+ print(f"\n\tIf you are publishing any of the embargoed CVEs for {pkg_name}, please first move them from embargo to active.")
+
+ return potential_embargo
+
+# As a safety measure, check if any of the packages being published have CVEs under embargo
+potential_embargo = embargo_check()
+
+if potential_embargo:
+ if not opt.force:
+ print("\nIf you have verified that you are not publishing any embargoed CVEs, override this check with --force.", end = "\n\n")
+ sys.exit(1)
+ else:
+ print("\nNOTE: Proceeding to publish packages that have CVEs in embargo (please ensure you have checked that no embargoed CVEs are being published)", end = "\n\n")
+
# don't release security updates on Fridays
if (opt.pocket == SECURITY_POCKET or opt.esm or opt.esm_apps or opt.esm_infra or opt.esm_infra_legacy) and \
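Review bot: The kernel exclusion at `if "linux" in pkg_names: continue` skips the whole CVE rather than the kernel entry, so a CVE whose `pkgs` lists both `linux` and a non-kernel source package never reaches `embargoed_pkgs`, and that other package can then be unembargoed with no warning; the skip belongs inside the `for pkg_name in pkg_names:` loop as a per-package test (`if pkg_name == "linux": continue`), and if the intent stated in the comment is to exclude the kernel as a whole, note that the exact-match test still subjects kernel sources whose name is not exactly `linux` to the check. Two smaller points: with `sep = ""` the first `print` glues the joined CVE list straight onto the `CVEs:` colon, so drop `sep` or end the f-string with a space; and `embargo_check()` reads the module-level `args` implicitly, so consider passing the package list in as a parameter to make the function testable in isolation.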
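The check the merge description asks for (warn when a package about to be published still has CVEs in the embargo tree), as a stand-alone added illustration that is not the unembargo script's or UCT's own code: it builds the package-to-CVE map with the kernel exclusion applied per package so that a CVE shared between the kernel and a userspace package still flags the userspace package. The `{cve: {"pkgs": {source_pkg: ...}}}` shape mirrors what the patch reads from `cve_lib.load_table()`; the CVE ids and package entries below are constructed sample data, and treating `linux-*` sources as kernel is an assumption.

```python
from typing import Dict, Iterable, List

KERNEL_SOURCE = "linux"  # assumption: kernel sources are "linux" or "linux-<variant>"


def is_kernel_source(pkg_name: str) -> bool:
    """Kernel source packages are excluded from the embargo check."""
    return pkg_name == KERNEL_SOURCE or pkg_name.startswith(KERNEL_SOURCE + "-")


def build_embargoed_pkgs(cveinfo: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each non-kernel source package to the embargoed CVEs that list it."""
    embargoed_pkgs: Dict[str, List[str]] = {}
    for cve, info in cveinfo.items():
        for pkg_name in info["pkgs"]:
            if is_kernel_source(pkg_name):
                continue  # skip only this package entry, never the whole CVE
            embargoed_pkgs.setdefault(pkg_name, []).append(cve)
    return embargoed_pkgs


def embargo_check(publishing: Iterable[str],
                  embargoed_pkgs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {pkg: [cves]} for the packages being published that still have embargoed CVEs."""
    return {pkg: embargoed_pkgs[pkg] for pkg in publishing if pkg in embargoed_pkgs}


# Constructed sample data: a kernel-only CVE, a CVE shared by the kernel and a
# userspace package, and a userspace-only CVE. The ids are placeholders.
SAMPLE_CVEINFO = {
    "CVE-2025-0001": {"pkgs": {"linux": {}, "linux-hwe-6.8": {}}},
    "CVE-2025-0002": {"pkgs": {"linux": {}, "qemu": {}}},
    "CVE-2025-0003": {"pkgs": {"openssl": {}}},
}

if __name__ == "__main__":
    hits = embargo_check(["qemu", "openssl", "curl"], build_embargoed_pkgs(SAMPLE_CVEINFO))
    for pkg, cves in hits.items():
        print(f"WARNING: {pkg} currently has the following embargoed CVEs: {', '.join(cves)}")
    # With a per-CVE skip, qemu would have been silently dropped here.
```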