| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Merge branch 'beuc/security-tracker-natsort' | Salvatore Bonaccorso | 2021-02-27 | 1 | -1/+8 |
| tracker_service: display CVE entries using natural sort order. See merge request security-tracker-team/security-tracker!76 | | | | |
| tracker_service: display CVE entries using natural sort order [#76] | Sylvain Beucler | 2021-02-12 | 1 | -1/+8 |
| To avoid annoying confusions with the default incorrect sort due to e.g. CVE-2021-3392 considered higher than CVE-2021-20203. Approach: (1) use 'COLLATE natorder' [1]; however, we'd have to leave the bug unfixed for a few years, until this feature is merged and packaged in stable sqlite3. (2) sort at the Python level; AFAICS this breaks the current code global logic that delegates the sort to the database, so we'd need to revamp the Python code or introduce ad-hoc logic. (3) use a size-bounded sort at the SQL level (current patch) using a reasonable max size (10 digits / 32-bits), until 1) is available (variable-length is feasible but impacts readability and performance). [1] https://sqlite.org/forum/forumpost/e4dc6f3331 | | | | |
| Fix CVE10k problem for CVE with more than 4 numbers | Carles Pina i Estany | 2021-02-15 | 2 | -1/+78 |
| It had no consequences in security-tracker: the next-oldstable-point-update.txt file is empty and the next-point-update.txt CVEs are not used yet for what I can see via this code path. | | | | |
| sectracker.parsers: rename version to kind in package_pseudo | Emilio Pozuelo Monfort | 2020-12-04 | 1 | -6/+6 |
| The version is tracked in package_version; here we have a `<tag>` assigned to the kind variable of the PackageAnnotation, so let's call it kind to make it less confusing. | | | | |
| sectracker.parsers: fix innerdispatch callback | Emilio Pozuelo Monfort | 2020-12-04 | 1 | -1/+1 |
| The signature no longer includes a bugs list. | | | | |
| sectracker.parsers: there's no 'bug filed' urgency | Emilio Pozuelo Monfort | 2020-12-04 | 1 | -2/+1 |
| That may have been used once upon a time, but it's not used anymore. | | | | |
| sectracker.parsers: use `_sortedtuple` | Emilio Pozuelo Monfort | 2020-12-04 | 1 | -3/+1 |
| sectracker.parsers: unconditionally import intern | Emilio Pozuelo Monfort | 2020-12-04 | 1 | -5/+1 |
| We no longer support Python 2. | | | | |
| sectracker.parsers: add function to write the file back | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -0/+60 |
| This change and the previous ones are based on work by Brian with additional fixes and adaptations by me. | | | | |
| sectracker.parsers: be explicit when building PackageAnnotations | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -6/+27 |
| In some cases we are intentionally passing versions as kinds or kinds as versions, and making it explicit makes it less confusing. | | | | |
| sectracker.parsers: include TEMP issues in the CVE regex | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -1/+1 |
| In order to support extended CVE files. | | | | |
| sectracker.parsers: do not uniquify CVE names | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -14/+1 |
| We need the original name (basically the year) in order to write it back later. Besides, the function was taking the line number rather than a hash of the description, so it was buggy anyway. If something needs the unique name at some point, we can add it in an additional field. | | | | |
| sectracker.parsers: don't sort the xrefs | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -1/+1 |
| Take them as they come, as our sorting is different than the one in the file. | | | | |
| sectracker.parsers: don't wrap and deref the arguments | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -4/+4 |
| We are no longer concatenating tuples. | | | | |
| sectracker.parsers: better parse annotations | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -35/+27 |
| sectracker.parsers: keep the parentheses in the description | Emilio Pozuelo Monfort | 2020-12-02 | 1 | -4/+0 |
| We need them in order to write the file back. | | | | |
| Remove checks for apt_pkg.version_compare | Emilio Pozuelo Monfort | 2020-11-10 | 2 | -17/+7 |
| The rename happened too long ago, and VersionCompare is long gone. We assume it exists in security_db anyway. | | | | |
| sectracker: remove future imports | Emilio Pozuelo Monfort | 2020-11-10 | 5 | -8/+0 |
| sectracker/repo.py: compare data to a bytes object | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -1/+1 |
| Otherwise we'll run into an endless loop under Python 3. | | | | |
| sectracker/repo.py: fix calls to urllib under python3 | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -3/+3 |
| sectracker/repo.py: don't look for sha1 fields | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -1/+0 |
| Release files no longer contain them. | | | | |
| sectracker_test/run.py: run tests under python3 | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -1/+1 |
| test_xpickle.py: encode data before writing | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -2/+2 |
| The tempfile is opened in binary mode. | | | | |
| test_regexpcase.py: use assertEqual, assertEquals is deprecated | Emilio Pozuelo Monfort | 2020-11-10 | 1 | -1/+1 |
| bugs.py: add some checks for package notes | Emilio Pozuelo Monfort | 2020-11-05 | 1 | -10/+48 |
| config.py: raise an error on invalid distributions | Emilio Pozuelo Monfort | 2020-10-06 | 1 | -1/+1 |
| Reenable the backport releases | Emilio Pozuelo Monfort | 2020-09-30 | 1 | -4/+1 |
| debian_support: updateFile: support .xz files | Emilio Pozuelo Monfort | 2020-09-30 | 1 | -21/+31 |
| https://bugs.debian.org/931533 | | | | |
| secmaster.py: move to bin/ | Emilio Pozuelo Monfort | 2020-08-13 | 1 | -59/+0 |
| web_support: fix memory leak with Python 3 | Emilio Pozuelo Monfort | 2020-08-11 | 1 | -1/+1 |
| ThreadingMixIn keeps a list of all non-daemon threads since Python 3.7, which prevents all the resources from being freed. Daemonize them so that we don't keep their resources forever, eventually causing OOM. | | | | |
| security_db: don't encode debsecan data | Emilio Pozuelo Monfort | 2020-08-06 | 1 | -1/+1 |
| It's already a bytes object. | | | | |
| security_db: remove leftover print statement | Emilio Pozuelo Monfort | 2020-08-06 | 1 | -1/+0 |
| web_support: make_list requires a list argument | Emilio Pozuelo Monfort | 2020-08-06 | 1 | -1/+1 |
| test_parsers.py: compare using isinstance | Emilio Pozuelo Monfort | 2020-08-06 | 1 | -1/+1 |
| sectracker.parsers: fix intern under py3 | Emilio Pozuelo Monfort | 2020-08-05 | 1 | -0/+5 |
| sectracker.repo: use standard json module | Emilio Pozuelo Monfort | 2020-08-05 | 1 | -2/+2 |
| sectracker.xpickle: open file in binary mode | Emilio Pozuelo Monfort | 2020-08-05 | 1 | -1/+1 |
| security_db: don't use cmp to compare versions | Emilio Pozuelo Monfort | 2020-08-05 | 1 | -4/+2 |
| sectracker.diagnostics: use isstring for py3 compatibility | Emilio Pozuelo Monfort | 2020-08-05 | 1 | -1/+3 |
| Revert "secmaster.py: update security-master hostname" | Emilio Pozuelo Monfort | 2020-08-04 | 1 | -1/+1 |
| This reverts commit 0b98406d0c7c6adddf23b22609a881ea3d39ebec. | | | | |
| secmaster.py: update security-master hostname | Emilio Pozuelo Monfort | 2020-08-04 | 1 | -1/+1 |
| security_db: add missing import | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -0/+2 |
| debian_support: remove `PseudoEnum.__cmp__` | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -2/+0 |
| It uses cmp, which is no longer available in python3. But that's fine, as we are now comparing using pure key functions. So let's remove the cmp helper rather than reintroducing cmp(). | | | | |
| Add comparison functions required for Python3 | Brian May | 2020-07-29 | 1 | -0/+25 |
| bugs.py: sort using Release's sort | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -1/+1 |
| String sort doesn't work here, as buster < jessie < stretch. However, Release's sort will dtrt. | | | | |
| bugs.py: make PackageNoteNoDSA.release a Release object | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -1/+4 |
| Like in the other PackageNote objects. | | | | |
| bugs.py: sort using a lambda key function | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -9/+2 |
| debian_support: decode lines when necessary | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -3/+11 |
| We sometimes get passed lines as bytes, which we need to decode under python3. We should probably add an argument to PackageFile's constructor for when we get a fileObj argument, but let's do that when we no longer have to worry about py2 and py3 compatibility. | | | | |
| security_db: encode data before passing it to base64 | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -3/+3 |
| In python3, base64 takes bytes. | | | | |
| security_db: use pickle's dumps and loads | Emilio Pozuelo Monfort | 2020-07-29 | 1 | -5/+3 |
| Rather than using StringIO in py2 and BytesIO in py3 and porting away from buffer, which is also gone in py3, let's just use dumps and loads and let the pickle library handle the memory representation for us. | | | | |