/[secure-testing]/bin/tracker_service.py

Diff of /bin/tracker_service.py

Parent Directory | Revision Log | View Patch Patch

-revision 2489 by fw,
Thu Oct 20 09:03:51 2005 UTC
+revision 12985 by fw,
Sun Oct 11 12:04:15 2009 UTC
 Line 2
  import sys
  sys.path.insert(0,'../lib/python')
- if len(sys.argv) <> 3:
-     print "usage: python tracker_serivce.py SOCKET-PATH DATABASE-PATH"
-     sys.exit(1)
- socket_name = sys.argv[1]
- db_name = sys.argv[2]
  import bugs
  import re
  import security_db
  from web_support import *
- class TrackerService(WebService):
+ if len(sys.argv) not in (3, 5):
+     print "usage: python tracker_service.py SOCKET-PATH DATABASE-PATH"
+     print "       python tracker_service.py URL HOST PORT DATABASE-PATH"
+     sys.exit(1)
+ if len(sys.argv) == 3:
+     socket_name = sys.argv[1]
+     db_name = sys.argv[2]
+     webservice_base_class = WebService
+ else:
+     server_base_url = sys.argv[1]
+     server_address = sys.argv[2]
+     server_port = int(sys.argv[3])
+     socket_name = (server_base_url, server_address, server_port)
+     db_name = sys.argv[4]
+     webservice_base_class = WebServiceHTTP
+ class BugFilter:
+     default_action_list = [("hide_medium_urgency", "lower urgencies"),
+                            ("hide_non_remote", "local vulnerabilities")]
+     def __init__(self, params, action_list=None):
+         if action_list is None:
+             self.action_list = self.default_action_list
+         else:
+             self.action_list = action_list
+         self.params = {}
+         for (prop, desc) in self.action_list:
+             self.params[prop] = int(params.get(prop, (0,))[0])
+     def actions(self, url):
+         """Returns a HTML snippet which can be used to change the filter."""
+         l = []
+         for (prop, desc) in self.action_list:
+             if self.params[prop]:
+                 a = A(url.updateParamsDict({prop : None}),
+                       'Show ' + desc)
+             else:
+                 a = A(url.updateParamsDict({prop : '1'}),
+                       'Hide ' + desc)
+             l.append(a)
+             l.append(' ')
+         return apply(P, l[:-1])
+     def urgencyFiltered(self, urg):
+         """Returns True if the urgency urg is filtered."""
+         return self.params['hide_medium_urgency'] \
+                and urg not in ("high", "unknown", "")
+     def remoteFiltered(self, remote):
+         """Returns True if the attack range is filtered."""
+         return remote is not None and self.params['hide_non_remote'] \
+                and not remote
+ class BugFilterNoDSA(BugFilter):
+     def __init__(self, params):
+         BugFilter.__init__(self, params, self.default_action_list
+             + [('hide_nodsa', 'non-DSA vulnerabilities')])
+         self.hide_nodsa = int(params.get('hide_nodsa',(0,))[0])
+     def nodsaFiltered(self, nodsa):
+         """Returns True if no DSA will be issued for the bug."""
+         return nodsa and self.params['hide_nodsa']
+ class TrackerService(webservice_base_class):
      head_contents = compose(STYLE(
          """h1 { font-size : 144%; }
  h2 { font-size : 120%; }
-Line 46 
 function onSearch(query) {
+Line 103 
 function onSearch(query) {
  ''')).toHTML()
      def __init__(self, socket_name, db_name):
-         WebService.__init__(self, socket_name)
+         webservice_base_class.__init__(self, socket_name)
          self.db = security_db.DB(db_name)
          self.register('', self.page_home)
          self.register('*', self.page_object)
          self.register('redirect/*', self.page_redirect)
          self.register('source-package/*', self.page_source_package)
          self.register('binary-package/*', self.page_binary_package)
+         self.register('status/release/oldstable',
+                       self.page_status_release_oldstable)
          self.register('status/release/stable', self.page_status_release_stable)
+         self.register('status/release/stable-backports',
+                       self.page_status_release_stable_backports)
+         self.register('status/release/oldstable-backports',
+                       self.page_status_release_oldstable_backports)
          self.register('status/release/testing',
                        self.page_status_release_testing)
          self.register('status/release/unstable',
-Line 64 
 function onSearch(query) {
+Line 127 
 function onSearch(query) {
          self.register('status/itp', self.page_status_itp)
          self.register('data/unknown-packages', self.page_data_unknown_packages)
          self.register('data/missing-epochs', self.page_data_missing_epochs)
+         self.register('data/latently-vulnerable',
+                       self.page_data_latently_vulnerable)
          self.register('data/releases', self.page_data_releases)
          self.register('data/funny-versions', self.page_data_funny_versions)
+         self.register('data/fake-names', self.page_data_fake_names)
+         self.register('debsecan/**', self.page_debsecan)
+         self.register('data/report', self.page_report)
      def page_home(self, path, params, url):
          query = params.get('query', ('',))[0]
-Line 78 
 function onSearch(query) {
+Line 146 
 function onSearch(query) {
          return self.create_page(
              url, 'Security Bug Tracker',
              [P(
-             """This is the experimental issue tracker for Debian's testing
+             """The data in this tracker comes solely from the bug database maintained
- security team.  Keep in mind that this is merely a prototype.
+ by Debian's security team located in the testing-security Subversion """,
- Please report any problems to """,
+             A("http://svn.debian.org/wsvn/secure-testing/data", "repository"),
-             A("mailto:fw@deneb.enyo.de", "Florian Weimer"),
+             """.  The data represented here is derived from: """,
-             """.Note that some of the data presented here is known
+             A("http://www.debian.org/security/#DSAS", "DSAs"),
- to be wrong (see below), but the data for the testing suite
+             """ issued by the Security Team; issues tracked in the """,
- should be fine."""),
+             A("http://cve.mitre.org/cve/", "CVE database"),
-                                  make_menu(
+             """, issues tracked in the """,
+             A("http://nvd.nist.gov/", "National Vulnerability Database"),
+             """ (NVD), maintained by NIST; and security issues
+ discovered in Debian packages as reported in the BTS."""),
+              P("""All external data (including Debian bug reports and official Debian
+ security advisories) must be added to this database before it appears
+ here. Please help us keep this information up-to-date by """,
+                A(url.scriptRelative("data/report"), "reporting"),
+                """ any discrepancies or change of states that you are
+ aware of and/or help us improve the quality of this information by """,
+                A(url.scriptRelative("data/report"), "participating"),
+                "."),
+             make_menu(
              url.scriptRelative,
-             ('status/release/stable',
-              'Vulnerable packages in the stable suite'),
-             ('status/release/testing',
-              'Vulnerable packages in the testing suite'),
              ('status/release/unstable',
               'Vulnerable packages in the unstable suite'),
+             ('status/release/testing',
+              'Vulnerable packages in the testing suite'),
+             ('status/release/stable',
+              'Vulnerable packages in the stable suite'),
+             ('status/release/oldstable',
+              'Vulnerable packages in the old stable suite'),
+             ('status/release/stable-backports',
+              'Vulnerable packages in backports for stable'),
+             ('status/release/oldstable-backports',
+              'Vulnerable packages in backports for oldstable'),
              ('status/dtsa-candidates', "Candidates for DTSAs"),
              ('status/todo', 'TODO items'),
              ('status/itp', 'ITPs with potential security issues'),
              ('data/unknown-packages',
               'Packages names not found in the archive'),
+             ('data/fake-names', 'Tracked issues without a CVE name'),
              ('data/missing-epochs',
               'Package versions which might lack an epoch'),
+             ('data/latently-vulnerable',
+              'Packages which are latently vulnerable in unstable'),
              ('data/funny-versions',
               'Packages with strange version numbers'),
              ('data/releases',
               'Covered Debian releases and architectures (slow)'),
              self.make_search_button(url)),
-              P("""(You can enter CAN/CVE names, Debian bug numbers and package
+              P("""(You can enter CVE names, Debian bug numbers and package
  names in the search forms.)"""),
-              H2("Data sources"),
-              P("""Data in this tracker comes solely from the bug database
- which is maintained by Debian's testing security team in their
- Subversion repository.  All external data (this includes
- Debian bug reports and official Debian security advisories)
- must be added to this database before it appears here, and there
- can be some delay before this happens."""),
-              P("""At the moment, the database only contains information which is
- relevant for tracking the security status of the stable, testing and
- unstable suites.  This means that data for oldstable is likely wrong."""),
-              P('Data marked "NVD" comes from the ',
-                A(url.absolute('http://nvd.nist.gov/'),
-                  'National Vulnerability Database'),
-                ' maintained by NIST.'),
               H2("External interfaces"),
               P("""If you want to automatically open a relevant web page for
  some object, use the """,
-Line 146 
 data source.""")],
+Line 220 
 data source.""")],
          if not obj:
              # Redirect to start page.
              return RedirectResult(url.scriptRelativeFull(""))
-         if 'A' <= obj[0] <= 'Z':
-             # Bug names start with a capital letter.
-             return self.page_bug(url, obj, redirect)
+         # Attempt to decode a bug number.  TEMP-nnn bugs (but not
+         # TEMP-nnn-mmm bugs) are treated as bug references, too.
          bugnumber = 0
+         fake_bug = False
          try:
-             bugnumber = int(obj)
+             if obj[0:5] == 'FAKE-' or obj[0:5] == 'TEMP-':
+                 bugnumber = int(obj[5:])
+                 fake_bug = True
+             else:
+                 bugnumber = int(obj)
          except ValueError:
              pass
          if bugnumber:
              buglist = list(self.db.getBugsFromDebianBug(c, bugnumber))
              if buglist:
-                 return self.page_debian_bug(url, bugnumber, buglist)
+                 return self.page_debian_bug(url, bugnumber, buglist, fake_bug)
              if redirect:
                  return RedirectResult(self.url_debian_bug(url, str(bugnumber)),
                                        permanent=False)
+         if 'A' <= obj[0] <= 'Z':
+             # Bug names start with a capital letter.
+             return self.page_bug(url, obj, redirect)
          if self.db.isSourcePackage(c, obj):
              return RedirectResult(self.url_source_package(url, obj, full=True))
          if  self.db.isBinaryPackage(c, obj):
-Line 172 
 data source.""")],
+Line 253 
 data source.""")],
          return self.page_not_found(url, obj)
      def page_bug(self, url, name, redirect):
+         # FIXME: Normalize CAN-* to CVE-* when redirecting.  Too many
+         # people still use CAN.
+         if redirect and name[0:4] == 'CAN-':
+             name = 'CVE-' + name[4:]
          cursor = self.db.cursor()
          try:
              bug = bugs.BugFromDB(cursor, name)
          except ValueError:
              if redirect:
-                 if name[0:4] in ('CAN-', 'CVE-'):
+                 if name[0:4] == 'CVE-':
                      return RedirectResult(self.url_cve(url, name),
                                            permanent=False)
              return self.page_not_found(url, name)
-Line 191 
 data source.""")],
+Line 277 
 data source.""")],
              yield B("Name"), bug.name
              source = bug.name.split('-')[0]
-             if source in ('CAN', 'CVE'):
+             if source == 'CVE':
                  source_xref = compose(self.make_cve_ref(url, bug.name, 'CVE'),
                                        " (",
                                        self.make_nvd_ref(url, bug.name,
-Line 201 
 data source.""")],
+Line 287 
 data source.""")],
                  source_xref = self.make_dsa_ref(url, bug.name, 'Debian')
              elif source == 'DTSA':
                  source_xref = 'Debian Testing Security Team'
-             elif source == 'FAKE':
+             elif source == 'TEMP':
                  source_xref = (
          'Automatically generated temporary name.  Not for external reference.')
              else:
-Line 210 
 data source.""")],
+Line 296 
 data source.""")],
              if source_xref:
                  yield B("Source"), source_xref
-             if bug.description:
+             nvd = self.db.getNVD(cursor, bug.name)
+             if nvd and nvd.cve_desc:
+                 yield B("Description"), nvd.cve_desc
+             elif bug.description:
                  yield B("Description"), bug.description
              xref = list(self.db.getBugXrefs(cursor, bug.name))
              if xref:
                  yield B("References"), self.make_xref_list(url, xref)
-             nvd = self.db.getNVD(cursor, bug.name)
              if nvd:
-                 if nvd.severity:
-                     yield B("NVD severity"), nvd.severity.lower()
                  nvd_range = nvd.rangeString()
-                 if nvd_range:
+                 if nvd.severity:
-                     yield B("NVD attack range"), nvd_range
+                     nvd_severity = nvd.severity.lower()
+                     if nvd_range:
+                         nvd_severity = "%s (attack range: %s)" \
+                                        % (nvd_severity, nvd_range)
+                     yield B("NVD severity"), nvd_severity
              debian_bugs = bug.getDebianBugs(cursor)
              if debian_bugs:
-Line 234 
 data source.""")],
+Line 325 
 data source.""")],
                  for (release, status, reason) in bug.getStatus(cursor):
                      if status <> 'fixed':
                          reason = self.make_red(reason)
-                     yield B('Status of %s' % release), reason
+                     yield B('Debian/%s' % release), reason
          page.append(make_table(gen_header()))
-Line 344 
 data source.""")],
+Line 435 
 data source.""")],
          return self.create_page(url, bug.name, page)
-     def page_debian_bug(self, url, bugnumber, buglist):
+     def page_debian_bug(self, url, bugnumber, buglist, fake_bug):
+         if fake_bug:
+             new_buglist = []
+             for b in buglist:
+                 (bug_name, urgency, description) = b
+                 if bug_name[0:5] == 'FAKE-' or bug_name[0:5] == 'TEMP-':
+                     new_buglist.append(b)
+             if len(new_buglist) > 0:
+                 # Only replace the bug list if there are still fake
+                 # bug reports.
+                 buglist = new_buglist
          if len(buglist) == 1:
              # Single issue, redirect.
              return RedirectResult(url.scriptRelativeFull(buglist[0][0]))
-Line 355 
 data source.""")],
+Line 457 
 data source.""")],
                      urgency = ""
                  yield self.make_xref(url, name), urgency, description
+         if fake_bug:
+             intro = """The URL you used contained a non-stable name
+ based on a Debian bug number.  This name cannot be mapped to a specific
+ issue. """
+         else:
+             intro = ""
          return self.create_page(
              url, "Information related to Debian bug #%d" % bugnumber,
-             [P("The following issues reference to Debian bug ",
+             [P(intro + "The following issues reference to Debian bug ",
                 self.make_debian_bug(url, bugnumber), ":"),
               make_table(gen(),
                          caption=("Name", "Urgency", "Description"))])
-Line 369 
 data source.""")],
+Line 478 
 data source.""")],
                                     ' matched no results.')],
                                  status=404)
+     def page_report(self, path, params, url):
+         return self.create_page(
+             url, 'Reporting discrepancies in the data',
+             [P("""The data in this tracker is always in flux, as bugs are fixed and new
+ issues disclosed, the data contained herein is updated. We strive to
+ maintain complete and accurate state information, and appreciate any
+ updates in status, information or new issues."""),
+              P("There are three ways that you can report updates to this information:"),
+              make_numbered_list(
+             [P("""IRC: We can be found at """,
+                CODE("irc.oftc.net"),
+                ", ",
+                CODE("#debian-security"),
+     """. If you have information to report, please go ahead and join
+ the channel and tell us.  Please feel free to state the issue,
+ regardless if there is someone who has acknowledged you. Many of us
+ idle on this channel and may not be around when you join, but we read
+ the backlog and will see what you have said. If you require a
+ response, do not forget to let us know how to get a hold of you."""),
+              P("Mailing list: Our mailing list is: ",
+                A("mailto:debian-security-tracker@lists.debian.org",
+                  "debian-security-tracker@lists.debian.org")),
+              P("""Helping out: We welcome people who wish to join us in tracking
+ issues. The process is designed to be easy to learn and participate,
+ please read our """,
+                A("http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0",
+                  "Introduction"),
+                """ to get familiar with how things work.  Join us on
+ our mailing list, and on IRC and request to be added to the Alioth """,
+                A("http://alioth.debian.org/projects/secure-testing/", "project"),
+                """. We are really quite friendly. If you have a
+ question about how things work, don't be afraid to ask, we would like
+ to improve our documentation and procedures, so feedback is welcome.""")])])
      def page_source_package(self, path, params, url):
          pkg = path[0]
-Line 458 
 architecture is currently not tracked.""
+Line 601 
 architecture is currently not tracked.""
                      replacement="""No known issues which do not affect
  this package, but still reference it.""")])
-     def page_status_release_stable(self, path, params, url):
+     def page_status_release_stable_oldstable(self, release, params, url):
+         assert release in ('stable', 'oldstable')
+         bf = BugFilterNoDSA(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, archive, urgency, remote) in \
+             for (pkg_name, bug_name, archive, urgency, remote, no_dsa) in \
                      self.db.cursor().execute(
-                 """SELECT package, bug, section, urgency, remote
+                 """SELECT package, bug, section, urgency, remote, no_dsa
-                 FROM stable_status"""):
+                 FROM %s_status""" % release):
+                 if bf.urgencyFiltered(urgency):
+                     continue
+                 if bf.remoteFiltered(remote):
+                     continue
+                 if bf.nodsaFiltered(no_dsa):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
                  else:
-Line 480 
 this package, but still reference it."""
+Line 634 
 this package, but still reference it."""
                      remote = 'no'
                  if urgency == 'unknown':
-                     urgency = ''
+                     if no_dsa:
+                         urgency = 'no DSA'
+                     else:
+                         urgency = ''
                  elif urgency == 'high':
                      urgency = self.make_red(urgency)
+                 else:
+                     if no_dsa:
+                         urgency = urgency + '*'
                  yield pkg_name, self.make_xref(url, bug_name), urgency, remote
          return self.create_page(
-             url, 'Vulnerable source packages in the stable suite',
+             url, 'Vulnerable source packages in the %s suite' % release,
-             [make_table(gen(), caption=("Package", "Bug", "Urgency",
+             [bf.actions(url),
-                                         "Remote"))])
+              make_table(gen(), caption=("Package", "Bug", "Urgency",
+                                         "Remote")),
+              P('''(If a "*" is included in the urgency field, no DSA is planned
+ for this vulnerability.)''')])
+     def page_status_release_stable(self, path, params, url):
+         return self.page_status_release_stable_oldstable('stable', params, url)
+     def page_status_release_oldstable(self, path, params, url):
+         return self.page_status_release_stable_oldstable('oldstable',
+                                                          params, url)
      def page_status_release_testing(self, path, params, url):
+         bf = BugFilterNoDSA(params)
          def gen():
              old_pkg_name = ''
              for (pkg_name, bug_name, archive, urgency,
-                  sid_vulnerable, ts_fixed, remote) in self.db.cursor().execute(
+                  sid_vulnerable, ts_fixed, remote, no_dsa) \
+                  in self.db.cursor().execute(
                  """SELECT package, bug, section, urgency, unstable_vulnerable,
-                 testing_security_fixed, remote
+                 testing_security_fixed, remote, no_dsa
                  FROM testing_status"""):
+                 if bf.urgencyFiltered(urgency):
+                     continue
+                 if bf.remoteFiltered(remote):
+                     continue
+                 if bf.nodsaFiltered(no_dsa):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
                  else:
-Line 531 
 this package, but still reference it."""
+Line 710 
 this package, but still reference it."""
              url, 'Vulnerable source packages in the testing suite',
              [make_menu(url.scriptRelative,
                         ("status/dtsa-candidates", "Candidates for DTSAs")),
+              bf.actions(url),
               make_table(gen(), caption=("Package", "Bug", "Urgency",
                                          "Remote"))])
-     def page_status_release_unstable(self, path, params, url):
+     def page_status_release_unstable_like(self, path, params, url,
+                                           rel, title):
+         bf = BugFilter(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, section, urgency) \
+             for (pkg_name, bug_name, section, urgency, remote) \
                      in self.db.cursor().execute(
                  """SELECT DISTINCT sp.name, st.bug_name,
-                 sp.archive, st.urgency
+                 sp.archive, st.urgency,
+                 (SELECT range_remote FROM nvd_data
+                  WHERE cve_name = st.bug_name)
                  FROM source_package_status AS st, source_packages AS sp
                  WHERE st.vulnerable AND st.urgency <> 'unimportant'
-                 AND sp.rowid = st.package AND sp.release = 'sid'
+                 AND sp.rowid = st.package AND sp.release = ?
                  AND sp.subrelease = ''
-                 ORDER BY sp.name, st.bug_name"""):
+                 ORDER BY sp.name, st.bug_name""", (rel,)):
+                 if bf.urgencyFiltered(urgency):
+                     continue
+                 if bf.remoteFiltered(remote):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
                  else:
-Line 555 
 this package, but still reference it."""
+Line 745 
 this package, but still reference it."""
                      else:
                          pkg_name = self.make_xref(url, pkg_name)
+                 if remote is None:
+                     remote = ''
+                 elif remote:
+                     remote = 'yes'
+                 else:
+                     remote = 'no'
                  if urgency == 'unknown':
                      urgency = ''
                  elif urgency == 'high':
                      urgency = self.make_red(urgency)
-                 yield pkg_name, self.make_xref(url, bug_name), urgency
+                 yield pkg_name, self.make_xref(url, bug_name), urgency, remote
          return self.create_page(
-             url, 'Vulnerable source packages in the testing suite',
+             url, title,
              [P("""Note that the list below is based on source packages.
              This means that packages are not listed here once a new,
              fixed source version has been uploaded to the archive, even
              if there are still some vulnerably binary packages present
              in the archive."""),
-              make_table(gen(), caption=('Package', 'Bug', 'Urgency'))])
+              bf.actions(url),
+              make_table(gen(), caption=('Package', 'Bug', 'Urgency',
+                                         'Remote'))])
+     def page_status_release_unstable(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages in the unstable suite',
+             rel='sid')
+     def page_status_release_stable_backports(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages among backports for stable',
+             rel='lenny-backports')
+     def page_status_release_oldstable_backports(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages among backports for oldstable',
+             rel='etch-backports')
      def page_status_dtsa_candidates(self, path, params, url):
+         bf = BugFilter(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, archive, urgency, stable_later) \
+             for (pkg_name, bug_name, archive, urgency, stable_later,
+                  remote) \
                      in self.db.cursor().execute(
                  """SELECT package, bug, section, urgency,
                  (SELECT testing.version_id < stable.version_id
                   FROM source_packages AS testing, source_packages AS stable
                   WHERE testing.name = testing_status.package
-                  AND testing.release = 'etch'
+                  AND testing.release = 'squeeze'
                   AND testing.subrelease = ''
                   AND testing.archive = testing_status.section
                   AND stable.name = testing_status.package
-                  AND stable.release = 'sarge'
+                  AND stable.release = 'lenny'
                   AND stable.subrelease = 'security'
-                  AND stable.archive = testing_status.section)
+                  AND stable.archive = testing_status.section),
+                 (SELECT range_remote FROM nvd_data
+                  WHERE cve_name = bug)
                  FROM testing_status
                  WHERE (NOT unstable_vulnerable)
                  AND (NOT testing_security_fixed)"""):
+                 if bf.urgencyFiltered(urgency):
+                     continue
+                 if bf.remoteFiltered(remote):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
                      migration = ''
-Line 603 
 this package, but still reference it."""
+Line 828 
 this package, but still reference it."""
                      else:
                          pkg_name = self.make_source_package_ref(url, pkg_name)
+                 if remote is None:
+                     remote = ''
+                 elif remote:
+                     remote = 'yes'
+                 else:
+                     remote = 'no'
                  if urgency == 'unknown':
                      urgency = ''
                  elif urgency == 'high':
-Line 614 
 this package, but still reference it."""
+Line 846 
 this package, but still reference it."""
                      notes = ''
                  yield (pkg_name, migration, self.make_xref(url, bug_name),
-                        urgency, notes)
+                        urgency, remote, notes)
          return self.create_page(
              url, "Candidates for DTSAs",
              [P("""The table below lists packages which are fixed
  in unstable, but unfixed in testing.  Use the testing migration
- return web_supporttracker to find out why they have not entered
+ checker to find out why they have not entered testing yet."""),
- return web_supporttesting yet."""),
               make_menu(url.scriptRelative,
                         ("status/release/testing",
                          "List of vulnerable packages in testing")),
+              bf.actions(url),
               make_table(gen(),
-                         caption=("Package", "Migration", "Bug", "Urgency"))])
+                         caption=("Package", "Migration", "Bug", "Urgency",
+                                  "Remote"))])
      def page_status_todo(self, path, params, url):
+         hide_check = params.get('hide_check', False)
+         if hide_check:
+             flags = A(url.updateParamsDict({'hide_check' : None}),
+                       'Show "check" TODOs')
+         else:
+             flags = A(url.updateParamsDict({'hide_check' : '1'}),
+                   'Hide "check" TODOs')
          def gen():
-             for (bug, description) in self.db.getTODOs():
+             for (bug, description) in self.db.getTODOs(hide_check=hide_check):
                  yield self.make_xref(url, bug), description
          return self.create_page(
              url, "Bugs with TODO items",
-             [make_table(gen(),
+             [P(flags),
+              make_table(gen(),
                          caption=("Bug", "Description"))])
      def page_status_itp(self, path, params, url):
-Line 660 
 return web_supporttesting yet."""),
+Line 902 
 return web_supporttesting yet."""),
              url, "Unknown packages",
              [P("""Sometimes, a package referenced in a bug report
  cannot be found in the database.  This can be the result of a spelling
- return web_supporterror, or a historic entry refers to a
+ error, or a historic entry refers to a
- return web_supportpackage which is no longer in the archive."""),
+ package which is no longer in the archive."""),
               make_table(gen(), caption=("Package", "Bugs"),
          replacement="No unknown packages are referenced in the database.")])
-Line 699 
 return web_supportpackage which is no lo
+Line 941 
 return web_supportpackage which is no lo
                  caption=("Bug", "Package", "Version 1", "Version 2"),
                  replacement="No source package version with missing epochs.")])
+     def page_data_latently_vulnerable(self, path, params, url):
+         def gen():
+             for pkg, bugs in self.db.cursor().execute(
+                 """SELECT package, string_set(bug_name)
+                 FROM package_notes AS p1
+                 WHERE release <> ''
+                 AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
+                 AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND release = '')
+                 AND EXISTS (SELECT 1 FROM source_packages
+                            WHERE name = p1.package AND release = 'sid')
+                 GROUP BY package
+                 ORDER BY package"""):
+                 pkg = self.make_source_package_ref(url, pkg)
+                 bugs = bugs.split(',')
+                 yield pkg, self.make_xref_list(url, bugs)
+         def gen_unimportant():
+             for pkg, bugs in self.db.cursor().execute(
+                 """SELECT package, string_set(bug_name)
+                 FROM package_notes AS p1
+                 WHERE release <> ''
+                 AND urgency <> 'unimportant'
+                 AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
+                 AND EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND release = '')
+                 AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND urgency <> 'unimportant'
+                                 AND release = '')
+                 AND EXISTS (SELECT 1 FROM source_packages
+                            WHERE name = p1.package AND release = 'sid')
+                 GROUP BY package
+                 ORDER BY package"""):
+                 pkg = self.make_source_package_ref(url, pkg)
+                 bugs = bugs.split(',')
+                 yield pkg, self.make_xref_list(url, bugs)
+         return self.create_page(
+             url, "Latently vulnerable packages in unstable",
+             [P(
+ """A package is latently vulnerable in unstable if it is vulnerable in
+ any release, and there is no package note for the same vulnerability
+ and package in unstable (and the package is still available in
+ unstable, of course)."""),
+              make_table(gen(),
+                 caption=("Package", "Bugs"),
+                 replacement="No latently vulnerable packages were found."),
+              P(
+ """The next table lists issues which are marked unimportant for
+ unstable, but for which release-specific annotations exist which are
+ not unimportant."""),
+              make_table(gen_unimportant(),
+                 caption=("Package", "Bugs"),
+                 replacement=
+     "No packages with unimportant latent vulnerabilities were found."),
+             ])
      def page_data_releases(self, path, params, url):
          def gen():
              for (rel, subrel, archive, sources, archs) \
-Line 743 
 but it makes version-based bug tracking
+Line 1048 
 but it makes version-based bug tracking
               long as none of the binary packages carries the same name as the
               source package, most confusion is avoided or can be easily
               explained.""")])
+     def page_data_fake_names(self, path, params, url):
+         def gen():
+             for (bug, description) in self.db.getFakeBugs():
+                 yield self.make_xref(url, bug), description
+         return self.create_page(
+             url, "Automatically generated issue names",
+             [P("""Some issues have not been assigned CVE names, but are still
+ tracked by this database.  In this case, the system automatically assigns
+ a unique name.  These names are not stable and can change when the database
+ is updated, so they should not be used in external references."""),
+              P('''The automatically generated names come in two flavors:
+ the first kind starts with the string "''', CODE("TEMP-000000-"),
+                '''".  This means that no Debian bug has been assigned to this
+ issue (or a bug has been created and is not recorded in this database).
+ In the second kind of names, there is a Debian bug for the issue, and the "''',
+                CODE("000000"), '''"part of the name is replaced with the
+ Debian bug number.'''),
+              make_table(gen(),
+                         caption=("Bug", "Description"))])
+     def page_debsecan(self, path, params, url):
+         obj = '/'.join(path)
+         data = self.db.getDebsecan(obj)
+         if data:
+             return BinaryResult(data)
+         else:
+             return self.create_page(
+                 url, "Object not found",
+                 [P("The requested debsecan object has not been found.")],
+                 status=404)
      def create_page(self, url, title, body, search_in_page=False, status=200):
          append = body.append
-Line 774 
 but it makes version-based bug tracking
+Line 1109 
 but it makes version-based bug tracking
                            onkeyup="onSearch(this.value)",
                            onmousemove="onSearch(this.value)"),
                      INPUT(type='submit', value='Go'),
+                     ' ',
+                     A(url.scriptRelative("data/report"), "Reporting problems"),
                      method='get',
                      action=url.scriptRelative(''))
-Line 781 
 but it makes version-based bug tracking
+Line 1118 
 but it makes version-based bug tracking
          return url.absolute("http://cve.mitre.org/cgi-bin/cvename.cgi",
                              name=name)
      def url_nvd(self, url, name):
-         return url.absolute("http://nvd.nist.gov/nvd.cfm",
+         return url.absolute("http://web.nvd.nist.gov/view/vuln/detail",
-                             cvename=name)
+                             vulnId=name)
      def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')):
          match = re_dsa.match(dsa)
-Line 806 
 but it makes version-based bug tracking
+Line 1143 
 but it makes version-based bug tracking
          return url.absolute("http://packages.qa.debian.org/common/index.html",
                              src=package)
      def url_testing_status(self, url, package):
-         return url.absolute("http://bjorn.haxx.se/debian/testing.pl",
+         return url.absolute("http://release.debian.org/migration/testing.pl",
                              package=package)
      def url_source_package(self, url, package, full=False):
          if full:

 Legend:



Removed from v.2489
 


changed lines


 
Added in v.12985
 Legend:



Removed from v.2489
 


changed lines


 
Added in v.12985
-Removed from v.2489
+Added in v.12985

	ViewVC Help
Powered by ViewVC 1.1.5