/[secure-testing]/bin/tracker_service.py

Diff of /bin/tracker_service.py

Parent Directory | Revision Log | View Patch Patch

-revision 3014 by fw,
Mon Dec 12 15:28:39 2005 UTC
+revision 14909 by geissert,
Sun Jun 27 04:03:20 2010 UTC
 Line 2
  import sys
  sys.path.insert(0,'../lib/python')
- if len(sys.argv) <> 3:
-     print "usage: python tracker_serivce.py SOCKET-PATH DATABASE-PATH"
-     sys.exit(1)
- socket_name = sys.argv[1]
- db_name = sys.argv[2]
  import bugs
  import re
  import security_db
  from web_support import *
+ if len(sys.argv) not in (3, 5):
+     print "usage: python tracker_service.py SOCKET-PATH DATABASE-PATH"
+     print "       python tracker_service.py URL HOST PORT DATABASE-PATH"
+     sys.exit(1)
+ if len(sys.argv) == 3:
+     socket_name = sys.argv[1]
+     db_name = sys.argv[2]
+     webservice_base_class = WebService
+ else:
+     server_base_url = sys.argv[1]
+     server_address = sys.argv[2]
+     server_port = int(sys.argv[3])
+     socket_name = (server_base_url, server_address, server_port)
+     db_name = sys.argv[4]
+     webservice_base_class = WebServiceHTTP
  class BugFilter:
-     def __init__(self, params):
+     default_action_list = [('show_high_urgency', 'only high urgencies'),
-         self.hide_medium_urgency = int(params.get('hide_medium_urgency',
+                            ('show_medium_urgency', 'only medium and high urgencies'),
-                                                   (0,))[0])
+                            ('show_undetermined_urgency', 'issues that may be vulnerable but need to be checked (shown in purple)'),
-         self.hide_non_remote = int(params.get('hide_non_remote',
+                            ('show_unimportant_urgency', 'unimportant issues'),
-                                               (0,))[0])
+                            ('show_remote_only', 'only remote vulnerabilities')]
+     def __init__(self, params, action_list=None):
+         if action_list is None:
+             self.action_list = self.default_action_list
+         else:
+             self.action_list = action_list
+         self.params = {}
+         for (prop, desc) in self.action_list:
+             self.params[prop] = int(params.get(prop, (0,))[0])
      def actions(self, url):
          """Returns a HTML snippet which can be used to change the filter."""
-         if self.hide_medium_urgency:
-             urg = A(url.updateParams(hide_medium_urgency=None),
+         l = []
-                     'Show lower urgencies')
+         for (prop, desc) in self.action_list:
-         else:
+             if self.params[prop]:
-             urg = A(url.updateParams(hide_medium_urgency='1'),
+                 if self.params['show_medium_urgency'] and prop == 'show_medium_urgency':
-                     'Hide lower urgencies')
+                     note = 'Restore lower than medium urgencies'
-         if self.hide_non_remote:
+                 elif self.params['show_high_urgency'] and prop == 'show_high_urgency':
-             rem = A(url.updateParams(hide_non_remote=None),
+                     note = 'Restore lower than high urgencies'
-                     'Show local vulnerabilities')
+                 elif self.params['show_remote_only'] and prop == 'show_remote_only':
-         else:
+                     note = 'Restore local vulnerabilities'
-             rem = A(url.updateParams(hide_non_remote='1'),
+                 else:
-                     'Hide local vulnerabilities')
+                     note = 'Hide ' + desc
-         return P(urg, ' ', rem)
+                 l.append(TR(TD(A(url.updateParamsDict({prop : None}), note))))
+             else:
-     def urgencyFiltered(self, urg):
+                 note = 'Show ' + desc
-         """Returns True if the urgency urg is filtered."""
+                 l.append(TR(TD(A(url.updateParamsDict({prop : '1'}), note))))
-         return self.hide_medium_urgency and urg not in ("high", "unknown", "")
+         return TABLE(l)
+     def urgencyFiltered(self, urg, vuln):
+         """Returns True for urgencies that should be filtered."""
+         filterlow = self.params['show_medium_urgency'] and \
+                     urg in ('low', 'low**', 'unimportant',
+                     'undetermined', 'not yet assigned')
+         filtermed = self.params['show_high_urgency'] and \
+                     urg in ('medium', 'medium**', 'low', 'low**',
+                     'unimportant', 'undetermined', 'not yet assigned')
+         filterund = not self.params['show_undetermined_urgency'] and vuln == 2
+         filteruni = not self.params['show_unimportant_urgency'] \
+                     and urg == 'unimportant'
+         return filterlow or filtermed or filterund or filteruni
      def remoteFiltered(self, remote):
-         """Returns True if the attack range is filtered."""
+         """Returns True for only remote flaws if filtered."""
-         return remote is not None and self.hide_non_remote and not remote
+         return self.params['show_remote_only'] and not remote and not remote is None
+ class BugFilterNoDSA(BugFilter):
+     def __init__(self, params):
+         BugFilter.__init__(self, params, self.default_action_list
+             + [('show_nodsa', 'issues that are not severe enough to warrant a DSA')])
- class TrackerService(WebService):
+     def nodsaFiltered(self, nodsa):
+         """Returns True for no DSA issues if filtered."""
+         return nodsa and not self.params['show_nodsa']
+ class TrackerService(webservice_base_class):
      head_contents = compose(STYLE(
          """h1 { font-size : 144%; }
  h2 { font-size : 120%; }
-Line 57 
 td, th { text-align : left;
+Line 97 
 td, th { text-align : left;
           padding-right : 0.25em; }
  td { vertical-align: baseline }
  span.red { color: red; }
+ span.purple { color: purple; }
  span.dangerous { color: rgb(191,127,0); }
  """), SCRIPT('''var old_query_value = "";
-Line 76 
 function onSearch(query) {
+Line 117 
 function onSearch(query) {
  }
  ''')).toHTML()
+     nvd_text =  P('''If a "**" is included, the urgency field was automatically
+         assigned by the NVD (National Vulnerability Database). Note that this
+         rating is automatically derived from a set of known factors about the
+         issue (such as access complexity, confidentiality impact, exploitability,
+         remediation level, and others). Human intervention is involved in
+         determining the values of these factors, but the rating itself comes
+         from a fully automated formula.''')
      def __init__(self, socket_name, db_name):
-         WebService.__init__(self, socket_name)
+         webservice_base_class.__init__(self, socket_name)
          self.db = security_db.DB(db_name)
          self.register('', self.page_home)
          self.register('*', self.page_object)
          self.register('redirect/*', self.page_redirect)
          self.register('source-package/*', self.page_source_package)
-         self.register('binary-package/*', self.page_binary_package)
+         self.register('status/release/oldstable',
+                       self.page_status_release_oldstable)
          self.register('status/release/stable', self.page_status_release_stable)
+         self.register('status/release/stable-backports',
+                       self.page_status_release_stable_backports)
+         self.register('status/release/oldstable-backports',
+                       self.page_status_release_oldstable_backports)
          self.register('status/release/testing',
                        self.page_status_release_testing)
          self.register('status/release/unstable',
-Line 92 
 function onSearch(query) {
+Line 146 
 function onSearch(query) {
          self.register('status/dtsa-candidates',
                        self.page_status_dtsa_candidates)
          self.register('status/todo', self.page_status_todo)
+         self.register('status/undetermined', self.page_status_undetermined)
+         self.register('status/unimportant', self.page_status_unimportant)
          self.register('status/itp', self.page_status_itp)
          self.register('data/unknown-packages', self.page_data_unknown_packages)
          self.register('data/missing-epochs', self.page_data_missing_epochs)
+         self.register('data/latently-vulnerable',
+                       self.page_data_latently_vulnerable)
          self.register('data/releases', self.page_data_releases)
          self.register('data/funny-versions', self.page_data_funny_versions)
          self.register('data/fake-names', self.page_data_fake_names)
+         self.register('data/pts/1', self.page_data_pts)
+         self.register('debsecan/**', self.page_debsecan)
+         self.register('data/report', self.page_report)
      def page_home(self, path, params, url):
          query = params.get('query', ('',))[0]
-Line 110 
 function onSearch(query) {
+Line 171 
 function onSearch(query) {
          return self.create_page(
              url, 'Security Bug Tracker',
              [P(
-             """This is the experimental issue tracker for Debian's testing
+             """The data in this tracker comes solely from the bug database maintained
- security team.  Keep in mind that this is merely a prototype.
+ by Debian's security team located in the testing-security Subversion """,
- Please report any problems to """,
+             A("http://svn.debian.org/wsvn/secure-testing/data/", "repository"),
-             A("mailto:fw@deneb.enyo.de", "Florian Weimer"),
+             """.  The data represented here is derived from: """,
-             """.Note that some of the data presented here is known
+             A("http://www.debian.org/security/#DSAS", "DSAs"),
- to be wrong (see below), but the data for the testing suite
+             """ issued by the Security Team; issues tracked in the """,
- should be fine."""),
+             A("http://cve.mitre.org/cve/", "CVE database"),
-                                  make_menu(
+             """, issues tracked in the """,
+             A("http://nvd.nist.gov/", "National Vulnerability Database"),
+             """ (NVD), maintained by NIST; and security issues
+ discovered in Debian packages as reported in the BTS."""),
+              P("""All external data (including Debian bug reports and official Debian
+ security advisories) must be added to this database before it appears
+ here. Please help us keep this information up-to-date by """,
+                A(url.scriptRelative("data/report"), "reporting"),
+                """ any discrepancies or change of states that you are
+ aware of and/or help us improve the quality of this information by """,
+                A(url.scriptRelative("data/report"), "participating"),
+                "."),
+             make_menu(
              url.scriptRelative,
-             ('status/release/stable',
-              'Vulnerable packages in the stable suite'),
-             ('status/release/testing',
-              'Vulnerable packages in the testing suite'),
              ('status/release/unstable',
               'Vulnerable packages in the unstable suite'),
+             ('status/release/testing',
+              'Vulnerable packages in the testing suite'),
+             ('status/release/stable',
+              'Vulnerable packages in the stable suite'),
+             ('status/release/oldstable',
+              'Vulnerable packages in the old stable suite'),
+             ('status/release/stable-backports',
+              'Vulnerable packages in backports for stable'),
+             ('status/release/oldstable-backports',
+              'Vulnerable packages in backports for oldstable'),
              ('status/dtsa-candidates', "Candidates for DTSAs"),
              ('status/todo', 'TODO items'),
+             ('status/undetermined', 'Packages that may be vulnerable but need to be checked (undetermined issues)'),
+             ('status/unimportant', 'Packages that have open unimportant issues'),
              ('status/itp', 'ITPs with potential security issues'),
              ('data/unknown-packages',
               'Packages names not found in the archive'),
              ('data/fake-names', 'Tracked issues without a CVE name'),
              ('data/missing-epochs',
               'Package versions which might lack an epoch'),
+             ('data/latently-vulnerable',
+              'Packages which are latently vulnerable in unstable'),
              ('data/funny-versions',
               'Packages with strange version numbers'),
              ('data/releases',
-Line 141 
 should be fine."""),
+Line 224 
 should be fine."""),
               P("""(You can enter CVE names, Debian bug numbers and package
  names in the search forms.)"""),
-              H2("Data sources"),
-              P("""Data in this tracker comes solely from the bug database
- which is maintained by Debian's testing security team in their
- Subversion repository.  All external data (this includes
- Debian bug reports and official Debian security advisories)
- must be added to this database before it appears here, and there
- can be some delay before this happens."""),
-              P("""At the moment, the database only contains information which is
- relevant for tracking the security status of the stable, testing and
- unstable suites.  This means that data for oldstable is likely wrong."""),
-              P('Data marked "NVD" comes from the ',
-                A(url.absolute('http://nvd.nist.gov/'),
-                  'National Vulnerability Database'),
-                ' maintained by NIST.'),
               H2("External interfaces"),
               P("""If you want to automatically open a relevant web page for
  some object, use the """,
-Line 170 
 data source.""")],
+Line 238 
 data source.""")],
          return self.page_object_or_redirect(url, obj, False)
      def page_redirect(self, path, params, url):
-         obj = path[0]
+         if path == ():
+             obj = ''
+         else:
+             obj = path[0]
          return self.page_object_or_redirect(url, obj, True)
      def page_object_or_redirect(self, url, obj, redirect):
-Line 179 
 data source.""")],
+Line 250 
 data source.""")],
          if not obj:
              # Redirect to start page.
              return RedirectResult(url.scriptRelativeFull(""))
-         if 'A' <= obj[0] <= 'Z':
-             # Bug names start with a capital letter.
-             return self.page_bug(url, obj, redirect)
+         # Attempt to decode a bug number.  TEMP-nnn bugs (but not
+         # TEMP-nnn-mmm bugs) are treated as bug references, too.
          bugnumber = 0
+         fake_bug = False
          try:
-             bugnumber = int(obj)
+             if obj[0:5] == 'FAKE-' or obj[0:5] == 'TEMP-':
+                 bugnumber = int(obj[5:])
+                 fake_bug = True
+             else:
+                 bugnumber = int(obj)
          except ValueError:
              pass
          if bugnumber:
              buglist = list(self.db.getBugsFromDebianBug(c, bugnumber))
              if buglist:
-                 return self.page_debian_bug(url, bugnumber, buglist)
+                 return self.page_debian_bug(url, bugnumber, buglist, fake_bug)
              if redirect:
                  return RedirectResult(self.url_debian_bug(url, str(bugnumber)),
                                        permanent=False)
+         if 'A' <= obj[0] <= 'Z':
+             # Bug names start with a capital letter.
+             return self.page_bug(url, obj, redirect)
          if self.db.isSourcePackage(c, obj):
              return RedirectResult(self.url_source_package(url, obj, full=True))
-         if  self.db.isBinaryPackage(c, obj):
-             return RedirectResult(self.url_binary_package(url ,obj, full=True))
          return self.page_not_found(url, obj)
-Line 231 
 data source.""")],
+Line 307 
 data source.""")],
              source = bug.name.split('-')[0]
              if source == 'CVE':
                  source_xref = compose(self.make_cve_ref(url, bug.name, 'CVE'),
-                                       " (",
+                                       " (at ",
                                        self.make_nvd_ref(url, bug.name,
-                                                         'in NVD'),
+                                                         'NVD'),
+                                       "; ",
+                                       self.make_rhbug_ref(url, bug.name,
+                                                         'RH'),
                                        ")")
              elif source == 'DSA':
                  source_xref = self.make_dsa_ref(url, bug.name, 'Debian')
              elif source == 'DTSA':
                  source_xref = 'Debian Testing Security Team'
-             elif source == 'FAKE':
+             elif source == 'TEMP':
                  source_xref = (
          'Automatically generated temporary name.  Not for external reference.')
              else:
-Line 248 
 data source.""")],
+Line 327 
 data source.""")],
              if source_xref:
                  yield B("Source"), source_xref
-             if bug.description:
+             nvd = self.db.getNVD(cursor, bug.name)
+             if nvd and nvd.cve_desc:
+                 yield B("Description"), nvd.cve_desc
+             elif bug.description:
                  yield B("Description"), bug.description
              xref = list(self.db.getBugXrefs(cursor, bug.name))
              if xref:
                  yield B("References"), self.make_xref_list(url, xref)
-             nvd = self.db.getNVD(cursor, bug.name)
              if nvd:
-                 if nvd.severity:
-                     yield B("NVD severity"), nvd.severity.lower()
                  nvd_range = nvd.rangeString()
-                 if nvd_range:
+                 if nvd.severity:
-                     yield B("NVD attack range"), nvd_range
+                     nvd_severity = nvd.severity.lower()
+                     if nvd_range:
+                         nvd_severity = "%s (attack range: %s)" \
+                                        % (nvd_severity, nvd_range)
+                     yield B("NVD severity"), nvd_severity
              debian_bugs = bug.getDebianBugs(cursor)
              if debian_bugs:
-Line 270 
 data source.""")],
+Line 354 
 data source.""")],
              if not bug.not_for_us:
                  for (release, status, reason) in bug.getStatus(cursor):
-                     if status <> 'fixed':
+                     if status == 'undetermined':
+                         reason = self.make_purple(reason)
+                     elif status <> 'fixed':
                          reason = self.make_red(reason)
-                     yield B('Status of %s' % release), reason
+                     yield B('Debian/%s' % release), reason
          page.append(make_table(gen_header()))
-Line 290 
 data source.""")],
+Line 376 
 data source.""")],
                          package = compose(
                              self.make_source_package_ref(url, package),
                              " (", self.make_pts_ref(url, package, 'PTS'), ")")
-                     if vulnerable:
+                     if vulnerable == 1:
                          vuln = self.make_red('vulnerable')
                          version = self.make_red(version)
+                     elif vulnerable == 2:
+                         vuln = self.make_purple('undetermined')
+                         version = self.make_purple(version)
                      else:
                          vuln = 'fixed'
-Line 302 
 data source.""")],
+Line 391 
 data source.""")],
      caption=("Source Package", "Release", "Version", "Status"),
      introduction=P('The table below lists information on source packages.')))
-             def gen_binary():
-                 old_pkg = ''
-                 for (packages, releases, version, archs, vulnerable) \
-                     in self.db.getBinaryPackages(cursor, bug.name):
-                     pkg = ', '.join(packages)
-                     if pkg == old_pkg:
-                         packages = ''
-                     else:
-                         old_pkg = pkg
-                         packages = self.make_binary_packages_ref(url, packages)
-                     if vulnerable:
-                         vuln = self.make_red('vulnerable')
-                         version = self.make_red(version)
-                     else:
-                         vuln = 'fixed'
-                     yield (packages,
-                            ', '.join(releases),
-                            version, vuln,
-                            ', '.join(archs))
-             page.append(make_table(gen_binary(),
-         caption=("Binary Package", "Release", "Version", "Status",
-                  "Architecures"),
-         introduction=P("The next table lists affected binary packages.")))
              def gen_data():
                  notes_sorted = bug.notes[:]
                  notes_sorted.sort(lambda a, b: cmp(a.package, b.package))
-Line 344 
 data source.""")],
+Line 407 
 data source.""")],
                              urgency = ''
                      else:
                          ver = self.make_red('(unfixed)')
+                     if urgency == 'not yet assigned':
+                         urgency = ''
                      pkg = n.package
                      pkg_kind = n.package_kind
                      if pkg_kind == 'source':
                          pkg = self.make_source_package_ref(url, pkg)
-                     elif pkg_kind == 'binary':
-                         pkg = self.make_binary_package_ref(url, pkg)
                      elif pkg_kind == 'itp':
                          pkg_kind = 'ITP'
                          rel = ''
-Line 382 
 data source.""")],
+Line 445 
 data source.""")],
          return self.create_page(url, bug.name, page)
-     def page_debian_bug(self, url, bugnumber, buglist):
+     def page_debian_bug(self, url, bugnumber, buglist, fake_bug):
+         if fake_bug:
+             new_buglist = []
+             for b in buglist:
+                 (bug_name, urgency, description) = b
+                 if bug_name[0:5] == 'FAKE-' or bug_name[0:5] == 'TEMP-':
+                     new_buglist.append(b)
+             if len(new_buglist) > 0:
+                 # Only replace the bug list if there are still fake
+                 # bug reports.
+                 buglist = new_buglist
          if len(buglist) == 1:
              # Single issue, redirect.
              return RedirectResult(url.scriptRelativeFull(buglist[0][0]))
-Line 393 
 data source.""")],
+Line 467 
 data source.""")],
                      urgency = ""
                  yield self.make_xref(url, name), urgency, description
+         if fake_bug:
+             intro = """The URL you used contained a non-stable name
+ based on a Debian bug number.  This name cannot be mapped to a specific
+ issue. """
+         else:
+             intro = ""
          return self.create_page(
              url, "Information related to Debian bug #%d" % bugnumber,
-             [P("The following issues reference to Debian bug ",
+             [P(intro + "The following issues reference to Debian bug ",
                 self.make_debian_bug(url, bugnumber), ":"),
               make_table(gen(),
                          caption=("Name", "Urgency", "Description"))])
-Line 407 
 data source.""")],
+Line 488 
 data source.""")],
                                     ' matched no results.')],
                                  status=404)
+     def page_report(self, path, params, url):
+         return self.create_page(
+             url, 'Reporting discrepancies in the data',
+             [P("""The data in this tracker is always in flux, as bugs are fixed and new
+ issues disclosed, the data contained herein is updated. We strive to
+ maintain complete and accurate state information, and appreciate any
+ updates in status, information or new issues."""),
+              P("There are three ways that you can report updates to this information:"),
+              make_numbered_list(
+             [P("""IRC: We can be found at """,
+                CODE("irc.oftc.net"),
+                ", ",
+                CODE("#debian-security"),
+     """. If you have information to report, please go ahead and join
+ the channel and tell us.  Please feel free to state the issue,
+ regardless if there is someone who has acknowledged you. Many of us
+ idle on this channel and may not be around when you join, but we read
+ the backlog and will see what you have said. If you require a
+ response, do not forget to let us know how to get a hold of you."""),
+              P("Mailing list: Our mailing list is: ",
+                A("mailto:debian-security-tracker@lists.debian.org",
+                  "debian-security-tracker@lists.debian.org")),
+              P("""Helping out: We welcome people who wish to join us in tracking
+ issues. The process is designed to be easy to learn and participate,
+ please read our """,
+                A("http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0",
+                  "Introduction"),
+                """ to get familiar with how things work.  Join us on
+ our mailing list, and on IRC and request to be added to the Alioth """,
+                A("http://alioth.debian.org/projects/secure-testing/", "project"),
+                """. We are really quite friendly. If you have a
+ question about how things work, don't be afraid to ask, we would like
+ to improve our documentation and procedures, so feedback is welcome.""")])])
      def page_source_package(self, path, params, url):
          pkg = path[0]
-Line 414 
 data source.""")],
+Line 529 
 data source.""")],
              for (releases, version) in self.db.getSourcePackageVersions(
                  self.db.cursor(), pkg):
                  yield ', '.join(releases), version
-         def gen_binary():
-             for (packages, releases, archs, version) \
-                     in self.db.getBinaryPackagesForSource(
-                 self.db.cursor(), pkg):
-                 yield (self.make_binary_packages_ref(url, packages),
-                        ', '.join(releases), version, ', '.join(archs))
          def gen_bug_list(lst):
              for (bug, description) in lst:
                  yield self.make_xref(url, bug), description
-Line 436 
 data source.""")],
+Line 545 
 data source.""")],
               H2("Available versions"),
               make_table(gen_versions(), caption=("Release", "Version")),
-              H2("Available binary packages"),
-              make_table(gen_binary(),
-             caption=('Package', 'Release', 'Version', 'Architectures'),
-             replacement="""No binary packages are recorded in this database.
- This probably means that the package is architecture-specific, and the
- architecture is currently not tracked."""),
               H2("Open issues"),
               make_table(gen_bug_list(self.db.getBugsForSourcePackage
                                       (self.db.cursor(), pkg, True)),
-Line 455 
 architecture is currently not tracked.""
+Line 557 
 architecture is currently not tracked.""
                          caption=('Bug', 'Description'),
                          replacement='No known resolved issues.')])
-     def page_binary_package(self, path, params, url):
+     def page_status_release_stable_oldstable(self, release, params, url):
-         pkg = path[0]
+         assert release in ('stable', 'oldstable')
-         def gen_versions():
+         bf = BugFilterNoDSA(params)
-             for (releases, source, version, archs) \
-                     in self.db.getBinaryPackageVersions(self.db.cursor(), pkg):
-                 yield (', '.join(releases),
-                        self.make_source_package_ref(url, source),
-                        version, ', '.join(archs))
-         def gen_bug_list(lst):
-             for (bug, description) in lst:
-                 yield self.make_xref(url, bug), description
-         return self.create_page(
-             url, "Information on binary package " + pkg,
-             [make_menu(lambda x: x,
-                        (self.url_debian_bug_pkg(url, pkg),
-                         pkg + ' in the Bug Tracking System')),
-              H2("Available versions"),
-              make_table(gen_versions(),
-                 caption=("Release", "Source", "Version", "Architectures")),
-              H2("Open issues"),
-              make_table(gen_bug_list(self.db.getBugsForBinaryPackage
-                                      (self.db.cursor(), pkg, True)),
-                         caption=('Bug', 'Description'),
-                         replacement='No known open issues.'),
-              H2("Resolved issues"),
-              make_table(gen_bug_list(self.db.getBugsForBinaryPackage
-                                      (self.db.cursor(), pkg, False)),
-                         caption=('Bug', 'Description'),
-                         replacement='No known resolved issues.'),
-              H2("Non-issues"),
-                 make_table(gen_bug_list(self.db.getNonBugsForBinaryPackage
-                                         (self.db.cursor(), pkg)),
-                     caption=('Bug', 'Description'),
-                     replacement="""No known issues which do not affect
- this package, but still reference it.""")])
-     def page_status_release_stable(self, path, params, url):
-         bf = BugFilter(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, archive, urgency, remote) in \
+             for (pkg_name, bug_name, archive, urgency, vulnerable, remote, no_dsa) in \
                      self.db.cursor().execute(
-                 """SELECT package, bug, section, urgency, remote
+                 """SELECT package, bug, section, urgency, vulnerable, remote, no_dsa
-                 FROM stable_status"""):
+                 FROM %s_status""" % release):
-                 if bf.urgencyFiltered(urgency):
+                 if bf.urgencyFiltered(urgency, vulnerable):
                      continue
                  if bf.remoteFiltered(remote):
                      continue
+                 if bf.nodsaFiltered(no_dsa):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
                  else:
-Line 518 
 this package, but still reference it."""
+Line 583 
 this package, but still reference it."""
                          pkg_name = "%s (%s)" % (pkg_name, archive)
                  if remote is None:
-                     remote = ''
+                     remote = '???'
                  elif remote:
                      remote = 'yes'
                  else:
                      remote = 'no'
-                 if urgency == 'unknown':
+                 if urgency.startswith('high'):
-                     urgency = ''
-                 elif urgency == 'high':
                      urgency = self.make_red(urgency)
+                 elif vulnerable == 2:
+                     urgency = self.make_purple(urgency)
+                 else:
+                     if no_dsa:
+                         urgency = urgency + '*'
                  yield pkg_name, self.make_xref(url, bug_name), urgency, remote
          return self.create_page(
-             url, 'Vulnerable source packages in the stable suite',
+             url, 'Vulnerable source packages in the %s suite' % release,
-             [bf.actions(url),
+             [bf.actions(url), BR(),
-              make_table(gen(), caption=("Package", "Bug", "Urgency",
+              make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote")),
-                                         "Remote"))])
+              P('''If a "*" is included in the urgency field, no DSA is planned
+                   for this vulnerability.'''),
+              self.nvd_text])
+     def page_status_release_stable(self, path, params, url):
+         return self.page_status_release_stable_oldstable('stable', params, url)
+     def page_status_release_oldstable(self, path, params, url):
+         return self.page_status_release_stable_oldstable('oldstable',
+                                                          params, url)
      def page_status_release_testing(self, path, params, url):
-         bf = BugFilter(params)
+         bf = BugFilterNoDSA(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, archive, urgency,
+             for (pkg_name, bug_name, archive, urgency, vulnerable,
-                  sid_vulnerable, ts_fixed, remote) in self.db.cursor().execute(
+                  sid_vulnerable, ts_fixed, remote, no_dsa) \
-                 """SELECT package, bug, section, urgency, unstable_vulnerable,
+                  in self.db.cursor().execute(
-                 testing_security_fixed, remote
+                 """SELECT package, bug, section, urgency, vulnerable,
+                 unstable_vulnerable, testing_security_fixed, remote, no_dsa
                  FROM testing_status"""):
-                 if bf.urgencyFiltered(urgency):
+                 if bf.urgencyFiltered(urgency, vulnerable):
                      continue
                  if bf.remoteFiltered(remote):
                      continue
+                 if bf.nodsaFiltered(no_dsa):
+                     continue
                  if pkg_name == old_pkg_name:
                      pkg_name = ''
-Line 560 
 this package, but still reference it."""
+Line 639 
 this package, but still reference it."""
                          pkg_name = "%s (%s)" % (pkg_name, archive)
                  if remote is None:
-                     remote = ''
+                     remote = '???'
                  elif remote:
                      remote = 'yes'
                  else:
-Line 574 
 this package, but still reference it."""
+Line 653 
 this package, but still reference it."""
                      else:
                          status = self.make_dangerous('fixed in unstable')
-                 if urgency == 'unknown':
+                 if urgency.startswith('high'):
-                     urgency = ''
+                     urgency = self.make_red(urgency)
+                 elif vulnerable == 2:
+                     urgency = self.make_purple(urgency)
                  yield (pkg_name, self.make_xref(url, bug_name),
                         urgency, remote, status)
-Line 584 
 this package, but still reference it."""
+Line 665 
 this package, but still reference it."""
              url, 'Vulnerable source packages in the testing suite',
              [make_menu(url.scriptRelative,
                         ("status/dtsa-candidates", "Candidates for DTSAs")),
-              bf.actions(url),
+              bf.actions(url), BR(),
-              make_table(gen(), caption=("Package", "Bug", "Urgency",
+              make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote")),
-                                         "Remote"))])
+              self.nvd_text])
-     def page_status_release_unstable(self, path, params, url):
+     def page_status_release_unstable_like(self, path, params, url,
+                                           rel, title):
          bf = BugFilter(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, section, urgency, remote) \
+             for (pkg_name, bug_name, section, urgency, vulnerable, remote) \
                      in self.db.cursor().execute(
                  """SELECT DISTINCT sp.name, st.bug_name,
-                 sp.archive, st.urgency,
+                 sp.archive, st.urgency, st.vulnerable,
                  (SELECT range_remote FROM nvd_data
                   WHERE cve_name = st.bug_name)
                  FROM source_package_status AS st, source_packages AS sp
-                 WHERE st.vulnerable AND st.urgency <> 'unimportant'
+                 WHERE st.vulnerable AND sp.rowid = st.package
-                 AND sp.rowid = st.package AND sp.release = 'sid'
+                 AND sp.release = ?  AND sp.subrelease = ''
-                 AND sp.subrelease = ''
+                 ORDER BY sp.name, st.bug_name""", (rel,)):
-                 ORDER BY sp.name, st.bug_name"""):
+                 if bf.urgencyFiltered(urgency, vulnerable):
-                 if bf.urgencyFiltered(urgency):
                      continue
                  if bf.remoteFiltered(remote):
                      continue
-Line 619 
 this package, but still reference it."""
+Line 700 
 this package, but still reference it."""
                          pkg_name = self.make_xref(url, pkg_name)
                  if remote is None:
-                     remote = ''
+                     remote = '???'
                  elif remote:
                      remote = 'yes'
                  else:
                      remote = 'no'
-                 if urgency == 'unknown':
+                 if urgency.startswith('high'):
-                     urgency = ''
-                 elif urgency == 'high':
                      urgency = self.make_red(urgency)
+                 elif vulnerable == 2:
+                     urgency = self.make_purple(urgency)
                  yield pkg_name, self.make_xref(url, bug_name), urgency, remote
          return self.create_page(
-             url, 'Vulnerable source packages in the unstable suite',
+             url, title,
              [P("""Note that the list below is based on source packages.
              This means that packages are not listed here once a new,
              fixed source version has been uploaded to the archive, even
              if there are still some vulnerably binary packages present
              in the archive."""),
-              bf.actions(url),
+              bf.actions(url), BR(),
-              make_table(gen(), caption=('Package', 'Bug', 'Urgency',
+              make_table(gen(), caption=('Package', 'Bug', 'Urgency', 'Remote')),
-                                         'Remote'))])
+              self.nvd_text])
+     def page_status_release_unstable(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages in the unstable suite',
+             rel='sid')
+     def page_status_release_stable_backports(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages among backports for stable',
+             rel='lenny-backports')
+     def page_status_release_oldstable_backports(self, path, params, url):
+         return self.page_status_release_unstable_like(
+             path, params, url,
+             title='Vulnerable source packages among backports for oldstable',
+             rel='etch-backports')
      def page_status_dtsa_candidates(self, path, params, url):
          bf = BugFilter(params)
          def gen():
              old_pkg_name = ''
-             for (pkg_name, bug_name, archive, urgency, stable_later,
+             for (pkg_name, bug_name, archive, urgency, vulnerable,
-                  remote) \
+                  stable_later, remote) \
                      in self.db.cursor().execute(
-                 """SELECT package, bug, section, urgency,
+                 """SELECT package, bug, section, urgency, vulnerable,
                  (SELECT testing.version_id < stable.version_id
                   FROM source_packages AS testing, source_packages AS stable
                   WHERE testing.name = testing_status.package
-                  AND testing.release = 'etch'
+                  AND testing.release = 'squeeze'
                   AND testing.subrelease = ''
                   AND testing.archive = testing_status.section
                   AND stable.name = testing_status.package
-                  AND stable.release = 'sarge'
+                  AND stable.release = 'lenny'
                   AND stable.subrelease = 'security'
                   AND stable.archive = testing_status.section),
                  (SELECT range_remote FROM nvd_data
-Line 668 
 this package, but still reference it."""
+Line 766 
 this package, but still reference it."""
                  FROM testing_status
                  WHERE (NOT unstable_vulnerable)
                  AND (NOT testing_security_fixed)"""):
-                 if bf.urgencyFiltered(urgency):
+                 if bf.urgencyFiltered(urgency, vulnerable):
                      continue
                  if bf.remoteFiltered(remote):
                      continue
-Line 686 
 this package, but still reference it."""
+Line 784 
 this package, but still reference it."""
                          pkg_name = self.make_source_package_ref(url, pkg_name)
                  if remote is None:
-                     remote = ''
+                     remote = '???'
                  elif remote:
                      remote = 'yes'
                  else:
                      remote = 'no'
-                 if urgency == 'unknown':
+                 if urgency.startswith('high'):
-                     urgency = ''
-                 elif urgency == 'high':
                      urgency = self.make_red(urgency)
+                 elif vulnerable == 2:
+                     urgency = self.make_purple(urgency)
                  if stable_later:
                      notes = "(fixed in stable?)"
-Line 713 
 checker to find out why they have not en
+Line 811 
 checker to find out why they have not en
               make_menu(url.scriptRelative,
                         ("status/release/testing",
                          "List of vulnerable packages in testing")),
-              bf.actions(url),
+              bf.actions(url), BR(),
               make_table(gen(),
                          caption=("Package", "Migration", "Bug", "Urgency",
                                   "Remote"))])
      def page_status_todo(self, path, params, url):
+         hide_check = params.get('hide_check', False)
+         if hide_check:
+             flags = A(url.updateParamsDict({'hide_check' : None}),
+                       'Show "check" TODOs')
+         else:
+             flags = A(url.updateParamsDict({'hide_check' : '1'}),
+                   'Hide "check" TODOs')
          def gen():
-             for (bug, description) in self.db.getTODOs():
+             for (bug, description) in self.db.getTODOs(hide_check=hide_check):
                  yield self.make_xref(url, bug), description
          return self.create_page(
              url, "Bugs with TODO items",
-             [make_table(gen(),
+             [P(flags), make_table(gen(), caption=("Bug", "Description"))])
-                         caption=("Bug", "Description"))])
+     def page_status_undetermined(self, path, params, url):
+         def gen():
+             outrel = []
+             old_bug = ''
+             old_pkg = ''
+             old_dsc = ''
+             last_displayed = ''
+             releases = ('sid', 'squeeze', 'lenny', 'etch')
+             for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
+                     """SELECT DISTINCT sp.name, st.bug_name, sp.release,
+                     bugs.description
+                     FROM source_package_status AS st, source_packages AS sp, bugs
+                     WHERE st.vulnerable == 2 AND sp.rowid = st.package
+                     AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
+                     OR sp.release = ? )
+                     AND sp.subrelease = '' AND st.bug_name == bugs.name
+                     ORDER BY sp.name, st.bug_name""", releases):
+                 if old_bug == '':
+                     old_bug = bug_name
+                     old_pkg = pkg_name
+                     old_dsc = desc
+                 elif old_bug != bug_name:
+                     if old_pkg == last_displayed:
+                         to_display = ''
+                     else:
+                         to_display = old_pkg
+                     yield to_display, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
+                     last_displayed = old_pkg
+                     old_bug = bug_name
+                     old_pkg = pkg_name
+                     old_dsc = desc
+                     outrel = []
+                 outrel.append( release )
+             yield old_pkg, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
+         return self.create_page(url, 'Packages that may be vulnerable but need to be checked      (undetermined issues)',
+             [P("""This page lists packages that may or may not be affected
+             by known issues.  This means that some additional work needs to
+             be done to determined whether the package is actually
+             vulnerable or not.  This list is a good area for new
+             contributors to make quick and meaningful contributions."""),
+             make_table(gen(), caption=('Package', 'Bug', 'Description', 'Releases'))])
+     def page_status_unimportant(self, path, params, url):
+         def gen():
+             outrel = []
+             old_bug = ''
+             old_pkg = ''
+             old_dsc = ''
+             old_name = ''
+             last_displayed = ''
+             releases = ('sid', 'squeeze', 'lenny', 'etch')
+             for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
+                     """SELECT DISTINCT sp.name, st.bug_name, sp.release,
+                     bugs.description
+                     FROM source_package_status AS st, source_packages AS sp, bugs
+                     WHERE st.vulnerable > 0 AND sp.rowid = st.package
+                     AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
+                     OR sp.release = ? ) AND st.urgency == 'unimportant'
+                     AND sp.subrelease = '' AND st.bug_name == bugs.name
+                     ORDER BY sp.name, st.bug_name""", releases):
+                 if old_bug == '':
+                     old_bug = bug_name
+                     old_pkg = pkg_name
+                     old_dsc = desc
+                 elif old_bug != bug_name:
+                     if old_pkg == last_displayed:
+                         to_display = ''
+                     else:
+                         to_display = old_pkg
+                     yield to_display, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
+                     last_displayed = old_pkg
+                     old_bug = bug_name
+                     old_pkg = pkg_name
+                     old_dsc = desc
+                     outrel = []
+                 outrel.append( release )
+             yield old_pkg, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
+         return self.create_page(url, 'Packages that have open unimportant issues',
+             [P("""This page lists packages that are affected by issues
+             that are considered unimportant from a security perspective.
+             These issues are thought to be unexploitable or uneffective
+             in most situations (for example, browser denial-of-services)."""),
+             make_table(gen(), caption=('Package', 'Bug', 'Description', 'Releases'))])
      def page_status_itp(self, path, params, url):
          def gen():
-Line 750 
 checker to find out why they have not en
+Line 943 
 checker to find out why they have not en
              url, "Unknown packages",
              [P("""Sometimes, a package referenced in a bug report
  cannot be found in the database.  This can be the result of a spelling
- return web_supporterror, or a historic entry refers to a
+ error, or a historic entry refers to a
- return web_supportpackage which is no longer in the archive."""),
+ package which is no longer in the archive."""),
               make_table(gen(), caption=("Package", "Bugs"),
          replacement="No unknown packages are referenced in the database.")])
-Line 789 
 return web_supportpackage which is no lo
+Line 982 
 return web_supportpackage which is no lo
                  caption=("Bug", "Package", "Version 1", "Version 2"),
                  replacement="No source package version with missing epochs.")])
+     def page_data_latently_vulnerable(self, path, params, url):
+         def gen():
+             for pkg, bugs in self.db.cursor().execute(
+                 """SELECT package, string_set(bug_name)
+                 FROM package_notes AS p1
+                 WHERE release <> ''
+                 AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
+                 AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND release = '')
+                 AND EXISTS (SELECT 1 FROM source_packages
+                            WHERE name = p1.package AND release = 'sid')
+                 GROUP BY package
+                 ORDER BY package"""):
+                 pkg = self.make_source_package_ref(url, pkg)
+                 bugs = bugs.split(',')
+                 yield pkg, self.make_xref_list(url, bugs)
+         def gen_unimportant():
+             for pkg, bugs in self.db.cursor().execute(
+                 """SELECT package, string_set(bug_name)
+                 FROM package_notes AS p1
+                 WHERE release <> ''
+                 AND urgency <> 'unimportant'
+                 AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
+                 AND EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND release = '')
+                 AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
+                                 WHERE p2.bug_name = p1.bug_name
+                                 AND p2.package = p1.package
+                                 AND urgency <> 'unimportant'
+                                 AND release = '')
+                 AND EXISTS (SELECT 1 FROM source_packages
+                            WHERE name = p1.package AND release = 'sid')
+                 GROUP BY package
+                 ORDER BY package"""):
+                 pkg = self.make_source_package_ref(url, pkg)
+                 bugs = bugs.split(',')
+                 yield pkg, self.make_xref_list(url, bugs)
+         return self.create_page(
+             url, "Latently vulnerable packages in unstable",
+             [P(
+ """A package is latently vulnerable in unstable if it is vulnerable in
+ any release, and there is no package note for the same vulnerability
+ and package in unstable (and the package is still available in
+ unstable, of course)."""),
+              make_table(gen(),
+                 caption=("Package", "Bugs"),
+                 replacement="No latently vulnerable packages were found."),
+              P(
+ """The next table lists issues which are marked unimportant for
+ unstable, but for which release-specific annotations exist which are
+ not unimportant."""),
+              make_table(gen_unimportant(),
+                 caption=("Package", "Bugs"),
+                 replacement=
+     "No packages with unimportant latent vulnerabilities were found."),
+             ])
      def page_data_releases(self, path, params, url):
          def gen():
              for (rel, subrel, archive, sources, archs) \
-Line 845 
 tracked by this database.  In this case,
+Line 1101 
 tracked by this database.  In this case,
  a unique name.  These names are not stable and can change when the database
  is updated, so they should not be used in external references."""),
               P('''The automatically generated names come in two flavors:
- the first kind starts with the string "''', CODE("FAKE-000000-"),
+ the first kind starts with the string "''', CODE("TEMP-000000-"),
                 '''".  This means that no Debian bug has been assigned to this
  issue (or a bug has been created and is not recorded in this database).
  In the second kind of names, there is a Debian bug for the issue, and the "''',
-Line 854 
 Debian bug number.'''),
+Line 1110 
 Debian bug number.'''),
               make_table(gen(),
                          caption=("Bug", "Description"))])
+     def page_data_pts(self, path, params, url):
+         data = []
+         for pkg, bugs in self.db.cursor().execute(
+                 """SELECT package, COUNT(DISTINCT bug) FROM
+                 (SELECT package, bug, urgency FROM stable_status
+                  UNION ALL SELECT package, bug, urgency FROM oldstable_status
+                  UNION ALL SELECT DISTINCT sp.name, st.bug_name, st.urgency
+                    FROM source_package_status AS st, source_packages AS sp
+                    WHERE st.vulnerable AND st.urgency <> 'unimportant'
+                    AND sp.rowid = st.package AND sp.release = 'sid'
+                    AND sp.subrelease = '') x WHERE urgency <> 'unimportant'
+                 GROUP BY package ORDER BY package"""):
+             data.append(pkg)
+             data.append(':')
+             data.append(str(bugs))
+             data.append('\n')
+         return BinaryResult(''.join(data))
+     def page_debsecan(self, path, params, url):
+         obj = '/'.join(path)
+         data = self.db.getDebsecan(obj)
+         if data:
+             return BinaryResult(data)
+         else:
+             return self.create_page(
+                 url, "Object not found",
+                 [P("The requested debsecan object has not been found.")],
+                 status=404)
      def create_page(self, url, title, body, search_in_page=False, status=200):
          append = body.append
          append(HR())
-Line 883 
 Debian bug number.'''),
+Line 1168 
 Debian bug number.'''),
                            onkeyup="onSearch(this.value)",
                            onmousemove="onSearch(this.value)"),
                      INPUT(type='submit', value='Go'),
+                     ' ',
+                     A(url.scriptRelative("data/report"), "Reporting problems"),
                      method='get',
                      action=url.scriptRelative(''))
-Line 890 
 Debian bug number.'''),
+Line 1177 
 Debian bug number.'''),
          return url.absolute("http://cve.mitre.org/cgi-bin/cvename.cgi",
                              name=name)
      def url_nvd(self, url, name):
-         return url.absolute("http://nvd.nist.gov/nvd.cfm",
+         return url.absolute("http://web.nvd.nist.gov/view/vuln/detail",
-                             cvename=name)
+                             vulnId=name)
+     def url_rhbug(self, url, name):
+         return url.absolute("https://bugzilla.redhat.com/show_bug.cgi",
+                             id=name)
      def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')):
          match = re_dsa.match(dsa)
-Line 915 
 Debian bug number.'''),
+Line 1205 
 Debian bug number.'''),
          return url.absolute("http://packages.qa.debian.org/common/index.html",
                              src=package)
      def url_testing_status(self, url, package):
-         return url.absolute("http://bjorn.haxx.se/debian/testing.pl",
+         return url.absolute("http://release.debian.org/migration/testing.pl",
                              package=package)
      def url_source_package(self, url, package, full=False):
          if full:
              return url.scriptRelativeFull("source-package/" + package)
          else:
              return url.scriptRelative("source-package/" + package)
-     def url_binary_package(self, url, package, full=False):
-         if full:
-             return url.scriptRelativeFull("binary-package/" + package)
-         else:
-             return url.scriptRelative("binary-package/" + package)
      def make_xref(self, url, name):
          return A(url.scriptRelative(name), name)
-Line 948 
 Debian bug number.'''),
+Line 1233 
 Debian bug number.'''),
          if name is None:
              name = cve
          return A(self.url_nvd(url, cve), name)
+     def make_rhbug_ref(self, url, cve, name=None):
+         if name is None:
+             name = cve
+         return A(self.url_rhbug(url, cve), name)
      def make_dsa_ref(self, url, dsa, name=None):
          if name is None:
-Line 967 
 Debian bug number.'''),
+Line 1257 
 Debian bug number.'''),
          if title is None:
              title = pkg
          return A(self.url_source_package(url, pkg), title)
-     def make_binary_package_ref(self, url, pkg, title=None):
-         if title is None:
-             title = pkg
-         return A(self.url_binary_package(url, pkg), title)
-     def make_binary_packages_ref(self, url, lst):
-         assert type(lst) <> types.StringType
-         return make_list(map(lambda x: self.make_binary_package_ref(url, x),
-                              lst))
      def make_red(self, contents):
          return SPAN(contents, _class="red")
+     def make_purple(self, contents):
+         return SPAN(contents, _class="purple")
      def make_dangerous(self, contents):
          return SPAN(contents, _class="dangerous")

 Legend:



Removed from v.3014
 


changed lines


 
Added in v.14909
 Legend:



Removed from v.3014
 


changed lines


 
Added in v.14909
-Removed from v.3014
+Added in v.14909

	ViewVC Help
Powered by ViewVC 1.1.5