Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
On Tuesday 11 February 2014 19:05:21 Antonio Terceiro wrote:
> now the patches :-)

This is great! Let me take a look and I will push them (probably during the weekend) officially.

Thanks!
/luciano
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
On Sat, Feb 08, 2014 at 11:31:27AM +0100, Salvatore Bonaccorso wrote:
> Hi Antonio,
>
> On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> > It would be nice if someone familiar with the codebase could write up
> > instructions on how to do that.
>
> Actually at the Security Team meeting we are working on this now. Mainly, if
> you want to set up a test instance of the security tracker, it is a matter of
> three steps:
>
> make update-packages
> make all
> make serve

That worked just fine, thanks! :-)

> But Luciano is working on adding a section for this to the documentation.

FYI, if you want to document the dependencies, these are the packages I had to
install to make it run on a clean chroot:

make python python-apt python-apsw

-- 
Antonio Terceiro terce...@debian.org
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Control: tag -1 + patch On Tue, Feb 11, 2014 at 04:00:45PM -0300, Antonio Terceiro wrote: On Sat, Feb 08, 2014 at 11:31:27AM +0100, Salvatore Bonaccorso wrote: Hi Antonio, On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote: It would be nice if someone familiar with the codebase could write up instructions on how to do that. Actually at the Security Team meeting we are working now on this. Mainly if you want to set up a testinstance of the security tracker is doing the three steps: make update-packages make all make serve that worked just fine, thanks! :-) now the patches :-) the first one just sets some whitespace right in bin/tracker_service.py, and the second one is the actual implementation of a Vulnerability summary for a given source package. -- Antonio Terceiro terce...@debian.org From d3ac0a9682ebc1538a083fb92c5b7101a53646ca Mon Sep 17 00:00:00 2001 From: Antonio Terceiro terce...@softwarelivre.org Date: Tue, 11 Feb 2014 16:13:44 -0300 Subject: [PATCH 1/2] tracker_service: remove spurious whitespace --- bin/tracker_service.py | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 455ea9b..c0879a0 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -93,7 +93,8 @@ h3 { font-size : 100%; } table { padding-left : 1.5em } td, th { text-align : left; - padding-left : 0.25em; + padding-left : 0.25em; + padding-left : 0.25em; padding-right : 0.25em; } td { vertical-align: baseline } span.red { color: red; } 
@@ -1174,9 +1175,9 @@ Debian bug number.'''), Testing Security Team), - , A(url.absolute(http://www.debian.org/security/;), Debian Security), - - , A(url.absolute(http://anonscm.debian.org/viewvc/secure-testing/bin/tracker_service.py?view=markup;), - Source), - , A(url.absolute(svn://anonscm.debian.org/secure-testing), (SVN)), + - , A(url.absolute(http://anonscm.debian.org/viewvc/secure-testing/bin/tracker_service.py?view=markup;), + Source), + , A(url.absolute(svn://anonscm.debian.org/secure-testing), (SVN)), )) if search_in_page: on_load = selectSearch() @@ -1324,7 +1325,8 @@ Debian bug number.'''), return SPAN(contents, _class=red) def make_purple(self, contents): - return SPAN(contents, _class=purple) +return SPAN(contents, _class=purple) +return SPAN(contents, _class=purple) def make_dangerous(self, contents): return SPAN(contents, _class=dangerous) -- 1.9.0.rc3 From 8d31c637e78a9c224426e2baef5a7d094a6857c0 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro terce...@softwarelivre.org Date: Tue, 11 Feb 2014 18:55:27 -0300 Subject: [PATCH 2/2] Vulnerabitily summary for packages --- bin/tracker_service.py | 43 +++ 1 file changed, 43 insertions(+) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index c0879a0..5df25ba 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -99,6 +99,7 @@ td, th { text-align : left; td { vertical-align: baseline } span.red { color: red; } span.purple { color: purple; } +span.green { color: green; } span.dangerous { color: rgb(191,127,0); } ), SCRIPT('''var old_query_value = ; 
@@ -546,6 +547,34 @@ to improve our documentation and procedures, so feedback is welcome.)])]) for (bug, description) in lst: yield self.make_xref(url, bug), description +suites = () +for (releases, version) in self.db.getSourcePackageVersions( +self.db.cursor(), pkg): +for r in releases: +if r not in suites: +suites = suites + (r,) + +def gen_summary(bugs): +for (bug, description) in bugs: +status = {} +for (package, releases, version, vulnerable) \ +in self.db.getSourcePackages(self.db.cursor(), bug): +for release in releases: +if package == pkg: +if vulnerable == 1: +status[release] = self.make_red('vulnerable') +elif vulnerable == 2: +status[release] = self.make_purple('undetermined') +else: +status[release] = self.make_green('fixed') +status_row = () +for release in suites: +if release in status: +status_row = status_row + (status[release],) +else: +status_row = status_row + (self.make_purple('unknown'),) +yield (self.make_xref(url, bug),) +
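Review bot: the first hunk of patch 1 (the `td, th` CSS block at line 93) replaces one `padding-left : 0.25em;` line with two identical `+ padding-left : 0.25em;` lines, and the hunk header (`-93,7 +93,8`) together with the diffstat (7 insertions, 5 deletions for a whitespace-only change) confirms the extra line is really in the patch rather than an artifact of this page. A whitespace cleanup should not change the line count; drop the duplicate declaration so the hunk becomes a one-for-one replacement.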
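Review bot: the third hunk of patch 1 (`make_purple`, around line 1324) likewise turns the single `return SPAN(contents, _class=purple)` into two consecutive `+return SPAN(contents, _class=purple)` lines; the second `return` is unreachable, and the hunk header `-1324,7 +1325,8` shows the method really grows by a line. Keep a single `return`, indented like `make_red` and `make_dangerous` on either side of it.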
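Review bot: in the second hunk of patch 2 (`gen_summary`, after line 546) the `version` returned by `getSourcePackages` is unpacked and then discarded, so every cell is rendered only as `vulnerable` / `undetermined` / `fixed`, whereas the table in the bug report shows the fixed version per suite (`1.2-3+squeeze1`, `1.3-4+deb7u1`, `1.5`); consider passing `version` to `make_green` for the fixed cells so the view matches what was requested. Also, the hunk calls `self.make_green('fixed')` and the first hunk only adds the `span.green` CSS class: nothing in the part of the patch visible here defines a `make_green` method next to `make_red` / `make_purple` / `make_dangerous`, so unless it is in the portion cut off on this page the first fixed entry will raise `AttributeError`. Two smaller points: the `if package == pkg` test sits inside `for release in releases`, so rows for other packages are iterated for nothing and the check can move up one level; and `self.db.cursor()` is opened once per bug inside the loop, where one cursor created before `gen_summary` would do. The hunk stops at `yield (self.make_xref(url, bug),) +`, so the rest of the yield and the code that consumes `gen_summary` could not be reviewed from this page.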
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Hi Antonio,

On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> It would be nice if someone familiar with the codebase could write up
> instructions on how to do that.

Actually at the Security Team meeting we are working on this now. Mainly, if
you want to set up a test instance of the security tracker, it is a matter of
three steps:

make update-packages
make all
make serve

But Luciano is working on adding a section for this to the documentation.

Regards,
Salvatore

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a
subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
On Thu, Oct 24, 2013 at 06:36:15AM +0200, Salvatore Bonaccorso wrote:
> Package: security-tracker
> Severity: wishlist
>
> Hi
>
> At last DebConf Antonio Terceiro brought up the following idea for an
> additional view for a source package in the security-tracker. I'm opening
> the bug report to not forget about it.
>
> It would be nice to have, for a given source package, a report/view listing
> in a table each CVE (open in at least one suite), with columns marking if
> fixed in the given suite.
>
> srpkg:
> +---------------+-----------+--------------------+---------+-----------------+---------+----------+
> | CVE           | oldstable | oldstable-security | stable  | stable-security | testing | unstable |
> +---------------+-----------+--------------------+---------+-----------------+---------+----------+
> | CVE-1234-5678 | unfixed   | 1.2-3+squeeze1     | unfixed | 1.3-4+deb7u1    | unfixed | 1.5      |
> | CVE-5678-1234 | unfixed   | unfixed            | unfixed | unfixed         | unfixed | unfixed  |
> +---------------+-----------+--------------------+---------+-----------------+---------+----------+
>
> In principle it should look like an aggregated view of each CVE page, for a
> queried source package.

Thanks for opening a bug about this, Salvatore! :-)

I am actually willing to write the code for this. Unfortunately I tried
setting up a local instance of the security-tracker and failed miserably. It
would be nice if someone familiar with the codebase could write up
instructions on how to do that.

-- 
Antonio Terceiro terce...@debian.org
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Package: security-tracker
Severity: wishlist

Hi

At last DebConf Antonio Terceiro brought up the following idea for an
additional view for a source package in the security-tracker. I'm opening the
bug report to not forget about it.

It would be nice to have, for a given source package, a report/view listing in
a table each CVE (open in at least one suite), with columns marking if fixed
in the given suite.

srpkg:
+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE           | oldstable | oldstable-security | stable  | stable-security | testing | unstable |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE-1234-5678 | unfixed   | 1.2-3+squeeze1     | unfixed | 1.3-4+deb7u1    | unfixed | 1.5      |
| CVE-5678-1234 | unfixed   | unfixed            | unfixed | unfixed         | unfixed | unfixed  |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+

In principle it should look like an aggregated view of each CVE page, for a
queried source package.

Regards,
Salvatore
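The aggregation the report sketches, as an added example that is not security-tracker code and not from anyone in this thread: per-CVE fix data for one source package is folded into the CVE-by-suite table above, keeping only CVEs that are still open in at least one suite and showing the fixing version where there is one. The input records, the suite list and the function names (open_cves, build_rows, render_table) are this example's own assumptions, not the tracker's data model or API.

```python
"""Aggregating per-CVE fix status into the per-source-package table that this
bug proposes.  Added example, not security-tracker code; the records below are
constructed, and the function names are this example's own."""

SUITES = ("oldstable", "oldstable-security", "stable",
          "stable-security", "testing", "unstable")

# Constructed sample input: for each CVE, a mapping from suite to the version
# that fixed it.  A suite missing from the mapping still ships a vulnerable
# version (rendered as "unfixed" in the report).
SAMPLE_STATUS = {
    "CVE-1234-5678": {"oldstable-security": "1.2-3+squeeze1",
                      "stable-security": "1.3-4+deb7u1",
                      "unstable": "1.5"},
    "CVE-5678-1234": {},
    # Fixed in every suite: must not appear, since the report asks for CVEs
    # that are open in at least one suite.
    "CVE-0000-0001": dict.fromkeys(SUITES, "1.0-1"),
}


def open_cves(status, suites=SUITES):
    """CVEs still unfixed in at least one of the given suites, sorted."""
    return sorted(cve for cve, fixed_in in status.items()
                  if any(suite not in fixed_in for suite in suites))


def build_rows(status, suites=SUITES):
    """One row per open CVE: the CVE id, then the fixing version or 'unfixed'
    for each suite, in the column order of the report."""
    return [[cve] + [status[cve].get(suite, "unfixed") for suite in suites]
            for cve in open_cves(status, suites)]


def render_table(rows, suites=SUITES):
    """Render rows as the ASCII table sketched in the bug report."""
    header = ["CVE"] + list(suites)
    widths = [max(len(row[i]) for row in [header] + rows)
              for i in range(len(header))]
    sep = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def line(cells):
        return "| " + " | ".join(c.ljust(w) for c, w in zip(cells, widths)) + " |"

    return "\n".join([sep, line(header), sep] + [line(r) for r in rows] + [sep])


if __name__ == "__main__":
    print("srpkg:")
    print(render_table(build_rows(SAMPLE_STATUS)))
```

Running the block prints the two-row table from the report; the third constructed CVE, fixed everywhere, is filtered out by open_cves. In the tracker itself the same shape of data would come from the per-CVE source-package records rather than from a literal dictionary.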