Bug#761859: prototype ready

2015-02-22 Thread Paul Wise
On Sun, 22 Feb 2015 00:37:49 +0100 Holger Levsen wrote:

> I have a prototype ready, see attached...

I noticed that fixed issues are not listed, we need that so people can
look up the security history of any package by clicking a 'security'
link in the links section. Just an item link: True|False would be
enough, True for anything that has any info in the security tracker.

I see a bunch of urgency set to high** and medium**, should it be
high and medium instead?

I think it might be a good idea to include attack range information
(local/remote/etc).

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



signature.asc
Description: This is a digitally signed message part


debsecan now on Gitorious

2015-02-22 Thread Florian Weimer
I've moved the debsecan Git repository to Gitorious.  Please speak up
if you want to be added to the push ACL.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87385xda3c@mid.deneb.enyo.de



Bug#761859: yaml...

2015-02-22 Thread Florian Weimer
* Holger Levsen:

> the patch currently creates yaml, not json. Which do you prefer?

JSON has less risk of unwanted data execution when deserializing.  It
is also supported by Python out of the box, so it's more natural for
the successor of the custom debsecan format (which I created when
Python did not have built-in JSON support).


Archive: https://lists.debian.org/87vbit8tff@mid.deneb.enyo.de



Bug#761859: yaml...

2015-02-22 Thread Holger Levsen
Hi,

the patch currently creates yaml, not json. Which do you prefer?

Also, is the bug description useful in the data? Do you want no
data/remote/local or (null|None)/true/false?

Anything else?


cheers,
Holger
From 4237fa854c9dc4f1d8ac8de5c8e2030f68bf847b Mon Sep 17 00:00:00 2001
From: Holger Levsen hol...@layer-acht.org
Date: Sun, 22 Feb 2015 00:39:00 +0100
Subject: [PATCH] Dump data as .yaml via /tracker/data/yaml (Closes: #761859)

---
 bin/tracker_service.py | 48 
 1 file changed, 48 insertions(+)

diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index ec7cee5..fcc5621 100644
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -138,6 +138,7 @@ class TrackerService(webservice_base_class):
 self.register('data/funny-versions', self.page_data_funny_versions)
 self.register('data/fake-names', self.page_data_fake_names)
 self.register('data/pts/1', self.page_data_pts)
+self.register('data/yaml', self.page_yaml)
 self.register('debsecan/**', self.page_debsecan)
 self.register('data/report', self.page_report)
 self.register('style.css', self.page_style_css)
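Review bot: the new handler is registered as `self.page_yaml`, but every neighbouring data endpoint in this block follows the `page_data_*` naming (`page_data_funny_versions`, `page_data_fake_names`, `page_data_pts`); `self.register('data/yaml', self.page_data_yaml)` would keep that convention. Since the rest of the thread settles on JSON rather than YAML (Florian prefers it for its lower deserialization risk and stdlib support), it would also save consumers a URL migration to register the final path (for instance `data/json`) now instead of `data/yaml`.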
@@ -1226,6 +1227,53 @@ Debian bug number.'''),
 data.append('\n')
 return BinaryResult(''.join(data),'application/octet-stream')
 
+def page_yaml(self, path, params, url):
+data = []
+old_pkg = ''
+releases = ('sid', 'jessie', 'wheezy', 'squeeze')
+for (pkg, bug, desc, release, subrelease, status, urgency, remote, nodsa) in self.db.cursor().execute(
+SELECT sp.name, st.bug_name, bugs.description,
+sp.release, sp.subrelease, st.vulnerable, st.urgency,
+(SELECT range_remote FROM nvd_data
+WHERE cve_name = st.bug_name),
+(SELECT comment FROM package_notes_nodsa AS nd
+WHERE nd.package = sp.name AND nd.release = sp.release
+AND nd.bug_name = st.bug_name) AS nodsa
+FROM source_package_status AS st, source_packages AS sp, bugs
+WHERE sp.rowid = st.package AND st.bug_name = bugs.name
+AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
+OR sp.release = ? )
+ORDER BY sp.name, st.bug_name, sp.release, sp.subrelease , releases):
+
+if old_pkg != pkg:
+old_pkg = pkg
+old_bug = ''
+data.append(pkg+':\n')
+if old_bug != bug:
+old_bug = bug
+data.append('  '+bug+':\n')
+data.append('description: '+desc+'\n')
+data.append('releases: \n')
+if subrelease == '':
+my_release = release
+else:
+my_release = release+'-'+subrelease
+data.append('  '+my_release+':\n')
+if status  0:
+data.append('status: open\n')
+else:
+data.append('status: resolved\n')
+data.append('urgency: '+urgency+'\n')
+if str(remote) == 'None':
+data.append('range: no data\n')
+elif remote == 1:
+data.append('range: remote\n')
+else:
+data.append('range: local\n')
+if str(nodsa) != 'None':
+data.append('nodsa: '+nodsa+'\n')
+return BinaryResult(''.join(data),'application/octet-stream')
+
 def page_debsecan(self, path, params, url):
 obj = '/'.join(path)
 data = self.db.getDebsecan(obj)
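Review bot: the document is assembled by string concatenation with unescaped database values, so a `description` or `nodsa` comment containing a colon, a `#`, a leading quote or a newline produces output that a YAML (or JSON) parser rejects or misreads; `data.append('description: '+desc+'\n')` is the first such line, and `data.append('nodsa: '+nodsa+'\n')` the other. Build a nested dict (package -> bug -> releases) and hand it to a real serializer (`json.dumps`, or `yaml.safe_dump` if YAML is kept) so quoting and escaping are done for you; this also fixes the "Extra data" failure Paul reports when loading the result with the json module. Smaller points in the same hunk: `str(remote) == 'None'` and `str(nodsa) != 'None'` should be `remote is None` / `nodsa is not None` (a comment that literally reads "None" would otherwise be dropped); if `bugs.description` can be NULL the concatenation raises `TypeError`; the `releases` tuple is hard-coded and will need editing at every release; and `application/octet-stream` is the wrong content type for a text document, `text/plain; charset=utf-8` (or `application/json` once it is JSON) lets browsers and HTTP clients handle it directly.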
-- 
1.9.1





Bug#761859: prototype ready

2015-02-22 Thread Paul Wise
On Sun, 2015-02-22 at 19:00 +0100, Holger Levsen wrote:
> On Sunday, 22 February 2015, Paul Wise wrote:
> > I see a bunch of urgency set to high** and medium**, should it
> > be high and medium instead?
> 
> this comes directly from the database, so I don't think it should be modified.

Hmm, it appears that these are the default urgency from NVD and the ones
without asterisks are ones set by SVN committers. That doesn't appear to
be a distinction worth preserving but it is fine to do so.

Please ensure that this json is linked to from the front page of the
security tracker and from the security tracker documentation so that
people building on it can find it easily. It is vastly more friendly to
potential consumers than the current output consumed by the PTS and the
current output consumed by debsecan. We've already had people looking
for JSON and trying to use the debsecan data.

I think for other consumers of the data (not distro-tracker), exposing
fixed version numbers might be interesting. For instance, someone with
500 machines who aggregates host/package/version information and then
correlates that with the list of security issues from the sectracker.
I should stop bike-shedding though :)

Anyway, the current JSON is good for the distro-tracker from a content
perspective (so please deploy) but it doesn't load using the python JSON
module so it is probably not valid JSON, I'd suggest using Python's
json.dump instead of whatever method you are using now.

>>> with open('json') as f: data = json.load(f)
... 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/json/__init__.py", line 290, in load
    **kw)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 369, in decode
    raise ValueError(errmsg("Extra data", s, end, len(s)))
ValueError: Extra data: line 1 column 4 - line 428027 column 1 (char 3 - 10590028)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



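To show what Paul's "use json.dump" suggestion and Florian's JSON preference look like in practice, here is an added example (not code from the tracker or from Holger's patch) that folds result rows in the same column order as the patch's query into a package -> bug -> releases structure and serializes it with the standard library. The rows, package names and `CVE-0000-000N` bug identifiers are constructed placeholders; the mapping of a non-zero `vulnerable` value to "open" is an assumption that follows the patch's two branches. The last function contrasts a single top-level document with the concatenated-documents anti-pattern that the json module rejects with "Extra data", which is only an illustration of that error class, not a claim about what the prototype script did.

```python
import json

# Constructed sample rows (not real tracker data). Column order mirrors the
# query in the patch: name, bug_name, description, release, subrelease,
# vulnerable, urgency, range_remote, nodsa. Bug identifiers are placeholders.
SAMPLE_ROWS = [
    ("foo", "CVE-0000-0001", "Placeholder: heap overflow in parser", "sid", "", 1, "high**", 1, None),
    ("foo", "CVE-0000-0001", "Placeholder: heap overflow in parser", "wheezy", "security", 0, "high**", 1, None),
    ("foo", "CVE-0000-0002", "Placeholder # local symlink race", "sid", "", 1, "low", 0, "Minor issue"),
    ("bar", "CVE-0000-0003", "Placeholder issue with no NVD range", "squeeze", "", 1, "medium", None, None),
]


def release_key(release, subrelease):
    """'wheezy' + 'security' -> 'wheezy-security', as the patch does."""
    return release if not subrelease else release + "-" + subrelease


def range_label(range_remote):
    """Map NVD's range_remote column to the three labels used in the patch."""
    if range_remote is None:
        return "no data"
    return "remote" if range_remote == 1 else "local"


def build_tracker_data(rows):
    """Fold the flat result rows into {package: {bug: {description, releases}}}."""
    data = {}
    for (pkg, bug, desc, release, subrelease, vulnerable, urgency, range_remote, nodsa) in rows:
        bug_entry = data.setdefault(pkg, {}).setdefault(bug, {"description": desc, "releases": {}})
        entry = {
            # assumption: a non-zero 'vulnerable' value means the issue is still open
            "status": "open" if vulnerable else "resolved",
            "urgency": urgency,
            "range": range_label(range_remote),
        }
        if nodsa is not None:  # 'is None', not str(x) == 'None'
            entry["nodsa"] = nodsa
        bug_entry["releases"][release_key(release, subrelease)] = entry
    return data


def dump_json(rows):
    """One top-level JSON document; json.dumps does all quoting and escaping,
    so the '#' and ':' in the sample descriptions cannot break the format."""
    return json.dumps(build_tracker_data(rows), sort_keys=True, indent=1)


def dump_concatenated(rows):
    """The anti-pattern: one document per package written back to back.
    Each piece is valid JSON on its own, but the whole is not a single value."""
    return "".join(json.dumps({pkg: bugs}) + "\n"
                   for pkg, bugs in build_tracker_data(rows).items())


def loads_cleanly(text):
    """True if the Python json module accepts the text as a single document."""
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def round_trips(rows):
    """True if serializing and re-loading reproduces the same structure."""
    return json.loads(dump_json(rows)) == build_tracker_data(rows)


if __name__ == "__main__":
    print(dump_json(SAMPLE_ROWS))
    print("json.dumps output loads:", loads_cleanly(dump_json(SAMPLE_ROWS)))
    print("concatenated output loads:", loads_cleanly(dump_concatenated(SAMPLE_ROWS)))
```

Because the structure is a plain dict, a consumer such as distro-tracker can call `json.load()` once and index by package and bug; adding the fixed version numbers Paul mentions would just be another key in each release entry, with no change to the quoting logic.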