Closed
20 commits
2ef0864
Bump requests from 2.32.4 to 2.33.0
dependabot[bot] Mar 26, 2026
0e392a0
use sets instead of lists for update tracking
furlongm Mar 6, 2026
eea7d6d
merge duplicate update-finding methods into find_repo_updates
furlongm Mar 27, 2026
84cc429
remove underscore prefix from kernel helper methods
furlongm Mar 31, 2026
de53ae7
don't rename repos from client reports
furlongm Mar 31, 2026
b96e4f7
filter deb kernel updates by major.minor series
furlongm Mar 31, 2026
a0384a0
add package updates list view with table, filters, and nav entry
furlongm Mar 5, 2026
c137276
add sortable columns to package list and name detail views
furlongm Mar 31, 2026
71c97d3
Bump django from 4.2.29 to 4.2.30
dependabot[bot] Apr 8, 2026
57b88f4
add celery worker resilience for database connection timeouts
furlongm Apr 11, 2026
9d04908
auto-enable wal mode for sqlite backend
furlongm Apr 11, 2026
5eb5e52
fix duplicate verbose_name_plural in report model meta
furlongm Apr 7, 2026
ad8d648
sanitize filter_params in bulk action views
furlongm Apr 7, 2026
e2fed70
add null guard for missing references element in updateinfo xml
furlongm Apr 7, 2026
0c30dcb
return early on yaml parse error in extract_module_metadata
furlongm Apr 7, 2026
578e4a3
fix null url handling in osv.dev cve references
furlongm Apr 2, 2026
bb53742
send info messages to stdout instead of stderr
furlongm Apr 1, 2026
159ceca
move function-level import to top-level
furlongm Apr 14, 2026
847964a
bulk db optimizations for errata processing
furlongm Apr 22, 2026
fc693b8
fix: deb kernel meta-packages bypass series check causing false HWE u…
mhrznamn068 Apr 23, 2026
89 changes: 45 additions & 44 deletions errata/models.py
Expand Up @@ -21,7 +21,7 @@

from errata.managers import ErratumManager
from packages.models import Package, PackageUpdate
from packages.utils import find_evr, get_matching_packages
from packages.utils import find_evr, get_matching_packages_q
from security.models import CVE, Reference
from security.utils import get_or_create_cve, get_or_create_reference
from util import get_url
Expand Down Expand Up @@ -64,34 +64,32 @@ def get_absolute_url(self):

def scan_for_security_updates(self):
if self.e_type == 'security':
for package in self.fixed_packages.all():
affected_updates = PackageUpdate.objects.filter(
newpackage=package,
security=False,
fixed_pks = list(self.fixed_packages.values_list('pk', flat=True))
if fixed_pks:
self._mark_updates_security(
PackageUpdate.objects.filter(newpackage__in=fixed_pks, security=False)
)
for affected_update in affected_updates:
affected_update.security = True
try:
affected_update.save()
except IntegrityError as e:
error_message(text=e)
# a version of this update already exists that is
# marked as a security update, so delete this one
affected_update.delete()
for package in self.affected_packages.all():
affected_updates = PackageUpdate.objects.filter(
oldpackage=package,
security=False,
affected_pks = list(self.affected_packages.values_list('pk', flat=True))
if affected_pks:
self._mark_updates_security(
PackageUpdate.objects.filter(oldpackage__in=affected_pks, security=False)
)
for affected_update in affected_updates:
affected_update.security = True
try:
affected_update.save()
except IntegrityError as e:
error_message(text=e)
# a version of this update already exists that is
# marked as a security update, so delete this one
affected_update.delete()

def _mark_updates_security(self, updates):
""" Mark a queryset of PackageUpdates as security updates.
Handles IntegrityError by deleting duplicates.
"""
try:
updates.update(security=True)
except IntegrityError:
# fall back to individual saves to handle duplicates
for update in updates:
update.security = True
try:
update.save()
except IntegrityError as e:
error_message(text=e)
update.delete()

def fetch_osv_dev_data(self):
osv_dev_url = f'https://api.osv.dev/v1/vulns/{self.name}'
Expand All @@ -104,15 +102,19 @@ def fetch_osv_dev_data(self):
self.parse_osv_dev_data(osv_dev_json)

def parse_osv_dev_data(self, osv_dev_json):
from django.db.models import Q
name = osv_dev_json.get('id')
if name != self.name:
error_message(text=f'Erratum name mismatch - {self.name} != {name}')
return
related = osv_dev_json.get('related')
if related:
cves = []
for vuln in related:
if vuln.startswith('CVE'):
self.add_cve(vuln)
cves.append(vuln)
for cve_id in cves:
self.add_cve(cve_id)
affected = osv_dev_json.get('affected')
if not affected:
return
Expand All @@ -129,30 +131,29 @@ def parse_osv_dev_data(self, osv_dev_json):
for match in matching_packages:
fixed_packages.add(match)
affected_versions = package.get('versions')
if not affected_versions:
if not affected_versions or not fixed_packages:
continue
for package in fixed_packages:
for fp in fixed_packages:
q = Q()
for version in affected_versions:
epoch, ver, rel = find_evr(version)
matching_packages = get_matching_packages(
name=package.name,
epoch=epoch,
version=ver,
release=rel,
arch=package.arch,
p_type=package.packagetype,
)
for match in matching_packages:
affected_packages.add(match)
q |= Q(epoch=epoch, version=ver, release=rel)
matching_packages = get_matching_packages_q(
name=fp.name,
q=q,
arch=fp.arch,
p_type=fp.packagetype,
)
affected_packages.update(matching_packages)
self.add_affected_packages(affected_packages)

def add_fixed_packages(self, packages):
for package in packages:
self.fixed_packages.add(package)
if packages:
self.fixed_packages.add(*packages)

def add_affected_packages(self, packages):
for package in packages:
self.affected_packages.add(package)
if packages:
self.affected_packages.add(*packages)

def add_cve(self, cve_id):
""" Add a CVE to an Erratum object
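Review bot: In `_mark_updates_security`, the per-row fallback after `updates.update(security=True)` fails is only reliable when the call runs in autocommit mode. If any caller runs inside `transaction.atomic()` (not visible from this section), Django marks that transaction for rollback when the bulk UPDATE raises `IntegrityError`, so the `save()`/`delete()` loop would raise `TransactionManagementError` and the matching updates would stay unflagged as security updates. Giving the bulk statement its own savepoint, `with transaction.atomic(): updates.update(security=True)` inside the existing `try`, keeps the outer transaction usable; the inner `update.save()` would need the same treatment. `QuerySet.update()` also bypasses `save()` and model signals, which deserves a line in the docstring if `PackageUpdate` relies on either.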
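--- a/errata/sources/repos/yum.py
+++ b/errata/sources/repos/yum.py
@@ -136,6 +136,8 @@ def add_updateinfo_erratum_references(e, update, ref_type, urls):
 for url in urls:
 e.add_reference(ref_type, url)
 references = update.find('references')
+if references is None:
+return
 for reference in references.findall('reference'):
 if reference.attrib.get('type') == 'cve':
 cve_id = reference.attrib.get('id')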
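Review bot: The new `references is None` guard covers a missing `<references>` element, but the last visible line reads `reference.attrib.get('id')`, which is `None` for a `cve` reference that carries no `id` attribute. The hunk ends there, so whether that value is checked before it is used cannot be seen from here; if it is not, `if not cve_id: continue` right after the lookup would treat it the same way as the missing element. A short comment on the guard, such as `# some updateinfo entries have no <references> element`, would also record why the early return exists.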
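--- a/etc/systemd/system/patchman-celery-beat.service
+++ b/etc/systemd/system/patchman-celery-beat.service
@@ -5,6 +5,8 @@ After=network-online.target
 
 [Service]
 Type=simple
+Restart=on-failure
+RestartSec=10
 User=patchman
 Group=patchman
 Environment="REDIS_HOST=127.0.0.1"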
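Review bot: With `RestartSec=10` and systemd's default start limit (5 starts within 10 seconds, unless overridden in the manager configuration), the rate limit can never trip, so a unit that fails on every start is restarted indefinitely and never reaches the `failed` state that monitoring usually watches for. If that is not intended, set explicit limits in `[Unit]`, which lies outside this hunk, for example `StartLimitIntervalSec=300` and `StartLimitBurst=10` (values are illustrative). The same applies to the identical two lines added to `patchman-celery-worker@.service`.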
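--- a/etc/systemd/system/patchman-celery-worker@.service
+++ b/etc/systemd/system/patchman-celery-worker@.service
@@ -5,6 +5,8 @@ After=network-online.target
 
 [Service]
 Type=simple
+Restart=on-failure
+RestartSec=10
 User=patchman
 Group=patchman
 Environment="REDIS_HOST=127.0.0.1"
@@ -19,6 +21,7 @@ ExecStart=/usr/bin/celery \
 --task-events \
 --pool ${CELERY_POOL_TYPE} \
 --concurrency ${CELERY_CONCURRENCY} \
+--loglevel info \
 --hostname patchman-celery-worker%i@%%h
 
 [Install]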
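Review bot: The hard-coded `--loglevel info` in `ExecStart` makes Celery write a line per task to the journal, and on success that line includes the task's return value. If any patchman task returns report contents or other sensitive data (not visible from this section), that data lands in the journal, so it is worth confirming what the tasks return and who can read the unit's logs. Making the level configurable like the pool type and concurrency on the lines above, e.g. `--loglevel ${CELERY_LOGLEVEL}` (variable name is a suggestion) with a matching `Environment=` default, would let a site lower it without editing the unit.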