
hardcode OpenShift CPEs #1795

Merged
merged 1 commit into master from hardcode-openshift-cpe
Feb 10, 2025

Conversation

@RTann
Collaborator

@RTann RTann commented Jan 29, 2025

See https://issues.redhat.com/browse/SECDATA-869 for more information. The OpenShift unfixed vuln OVAL files keep flapping. This PR ignores the CPE's minor version in favor of using our own hardcoded ones just to make the data consistently work.

The idea is: OpenShift 4.20 will not be released for quite some time, so we won't need to update this any time soon (ideally, never).
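The approach the description sketches (drop whatever minor version the OVAL CPE carries and substitute a fixed list of OpenShift 4 CPEs) written out as an added Go example. This is not the PR's code and not how the project's loader is structured; the CPE shape `cpe:/a:redhat:openshift:4.N::elM`, the regular expression, and the 4.1 to 4.19 bounds are assumptions drawn only from the statement that 4.20 is far off.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed bounds of the hardcoded OpenShift 4 minor-version range. The PR only says
// that 4.20 is far off, so 19 as the upper bound and 1 as the lower bound are assumptions.
const (
	openshift4MinMinor = 1
	openshift4MaxMinor = 19
)

// openshift4CPE matches OVAL CPEs such as cpe:/a:redhat:openshift:4.15::el9 (or a bare
// cpe:/a:redhat:openshift:4), capturing the optional "::elN" suffix so it can be kept.
// OpenShift 3 CPEs and non-OpenShift CPEs deliberately do not match.
var openshift4CPE = regexp.MustCompile(`^cpe:/a:redhat:openshift:4(?:\.\d+)?(::el\d+)?$`)

// ExpandOpenShiftCPE ignores the minor version of an OpenShift 4 CPE and returns the fixed
// list cpe:/a:redhat:openshift:4.<min>..4.<max> with the same suffix. Any other CPE is
// returned unchanged as a one-element slice.
func ExpandOpenShiftCPE(cpe string) []string {
	m := openshift4CPE.FindStringSubmatch(cpe)
	if m == nil {
		return []string{cpe}
	}
	out := make([]string, 0, openshift4MaxMinor-openshift4MinMinor+1)
	for minor := openshift4MinMinor; minor <= openshift4MaxMinor; minor++ {
		out = append(out, fmt.Sprintf("cpe:/a:redhat:openshift:4.%d%s", minor, m[1]))
	}
	return out
}

// NormalizeCPEs applies ExpandOpenShiftCPE to a definition's affected CPE list and
// dedups, so a list that flaps between 4.14 and 4.15 across OVAL runs yields one stable set.
func NormalizeCPEs(cpes []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range cpes {
		for _, e := range ExpandOpenShiftCPE(c) {
			if !seen[e] {
				seen[e] = true
				out = append(out, e)
			}
		}
	}
	return out
}

func equal(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the CPE list of one unpatched definition as it might look on two
	// OVAL runs that differ only in the OpenShift minor version (the "flapping" case).
	runA := []string{"cpe:/a:redhat:openshift:4.14::el9", "cpe:/o:redhat:enterprise_linux:9"}
	runB := []string{"cpe:/a:redhat:openshift:4.15::el9", "cpe:/o:redhat:enterprise_linux:9"}
	a, b := NormalizeCPEs(runA), NormalizeCPEs(runB)
	fmt.Printf("run A -> %d CPEs, run B -> %d CPEs, identical: %v\n", len(a), len(b), equal(a, b))
}
```

The point of the anchored regular expression is that only the OpenShift 4 CPEs are rewritten; everything else in the list passes through untouched, so a bug in the hardcoded range cannot leak into RHEL or OpenShift 3 matching.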

@jvdm
Contributor

jvdm commented Jan 29, 2025

Now we need to put a reminder somewhere...

@dcaravel
Contributor

dcaravel left a comment

Would you be open to adding generate-dumps-on-pr so we can see what the bundle will look like with this change?

@RTann RTann added the generate-dumps-on-pr Generates the image based on dumps from the PR label Feb 7, 2025

@RTann RTann force-pushed the hardcode-openshift-cpe branch from e8c6dd6 to bf6d2bb Compare February 7, 2025 00:54
@RTann
Collaborator Author

RTann commented Feb 7, 2025

/retest

@dcaravel
Contributor

dcaravel commented Feb 7, 2025

I was just spot checking a few vulns in the genesis dump from this PR against the one produced as part of the 2.35.3 (4.6.2) release.

cd <unzip path>/rhelv2/vulns

2.35.3

$ ls -l | wc -l
     394

$ grep -il "RHSA-2024:2776" *
RHEL8-openshift-4.15.json
RHEL9-openshift-4.15.json

$ grep -il "RHSA-2024:" * | wc -l
     105

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "CVE" | wc -l
     695

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "RHSA" | wc -l
       0


This PR:

$ ls -l | wc -l
     336

$ grep -il "RHSA-2024:2776" *
RHEL9-openshift-4-including-unpatched.json

$ grep -il "RHSA-2024:" * | wc -l
      46

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "CVE" | wc -l
     613

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "RHSA" | wc -l
      74

Wondering if this too is a result of the flapping issue already reported: current OVAL data indicates 4.15 CPEs for all unpatched OpenShift vulns.

These are the files in the 2.35.3 genesis that are NOT in the genesis from this PR:

RHEL6-amq-clients-1-including-unpatched.json
RHEL6-amq-clients-1.json
RHEL6-jboss-ws-4-including-unpatched.json
RHEL6-jboss-ws-4.json
RHEL6-rhvh-4-including-unpatched.json
RHEL6-rhvh-4.json
RHEL6-satellite-tools-6.2.json
RHEL6-satellite-tools-6.6.json
RHEL6-satellite-tools-6.7.json
RHEL6-satellite-tools-6.8.json
RHEL7-amq-clients-1-including-unpatched.json
RHEL7-amq-clients-1.json
RHEL7-jboss-ws-4-including-unpatched.json
RHEL7-jboss-ws-4.json
RHEL7-jboss-ws-6.json
RHEL7-openshift-4.11.json
RHEL7-openshift-service-mesh-2.0-including-unpatched.json
RHEL7-openshift-service-mesh-2.0.json
RHEL7-openshift-service-mesh-2.1-including-unpatched.json
RHEL7-openshift-service-mesh-2.1.json
RHEL7-rhacm-1.json
RHEL7-rhacm-2.json
RHEL7-satellite-tools-6.2.json
RHEL7-satellite-tools-6.6.json
RHEL7-satellite-tools-6.7.json
RHEL7-satellite-tools-6.8.json
RHEL8-amq-clients-3-including-unpatched.json
RHEL8-amq-clients-3.json
RHEL8-openshift-4.18.json
RHEL8-openshift-service-mesh-2.2-including-unpatched.json
RHEL8-openshift-service-mesh-2.2.json
RHEL8-openshift-service-mesh-2.3-including-unpatched.json
RHEL8-openshift-service-mesh-2.3.json
RHEL8-openshift-service-mesh-2.4-including-unpatched.json
RHEL8-openshift-service-mesh-2.4.json
RHEL8-openshift-service-mesh-2.5-including-unpatched.json
RHEL8-openshift-service-mesh-2.5.json
RHEL8-openshift-service-mesh-2.6-including-unpatched.json
RHEL8-openshift-service-mesh-2.6.json
RHEL8-openstack-17.1.json
RHEL8-openstack-17.json
RHEL8-rhacm-1.json
RHEL8-rhacm-2.json
RHEL8-rhoar-nodejs-10-including-unpatched.json
RHEL8-rhoar-nodejs-10.json
RHEL8-rhoar-nodejs-12-including-unpatched.json
RHEL8-rhoar-nodejs-12.json
RHEL8-satellite-tools-6.6.json
RHEL8-satellite-tools-6.7.json
RHEL8-satellite-tools-6.8.json
RHEL9-amq-clients-2.json
RHEL9-amq-clients-3-including-unpatched.json
RHEL9-amq-clients-3.json
RHEL9-jboss-cs.json
RHEL9-openshift-4.18.json
RHEL9-openshift-service-mesh-3.0.json
RHEL9-rhacm-2.json

@RTann
Collaborator Author

RTann commented Feb 7, 2025

I wonder how much this explains things:

> Fix missing OVAL data for advisories with more than 4 digits in their IDs, such as RHSA-2024:10289.

https://access.redhat.com/articles/5554431

@RTann
Collaborator Author

RTann commented Feb 7, 2025

/retest

@dcaravel
Contributor

dcaravel commented Feb 7, 2025

Retried the comparison with a genesis dump from one of the more recent master runs:

$ ls -l | wc -l
     393

$ grep -il "RHSA-2024:2776" *
RHEL8-openshift-4.15.json
RHEL9-openshift-4-including-unpatched.json
RHEL9-openshift-4.15.json

$ grep -il "RHSA-2024:" * | wc -l
     107

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "CVE" | wc -l
     613

$ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "RHSA" | wc -l
      74

Looks to be a combo of the two previous compares.
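The spot checks dcaravel ran above and in the earlier comment (file counts, which files mention RHSA-2024:2776, CVE and RHSA line counts in RHEL9-openshift-4-including-unpatched.json) done as a set comparison between two genesis dumps, as an added Go example that is not part of this thread or of the project. Counting distinct IDs instead of `jq | grep | wc -l` lines avoids counting an ID once per field it appears in, and the `\d{4,}` in the advisory pattern covers the five-digit IDs the Red Hat article mentions. The sample dumps are constructed, the CVE IDs in them are placeholders, and `loadDump` is what you would point at two unzipped dumps' rhelv2/vulns directories for real data.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// Dump maps a file name under a genesis dump's rhelv2/vulns directory
// (e.g. "RHEL9-openshift-4-including-unpatched.json") to its raw JSON.
type Dump = map[string][]byte

// loadDump reads every .json file of an unzipped dump's rhelv2/vulns directory.
func loadDump(dir string) (Dump, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.json"))
	d := Dump{}
	for _, p := range paths {
		if d[filepath.Base(p)], err = os.ReadFile(p); err != nil {
			return nil, err
		}
	}
	return d, err
}

var (
	// \d{4,} rather than \d{4}: advisory IDs such as RHSA-2024:10289 have five digits.
	cveRe  = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)
	rhsaRe = regexp.MustCompile(`RHSA-\d{4}:\d{4,}`)
)

// idSet returns the distinct IDs matched by re (`jq | grep CVE | wc -l` counts
// pretty-printed lines instead, so one ID is counted once per field it appears in).
func idSet(re *regexp.Regexp, b []byte) map[string]bool {
	s := map[string]bool{}
	for _, m := range re.FindAll(b, -1) {
		s[string(m)] = true
	}
	return s
}

// only returns the sorted keys of a that are absent from b.
func only[V any](a, b map[string]V) []string {
	var out []string
	for k := range a {
		if _, ok := b[k]; !ok {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

type FileDiff struct {
	File                                                string
	CVEsOnlyInA, CVEsOnlyInB, RHSAsOnlyInA, RHSAsOnlyInB []string
}
type Report struct {
	OnlyInA, OnlyInB []string // file names present in just one dump
	Changed          []FileDiff
}

// Compare diffs dump a (e.g. a release's genesis) against dump b (e.g. the PR's).
func Compare(a, b Dump) Report {
	r := Report{OnlyInA: only(a, b), OnlyInB: only(b, a)}
	for _, n := range only(a, Dump{}) { // all of a's files, sorted
		if _, ok := b[n]; !ok {
			continue
		}
		ca, cb := idSet(cveRe, a[n]), idSet(cveRe, b[n])
		ra, rb := idSet(rhsaRe, a[n]), idSet(rhsaRe, b[n])
		fd := FileDiff{n, only(ca, cb), only(cb, ca), only(ra, rb), only(rb, ra)}
		if len(fd.CVEsOnlyInA)+len(fd.CVEsOnlyInB)+len(fd.RHSAsOnlyInA)+len(fd.RHSAsOnlyInB) > 0 {
			r.Changed = append(r.Changed, fd)
		}
	}
	return r
}

// Constructed sample dumps (not real data; CVE IDs are placeholders), shaped like the thread.
var (
	sampleRelease = Dump{
		"RHEL8-openshift-4.15.json":                  []byte(`{"RHSA-2024:2776":["CVE-2024-0001"]}`),
		"RHEL9-openshift-4.15.json":                  []byte(`{"RHSA-2024:2776":["CVE-2024-0001"]}`),
		"RHEL9-openshift-4-including-unpatched.json": []byte(`{"CVE-2024-0001":"unfixed","CVE-2024-0002":"unfixed"}`),
		"RHEL9-rhacm-2.json":                         []byte(`{"RHSA-2024:10289":["CVE-2024-0003"]}`),
	}
	samplePR = Dump{
		"RHEL9-openshift-4-including-unpatched.json": []byte(`{"RHSA-2024:2776":["CVE-2024-0001"],"CVE-2024-0002":"unfixed"}`),
		"RHEL9-rhacm-2.json":                         []byte(`{"RHSA-2024:10289":["CVE-2024-0003"]}`),
	}
)

func main() {
	r := Compare(sampleRelease, samplePR) // swap in loadDump(<dir>) results for real dumps
	fmt.Printf("only in release: %v\nonly in PR: %v\n", r.OnlyInA, r.OnlyInB)
	for _, fd := range r.Changed {
		fmt.Printf("%s: CVEs +%v -%v, RHSAs +%v -%v\n", fd.File, fd.CVEsOnlyInB, fd.CVEsOnlyInA, fd.RHSAsOnlyInB, fd.RHSAsOnlyInA)
	}
}
```

With real dumps, a clean result for this PR would be an `OnlyInA` list limited to the per-minor-version OpenShift files, no CVE deltas in any common file, and RHSA IDs moving into the including-unpatched file rather than disappearing.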

@RTann
Collaborator Author

RTann commented Feb 7, 2025

> Retried the comparison with a genesis dump from one of the more recent master runs:
>
> $ ls -l | wc -l
>      393
>
> $ grep -il "RHSA-2024:2776" *
> RHEL8-openshift-4.15.json
> RHEL9-openshift-4-including-unpatched.json
> RHEL9-openshift-4.15.json
>
> $ grep -il "RHSA-2024:" * | wc -l
>      107
>
> $ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "CVE" | wc -l
>      613
>
> $ cat RHEL9-openshift-4-including-unpatched.json | jq | grep "RHSA" | wc -l
>       74
>
> Looks to be a combo of the two previous compares.

Hard to tell: is this an LGTM or a call to dive into discrepancies?

@RTann RTann requested a review from dcaravel February 7, 2025 23:25
@dcaravel
Contributor

dcaravel left a comment

Looks 'OK' to me; I would like to have had OVAL in a state where it had accurate data, to compare and confirm that the only diff before/after this PR is the CPEs on CVEs. Of the CVEs spot checked, it appears to be working as desired.

@RTann RTann merged commit 4a14f82 into master Feb 10, 2025
29 checks passed
@RTann RTann deleted the hardcode-openshift-cpe branch February 10, 2025 23:19
Labels
generate-dumps-on-pr Generates the image based on dumps from the PR