diff --git a/0001-fix-issue-gen-cve-task-failed.patch b/0001-fix-issue-gen-cve-task-failed.patch deleted file mode 100644 index d2ea7ac..0000000 --- a/0001-fix-issue-gen-cve-task-failed.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 614e6462e28c7ab013b669d7a7b2cc9c996a0a3f Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Wed, 28 Jun 2023 11:57:38 +0800 -Subject: [PATCH 1/1] fix issue:gen cve task failed - ---- - apollo/database/proxy/task.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/apollo/database/proxy/task.py b/apollo/database/proxy/task.py -index dd172b8..ed5e858 100644 ---- a/apollo/database/proxy/task.py -+++ b/apollo/database/proxy/task.py -@@ -3224,8 +3224,9 @@ class TaskProxy(TaskMysqlProxy, TaskEsProxy): - """ - - try: -- exists_cve_count = self.session.query(CveHostAssociation).filter( -- CveHostAssociation.cve_id.in_(cve_id)).count() -+ exists_cve_count = self.session.query(CveHostAssociation.cve_id).filter( -+ CveHostAssociation.cve_id.in_(cve_id)).distinct().count() -+ - - return True if exists_cve_count == len(cve_id) else False - except SQLAlchemyError as error: --- -2.33.0 - diff --git a/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch b/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch deleted file mode 100644 index 11e60a8..0000000 --- a/0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 4225065c74beb5e66c4d66a4bd3dfca5bcac91bd Mon Sep 17 00:00:00 2001 -From: wang-guangge -Date: Wed, 28 Jun 2023 16:53:10 +0800 -Subject: [PATCH] do not return the related hotpatches when the cve is fixed - ---- - hotpatch/hotpatch_updateinfo.py | 15 ++++++++++++--- - hotpatch/hotupgrade.py | 2 +- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py -index 4b39969..7dc92ce 100644 ---- a/hotpatch/hotpatch_updateinfo.py -+++ b/hotpatch/hotpatch_updateinfo.py -@@ -291,7 +291,7 @@ class HotpatchUpdateInfo(object): - Get hotpatches from specified cve. If there are several hotpatches for the same source package for a cve, only return the - hotpatch with the highest version. - -- Args: -+ Args: - cves: [cve_id_1, cve_id_2] - - Returns: -@@ -307,14 +307,23 @@ class HotpatchUpdateInfo(object): - continue - # find the hotpatch with the highest version for the same source package - mapping_src_pkg_to_hotpatches = dict() -+ # check whether the cve is fixed -+ is_cve_fixed = False - for hotpatch in self.hotpatch_cves[cve_id].hotpatches: -+ if hotpatch.state == self.INSTALLED: -+ is_cve_fixed = True - if hotpatch.state == self.INSTALLABLE: -- mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append([hotpatch.hotpatch_name, hotpatch]) -+ mapping_src_pkg_to_hotpatches.setdefault(hotpatch.src_pkg, []).append( -+ [hotpatch.hotpatch_name, hotpatch] -+ ) -+ # do not return the releated hotpatches if the cve is fixed -+ if is_cve_fixed: -+ continue - for src_pkg, hotpatches in mapping_src_pkg_to_hotpatches.items(): - # extract the number in HPxxx and sort hotpatches in descending order according to the number - hotpatches = sorted(hotpatches, key=lambda x: int(re.findall("\d+", x[0])[0]), reverse=True) - mapping_cve_hotpatches[cve_id].append(hotpatches[0][1].nevra) -- -+ - return mapping_cve_hotpatches - - def get_hotpatches_from_advisories(self, advisories: list[str]) -> 
dict(): -diff --git a/hotpatch/hotupgrade.py b/hotpatch/hotupgrade.py -index 2a36312..3bff9a1 100644 ---- a/hotpatch/hotupgrade.py -+++ b/hotpatch/hotupgrade.py -@@ -251,7 +251,7 @@ class HotupgradeCommand(dnf.cli.Command): - cve_hp_dict = updateinfo.get_hotpatches_from_cve(cves) - for cve, hp in cve_hp_dict.items(): - if not hp: -- logger.info(_("The cve's hot patch doesn't exist: %s"), cve) -+ logger.info(_("The cve doesn't exist or cannot be fixed by hotpatch: %s"), cve) - continue - hp_list += hp - return list(set(hp_list)) --- -2.33.0 - diff --git a/0003-update-condition-under-which-hotpatches-can-be-applied.patch b/0003-update-condition-under-which-hotpatches-can-be-applied.patch deleted file mode 100644 index c741058..0000000 --- a/0003-update-condition-under-which-hotpatches-can-be-applied.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 30a0f76f2150f27db79fedde3af4926b36954066 Mon Sep 17 00:00:00 2001 -From: rabbitali -Date: Fri, 30 Jun 2023 19:07:55 +0800 -Subject: [PATCH] Update the condition under which hot patches can be applied -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - hotpatch/hotpatch_updateinfo.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hotpatch/hotpatch_updateinfo.py b/hotpatch/hotpatch_updateinfo.py -index 7dc92ce..3963867 100644 ---- a/hotpatch/hotpatch_updateinfo.py -+++ b/hotpatch/hotpatch_updateinfo.py -@@ -212,7 +212,7 @@ class HotpatchUpdateInfo(object): - hp_vere = '%s-%s' % (src_pkg_version, src_pkg_release) - if hp_vere != inst_pkg_vere: - continue -- elif self._get_hotpatch_status_in_syscare(hotpatch) == 'ACTIVED': -+ elif self._get_hotpatch_status_in_syscare(hotpatch) in ('ACTIVED', "ACCEPTED"): - hotpatch.state = self.INSTALLED - else: - hotpatch.state = self.INSTALLABLE --- -2.33.0 - 
diff --git a/aops-apollo-v1.2.2.tar.gz b/aops-apollo-v1.2.2.tar.gz deleted file mode 100644 index fe2a601..0000000 Binary files a/aops-apollo-v1.2.2.tar.gz and /dev/null differ diff --git a/aops-apollo-v1.3.0.tar.gz b/aops-apollo-v1.3.0.tar.gz new file mode 100644 index 0000000..8d502ee Binary files /dev/null and b/aops-apollo-v1.3.0.tar.gz differ diff --git a/aops-apollo.spec b/aops-apollo.spec index 67f8589..0ea4155 100644 --- a/aops-apollo.spec +++ b/aops-apollo.spec @@ -1,13 +1,10 @@ Name: aops-apollo -Version: v1.2.2 -Release: 4 +Version: v1.3.0 +Release: 1 Summary: Cve management service, monitor machine vulnerabilities and provide fix functions. License: MulanPSL2 URL: https://gitee.com/openeuler/%{name} Source0: %{name}-%{version}.tar.gz -Patch0001: 0001-fix-issue-gen-cve-task-failed.patch -Patch0002: 0002-do-not-return-the-related-hotpatches-when-the-cve-is.patch -Patch0003: 0003-update-condition-under-which-hotpatches-can-be-applied.patch BuildRequires: python3-setuptools @@ -24,7 +21,7 @@ Cve management service, monitor machine vulnerabilities and provide fix function %package -n dnf-hotpatch-plugin Summary: dnf hotpatch plugin -Requires: python3-hawkey python3-dnf syscare >= 1.0.1 +Requires: python3-hawkey python3-dnf syscare >= 1.1.0 %description -n dnf-hotpatch-plugin dnf hotpatch plugin, it's about hotpatch query and fix @@ -63,11 +60,12 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/ %files %doc README.* %attr(0644,root,root) %{_sysconfdir}/aops/apollo.ini -%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.ini +%attr(0644,root,root) %{_sysconfdir}/aops/apollo_crontab.yml %attr(0755,root,root) %{_bindir}/aops-apollo %attr(0755,root,root) /usr/lib/systemd/system/aops-apollo.service %{python3_sitelib}/aops_apollo*.egg-info %{python3_sitelib}/apollo/* +%attr(0755, root, root) /opt/aops/database/* %files -n dnf-hotpatch-plugin %{python3_sitelib}/dnf-plugins/* 
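Review bot: In the `%files` hunk of aops-apollo.spec, the added `%attr(0755, root, root) /opt/aops/database/*` sets the execute bit on every file matched by the glob. The contents of that directory are not visible in this diff; if they are schema or data files rather than scripts, `%attr(0644,root,root) /opt/aops/database/*` is the least-privilege choice, with 0755 kept only for files that must be executed. The glob also leaves the directory itself unowned by the package, so its mode and owner depend on whatever created it; adding `%dir %attr(0755,root,root) /opt/aops/database` would pin that down. Separately, the renamed `apollo_crontab.yml` is listed without `%config(noreplace)`, so an upgrade would presumably overwrite local edits to it; worth confirming that is intended.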
@@ -79,6 +77,10 @@ cp -r hotpatch %{buildroot}/%{python3_sitelib}/dnf-plugins/ %{python3_sitelib}/aops_apollo_tool/* %changelog +* Tue Aug 29 2023 wangguangge - v1.3.0-1 +- update the dnf hot-updateinfo, dnf hotpatch and dnf hotupgrade command +- support the mixed management ability for coldpatches and hotpatches + * Fri Jun 30 2023 wenxin - v1.2.2-4 - Update the condition under which hot patches can be applied