api: adding current status field to plan api #3065
Conversation
|
Jira: This PR is not related to a Jira item. (The PR title does not include a SC-#### reference) GitHub Issues: No GitHub issues are fixed by this PR. (No commits have Fixes: #### references) Launchpad Bugs: No Launchpad bugs are fixed by this PR. (No commits have LP: #### references) Documentation: The changes in this PR do not require documentation changes. 👍 this comment to confirm that this is correct. |
dheyay
force-pushed
the
cve-affected-status
branch
from
3cdbae5
to
b3b03db
Compare
dheyay
changed the title
dheyay
force-pushed
the
cve-affected-status
branch
7 times, most recently
from
478f9c7
to
c59686d
Compare
| self.fix_steps[0].data.status == "system-not-affected" | ||
| or self.fix_steps[0].data.status == "cve-already-fixed" | ||
| or self.fix_steps[0].data.status == "cve-fixed-by-livepatch" |
There was a problem hiding this comment.
just a style suggestion, but we can update this for a in check:
self.fix_steps[0].data.status in ("system-not-affected", "cve-already-fixed", "cve-fixed-by-livepatch")
There was a problem hiding this comment.
Looks better, updated!
dheyay
force-pushed
the
cve-affected-status
branch
3 times, most recently
from
243fff3
to
3189860
Compare
There was a problem hiding this comment.
Let's re-use the existing enum values for FixStatus
More importantly, I think we should expose the current state as it is rather than try to derive the current state from the plan and expected state after the fact (that is exactly what we said was too messy/hacky to recommend to users).
So in _generate_fix_plan there is a check if count == 0:. If that is true then we know the system is not affected, so if true it can do something like fix_plan.current_status = FixStatus.SYSTEM_NOT_AFFECTED.
Then later, there is a if not binary_pkgs: if src_packages: I think in that situation we'd want fix_plan.current_status = FixStatus.SYSTEM_NON_VULNERABLE.
It looks like we're missing logic to determine if the fixed package is already installed but we haven't rebooted yet, so I don't think we'll be able to set fix_plan.current_status = FixStatus.SYSTEM_VULNERABLE_UNTIL_REBOOT until we solve that - which might warrant it's own bug.
WDYT @lucasmoura ?
|
@orndorffgrant I agree, the current status would be more effective if not derived from the plan and can be set in the For the logic regarding |
dheyay
force-pushed
the
cve-affected-status
branch
6 times, most recently
from
238dc6c
to
ba401ac
Compare
|
Updated @orndorffgrant, let me know if this works? |
|
@orndorffgrant I thinks this is a good idea |
There was a problem hiding this comment.
Looking good! Some nits
Since #3050 will depend on this new feature, it may need to be split into a PR that can go live immediately and a separate PR that will only be published with version 33
Also you'll need to add documentation for this API endpoint change
| @@ -52,6 +52,7 @@ def __init__(self, value: int, msg: str): | |||
| SYSTEM_NOT_AFFECTED = _Value(0, "not-affected") | |||
| SYSTEM_STILL_VULNERABLE = _Value(1, "still-affected") | |||
| SYSTEM_VULNERABLE_UNTIL_REBOOT = _Value(2, "affected-until-reboot") | |||
| SYSTEM_VULNERABLE = _Value(3, "affected") | |||
There was a problem hiding this comment.
How is this different from "still-affected"?
There was a problem hiding this comment.
The rationale for having this as a different message was that if the user would like to see if their system is affected, a still-affected status could be confusing compared to a simple binary - affected / not-affected. Also, the still-affected message is used to convey the expected_status where it makes sense since we provide with a reason as to why the fix/plan did not resolve the cve.
But I understand if having this only adds to complexity and can be substituted by the already existing still-affected message. What do you suggest @orndorffgrant ?
There was a problem hiding this comment.
I see your point about user-facing messages, but this is an enum and not intended to be a user-facing message. If it is currently being used as a user-facing message then that is arguably a defect.
I see that perhaps "affected" would've been a better enum value when we defined these originally, but changing it now would break backwards compatibility.
dheyay
force-pushed
the
cve-affected-status
branch
from
ba401ac
to
fe1fbad
Compare
|
Updated @orndorffgrant, will also update the documentation and create a PR for the same |
| @@ -395,10 +396,12 @@ def __init__( | |||
| error: Optional[FixPlanError], | |||
| additional_data: AdditionalData, | |||
| description: Optional[str] = None, | |||
| affected_packages: Optional[List[str]] = None | |||
| affected_packages: Optional[List[str]] = None, | |||
| current_status: Optional[str] = None, | |||
There was a problem hiding this comment.
| current_status: Optional[str] = None, | |
| current_status: Optional[str] = None |
This extra comma is a syntax error in Python 3.5 (see xenial build package CI failure)
dheyay
force-pushed
the
cve-affected-status
branch
2 times, most recently
from
56d8593
to
99cb30f
Compare
dheyay
force-pushed
the
cve-affected-status
branch
from
99cb30f
to
912a83b
Compare
|
Weird, my comment from my last review didn't post... I'll find it |
| @@ -942,6 +958,7 @@ def _generate_fix_plan( | |||
| apt.update_esm_caches(cfg) | |||
| esm_cache_updated = True | |||
| except Exception as e: | |||
| fix_plan.current_status = "error" | |||
There was a problem hiding this comment.
I think we don't need this anymore?
There was a problem hiding this comment.
Fixed @orndorffgrant
dheyay
force-pushed
the
cve-affected-status
branch
from
912a83b
to
3929d28
Compare
Why is this needed?
This PR adds a field displaying the
current_statusof the cve to show if a system is currently affected by a cve/usn before the fix plan is executed.The field is returned as a part of the plan api.
Test Steps
Checklist
Does this PR require extra reviews?