-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api: adding current status field to plan api #3065
Conversation
Jira: This PR is not related to a Jira item. (The PR title does not include a SC-#### reference) GitHub Issues: No GitHub issues are fixed by this PR. (No commits have Fixes: #### references) Launchpad Bugs: No Launchpad bugs are fixed by this PR. (No commits have LP: #### references) Documentation: The changes in this PR do not require documentation changes. 👍 this comment to confirm that this is correct. |
3cdbae5
to
b3b03db
Compare
478f9c7
to
c59686d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a python style suggestion, but if you disagree, no worries at all
self.fix_steps[0].data.status == "system-not-affected" | ||
or self.fix_steps[0].data.status == "cve-already-fixed" | ||
or self.fix_steps[0].data.status == "cve-fixed-by-livepatch" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a style suggestion, but we can update this for a in
check:
self.fix_steps[0].data.status in ("system-not-affected", "cve-already-fixed", "cve-fixed-by-livepatch")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks better, updated!
243fff3
to
3189860
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's re-use the existing enum values for FixStatus
More importantly, I think we should expose the current state as it is rather than try to derive the current state from the plan and expected state after the fact (that is exactly what we said was too messy/hacky to recommend to users).
So in _generate_fix_plan
there is a check if count == 0:
. If that is true then we know the system is not affected, so if true it can do something like fix_plan.current_status = FixStatus.SYSTEM_NOT_AFFECTED
.
Then later, there is a if not binary_pkgs: if src_packages:
I think in that situation we'd want fix_plan.current_status = FixStatus.SYSTEM_NON_VULNERABLE
.
It looks like we're missing logic to determine if the fixed package is already installed but we haven't rebooted yet, so I don't think we'll be able to set fix_plan.current_status = FixStatus.SYSTEM_VULNERABLE_UNTIL_REBOOT
until we solve that - which might warrant it's own bug.
WDYT @lucasmoura ?
@orndorffgrant I agree, the current status would be more effective if not derived from the plan and can be set in the For the logic regarding |
238dc6c
to
ba401ac
Compare
Updated @orndorffgrant, let me know if this works? |
@orndorffgrant I thinks this is a good idea |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! Some nits
Since #3050 will depend on this new feature, it may need to be split into a PR that can go live immediately and a separate PR that will only be published with version 33
Also you'll need to add documentation for this API endpoint change
@@ -52,6 +52,7 @@ def __init__(self, value: int, msg: str): | |||
SYSTEM_NOT_AFFECTED = _Value(0, "not-affected") | |||
SYSTEM_STILL_VULNERABLE = _Value(1, "still-affected") | |||
SYSTEM_VULNERABLE_UNTIL_REBOOT = _Value(2, "affected-until-reboot") | |||
SYSTEM_VULNERABLE = _Value(3, "affected") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is this different from "still-affected"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rationale for having this as a different message was that if the user would like to see if their system is affected, a still-affected
status could be confusing compared to a simple binary - affected
/ not-affected
. Also, the still-affected
message is used to convey the expected_status where it makes sense since we provide with a reason as to why the fix/plan did not resolve the cve.
But I understand if having this only adds to complexity and can be substituted by the already existing still-affected message. What do you suggest @orndorffgrant ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point about user-facing messages, but this is an enum and not intended to be a user-facing message. If it is currently being used as a user-facing message then that is arguably a defect.
I see that perhaps "affected" would've been a better enum value when we defined these originally, but changing it now would break backwards compatibility.
ba401ac
to
fe1fbad
Compare
Updated @orndorffgrant, will also update the documentation and create a PR for the same |
@@ -395,10 +396,12 @@ def __init__( | |||
error: Optional[FixPlanError], | |||
additional_data: AdditionalData, | |||
description: Optional[str] = None, | |||
affected_packages: Optional[List[str]] = None | |||
affected_packages: Optional[List[str]] = None, | |||
current_status: Optional[str] = None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
current_status: Optional[str] = None, | |
current_status: Optional[str] = None |
This extra comma is a syntax error in Python 3.5 (see xenial build package CI failure)
56d8593
to
99cb30f
Compare
99cb30f
to
912a83b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One last nit then I think we're good
Weird, my comment from my last review didn't post... I'll find it |
@@ -942,6 +958,7 @@ def _generate_fix_plan( | |||
apt.update_esm_caches(cfg) | |||
esm_cache_updated = True | |||
except Exception as e: | |||
fix_plan.current_status = "error" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we don't need this anymore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed @orndorffgrant
912a83b
to
3929d28
Compare
Why is this needed?
This PR adds a field displaying the
current_status
of the cve to show if a system is currently affected by a cve/usn before the fix plan is executed.The field is returned as a part of the plan api.
Test Steps
Checklist
Does this PR require extra reviews?