
[juju] Add checks for 3 CVEs #985

Open. pponnuvel wants to merge 1 commit into main.

Conversation

pponnuvel (Member)

Closes: #984

Closes: canonical#984

Signed-off-by: Ponnuvel Palaniyappan <[email protected]>
Review comment on:

    handler: hotsos.core.plugins.juju.JujuBinaryInterface
    juju:
      - min: '2.9.0'
        max: '2.9.50'
Member

@xmkg, with the logic you added, can the min be omitted here, i.e. so that we only define the 'max'?

xmkg (Contributor), Oct 18, 2024

Yes, you should be able to do:

      juju:
        - lt: '2.9.50' # or `max:`

and vice versa.

Review comment on:

    - lt: '1:8.2p1-4ubuntu0.5'

pponnuvel (Member, Author)

I don't know exactly how `lt` is implemented, but it doesn't seem to work quite how I'd want.

For example, if I use

    -lt : 2.8.9

without min, it produces the warning when it shouldn't as the CVE only existed from 2.9.0 onwards.

xmkg (Contributor), Oct 18, 2024

It's less than ('<'). So if the CVE is 2.9.0 and onwards and still unfixed, you can change it to greater-equal (ge) and add a less-than 3 (assuming Juju 3 is unaffected). If the affected version range is known, it's better to be explicit, I think (i.e. the initial approach).

Member

FWIW there is some documentation here, but now that I look at it I realise it could do with an update: https://hotsos.readthedocs.io/en/latest/contrib/language_ref/property_ref/requirement_types.html#apt

pponnuvel (Member, Author)

Sorry, I was a bit clumsy in my previous comment. I did not use `-lt: 2.8.9`; rather, I expected the following change on top of this PR to work:

diff --git a/hotsos/defs/scenarios/juju/juju_binary_cve.yaml b/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
index b6407063..d6624425 100644
--- a/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
+++ b/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
@@ -20,8 +20,7 @@ checks:
     binary:
       handler: hotsos.core.plugins.juju.JujuBinaryInterface
       juju:
-        - min: '2.9.0'
-          max: '2.9.50'
+        - lt: '2.9.50'
         - min: '3.0.0'
           max: '3.1.9'
         - min: '3.2.0'
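Review bot: Replacing `min: '2.9.0'` / `max: '2.9.50'` with `lt: '2.9.50'` alone drops the lower bound, so every release below 2.9.50 (including the 2.8.x series that the thread says is unaffected) now matches and the CVE warning fires where it should not. Keep the explicit lower bound, either as the original `min`/`max` pair or as `ge: '2.9.0'` together with `lt: '2.9.50'`. Note also that `max` and `lt` disagree on 2.9.50 itself (if `max` is inclusive, `lt` excludes it), so the upper edge of the range changes as well.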
diff --git a/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml b/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
index 5a388e83..e370effe 100644
--- a/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
+++ b/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
@@ -2,21 +2,5 @@ mock:
   patch:
     hotsos.core.plugins.juju.resources.JujuBinaryInterface.get_version:
       kwargs:
-        return_value: 3.4.1
+        return_value: 2.8.9
 raised-bugs:
-  https://www.cve.org/CVERecord?id=CVE-2024-3250: >-
-    3.4.1 is the running version of Juju on this host which is
-    affected by a known security vulnerability. Please upgrade
-    to the latest version to get the fix.
-  https://www.cve.org/CVERecord?id=CVE-2024-7558: >-
-    3.4.1 is the running version of Juju on this host which is
-    affected by a known security vulnerability. Please upgrade
-    to the latest version to get the fix.
-  https://www.cve.org/CVERecord?id=CVE-2024-8037: >-
-    3.4.1 is the running version of Juju on this host which is
-    affected by a known security vulnerability. Please upgrade
-    to the latest version to get the fix.
-  https://www.cve.org/CVERecord?id=CVE-2024-8038: >-
-    3.4.1 is the running version of Juju on this host which is
-    affected by a known security vulnerability. Please upgrade
-    to the latest version to get the fix.
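Review bot: The `raised-bugs` block is deleted rather than replaced, which removes the only expectation that the four CVE records are raised for an affected version (3.4.1) and leaves 2.8.9 as a negative case with no positive coverage. Keep the 3.4.1 expectation and add the 2.8.9 case alongside it (expecting no raised bugs), so the scenario is tested on both sides of the 2.9.0 boundary. The removed block lists four CVE records while the PR title says three; if one record predates this PR, it is worth saying so in the description.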

But it doesn't since we needed both the min & max versions (between which the CVEs exist). So I guess no changes are needed here.
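Added example, not hotsos's own code: a constructed Python model of the `min`/`max`/`lt`/`ge` range semantics discussed in this thread, showing why `lt: '2.9.50'` on its own flags 2.8.9 while the `min`/`max` pair (or `ge` plus `lt`) does not. It assumes that `min`/`max` are inclusive bounds, that all operators inside one list entry are ANDed and the entries are ORed, and it handles only dotted numeric versions like Juju's; Debian epoch/revision strings such as `1:8.2p1-4ubuntu0.5` are out of scope. The range lists are the two complete entries visible in the diff above (the third entry is truncated there and is omitted).

```python
"""Constructed model of hotsos-style version range requirements.

This is NOT hotsos's own implementation. It models the semantics described in
the PR thread: 'min'/'max' are inclusive bounds (assumption), 'lt'/'le'/'gt'/'ge'
are the usual strict/non-strict comparators, every operator inside one list
entry must hold, and the check fires if any entry in the list matches.
Only plain dotted numeric versions (e.g. Juju's 2.9.50) are handled.
"""
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]
Requirement = Dict[str, str]  # e.g. {"min": "2.9.0", "max": "2.9.50"}


def parse_version(text: str) -> Version:
    """'2.9.50' -> (2, 9, 50). Raises ValueError on non-numeric components."""
    return tuple(int(part) for part in str(text).strip().split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare, padding the shorter tuple with zeros so 2.9 == 2.9.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# Operator name -> predicate on compare(have, want); assumed semantics, see docstring.
OPERATORS: Dict[str, Callable[[int], bool]] = {
    "min": lambda c: c >= 0,  # inclusive lower bound (assumption)
    "max": lambda c: c <= 0,  # inclusive upper bound (assumption)
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "le": lambda c: c <= 0,
    "lt": lambda c: c < 0,    # strict: 2.9.50 itself does NOT match lt: '2.9.50'
    "eq": lambda c: c == 0,
    "ne": lambda c: c != 0,
}


def entry_matches(version: str, entry: Requirement) -> bool:
    """All operators in one list entry are ANDed together."""
    have = parse_version(version)
    for op, want in entry.items():
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        if not OPERATORS[op](compare(have, parse_version(want))):
            return False
    return True


def matching_entries(version: str, ranges: List[Requirement]) -> List[Requirement]:
    """Entries the running version satisfies (entries are ORed: any one fires the check)."""
    return [entry for entry in ranges if entry_matches(version, entry)]


def is_flagged(version: str, ranges: List[Requirement]) -> bool:
    return bool(matching_entries(version, ranges))


# The two complete entries from the scenario in the PR diff (constructed copy;
# the third entry is truncated in the diff, so it is omitted here).
EXPLICIT_RANGES: List[Requirement] = [
    {"min": "2.9.0", "max": "2.9.50"},
    {"min": "3.0.0", "max": "3.1.9"},
]

# The proposed rewrite from the diff: the first entry keeps only 'lt'.
LT_ONLY_RANGES: List[Requirement] = [
    {"lt": "2.9.50"},
    {"min": "3.0.0", "max": "3.1.9"},
]

# The alternative suggested in the thread: an explicit lower bound with 'ge' plus 'lt'.
GE_LT_RANGES: List[Requirement] = [
    {"ge": "2.9.0", "lt": "2.9.50"},
    {"min": "3.0.0", "max": "3.1.9"},
]


def compare_forms(version: str) -> Dict[str, bool]:
    """Which of the three spellings of the range would flag this version."""
    return {
        "explicit": is_flagged(version, EXPLICIT_RANGES),
        "lt_only": is_flagged(version, LT_ONLY_RANGES),
        "ge_lt": is_flagged(version, GE_LT_RANGES),
    }


if __name__ == "__main__":
    # 2.8.9 is the mocked return_value in the PR's test change; it predates the affected range.
    for v in ("2.8.9", "2.9.0", "2.9.50", "2.10.0", "3.1.9"):
        print(v, compare_forms(v))
```

Running it shows 2.8.9 flagged only by the `lt`-only form, which is the unexpected warning the author saw; 2.9.50 shows the boundary difference between an inclusive `max` and a strict `lt`.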

Successfully merging this pull request may close these issues.

CVE warnings for Juju