[juju] Add checks for 3 CVEs #985
Conversation
Closes: canonical#984
Signed-off-by: Ponnuvel Palaniyappan <[email protected]>
handler: hotsos.core.plugins.juju.JujuBinaryInterface
juju:
  - min: '2.9.0'
    max: '2.9.50'
@xmkg with the logic you added can the min be omitted here i.e. so that we only define the 'max'?
Yes, you should be able to do:
juju:
  - lt: '2.9.50' # or `max:`
and vice versa.
- lt: '1:8.2p1-4ubuntu0.5'
I don't know exactly how `lt` is implemented. But it doesn't seem to work quite how I'd want. For example, if I use `-lt : 2.8.9` without `min`, it produces the warning when it shouldn't, as the CVE only existed from 2.9.0 onwards.
It's less than, '<'. So if the CVE is 2.9.0 and onwards and still unfixed, you can change it to greater-equal (`ge`) and add a less than 3 (assuming juju 3 is unaffected). If the affected version range is known, it's better to be explicit I think (i.e. the initial approach).
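To make the operator semantics discussed in the comments above concrete, here is an added example (not hotsos code, and not written by anyone in this thread) that models `min`/`max` as inclusive bounds and `lt`/`ge` as strict/inclusive bounds, then classifies the 2.8.9 case with and without a lower bound. The operator names `gt`/`le`, the rule sets, and the plain dotted-version parser are assumptions for this example; only the two version ranges that appear in full in the PR diff are used, and Debian-style strings such as `1:8.2p1-4ubuntu0.5` are out of scope.

```python
"""Version-range matcher for CVE scenario definitions.

Added example, not hotsos code: it models the `min`/`max` (inclusive) and
`lt`/`ge` (strict / inclusive) operators discussed in the thread so the
2.8.9 case can be checked offline. Only plain dotted versions are handled;
Debian-style strings such as '1:8.2p1-4ubuntu0.5' would need a dpkg-style
comparator and are deliberately out of scope.
"""
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: object) -> Version:
    """Turn '2.9' / '2.9.50' (or a bare YAML scalar) into a zero-padded 3-tuple."""
    parts = [int(p) for p in str(text).split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# Operator table (assumed names for this example): `min`, `max`, `lt`, `ge`
# are the ones mentioned in the thread; `gt` / `le` are added for symmetry.
_OPERATORS: Dict[str, Callable[[Version, Version], bool]] = {
    "min": lambda v, b: v >= b,   # inclusive lower bound
    "ge":  lambda v, b: v >= b,
    "gt":  lambda v, b: v > b,
    "max": lambda v, b: v <= b,   # inclusive upper bound
    "le":  lambda v, b: v <= b,
    "lt":  lambda v, b: v < b,    # strict upper bound
}


def matches(version: object, rule: Dict[str, object]) -> bool:
    """True when `version` satisfies every operator in one YAML list entry."""
    v = parse_version(version)
    for key, bound in rule.items():
        if key not in _OPERATORS:
            raise ValueError(f"unknown operator {key!r}")
        if not _OPERATORS[key](v, parse_version(bound)):
            return False
    return True


def first_match(version: object, rules: List[Dict[str, object]]) -> Optional[int]:
    """Index of the first list entry that matches, else None (handy when debugging)."""
    for i, rule in enumerate(rules):
        if matches(version, rule):
            return i
    return None


def affected(version: object, rules: List[Dict[str, object]]) -> bool:
    """A version is affected when any entry matches (entries OR together)."""
    return first_match(version, rules) is not None


# Constructed rule sets. The two ranges below are the ones visible in full in
# the scenario diff; the third range in that file is cut off and is omitted.
ORIGINAL_RULES = [
    {"min": "2.9.0", "max": "2.9.50"},
    {"min": "3.0.0", "max": "3.1.9"},
]

# The proposed replacement for the first entry: no lower bound any more.
LT_ONLY_RULES = [
    {"lt": "2.9.50"},
    {"min": "3.0.0", "max": "3.1.9"},
]

# The ge/lt shape suggested in the thread: closed at 2.9.0, open at 3.0.0.
# Note this is wider than ORIGINAL_RULES above 2.9.50.
GE_LT_RULES = [
    {"ge": "2.9.0", "lt": "3.0.0"},
    {"min": "3.0.0", "max": "3.1.9"},
]


def compare_rule_sets(version: object) -> Dict[str, bool]:
    """Show how each rule set classifies one version."""
    return {
        "min/max": affected(version, ORIGINAL_RULES),
        "lt only": affected(version, LT_ONLY_RULES),
        "ge/lt": affected(version, GE_LT_RULES),
    }


if __name__ == "__main__":
    for candidate in ("2.8.9", "2.9.0", "2.9.50", "2.9.51", "3.1.9"):
        print(candidate, compare_rule_sets(candidate))
```

Running the block shows the point made in the thread: with `lt: '2.9.50'` alone, 2.8.9 is classified as affected because nothing bounds the range from below, whereas the `min`/`max` pair (or an explicit `ge`/`lt` pair) leaves it unaffected.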
FWIW there is some documentation here, but now that I look at it I realise it could do with an update - https://hotsos.readthedocs.io/en/latest/contrib/language_ref/property_ref/requirement_types.html#apt
Sorry, I was a bit clumsy in my previous comment. I did not use `-lt: 2.8.9`; rather, I expected the following change on top of this PR to work:
diff --git a/hotsos/defs/scenarios/juju/juju_binary_cve.yaml b/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
index b6407063..d6624425 100644
--- a/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
+++ b/hotsos/defs/scenarios/juju/juju_binary_cve.yaml
@@ -20,8 +20,7 @@ checks:
binary:
handler: hotsos.core.plugins.juju.JujuBinaryInterface
juju:
- - min: '2.9.0'
- max: '2.9.50'
+ - lt: '2.9.50'
- min: '3.0.0'
max: '3.1.9'
- min: '3.2.0'
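Review bot: replacing `- min: '2.9.0'` / `max: '2.9.50'` with `- lt: '2.9.50'` drops the lower bound, so every release below 2.9.50, including the 2.8.x series the thread says is unaffected, now satisfies the first entry; keep the `min` (or pair `lt` with `ge: '2.9.0'`) so the range stays closed on both ends.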
diff --git a/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml b/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
index 5a388e83..e370effe 100644
--- a/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
+++ b/hotsos/defs/tests/scenarios/juju/juju_binary_cve.yaml
@@ -2,21 +2,5 @@ mock:
patch:
hotsos.core.plugins.juju.resources.JujuBinaryInterface.get_version:
kwargs:
- return_value: 3.4.1
+ return_value: 2.8.9
raised-bugs:
- https://www.cve.org/CVERecord?id=CVE-2024-3250: >-
- 3.4.1 is the running version of Juju on this host which is
- affected by a known security vulnerability. Please upgrade
- to the latest version to get the fix.
- https://www.cve.org/CVERecord?id=CVE-2024-7558: >-
- 3.4.1 is the running version of Juju on this host which is
- affected by a known security vulnerability. Please upgrade
- to the latest version to get the fix.
- https://www.cve.org/CVERecord?id=CVE-2024-8037: >-
- 3.4.1 is the running version of Juju on this host which is
- affected by a known security vulnerability. Please upgrade
- to the latest version to get the fix.
- https://www.cve.org/CVERecord?id=CVE-2024-8038: >-
- 3.4.1 is the running version of Juju on this host which is
- affected by a known security vulnerability. Please upgrade
- to the latest version to get the fix.
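Review bot: changing the mocked `get_version` return value from `3.4.1` to `2.8.9` and deleting all four `raised-bugs` entries turns this into a negative-only test, so the positive case (3.4.1 raising the four CVEs) loses its coverage; keep the existing scenario and add a second one for 2.8.9 that asserts nothing is raised. That second expectation also only holds while the `min: '2.9.0'` bound in the scenario definition is retained.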
But it doesn't since we needed both the min & max versions (between which the CVEs exist). So I guess no changes are needed here.
Closes: #984