from django.db import models
import osidb
from apps.exploits.constants import (
INCLUSION_LIST_PRODUCTS,
NOT_INCLUSION_LIST_COMPONENTS,
)
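class AffectExploitExtensionMixin(models.Model):
    """
    Extends the Affect model with behavior needed only by exploit functionality and reports.

    This is an abstract model (see ``Meta``). Its properties read ``trackers``,
    ``resolution``, ``impact``, ``flaw``, ``ps_module`` and ``ps_component`` from the
    instance they are evaluated on.
    """

    @property
    def tracker_resolution_combined(self):
        """
        Return a sorted list of the distinct resolution values of this affect's trackers.

        The main purpose is to provide human-readable information about DELEGATED affects,
        because their resolution is not clear.

        It is used for an exploit query answering the following question:
        What are the flaw-affect combinations with an exploit which are not fixed?

        Whether an affect is fixed is harder to answer for affects with resolution DELEGATED.
        Human review is usually required, and this information supports that review.
        """
        distinct_resolutions = set()
        for tracker in self.trackers.all():
            value = tracker.resolution
            # An empty or missing resolution is reported as the string "None" so that it
            # stays visible to the reviewer instead of rendering as a blank.
            if value == "" or value is None:
                value = "None"
            distinct_resolutions.add(value)
        return sorted(distinct_resolutions)

    @property
    def resolution_expanded(self):
        """
        Return the affect resolution, with DELEGATED expanded by the tracker resolutions.

        For exploit reports, a DELEGATED resolution is rendered as
        ``DELEGATED-<res1>/<res2>/...`` using ``tracker_resolution_combined``, or as
        ``DELEGATED-None`` when the affect has no trackers. Any other resolution is
        returned unchanged.
        """
        delegated = osidb.models.Affect.AffectResolution.DELEGATED
        if self.resolution != delegated:
            return self.resolution

        # Read the property once: every access iterates self.trackers.all() again, so
        # reading it for the check and again for the join repeats that work per affect.
        tracker_resolutions = self.tracker_resolution_combined
        if not tracker_resolutions:
            return delegated + "-None"
        return delegated + "-" + "/".join(tracker_resolutions)

    @property
    def impact_expanded(self):
        """
        Return the affect impact if it is set, otherwise the impact of the associated flaw.

        Used for exploit reports, where an affect without its own impact is reported with
        the flaw's impact.
        """
        # TODO: Theoretically "NONE" value should not be used anymore, but for transitional period
        #       it seems that both values are possible (maybe caused by broken migration).
        #       Remove when not needed anymore.
        if self.impact in (osidb.models.Affect.AffectImpact.NOVALUE, "NONE"):
            return self.flaw.impact
        return self.impact

    @property
    def should_be_excluded(self):
        """
        Return True when this affect matches the static exclusion lists.

        Any long-term products should have components not on the inclusion list removed
        from any exploit related reports.

        Unfortunately, using inclusion list https://access.redhat.com/node/4082531 is not
        feasible, as source RPM / component names are not noted and not trivial to find
        automatically. For that reason, static lists of products and components to exclude
        were created and are extended as new cases are found.
        """
        # Both conditions must hold: the product is one that uses an inclusion list AND the
        # component is known not to be on it.
        # NOTE(review): a True result presumably drops the affect from exploit reports, so an
        # overly broad entry in either list can hide an exploited, unfixed affect - review
        # changes to apps.exploits.constants with that in mind.
        return (
            self.ps_module in INCLUSION_LIST_PRODUCTS
            and self.ps_component in NOT_INCLUSION_LIST_COMPONENTS
        )

    class Meta:
        abstract = True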