Age | Commit message (Collapse) | Author |
|
srtool: cumulative deployment features and fixes
High level new features:
* Publishing support to external/public databases
* Ability to label products as "active", "inactive", "under development"
Inactive (EOL) products appear but
* Do not affect status propagation
* Do not auto-create defects
Development product status is not exported to pubic database
* Extend NIST download range to 2002..2019
* Added MITRE downloads to provide RESERVED tracking
* Extended audit history tracking and meta-data
* Delete CVE records
* Ability to do "OR" searches (default is "AND")
Example: "CVE-2019-20095 OR CVE-2019-20096 OR CVE-2019-19977"
* Automated defect creation (Jira)
If selected, creates customer defect for selected and active products
Reuse existing defect if present for given product
* Many small sorting, readability, edge case fixes
Backups:
* Add meta-data stamp file for each backup
* Save daily backups with day name instead of day number
* Preserve file dates when making copies to backup
* Add list command
Automated Updates:
* Fix report format
* Add trial run test
Utilities:
* Add 13 new database fix up procedures
Some are one-shot historical fixes, some are learned validation checks
Database Schema:
* Add "SRTool" class to wrap shared enumerations (e.g. Priority)
* Add "Update" class to tag and track audit trail objects
* Change Priority naming to match CVE model instead of JIRA
* Add srt_created/srt_updated to CVE/Vul/Inv/Notify for improved updating and auditing
* Add to Defect the SRT versions of Status, Priority, Outcome
To distinguish these from the customer's defect system's values
Common Tools:
* Fix new CVE auto-scoring to skip CVE's already scored (though still NEW)
* Add automated propagation of Defects/Investigations status to parent Vulnerabilities
See "srtool_common.py" for rule details
CVEs:
* Add MITRE as an automatic upstream source
This is to specifically capture all of the "RESERVED" CVE enumerations which
will not appear in the MIST databases, and have the CVE records in place for
internal investigations and transitions to "public" status.
* Spell out the command arguments in the NIST data source files for greater legibility
* Change Priority naming to match CVE instead of JIRA
* Add parallel status states for "inactive" products
This specifically blocks state propagation from inactive objects to active objects
NIST management script:
* Refactor file for greater clarity
* Reorder methods to reflect workflow order
* Fully spell out names of objects
* Remove temporary holding class "CVE" in favor of dictionary objects
* Debugging enhancements
* Incremental update commands for stepped debugging
For example, ability to fetch/update specific CVE(s)
* Additional debugging flags
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Track the current running update task in ".srtupdate.task" to help
track background update activity and overhead. Make calls to the
update start/stop absolute paths to help track active SRTool
tasks, especially between multiple servers.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Update the master app tool to create new master apps.
Also, update the master app change feature to remove the previous
apps data source entries. Note that the existing users and products
are left untouched (to keep the database records working); such
such obsolete content must be removed manually or the data base
restarted clean.
Creation example, using 'yoyo' for the "Yoyodyne Corporation":
$ ./stop.sh
$ ./master_app create yoyo
$ ./start.sh
Switch bask to Yocto Project example:
$ ./stop.sh
$ ./master_app yp
$ ./start.sh
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Various updates and fixes:
* Use the new SRT_EMAIL_* variable names
* Fix hardcoded value for 'from' address
* Add additional error handling
* Allow the email settings to be defined in SrtSetting values, and provide
example in the ACME datasource file
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Separate the environment variables of the username and password
for the defect and email systems into separate values, in case they
need separate credentials.
Also, fix a Wind River-ism in the Jira template to reflect that the
product key is not necessarily also defect name prefix.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Complete the support for backgroup data source updates:
* Add cron-start,cron-stop to srtool_update
* Have cron update run as a user space script to avoid sudo
* Hook cron-start,cron-stop into srt start,stop
* Add list command to show update sources
* Have force command propagate to update script calls, and
add force option to all source scripts
* Add 'srt manage update ...' for access to the update functions
* Add flag SRT_SKIP_AUTOUPDATE and srt option noautoupdate to
disable the automatic update app for development assistance
Related Fixes:
* Set the schema generator to always update on startup (13138)
* Fix CVE 'recommend' default to the integer zero (13139)
with auto-fix at startup for existing databases
[YOCTO #13131]
[YOCTO #13138]
[YOCTO #13139]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add a devtool helper script 'suport.sh' to help start the super user
setup call. Add 'srt_err.log' to 'tail.sh'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Transition the datasource scanning from 'datasource_org' to
the new master app environment variable, so that it all works
off of one key.
Also, add a sample logo for ACME, plus fix datasource trace details.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The SRTool allows users to substitute an alternate master application
instead of the default "yp" in order to customize their instance to
their organization.
This is done by:
(a) Creating a datasource directory under bin
(b) Defining a "datasource.json" file
(c) Defining 'export SRT_MAIN_APP="<app>"' in "srtool_env.sh"
This environment files are scanned by 'bin/srt', and if such an
alternate master app is found it pre-empts the default 'yp'.
This value is set via the environment because "lib/srtmain/settings.py"
is the file that sets the app (and this the URL) ordering, and it is
processed before any database is attached.
To disable the alternate main app, simply rename its "datasource.json"
file and it will be ignored for the next start.
The sample alternate app "acme" is provided to demonstrate this facility.
Additionally, a development tool 'bin/dev_tools/master_app.sh' has been
added to help switch between master apps, to aid testing.
$ ./stop.sh
$ ./master_app.sh acme
$ ./start.sh
... test ...
$ ./stop.sh
$ ./master_app.sh yp
$ ./start.sh
Other included fixes:
* Fix the ACME JSON files formating
* Remove ACME "_sample" from all but "datasource.json_sample"
* Fix tabs to spaces in "srt"
* Add global contect values to views::managedcontextprocessor so
that other app templates can share them
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Run 'bin/common/srtool_sanity_test.py -i' to get a
quick sanity test of the database content and the
running SRTool server instance.
Development helper tools are provided in 'bin/dev_tools'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|