Age | Commit message | Author |
|
|
Fixes:
* Support Django development head in version check
(e.g. '2.2.dev20181217100344')
* Remove the single quotes around the comments content
* Include Documentation/Export links for Guest users
* Allow 'ip:port/acme' to link to 'acme_hello'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Run 'bin/common/srtool_sanity_test.py -i' to get a
quick sanity test of the database content and the
running SRTool server instance.
Development helper tools are provided in 'bin/dev_tools'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Ideally, these are all centralised.
|
|
Support Django-2.2:
Move 'django.core.urlresolvers' to 'django.urls'
Disable 'register.assignment_tag' tags
Move settings 'MIDDLEWARE_CLASSES' to 'MIDDLEWARE'
Move urlpatterns 'include' to 'path'
Move 'regex.pattern' to 'pattern.regex.pattern'
Maintain Django-1.11 support
General Fixes:
Fix commit for notify_categories
Add more error halt checks during lsupdates
Add explicit 'on_delete=models.CASCADE' for all ForeignKeys
Fix 'get_defect_tag' processing
[YOCTO #13091]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Create the sample "bin/acme_sample" organization data source,
to assist companies in adopting and customizing SRTool.
2. Add error detection and halting to the startup datasource scripts.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Changes:
Repartition the data sources
  Reconfigure the data sources into self-contained directories under the "bin" directory.
  Implement dynamic data source discovery and import
  Remove all hard coded data source data (e.g. fixtures, data, CVE lookups)
  Add license files to all data sources
Django User model
  Add "users" Django application dir
  Login page
  Self create user account page
  Password change page
  User access and delete management
CVE
  Name sorting by hidden 'name_sort' field (CVE-nnnn-0nnnnnn)
CVE Triage
  Auto import reserved CVEs
  Add MITRE CVE records where NIST missing
  Add data source count to triage page
  Easy checkbox toggle by clicking any field
  Triage any CVE status category (not just new)
  Assign to any CVE status category
Object create/delete
  Create/Delete Vulnerabilities
  Create/Delete Investigations from Vulnerability page
Add "Historical" CVE status
  When bootstrapping system, all CVEs older than 60 days preset to "Historical"
  Add CVEs within 60 days preset to "New"
  Can be overridden by defect and sustaining status imports
  Pre-add Debian data for "New" CVEs
Abstraction
  Add generic Product mappings to defect system ("defect_tag": defect prefix)
  Add generic Product mappings to product system ("product_tag": product reference, related)
Manage functions via "srt" script
  For example add superuser
Normalize Vulnerability to Investigation mapping
  Replace orm_vulnerabilityproduct with orm_vulnerabilitytoinvestigation
General
  Enable the 'srtool-requirements.txt' Django test
  Speed the CVE scoring by pre-fetching the datasources
  Progress display cleanup
  Move and update srtool_defect prototype to 'bin/yp'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Extend the NIST CPE scanning to also accept "cpe_match" as a table
for included CPEs (CVEs >= 2018).
[YOCTO #12996]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the NIST update check to skip the UTC offset. Add the exec to
MITRE update to create data cache dir, update report.py for cve
data source schema changes.
[YOCTO #12996]
[YOCTO #12997]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the change list alert for non-vulnerable CVE triage. Fix
the mistaken error message from srtool_common.py.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the ability to edit the names for local
CVEs. This can specifically be used to create
placeholders for reserved CVEs (which are not
included in the NIST data) and then download the
data from the alternate CVE sources.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Summary:
* CVE management enhancements
* Lookup Mitre, Red Hat, Debian
* Local CVEs
* Edit CVEs
* CVE triage: create defects and notifications
* Packages
* Table, packages to C/V/I/D
* Filter model update
* Triage filtering script
* Notifications
* Upstream CVE changes
* Upstream defect changes
* Notices and reminders
* Creation
* Emails
* Productization
* Move DataSource to Init/Update/Lookup model
* Add defect details to Management home page
* Add author to notification records
* Move fixture data and SrtSettings to JSON files
* database column mappings for scripts generated directly from database
* srtool_utils.py: add [backup|restore]_cve_packages
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Improve the CVE detail caching
* Fix the "_FALLBACK" settings management
* Fix the YP "samples" fixture file
* Rename "srtool_cve.py" as "srtool_nist.cy"
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Add incremental NIST scans and import to CVE database
* Add modified NIST scans and import to CVE database
* Moved CVE details out of SRTool database to reduce size
* Add CVE details lookup in cached CVE upstream files
* Added edit support for Vulnerabilities and Investigations
* Comments
* Attachments and downloads
* Product list
* History audit trail
* Add Vulnerability and Investigation creation from CVE triage
* Add user id to session variables
* Add defect import placeholder script
* Modularize the fixture files for common versus site-specific setup
Signed-off-by: Moayer, Puya <Puya.Moayer@windriver.com>
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
executable
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix typo in shutdown code to kill threads when "kill -0" is not enough.
Use the '--noreload' flag for 'runserver' so that there are no extra
and unaccounted threads.
[YOCTO #12555]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a 'nobuild' option for starting Toaster without the project
and hosted builds support. This allows a Toaster host to provide
local build statistics without opening the host to external users
building projects.
[YOCTO #12315]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Toaster needs the ability to allow custom extensions to execute when
Toaster is started and stopped. Toaster will look for a custom
extension script in the fixtures directory and execute any applicable
hooks.
[YOCTO #11938]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We were bridging the gap between the server and UI here by calling a
bb.siggen.find_siginfo, a function defined and set on that module from
the metadata. This worked from the UI side before but since the recent
server changes is no longer accessible. Create a new command so this can
execute on the server side and return the result by way of a new event.
(We're still running compare_sigfiles() on the signature generator but
that isn't quite the same thing and does still work.)
Fixes [YOCTO #11844].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Python style recommends underscore based naming rather than camelCase,
and thus the former has been used for most of tinfoil's functions. Add
an underscored version of parseRecipes() for consistency and change the
one place we call it to use the new version.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There are four main API deprecations in Django-1.10:
(a) String view arguments to url() must be replaced by
the explicit class reference
(b) New TEMPLATES structure in settings.py consolidates
TEMPLATE_DIRS, TEMPLATE_CONTEXT_PROCESSORS,
TEMPLATE_LOADERS, TEMPLATE_STRING_IF_INVALID, and
TEMPLATE_DEBUG
(c) patterns() wrapper in url() is removed, with
urlpatterns now a simple list
(d) NoArgsCommand in commands() must be replaced by
BaseCommand, and handle_noargs() changed to
handle()
Also, the Django version checker must be updated to accept
two digit sub-version numbers (e.g. "1.8" < "1.10")
[YOCTO #11684]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Tests for the bitbake event module were created in bb.tests.event.
This change includes them in the default test list in the
bitbake-selftest script.
[YOCTO #10368]
Signed-off-by: Jair Gonzalez <jair.de.jesus.gonzalez.plascencia@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When the 'noweb' option for Toaster is used, perform the database
check/create if the Toaster database does not yet exist.
This will allow Toaster to not fail if the first use is with 'noweb'.
This avoids potentially clashing database updates if there are
multiple overlapping 'noweb' sessions (for example with a CI system).
If the user wishes to update the database, they can either use the
explicit "lsupdate" command or (re)start a web hosted Toaster session
(which is gated by the webserver's PID).
[YOCTO #11378]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In the original implementation, "bitbake-layers add-layers <layer>"
succeeded without error checking. This would then introduce
failures in recipe parsing only when the "bitbake" command was executed.
Adding a meta layer without its dependency layer(s) should fail
and exit the process gracefully.
Added the extra argument "-F" to force adding a layer without checking
layer dependencies.
[YOCTO #10913]
Signed-off-by: Phoong Stanley Cheong Kwan <stanley.cheong.kwan.phoong@intel.com>
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This script will be used by the git fetcher to create shallow mirror tarballs.
usage: git-make-shallow [-h] [--ref REF] [--shrink] REVISION [REVISION ...]
Remove the history of the specified revisions, then optionally filter the
available refs to those specified.
positional arguments:
  REVISION              a git revision/commit
optional arguments:
  -h, --help            show this help message and exit
  --ref REF, -r REF     remove all but the specified refs (cumulative)
  --shrink, -s          shrink the git repository by repacking and pruning
While git does provide the ability to clone at a specific depth, and fetch all
remote refs at a particular depth, the depth is across all branches/tags, and
doesn't provide the flexibility we need, hence this script.
Refs (branches+tags) can be filtered, as the process of history removal scales
up rapidly with the number of refs. Even the existing `git fetch --depth=` is
extremely slow on an upstream kernel repository with all the branches and tags
kept.
This uses the same underlying mechanism to implement the history removal which
git itself uses (.git/shallow), and the results, when configured similarly, are
in line with the results git itself produces with `fetch --depth`.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixed:
bitbake-layers show-recipes | less
press "q" to exit
There will be a Broken pipe error output as follows:
"BrokenPipeError: [Errno 32] Broken pipe"
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In the move over to argparse we've made the two signature file arguments
optional and thus if -t is not in use we need to explicitly check if at
least one signature file has been specified - and if not, show an error
and the command-line help.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If the output is a TTY, add colour to the output in order to make it
easier to read. At the moment this is fairly basic, just add colour to
the "titles" of each change and to the diff output.
I tried to introduce this without changing the code too much - rather
than moving everything over to the new python formatting style, I've
introduced a color_format() function which takes care of the colour
formatting, either accepting additional format arguments or
alternatively leaving the caller to use the old-style formatting (%) to
insert values.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
With the -t option which recurses to find the ultimate cause of a
signature change, it was hardcoded to take the last two executions of
the specified task. On the other hand, if you have two specific task
hashes (say from bitbake output, or some other tool) then you'll want to
pick those, so provide an option to specify those as well. (Note, the
new -s option needs to be specified alongside -t rather than instead of
it.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Argparse is a bit easier to deal with than optparse, and since we're
about to add some options, migrate this script over.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When dumping changes to signatures e.g. output of bitbake -s printdiff,
if for example a function has changed, it's much more readable to see a
unified diff of the changes rather than just printing the old function
followed by the new function, so use difflib to do that.
Note: I elected to keep to one item in the returned list per change,
rather than one line per line of output, so that the caller can still
look at changes individually if needed. Thus I've added some handling to
bitbake-diffsigs to split the change into lines so that each line is
displayed indented.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This logic doesn't work in practice, certainly not with current versions
where sigdata files are preserved in the stamps directory and therefore
there will often be multiple sigdata files - you can now easily get
files for the same signature from sstate and the stamps directory with the
result that bitbake-diffsigs reports nothing has changed. Instead, let's
change the find_siginfo function in OE-Core to simply not return
duplicates so we don't have to filter them out here.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If just one of the two signatures we want to compare isn't available,
report that one rather than misleadingly claiming both are missing.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We weren't picking the right files to compare here - according to the
order in which the list is sorted (by mtime), we need to be taking the
last two items and not the first two.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|