tracker_service.py 77.6 KB
Newer Older
1 2 3 4 5 6 7 8
#!/usr/bin/python

import sys
sys.path.insert(0,'../lib/python')
import bugs
import re
import security_db
from web_support import *
9
import json
10
from datetime import datetime
11

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
if __name__ == "__main__":
    if len(sys.argv) not in (3, 5):
        print "usage: python tracker_service.py SOCKET-PATH DATABASE-PATH"
        print "       python tracker_service.py URL HOST PORT DATABASE-PATH"
        sys.exit(1)
    if len(sys.argv) == 3:
        socket_name = sys.argv[1]
        db_name = sys.argv[2]
        webservice_base_class = WebService
    else:
        server_base_url = sys.argv[1]
        server_address = sys.argv[2]
        server_port = int(sys.argv[3])
        socket_name = (server_base_url, server_address, server_port)
        db_name = sys.argv[4]
        webservice_base_class = WebServiceHTTP
28 29 30
else:
    webservice_base_class = WebServiceHTTP

31 32 33 34 35 36 37 38 39 40 41 42 43 44
def clean_dict(d):
    """ taken from http://w3facility.org/question/exclude-emptynull-values-from-json-serialization/
    Delete keys with the value ``None`` in a dictionary, recursively.

    This alters the input so you may wish to ``copy`` the dict first.
    """
    # d.iteritems isn't used as you can't del or the iterator breaks.
    for key, value in d.items():
        if value is None:
            del d[key]
        elif isinstance(value, dict):
            clean_dict(value)
    return d  # For convenience

45
class BugFilter:
46 47 48 49
    default_action_list = [('high_urgency', 'high', 'urgency'),
                           ('medium_urgency', 'medium', 'urgency'),
                           ('low_urgency', 'low', 'urgency'),
                           ('unimportant_urgency', 'unimportant', 'urgency'),
50
                           ('unassigned_urgency', 'not yet assigned', 'urgency'),
51
                           ('endoflife_urgency', 'end-of-life', 'urgency'),
52 53 54 55 56

                           ('remote', 'hide remote scope', 'scope'),
                           ('local', 'hide local scope', 'scope'),
                           ('unclear', 'hide unclear scope', 'scope'),

57
                           ('undetermined_issues', 'include issues to be checked (shown in purple)', 'extra'),]
58

59
    def __init__(self, params, nonodsa=False, noignored=False, nopostponed=False):
60 61
        self.action_list = self.default_action_list
        if not nonodsa:
62 63 64 65 66
            self.action_list = self.action_list +  [('nodsa', 'include issues tagged <no-dsa>', 'nodsa')]
        if not noignored:
            self.action_list = self.action_list +  [('noignored', 'include issues tagged <ignored>', 'nodsa')]
        if not nopostponed:
            self.action_list = self.action_list +  [('nopostponed', 'include issues tagged <postponed>', 'nodsa')]
67
        self.params = {}
68
        for (prop, desc, field) in self.action_list:
69
            self.params[prop] = int(params.get(prop, (0,))[0])
70 71
        self.filters=params.get('filter')
        if not self.filters:
72
            self.filters=['high_urgency', 'medium_urgency', 'low_urgency', 'unassigned_urgency']
73 74 75

    def actions(self, url):
        """Returns a HTML snippet which can be used to change the filter."""
76 77

        l = []
78 79 80
        l.append(INPUT(type='hidden', name='filter', value='1'))
        for (prop, desc, field) in self.action_list:
            if prop in self.filters:
81
                l.append(LABEL(INPUT(desc, type='checkbox', name='filter', value=prop, onChange='this.form.submit()', checked='checked'), rel=field))
82
                self.params[prop]=1
83
            else:
84
                l.append(LABEL(INPUT(desc, type='checkbox', name='filter', value=prop, onChange='this.form.submit()'), rel=field))
85

86 87
        return FORM(tag("SPAN",l, id="filters"),
                    tag("NOSCRIPT", [INPUT(type='submit', value='Apply')]),
88
                    method='get')
89

90 91
    def urgencyFiltered(self, urg, vuln):
        """Returns True for urgencies that should be filtered."""
92 93 94 95 96 97 98 99
        filterlow = not self.params['low_urgency'] and \
                    urg in ('low', 'low**')
        filtermed = not self.params['medium_urgency'] and \
                    urg in ('medium', 'medium**')
        filterhigh = not self.params['high_urgency'] and \
                    urg in ('high', 'high**')
        filterund = not self.params['undetermined_issues'] and vuln == 2
        filteruni = not self.params['unimportant_urgency'] \
100
                    and urg == 'unimportant'
101 102
        filteruna = not self.params['unassigned_urgency'] \
                    and urg ==  'not yet assigned'
103 104 105
        filterend = not self.params['endoflife_urgency'] \
                    and urg == 'end-of-life'
        return filterlow or filtermed or filterhigh or filterund or filteruni or filteruna or filterend
106 107

    def remoteFiltered(self, remote):
108 109 110 111
	filterr = self.params['remote'] and remote and remote is not None
	filterl = self.params['local'] and not remote and remote is not None
	filteru = self.params['unclear'] and remote is None
	return filterr or filterl or filteru
112 113

    def nodsaFiltered(self, nodsa):
114
        """Returns True for no DSA issues if filtered."""
115
        return nodsa and not self.params['nodsa']
116 117 118 119 120 121
    def ignoredFiltered(self, no_dsa_reason):
        """Returns True for ignored issues if filtered."""
        return no_dsa_reason == 'ignored' and not self.params['noignored']
    def postponedFiltered(self, no_dsa_reason):
        """Returns True for postponedissues if filtered."""
        return no_dsa_reason == 'postponed' and not self.params['nopostponed']
122

123
class TrackerService(webservice_base_class):
124 125
    head_contents = compose(
	LINK(' ', href="/tracker/style.css"),
126 127
	SCRIPT(' ', src="/tracker/script.js"),
	).toHTML()
128

129 130 131 132 133 134 135 136
    nvd_text =  P('''If a "**" is included, the urgency field was automatically
        assigned by the NVD (National Vulnerability Database). Note that this
        rating is automatically derived from a set of known factors about the
        issue (such as access complexity, confidentiality impact, exploitability,
        remediation level, and others). Human intervention is involved in
        determining the values of these factors, but the rating itself comes
        from a fully automated formula.''')

137 138
    json_generation_interval = 5 * 60 # in seconds

139
    def __init__(self, socket_name, db_name):
140
        webservice_base_class.__init__(self, socket_name)
141
        self.db = security_db.DB(db_name)
142 143
        self.json_data = None # the JSON dump itself
        self.json_timestamp = None # timestamp of JSON generation
144 145
        self.register('', self.page_home)
        self.register('*', self.page_object)
146
        self.register('redirect/*', self.page_redirect)
147
        self.register('source-package/*', self.page_source_package)
148 149
        self.register('status/release/oldoldstable',
                      self.page_status_release_oldoldstable)
Thijs Kinkhorst committed
150 151
        self.register('status/release/oldstable',
                      self.page_status_release_oldstable)
152
        self.register('status/release/stable', self.page_status_release_stable)
153
        self.register('status/release/stable-backports',
154
                      self.page_status_release_stable_backports)
155
        self.register('status/release/oldstable-backports',
156
                      self.page_status_release_oldstable_backports)
157 158
        self.register('status/release/oldoldstable-backports',
                      self.page_status_release_oldoldstable_backports)
159 160 161 162 163 164 165
        self.register('status/release/testing',
                      self.page_status_release_testing)
        self.register('status/release/unstable',
                      self.page_status_release_unstable)
        self.register('status/dtsa-candidates',
                      self.page_status_dtsa_candidates)
        self.register('status/todo', self.page_status_todo)
166 167
        self.register('status/undetermined', self.page_status_undetermined)
        self.register('status/unimportant', self.page_status_unimportant)
168
        self.register('status/itp', self.page_status_itp)
169
        self.register('status/unreported', self.page_status_unreported)
170 171
        self.register('data/unknown-packages', self.page_data_unknown_packages)
        self.register('data/missing-epochs', self.page_data_missing_epochs)
172 173
        self.register('data/latently-vulnerable',
                      self.page_data_latently_vulnerable)
174 175
        self.register('data/releases', self.page_data_releases)
        self.register('data/funny-versions', self.page_data_funny_versions)
176
        self.register('data/fake-names', self.page_data_fake_names)
177
        self.register('data/pts/1', self.page_data_pts)
178
        self.register('data/json', self.page_json)
179
        self.register('debsecan/**', self.page_debsecan)
180
        self.register('data/report', self.page_report)
181
        self.register('style.css', self.page_style_css)
182
        self.register('logo.png', self.page_logo_png)
183
        self.register('distributions.json', self.page_distributions_json)
184
        self.register('script.js', self.page_script_js)
185 186

    def page_style_css(self, path, params, url):
187
        f=open('../static/style.css', 'r')
188 189 190
	content=f.read()
	f.close()
        return BinaryResult(content,'text/css')
191

192 193 194 195 196 197
    def page_logo_png(self, path, params, url):
        f=open('../static/logo.png', 'r')
	content=f.read()
	f.close()
        return BinaryResult(content,'image/png')

198 199 200 201 202 203
    def page_distributions_json(self, path, params, url):
        f=open('../static/distributions.json', 'r')
        content=f.read()
        f.close()
        return BinaryResult(content,'application/json')

204 205 206 207 208 209 210
    def page_script_js(self, path, params, url):
        f=open('../static/script.js', 'r')
        content=f.read()
        f.close()
        return BinaryResult(content,'text/javascript')


211 212 213 214 215 216 217
    def page_home(self, path, params, url):
        query = params.get('query', ('',))[0]
        if query:
            if '/' in query:
                return self.page_not_found(url, query)
            else:
                return RedirectResult(url.scriptRelativeFull(query))
218

219 220 221
        return self.create_page(
            url, 'Security Bug Tracker',
            [P(
222
            """The data in this tracker comes solely from the bug database maintained
223 224
by Debian's security team located in the security-tracker Git """,
            A("https://salsa.debian.org/security-tracker-team/security-tracker/tree/master/data", "repository"),
225
            """.  The data represented here is derived from: """,
226
            A("https://www.debian.org/security/#DSAS", "DSAs"),
227
            """ issued by the Security Team; issues tracked in the """,
228
            A("https://cve.mitre.org/cve/", "CVE database"),
229
            """, issues tracked in the """,
230
            A("https://nvd.nist.gov/", "National Vulnerability Database"),
231 232
            """ (NVD), maintained by NIST; and security issues
discovered in Debian packages as reported in the BTS."""),
Stefan Fritsch committed
233
             P("""All external data (including Debian bug reports and official Debian
234
security advisories) must be added to this database before it appears
235
here. Please help us keep this information up-to-date by """,
236
               A(url.scriptRelative("data/report"), "reporting"),
Nicholas Luedtke committed
237
               """ any discrepancies or change of status that you are
238
aware of and/or help us improve the quality of this information by """,
239
               A(url.scriptRelative("data/report"), "participating"),
240
               "."),
241

242
            NAV(make_menu(
243 244 245
            url.scriptRelative,
            ('status/release/unstable',
             'Vulnerable packages in the unstable suite'),
246 247 248 249
            ('status/release/testing',
             'Vulnerable packages in the testing suite'),
            ('status/release/stable',
             'Vulnerable packages in the stable suite'),
250 251
            ('status/release/stable-backports',
             'Vulnerable packages in backports for stable'),
252 253 254 255
            ('status/release/oldstable',
             'Vulnerable packages in the oldstable suite'),
            ('status/release/oldstable-backports',
             'Vulnerable packages in backports for oldstable'),
256 257 258 259
            ('status/release/oldoldstable',
             'Vulnerable packages in the oldoldstable suite'),
            ('status/release/oldoldstable-backports',
             'Vulnerable packages in backports for oldoldstable'),
260 261
            ('status/dtsa-candidates', "Candidates for DTSAs"),
            ('status/todo', 'TODO items'),
262 263
            ('status/undetermined', 'Packages that may be vulnerable but need to be checked (undetermined issues)'),
            ('status/unimportant', 'Packages that have open unimportant issues'),
264
            ('status/itp', 'ITPs with potential security issues'),
265
            ('status/unreported', 'Open vulnerabilities without filed Debian bugs'),
266 267
            ('data/unknown-packages',
             'Packages names not found in the archive'),
268
            ('data/fake-names', 'Tracked issues without a CVE name'),
269 270
            ('data/missing-epochs',
             'Package versions which might lack an epoch'),
271 272
            ('data/latently-vulnerable',
             'Packages which are latently vulnerable in unstable'),
273 274 275
            ('data/funny-versions',
             'Packages with strange version numbers'),
            ('data/releases',
276 277 278
             'Covered Debian releases and architectures'),
            ('data/json',
             'All information in JSON format')
279
			)),
280 281 282

            self.make_search_button(url),
            P("""(You can enter CVE names, Debian bug numbers and package
283
names in the search forms.)"""),
284

285
             H3("External interfaces"),
286 287 288 289 290 291
             P("""If you want to automatically open a relevant web page for
some object, use the """,
               CODE(str(url.scriptRelative("redirect/")), EM("object")),
               """ URL.  If no information is contained in this database,
the browser is automatically redirected to the corresponding external
data source.""")],
292 293 294 295
            search_in_page=True)

    def page_object(self, path, params, url):
        obj = path[0]
296 297 298
        return self.page_object_or_redirect(url, obj, False)

    def page_redirect(self, path, params, url):
299 300 301 302
        if path == ():
            obj = ''
        else:
            obj = path[0]
303 304 305 306
        return self.page_object_or_redirect(url, obj, True)

    def page_object_or_redirect(self, url, obj, redirect):
        c = self.db.cursor()
307 308 309 310 311

        if not obj:
            # Redirect to start page.
            return RedirectResult(url.scriptRelativeFull(""))

312 313
        # Attempt to decode a bug number.  TEMP-nnn bugs (but not
        # TEMP-nnn-mmm bugs) are treated as bug references, too.
314
        bugnumber = 0
315
        fake_bug = False
316
        try:
317
            if obj[0:5] == 'FAKE-' or obj[0:5] == 'TEMP-':
318 319 320 321
                bugnumber = int(obj[5:])
                fake_bug = True
            else:
                bugnumber = int(obj)
322 323 324
        except ValueError:
            pass
        if bugnumber:
325 326
            buglist = list(self.db.getBugsFromDebianBug(c, bugnumber))
            if buglist:
327
                return self.page_debian_bug(url, bugnumber, buglist, fake_bug)
328 329 330
            if redirect:
                return RedirectResult(self.url_debian_bug(url, str(bugnumber)),
                                      permanent=False)
331

332 333 334 335
        if 'A' <= obj[0] <= 'Z':
            # Bug names start with a capital letter.
            return self.page_bug(url, obj, redirect)

336 337 338 339 340
        if self.db.isSourcePackage(c, obj):
            return RedirectResult(self.url_source_package(url, obj, full=True))

        return self.page_not_found(url, obj)

341
    def page_bug(self, url, name, redirect):
342 343 344 345 346
        # FIXME: Normalize CAN-* to CVE-* when redirecting.  Too many
        # people still use CAN.
        if redirect and name[0:4] == 'CAN-':
            name = 'CVE-' + name[4:]

347 348 349 350
        cursor = self.db.cursor()
        try:
            bug = bugs.BugFromDB(cursor, name)
        except ValueError:
351
            if redirect:
352
                if name[0:4] == 'CVE-':
353 354
                    return RedirectResult(self.url_cve(url, name),
                                          permanent=False)
355
            return self.page_not_found(url, name)
356
        if bug.name <> name or redirect:
357 358 359 360 361 362 363
            # Show the normalized bug name in the browser address bar.
            return RedirectResult(url.scriptRelativeFull(bug.name))

        page = []

        def gen_header():
            yield B("Name"), bug.name
364

365 366 367 368 369 370
            nvd = self.db.getNVD(cursor, bug.name)

            if nvd and nvd.cve_desc:
                yield B("Description"), nvd.cve_desc
            elif bug.description:
                yield B("Description"), bug.description
371 372

            source = bug.name.split('-')[0]
373
            if source == 'CVE':
374
                source_xref = compose(self.make_cve_ref(url, bug.name, 'CVE'),
375
                                      " (at ",
376
                                      self.make_nvd_ref(url, bug.name,
377 378
                                                        'NVD'),
                                      "; ",
379 380
                                      self.make_cert_bug_ref(url, bug.name, 'CERT'),
                                      ", ",
381 382
                                      self.make_lwn_bug_ref(url, bug.name, 'LWN'),
                                      ", ",
383 384
                                      self.make_osssec_bug_ref(url, bug.name, 'oss-sec'),
                                      ", ",
385 386
                                      self.make_fulldisc_bug_ref(url, bug.name, 'fulldisc'),
                                      ", ",
387 388
                                      self.make_bugtraq_bug_ref(url, bug.name, 'bugtraq'),
                                      ", ",
389 390
                                      self.make_edb_bug_ref(url, bug.name, 'EDB'),
                                      ", ",
391 392
                                      self.make_metasploit_bug_ref(url, bug.name, 'Metasploit'),
                                      ", ",
393
                                      self.make_rhbug_ref(url, bug.name,
394 395
                                                        'Red Hat'),
                                      ", ",
396
                                      self.make_ubuntu_bug_ref(url, bug.name, 'Ubuntu'),
397
                                      ", ",
398
                                      self.make_gentoo_bug_ref(url, bug.name, 'Gentoo'),
399 400 401 402
                                      ", SUSE ",
                                      self.make_suse_bug_ref(url, bug.name, 'bugzilla'),
                                      "/",
                                      self.make_suse_cve_ref(url, bug.name, 'CVE'),
403
                                      ", ",
404
                                      self.make_mageia_bug_ref(url, bug.name, 'Mageia'),
405 406 407 408
                                      ", GitHub ",
                                      self.make_github_code_ref(url, bug.name, 'code'),
                                      "/",
                                      self.make_github_issues_ref(url, bug.name, 'issues'),
409
                                      ", ",
410
                                      self.make_web_search_bug_ref(url, bug.name, 'web search'),
411
                                      ", ",
412
                                      A(url.absolute('http://oss-security.openwall.org/wiki/vendors'), 'more'),
413
                                      ")")
414 415 416 417
            elif source == 'DSA':
                source_xref = self.make_dsa_ref(url, bug.name, 'Debian')
            elif source == 'DTSA':
                source_xref = 'Debian Testing Security Team'
418
            elif source == 'DLA':
419
                source_xref = self.make_dla_ref(url, bug.name, 'Debian LTS')
420
            elif source == 'TEMP':
421 422 423 424 425 426 427 428 429 430 431
                source_xref = (
        'Automatically generated temporary name.  Not for external reference.')
            else:
                source_xref = None

            if source_xref:
                yield B("Source"), source_xref

            xref = list(self.db.getBugXrefs(cursor, bug.name))
            if xref:
                yield B("References"), self.make_xref_list(url, xref)
432 433 434

            if nvd:
                nvd_range = nvd.rangeString()
435 436 437 438 439 440
                if nvd.severity:
                    nvd_severity = nvd.severity.lower()
                    if nvd_range:
                        nvd_severity = "%s (attack range: %s)" \
                                       % (nvd_severity, nvd_range)
                    yield B("NVD severity"), nvd_severity
441

442 443 444 445 446
            debian_bugs = bug.getDebianBugs(cursor)
            if debian_bugs:
                yield (B("Debian Bugs"),
                       self.make_debian_bug_list(url, debian_bugs))

447 448 449 450 451 452 453 454
# Disable table with fixed status per release.
#           if not bug.not_for_us:
#               for (release, status, reason) in bug.getStatus(cursor):
#                   if status == 'undetermined':
#                       reason = self.make_purple(reason)
#                   elif status <> 'fixed':
#                       reason = self.make_red(reason)
#                   yield B('Debian/%s' % release), reason
455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470

        page.append(make_table(gen_header()))

        if bug.notes:

            def gen_source():
                old_pkg = ''
                for (package, release, version, vulnerable) \
                        in self.db.getSourcePackages(cursor, bug.name):
                    if package == old_pkg:
                        package = ''
                    else:
                        old_pkg = package
                        package = compose(
                            self.make_source_package_ref(url, package),
                            " (", self.make_pts_ref(url, package, 'PTS'), ")")
471
                    if vulnerable == 1:
472 473
                        vuln = self.make_red('vulnerable')
                        version = self.make_red(version)
474 475 476
                    elif vulnerable == 2:
                        vuln = self.make_purple('undetermined')
                        version = self.make_purple(version)
477 478 479 480 481 482
                    else:
                        vuln = 'fixed'

                    yield package, ', '.join(release), version, vuln

            page.append(make_table(gen_source(),
483 484 485
                title=H2('Vulnerable and fixed packages'),
                caption=("Source Package", "Release", "Version", "Status"),
                introduction=P('The table below lists information on source packages.')))
486 487 488 489 490 491 492 493 494 495

            def gen_data():
                notes_sorted = bug.notes[:]
                notes_sorted.sort(lambda a, b: cmp(a.package, b.package))
                for n in notes_sorted:
                    if n.release:
                        rel = str(n.release)
                    else:
                        rel = '(unstable)'
                    urgency = str(n.urgency)
496 497
		    if urgency == 'end-of-life':
			urgency = self.make_purple('end-of-life')
498 499 500 501 502 503 504
                    if n.fixed_version:
                        ver = str(n.fixed_version)
                        if ver == '0':
                            ver = '(not affected)'
                            urgency = ''
                    else:
                        ver = self.make_red('(unfixed)')
505 506
                    if urgency == 'not yet assigned':
                        urgency = ''
507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531

                    pkg = n.package
                    pkg_kind = n.package_kind
                    if pkg_kind == 'source':
                        pkg = self.make_source_package_ref(url, pkg)
                    elif pkg_kind == 'itp':
                        pkg_kind = 'ITP'
                        rel = ''
                        ver = ''
                        urgency = ''

                    bugs = n.bugs
                    bugs.sort()
                    bugs = make_list(
                        map(lambda x: self.make_debian_bug(url, x), bugs))
                    if n.bug_origin:
                        origin = self.make_xref(url, n.bug_origin)
                    else:
                        origin = ''
                    yield (pkg, pkg_kind, rel, ver, urgency, origin, bugs)

            page.append(
                make_table(gen_data(),
                    caption=("Package", "Type", "Release", "Fixed Version",
                             "Urgency", "Origin", "Debian Bugs"),
532
                    introduction=P("The information below is based on the following data on fixed versions.")))
533 534 535 536 537 538

        if bug.comments:
            page.append(H2("Notes"))
            def gen_comments():
                for (t, c) in bug.comments:
                    yield c
539
            page.append(make_pre(gen_comments()))
540 541 542

        return self.create_page(url, bug.name, page)

543 544 545 546 547
    def page_debian_bug(self, url, bugnumber, buglist, fake_bug):
        if fake_bug:
            new_buglist = []
            for b in buglist:
                (bug_name, urgency, description) = b
548
                if bug_name[0:5] == 'FAKE-' or bug_name[0:5] == 'TEMP-':
549 550 551 552 553 554
                    new_buglist.append(b)
            if len(new_buglist) > 0:
                # Only replace the bug list if there are still fake
                # bug reports.
                buglist = new_buglist

555 556 557 558 559 560 561 562 563 564
        if len(buglist) == 1:
            # Single issue, redirect.
            return RedirectResult(url.scriptRelativeFull(buglist[0][0]))

        def gen():
            for (name, urgency, description) in buglist:
                if urgency == "unknown":
                    urgency = ""
                yield self.make_xref(url, name), urgency, description

565 566 567 568 569 570 571
        if fake_bug:
            intro = """The URL you used contained a non-stable name
based on a Debian bug number.  This name cannot be mapped to a specific
issue. """
        else:
            intro = ""

572 573
        return self.create_page(
            url, "Information related to Debian bug #%d" % bugnumber,
574
            [P(intro + "The following issues reference to Debian bug ",
575 576 577
               self.make_debian_bug(url, bugnumber), ":"),
             make_table(gen(),
                        caption=("Name", "Urgency", "Description"))])
578 579 580 581 582 583 584 585

    def page_not_found(self, url, query):
        return self.create_page(url, 'Not found',
                                [P('Your query ',
                                   CODE(query),
                                   ' matched no results.')],
                                status=404)

586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605
    def page_report(self, path, params, url):
        return self.create_page(
            url, 'Reporting discrepancies in the data',
            [P("""The data in this tracker is always in flux, as bugs are fixed and new
issues disclosed, the data contained herein is updated. We strive to
maintain complete and accurate state information, and appreciate any
updates in status, information or new issues."""),
             P("There are three ways that you can report updates to this information:"),
             make_numbered_list(
            [P("""IRC: We can be found at """,
               CODE("irc.oftc.net"),
               ", ",
               CODE("#debian-security"),
    """. If you have information to report, please go ahead and join
the channel and tell us.  Please feel free to state the issue,
regardless if there is someone who has acknowledged you. Many of us
idle on this channel and may not be around when you join, but we read
the backlog and will see what you have said. If you require a
response, do not forget to let us know how to get a hold of you."""),
             P("Mailing list: Our mailing list is: ",
606 607
               A("mailto:debian-security-tracker@lists.debian.org",
                 "debian-security-tracker@lists.debian.org")),
608 609 610
             P("""Helping out: We welcome people who wish to join us in tracking
issues. The process is designed to be easy to learn and participate,
please read our """,
611
               A("https://security-team.debian.org/security_tracker.html",
612 613
                 "Introduction"),
               """ to get familiar with how things work.  Join us on
614 615
our mailing list, and on IRC and request to be added to the Salsa """,
               A("https://salsa.debian.org/security-tracker-team/security-tracker/", "project"),
616 617 618 619
               """. We are really quite friendly. If you have a
question about how things work, don't be afraid to ask, we would like
to improve our documentation and procedures, so feedback is welcome.""")])])

620 621
    def page_source_package(self, path, params, url):
        pkg = path[0]
622
        data = security_db.getBugsForSourcePackage(self.db.cursor(), pkg)
623

624
        def gen_versions():
625 626 627
            for (release, version) in self.db.getSourcePackageVersions(
                    self.db.cursor(), pkg):
                yield release, version
628
        def gen_bug_list(lst):
629 630
            for bug in lst:
                yield self.make_xref(url, bug.bug), bug.description
631

632 633 634 635 636
        def format_summary_entry(per_release):
            if per_release is None:
                return self.make_purple('unknown')
            if per_release.vulnerable == 1:
                if per_release.state == 'no-dsa':
637 638 639 640 641 642 643
                    if per_release.reason:
                        text = 'vulnerable (no DSA, %s)' % per_release.reason
                    else:
                        text = 'vulnerable (no DSA)'
                    hint = per_release.comment
                    return self.make_mouseover((self.make_yellow(text),),
                                               text=hint)
644 645 646 647 648 649
                else:
                    return self.make_red('vulnerable')
            if per_release.vulnerable == 2:
                return self.make_purple('undetermined')
            assert per_release.vulnerable == 0
            return self.make_green('fixed')
650 651

        def gen_summary(bugs):
652
            for bug in bugs:
653 654 655
                status_row = tuple(
                    format_summary_entry(bug.releases.get(rel, None))
                    for rel in data.all_releases)
656 657
                yield (self.make_xref(url, bug.bug),) + status_row \
                    + (bug.description,)
658

659
        return self.create_page(
660
            url, 'Information on source package ' + pkg,
661 662 663 664 665
            [make_menu(lambda x: x,
                       (self.url_pts(url, pkg),
                        pkg + ' in the Package Tracking System'),
                       (self.url_debian_bug_pkg(url, pkg),
                        pkg + ' in the Bug Tracking System'),
666 667
                       (self.url_source_code(url, pkg),
                        pkg + ' source code'),
668 669
                       (self.url_testing_status(url, pkg),
                        pkg + ' in the testing migration checker')),
670
             make_table(gen_versions(), title=H2('Available versions'), caption=('Release', 'Version')),
671

672
             make_table(
673
                 gen_summary(data.open),
674
                 title=H2('Open issues'),
675
                 caption=('Bug',) + data.all_releases + ('Description',),
676 677 678
                 replacement='No known open issues.'
             ),

679

680
             make_table(
681
                 gen_summary(data.unimportant),
682
                 title=H2('Open unimportant issues'),
683
                 caption=('Bug',) + data.all_releases + ('Description',),
684 685
                 replacement='No known unimportant issues.'
             ),
686

687
             make_table(gen_bug_list(data.resolved),
688
                        title=H2('Resolved issues'),
689
                        caption=('Bug', 'Description'),
690
                        replacement='No known resolved issues.'),
691

692 693
             make_table(gen_bug_list(self.db.getDSAsForSourcePackage
                                     (self.db.cursor(), pkg)),
694
                        title=H2('Security announcements'),
Holger Levsen committed
695
                        caption=('DSA / DLA', 'Description'),
696 697
                        replacement='No known security announcements.')
             ])
698

699 700
    def page_status_release_stable_oldstable_oldoldstable(self, release, params, url):
        assert release in ('stable', 'oldstable', 'oldoldstable',)
701

702
        bf = BugFilter(params)
703

704 705
        def gen():
            old_pkg_name = ''
706
            for (pkg_name, bug_name, archive, urgency, vulnerable, remote, no_dsa, no_dsa_reason) in \
707
                    self.db.cursor().execute(
708
                """SELECT package, bug, section, urgency, vulnerable, remote, no_dsa, no_dsa_reason
709 710
                FROM %s_status
                WHERE (bug LIKE 'CVE-%%' OR bug LIKE 'TEMP-%%')""" % release):
711
                if bf.urgencyFiltered(urgency, vulnerable):
712 713 714
                    continue
                if bf.remoteFiltered(remote):
                    continue
715 716
                if bf.nodsaFiltered(no_dsa):
                    continue
717 718 719 720
                if bf.ignoredFiltered(no_dsa_reason):
                    continue
                if bf.postponedFiltered(no_dsa_reason):
                    continue
721

722 723 724 725
                if pkg_name == old_pkg_name:
                    pkg_name = ''
                else:
                    old_pkg_name = pkg_name
726
                    title = None
727
                    if archive <> 'main':
728
                        title = "%s (%s)" % (pkg_name, archive)
729

730
                if remote is None:
731
                    remote = '?'
732 733 734 735 736
                elif remote:
                    remote = 'yes'
                else:
                    remote = 'no'

737
                if urgency.startswith('high'):
738
                    urgency = self.make_red(urgency)
739 740
                elif vulnerable == 2:
                    urgency = self.make_purple(urgency)
741 742 743
                else:
                    if no_dsa:
                        urgency = urgency + '*'
744

745
                yield self.make_source_package_ref(url, pkg_name, title), self.make_xref(url, bug_name), urgency, remote
746 747

        return self.create_page(
748
            url, 'Vulnerable source packages in the %s suite' % release,
749
            [bf.actions(url), BR(),
750 751 752 753
             make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote")),
             P('''If a "*" is included in the urgency field, no DSA is planned
                  for this vulnerability.'''),
             self.nvd_text])
754 755

    def page_status_release_stable(self, path, params, url):
756
        return self.page_status_release_stable_oldstable_oldoldstable('stable', params, url)
Thijs Kinkhorst committed
757
    def page_status_release_oldstable(self, path, params, url):
758 759
        return self.page_status_release_stable_oldstable_oldoldstable('oldstable',
                                                         params, url)
Holger Levsen committed
760
    def page_status_release_oldoldstable(self, path, params, url):
761
        return self.page_status_release_stable_oldstable_oldoldstable('oldoldstable',
Thijs Kinkhorst committed
762
                                                         params, url)
763

764
    def page_status_release_testing(self, path, params, url):
765
        bf = BugFilter(params)
766

767 768
        def gen():
            old_pkg_name = ''
769
            for (pkg_name, bug_name, archive, urgency, vulnerable,
770 771
                 sid_vulnerable, ts_fixed, remote, no_dsa) \
                 in self.db.cursor().execute(
772 773
                """SELECT package, bug, section, urgency, vulnerable,
                unstable_vulnerable, testing_security_fixed, remote, no_dsa
774
                FROM testing_status"""):
775
                if bf.urgencyFiltered(urgency, vulnerable):
776 777 778
                    continue
                if bf.remoteFiltered(remote):
                    continue
779 780
                if bf.nodsaFiltered(no_dsa):
                    continue
781

782 783 784 785
                if pkg_name == old_pkg_name:
                    pkg_name = ''
                else:
                    old_pkg_name = pkg_name
786
                    title = None
787
                    if archive <> 'main':
788
                        title = "%s (%s)" % (pkg_name, archive)
789

790
                if remote is None:
791
                    remote = '?'
792 793 794 795 796
                elif remote:
                    remote = 'yes'
                else:
                    remote = 'no'

797 798 799 800 801 802 803 804
                if ts_fixed:
                    status = 'fixed in testing-security'
                else:
                    if sid_vulnerable:
                        status = self.make_red('unstable is vulnerable')
                    else:
                        status = self.make_dangerous('fixed in unstable')

805 806 807 808 809
                if urgency.startswith('high'):
                    urgency = self.make_red(urgency)
                elif vulnerable == 2:
                    urgency = self.make_purple(urgency)

810
                yield (self.make_source_package_ref(url, pkg_name, title), self.make_xref(url, bug_name),
811
                       urgency, remote, status)
812 813 814 815 816

        return self.create_page(
            url, 'Vulnerable source packages in the testing suite',
            [make_menu(url.scriptRelative,
                       ("status/dtsa-candidates", "Candidates for DTSAs")),
817
             bf.actions(url), BR(),
818
             make_table(gen(), caption=("Package", "Bug", "Urgency", "Remote", 'Status')),
819
             self.nvd_text])
820

821
    def page_status_release_unstable_like(self, path, params, url,
822
                                          rel, title, subrel=""):
823
        bf = BugFilter(params,nonodsa=True,noignored=True,nopostponed=True)
824

825 826
        def gen():
            old_pkg_name = ''
827
            for (pkg_name, bug_name, section, urgency, vulnerable, remote) \
828 829
                    in self.db.cursor().execute(
                """SELECT DISTINCT sp.name, st.bug_name,
830
                sp.archive, st.urgency, st.vulnerable,
831 832
                (SELECT range_remote FROM nvd_data
                 WHERE cve_name = st.bug_name)
833
                FROM source_package_status AS st, source_packages AS sp
834
                WHERE st.vulnerable AND sp.rowid = st.package
835 836
                AND sp.release = ?  AND sp.subrelease = ''
                ORDER BY sp.name, st.bug_name""", (rel,)):
837
                if bf.urgencyFiltered(urgency, vulnerable):
838 839 840 841
                    continue
                if bf.remoteFiltered(remote):
                    continue

842 843 844 845
                if pkg_name == old_pkg_name:
                    pkg_name = ''
                else:
                    old_pkg_name = pkg_name
846
                    title = None
847
                    if section <> 'main':
848
                        title = "%s (%s)" % (pkg_name, section)
849

850
                if remote is None:
851
                    remote = '?'
852 853 854 855 856
                elif remote:
                    remote = 'yes'
                else:
                    remote = 'no'

857
                if urgency.startswith('high'):
858
                    urgency = self.make_red(urgency)
859
                elif vulnerable == 2:
860
                    urgency = self.make_purple(urgency)
861

862
                yield self.make_source_package_ref(url, pkg_name, title), self.make_xref(url, bug_name), urgency, remote
863

864
        return self.create_page(
865
            url, title,
866 867 868
            [P("""Note that the list below is based on source packages.
            This means that packages are not listed here once a new,
            fixed source version has been uploaded to the archive, even
Thijs Kinkhorst committed
869
            if there are still some vulnerable binary packages present
870
            in the archive."""),
871
             bf.actions(url), BR(),
872 873
             make_table(gen(), caption=('Package', 'Bug', 'Urgency', 'Remote')),
             self.nvd_text])
874

875 876 877 878
    def page_status_release_unstable(self, path, params, url):
        return self.page_status_release_unstable_like(
            path, params, url,
            title='Vulnerable source packages in the unstable suite',
879
            rel='sid')
880 881 882 883 884

    def page_status_release_stable_backports(self, path, params, url):
        return self.page_status_release_unstable_like(
            path, params, url,
            title='Vulnerable source packages among backports for stable',
885
            rel='stretch-backports')
886

887 888 889 890
    def page_status_release_oldstable_backports(self, path, params, url):
        return self.page_status_release_unstable_like(
            path, params, url,
            title='Vulnerable source packages among backports for oldstable',
891
            rel='jessie-backports')
892 893 894 895 896

    def page_status_release_oldoldstable_backports(self, path, params, url):
        return self.page_status_release_unstable_like(
            path, params, url,
            title='Vulnerable source packages among backports for oldoldstable',
897
            rel='wheezy-backports')
898

899

900
    def page_status_dtsa_candidates(self, path, params, url):
901
        bf = BugFilter(params,nonodsa=True,noignored=True,nopostponed=True)
902

903 904
        def gen():
            old_pkg_name = ''
905 906
            for (pkg_name, bug_name, archive, urgency, vulnerable,
                 stable_later, remote) \
907
                    in self.db.cursor().execute(
908
                """SELECT package, bug, section, urgency, vulnerable,
909 910 911
                (SELECT testing.version_id < stable.version_id
                 FROM source_packages AS testing, source_packages AS stable
                 WHERE testing.name = testing_status.package
912
                 AND testing.release = 'buster'
913 914 915
                 AND testing.subrelease = ''
                 AND testing.archive = testing_status.section
                 AND stable.name = testing_status.package
916
                 AND stable.release = 'stretch'
917
                 AND stable.subrelease = 'security'
918 919 920
                 AND stable.archive = testing_status.section),
                (SELECT range_remote FROM nvd_data
                 WHERE cve_name = bug)
921 922 923
                FROM testing_status
                WHERE (NOT unstable_vulnerable)
                AND (NOT testing_security_fixed)"""):
924
                if bf.urgencyFiltered(urgency, vulnerable):
925 926 927 928
                    continue
                if bf.remoteFiltered(remote):
                    continue

929 930 931 932 933
                if pkg_name == old_pkg_name:
                    pkg_name = ''
                    migration = ''
                else:
                    old_pkg_name = pkg_name
934
                    title = None
935 936 937
                    migration = A(self.url_testing_status(url, pkg_name),
                                  "check")
                    if archive <> 'main':
938
                        title = "%s (%s)" % (pkg_name, archive)
939

940
                if remote is None:
941
                    remote = '?'
942 943 944 945 946
                elif remote:
                    remote = 'yes'
                else:
                    remote = 'no'

947
                if urgency.startswith('high'):
948
                    urgency = self.make_red(urgency)
949 950
                elif vulnerable == 2:
                    urgency = self.make_purple(urgency)
951 952 953 954 955 956

                if stable_later:
                    notes = "(fixed in stable?)"
                else:
                    notes = ''

957
                yield (self.make_source_package_ref(url, pkg_name, title), migration, self.make_xref(url, bug_name),
958
                       urgency, remote, notes)
959 960 961 962 963

        return self.create_page(
            url, "Candidates for DTSAs",
            [P("""The table below lists packages which are fixed
in unstable, but unfixed in testing.  Use the testing migration
964
checker to find out why they have not entered testing yet."""),
965 966 967
             make_menu(url.scriptRelative,
                       ("status/release/testing",
                        "List of vulnerable packages in testing")),
968
             bf.actions(url), BR(),
969
             make_table(gen(),
970
                        caption=("Package", "Migration", "Bug", "Urgency",
971
                                 "Remote", ""))])
972 973

    def page_status_todo(self, path, params, url):
974 975 976 977 978 979 980
        hide_check = params.get('hide_check', False)
        if hide_check:
            flags = A(url.updateParamsDict({'hide_check' : None}),
                      'Show "check" TODOs')
        else:
            flags = A(url.updateParamsDict({'hide_check' : '1'}),
                  'Hide "check" TODOs')
981

982
        def gen():
983 984
            for (bug, description, note) in self.db.getTODOs(hide_check=hide_check):
                yield self.make_xref(url, bug), description, note
985
        return self.create_page(
986 987
            url, 'Bugs with TODO items',
            [P(flags), make_table(gen(), caption=('Bug', 'Description', 'Note'))])
988 989 990 991 992 993 994 995

    def page_status_undetermined(self, path, params, url):
        def gen():
            outrel = []
            old_bug = ''
            old_pkg = ''
            old_dsc = ''
            last_displayed = ''
996
            releases = ('sid', 'buster', 'stretch', 'jessie', 'wheezy')
997 998 999 1000 1001 1002
            for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
                    """SELECT DISTINCT sp.name, st.bug_name, sp.release,
                    bugs.description
                    FROM source_package_status AS st, source_packages AS sp, bugs
                    WHERE st.vulnerable == 2 AND sp.rowid = st.package
                    AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
1003
                    OR sp.release = ? OR sp.release = ? )
1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040
                    AND sp.subrelease = '' AND st.bug_name == bugs.name
                    ORDER BY sp.name, st.bug_name""", releases):

                if old_bug == '':
                    old_bug = bug_name
                    old_pkg = pkg_name
                    old_dsc = desc
                elif old_bug != bug_name:
                    if old_pkg == last_displayed:
                        to_display = ''
                    else:
                        to_display = old_pkg
                    yield to_display, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
                    last_displayed = old_pkg
                    old_bug = bug_name
                    old_pkg = pkg_name
                    old_dsc = desc
                    outrel = []
                outrel.append( release )
            yield old_pkg, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)

        return self.create_page(url, 'Packages that may be vulnerable but need to be checked      (undetermined issues)',
            [P("""This page lists packages that may or may not be affected
            by known issues.  This means that some additional work needs to
            be done to determined whether the package is actually
            vulnerable or not.  This list is a good area for new
            contributors to make quick and meaningful contributions."""),
            make_table(gen(), caption=('Package', 'Bug', 'Description', 'Releases'))])

    def page_status_unimportant(self, path, params, url):
        def gen():
            outrel = []
            old_bug = ''
            old_pkg = ''
            old_dsc = ''
            old_name = ''
            last_displayed = ''
1041
            releases = ('sid', 'buster', 'stretch', 'jessie', 'wheezy')
1042 1043 1044 1045 1046 1047
            for (pkg_name, bug_name, release, desc) in self.db.cursor().execute(
                    """SELECT DISTINCT sp.name, st.bug_name, sp.release,
                    bugs.description
                    FROM source_package_status AS st, source_packages AS sp, bugs
                    WHERE st.vulnerable > 0 AND sp.rowid = st.package
                    AND ( sp.release = ? OR sp.release = ? OR sp.release = ?
1048
                    OR sp.release = ? OR sp.release = ? ) AND st.urgency == 'unimportant'
1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075
                    AND sp.subrelease = '' AND st.bug_name == bugs.name
                    ORDER BY sp.name, st.bug_name""", releases):

                if old_bug == '':
                    old_bug = bug_name
                    old_pkg = pkg_name
                    old_dsc = desc
                elif old_bug != bug_name:
                    if old_pkg == last_displayed:
                        to_display = ''
                    else:
                        to_display = old_pkg
                    yield to_display, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)
                    last_displayed = old_pkg
                    old_bug = bug_name
                    old_pkg = pkg_name
                    old_dsc = desc
                    outrel = []
                outrel.append( release )
            yield old_pkg, self.make_xref(url, old_bug), old_dsc, ', '.join(outrel)

        return self.create_page(url, 'Packages that have open unimportant issues',
            [P("""This page lists packages that are affected by issues
            that are considered unimportant from a security perspective.
            These issues are thought to be unexploitable or uneffective
            in most situations (for example, browser denial-of-services)."""),
            make_table(gen(), caption=('Package', 'Bug', 'Description', 'Releases'))])
1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091

    def page_status_itp(self, path, params, url):
        def gen():
            old_pkg = ''
            for pkg, bugs, debian_bugs in self.db.getITPs(self.db.cursor()):
                if pkg == old_pkg:
                    pkg = ''
                else:
                    old_pkg = pkg
                yield (pkg, self.make_xref_list(url, bugs),
                       self.make_debian_bug_list(url, debian_bugs))
        return self.create_page(
            url, "ITPs with potential security issues",
            [make_table(gen(), caption=("Package", "Issue", "Debian Bugs"),
                        replacement="No ITP bugs are currently known.")])

1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103
    def page_status_unreported(self, path, params, url):
        def gen():
            for (bug, packages) in self.db.getUnreportedVulnerabilities():
                pkgs = make_list([self.make_source_package_ref(url, pkg)
                                  for pkg in packages], ", ")
                yield self.make_xref(url, bug), pkgs
        return self.create_page(
            url, "Unfixed vulnerabilities in unstable without a filed bug",
            [P("""The list below contains vulnerabilities for which no matching
Debian bug has been filed, and there is still an unfixed package in sid."""),
             make_table(gen(), caption=("Bug", "Packages"))])

1104 1105 1106 1107 1108 1109 1110 1111
    def page_data_unknown_packages(self, path, params, url):
        def gen():
            for name, bugs in self.db.getUnknownPackages(self.db.cursor()):
                yield name, self.make_xref_list(url, bugs)
        return self.create_page(
            url, "Unknown packages",
            [P("""Sometimes, a package referenced in a bug report
cannot be found in the database.  This can be the result of a spelling
Thijs Kinkhorst committed
1112 1113
error, or a historic entry refers to a
package which is no longer in the archive."""),
1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150
             make_table(gen(), caption=("Package", "Bugs"),
        replacement="No unknown packages are referenced in the database.")])

    def page_data_missing_epochs(self, path, params, url):
        def gen():
            old_bug = ''
            old_pkg = ''
            for bug, pkg, ver1, ver2 in self.db.cursor().execute(
                """SELECT DISTINCT bug_name, n.package,
                n.fixed_version, sp.version
                FROM package_notes AS n, source_packages AS sp
                WHERE n.package_kind = 'source'
                AND n.fixed_version NOT LIKE '%:%'
                AND n.fixed_version <> '0'
                AND n.bug_origin = ''
                AND sp.name = n.package
                AND sp.version LIKE '%:%'
                ORDER BY bug_name, package"""):
                if bug == old_bug:
                    bug = ''
                else:
                    old_bug = bug
                    old_pkg = ''
                    bug = self.make_xref(url, bug)
                if pkg == old_pkg:
                    pkg = ''
                else:
                    old_pkg = pkg
                    pkg = self.make_source_package_ref(url, pkg)
                yield bug, pkg, ver1, ver2

        return self.create_page(
            url, "Missing epochs in package versions",
            [make_table(gen(),
                caption=("Bug", "Package", "Version 1", "Version 2"),
                replacement="No source package version with missing epochs.")])

1151 1152 1153 1154 1155 1156
    def page_data_latently_vulnerable(self, path, params, url):
        def gen():
            for pkg, bugs in self.db.cursor().execute(
                """SELECT package, string_set(bug_name)
                FROM package_notes AS p1
                WHERE release <> ''
1157
                AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169
                AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
                                WHERE p2.bug_name = p1.bug_name
                                AND p2.package = p1.package
                                AND release = '')
                AND EXISTS (SELECT 1 FROM source_packages
                           WHERE name = p1.package AND release = 'sid')
                GROUP BY package
                ORDER BY package"""):
                pkg = self.make_source_package_ref(url, pkg)
                bugs = bugs.split(',')
                yield pkg, self.make_xref_list(url, bugs)

1170 1171 1172 1173 1174 1175
        def gen_unimportant():
            for pkg, bugs in self.db.cursor().execute(
                """SELECT package, string_set(bug_name)
                FROM package_notes AS p1
                WHERE release <> ''
                AND urgency <> 'unimportant'
1176
                AND (bug_name LIKE 'CVE-%' OR bug_name LIKE 'TEMP-%')
1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193
                AND EXISTS (SELECT 1 FROM package_notes AS p2
                                WHERE p2.bug_name = p1.bug_name
                                AND p2.package = p1.package
                                AND release = '')
                AND NOT EXISTS (SELECT 1 FROM package_notes AS p2
                                WHERE p2.bug_name = p1.bug_name
                                AND p2.package = p1.package
                                AND urgency <> 'unimportant'
                                AND release = '')
                AND EXISTS (SELECT 1 FROM source_packages
                           WHERE name = p1.package AND release = 'sid')
                GROUP BY package
                ORDER BY package"""):
                pkg = self.make_source_package_ref(url, pkg)
                bugs = bugs.split(',')
                yield pkg, self.make_xref_list(url, bugs)

1194 1195 1196 1197 1198 1199 1200 1201 1202
        return self.create_page(
            url, "Latently vulnerable packages in unstable",
            [P(
"""A package is latently vulnerable in unstable if it is vulnerable in
any release, and there is no package note for the same vulnerability
and package in unstable (and the package is still available in
unstable, of course)."""),
             make_table(gen(),
                caption=("Package", "Bugs"),
1203 1204 1205 1206 1207 1208 1209 1210 1211 1212
                replacement="No latently vulnerable packages were found."),
             P(
"""The next table lists issues which are marked unimportant for
unstable, but for which release-specific annotations exist which are
not unimportant."""),
             make_table(gen_unimportant(),
                caption=("Package", "Bugs"),
                replacement=
    "No packages with unimportant latent vulnerabilities were found."),
            ])
1213

1214 1215 1216 1217 1218 1219 1220 1221
    def page_data_releases(self, path, params, url):
        def gen():
            for (rel, subrel, archive, sources, archs) \
                    in self.db.availableReleases():
                if sources:
                    sources = 'yes'
                else:
                    sources = 'no'
1222 1223
                if 'source' in archs:
                    archs.remove('source')
1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248
                yield rel, subrel, archive, sources, make_list(archs)
        return self.create_page(
            url, "Available releases",
            [P("""The security issue database is checked against
the Debian releases listed in the table below."""),
             make_table(gen(),
                        caption=("Release", "Subrelease", "Archive",
                                 "Sources", "Architectures"))])

    def page_data_funny_versions(self, path, params, url):
        def gen():
            for name, release, archive, version, source_version \
                in self.db.getFunnyPackageVersions():
                yield name, release, archive, source_version, version

        return self.create_page(
            url, "Version conflicts between source/binary packages",
            [P("""The table below lists source packages
            which have a binary package of the same name, but with a different
            version.  This means that extra care is necessary to determine
            the version of a package which has been fixed.  (Note that
            the bug tracker prefers source versions to binary versions
            in this case.)"""),
             make_table(gen(),
                        caption=(