From 93a4f8add09edee81aa8710f85bde6ebe664871b Mon Sep 17 00:00:00 2001 From: gnaponie Date: Jul 19 2019 07:58:09 +0000 Subject: Rebuild only affected pkgs by the CVE An RHSA that addresses a specific advisory will contain RPM build(s) for addressing a specific CVE. Freshmaker uses these RPM build(s) to find out which images should be rebuilt. In some cases, additional RPM build(s) are attached to RHSA. These are unrelated to the CVE. With this change Freshmaker is going to rebuild only the affected pkgs by the CVE, and not all the contained RPMs in the RHSA. Signed-off-by: gnaponie --- diff --git a/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py b/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py index ea16e7e..d5ab453 100644 --- a/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py +++ b/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py @@ -24,6 +24,7 @@ import json import koji +import kobo from freshmaker import conf, db from freshmaker.events import ErrataAdvisoryRPMsSignedEvent 
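Review bot: The added `import kobo` binds only the top-level package, while the new filter in the second hunk calls `kobo.rpmlib.parse_nvr`; that attribute is present only if `kobo/__init__.py` or some module imported earlier happens to load the `rpmlib` submodule, so the handler would work by accident of import order. Import the submodule explicitly, `import kobo.rpmlib` (or `from kobo.rpmlib import parse_nvr`, if the rest of the project uses that form), which also makes the dependency visible next to the `koji` import. The blank lines of this import block appear collapsed in this rendering, so the exact placement cannot be checked here.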
@@ -411,6 +412,18 @@ class RebuildImagesOnRPMAdvisoryChange(ContainerBuildHandler):
 # For each SRPM NVR, find out all the containers which include
 # this SRPM NVR.
 srpm_nvrs = set(errata.get_builds(errata_id))
+ # affected_pkgs contains the list of actually affected pkgs from the CVE.
+ # We don't need to build images that really don't affect the CVE, even if they are
+ # listed in the RHSA. So let's just remove the ones that are not listed in here.
+ # In case this is empty we are just going to use the "old" behavior before this
+ # change was made, and rebuild everything.
+ affected_pkgs = set([pkg['pkg_name'] for pkg in self.event.advisory.affected_pkgs])
+ if affected_pkgs:
+ tmp_srpm_nvrs = srpm_nvrs
+ srpm_nvrs = set([srpm_nvr for srpm_nvr in srpm_nvrs if kobo.rpmlib.parse_nvr(srpm_nvr)["name"] in affected_pkgs])
+ self.log_info(("Not going to rebuild these container images,"
+ "because they're not affected: %r"), tmp_srpm_nvrs.difference(srpm_nvrs))
+
 self.log_info(
 "Going to find all the container images to rebuild as "
 "result of %r update.", srpm_nvrs)
diff --git a/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py b/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py
index 1ac4004..712c734 100644
--- a/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py
+++ b/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py
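Review bot: The filter `kobo.rpmlib.parse_nvr(srpm_nvr)["name"] in affected_pkgs` can empty `srpm_nvrs` entirely — for instance if `pkg_name` in the advisory's `affected_pkgs` is not spelled exactly like the SRPM name — and the code then goes on to search for images with an empty set, so a security erratum would silently trigger no rebuilds; the "old behavior" fallback described in the comment covers only an empty `affected_pkgs`, not an empty intersection. Guard that case explicitly after the filter, e.g. `if tmp_srpm_nvrs and not srpm_nvrs: self.log_info("None of %r matches the affected packages %r of advisory %s; nothing will be rebuilt", tmp_srpm_nvrs, affected_pkgs, errata_id)` (at warning level if the handler's logger offers one), or fall back to the unfiltered set, which is the fail-safe direction for a CVE fix. Separately, the two string fragments in the new log call join as `images,because` — add the missing space: `"Not going to rebuild these container images, "`. `_find_images_to_rebuild` begins before this hunk.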
@@ -516,6 +516,29 @@ class TestFindImagesToRebuild(helpers.FreshmakerTestCase): published=True, release_categories=('Generally Available', 'Tech Preview', 'Beta'), leaf_container_images=["foo", "bar"]) + @patch.object(freshmaker.conf, 'handler_build_whitelist', new={ + 'RebuildImagesOnRPMAdvisoryChange': { + 'image': {'advisory_name': 'RHBA-*'} + } + }) + @patch('os.path.exists', return_value=True) + def test_whitelist_affected_packages(self, exists): + """ + In case there are more pkgs in a RHSA, but not all of them are actually affected from the CVE, + the images that will have to be rebuild will be only the ones affected. + This test is checking this process. + """ + self.event.advisory.affected_pkgs = [{'product': 'whatever', 'pkg_name': 'httpd'}] + self.get_builds.return_value = ["httpd-2.4-11.el7", "foo-1-1"] + for x in self.handler._find_images_to_rebuild(123456): + pass + + self.find_images_to_rebuild.assert_called_once_with( + set(['httpd-2.4-11.el7']), ['content-set-1'], + filter_fnc=self.handler._filter_out_not_allowed_builds, + published=True, release_categories=('Generally Available', 'Tech Preview', 'Beta'), + leaf_container_images=None) + class TestAllowBuild(helpers.ModelsTestCase): """Test RebuildImagesOnRPMAdvisoryChange.allow_build"""
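Review bot: `test_whitelist_affected_packages` pins only the happy path where one listed package matches a build; the two boundary cases the production comment promises are untested — `affected_pkgs` empty (must fall back to rebuilding everything, i.e. `set(['httpd-2.4-11.el7', 'foo-1-1'])`) and `affected_pkgs` naming no build at all, where the current code ends up passing an empty set to `find_images_to_rebuild`. Add one test for each so the fallback semantics for security advisories are locked in rather than implied. Minor wording in the docstring: `the images that will have to be rebuilt will be only the ones affected`, and `for x in ...: pass` reads more clearly as `list(self.handler._find_images_to_rebuild(123456))`. The enclosing `TestFindImagesToRebuild` class begins before this hunk.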