peridot/apollo/workflow/downstream_check.go

// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.
// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.
// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice,
// this list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors
// may be used to endorse or promote products derived from this software without
// specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.

package workflow

import (
	"context"
	"fmt"
	"github.com/sirupsen/logrus"
	"go.temporal.io/sdk/activity"
	"go.temporal.io/sdk/workflow"
	apollodb "peridot.resf.org/apollo/db"
	apollopb "peridot.resf.org/apollo/pb"
	"peridot.resf.org/apollo/rpmutils"
	"peridot.resf.org/utils"
	"strings"
	"time"
)

func (c *Controller) DownstreamCVECheckActivity(ctx context.Context) error {
	go func() {
		for {
			activity.RecordHeartbeat(ctx)
			time.Sleep(10 * time.Second)
		}
	}()

	pendingProducts, err := c.db.GetPendingAffectedProducts()
	if err != nil {
		logrus.Errorf("could not get fixed cves: %v", err)
		return fmt.Errorf("could not get fixed cves")
	}

	for _, affectedProduct := range pendingProducts {
		if !affectedProduct.CveID.Valid {
			continue
		}

		err = func() error {
			willNotFixOnly := true
			allFixed := true

			switch affectedProduct.State {
			case
				int(apollopb.AffectedProduct_STATE_WILL_NOT_FIX_UPSTREAM),
				int(apollopb.AffectedProduct_STATE_OUT_OF_SUPPORT_SCOPE):
				return nil
			case
				int(apollopb.AffectedProduct_STATE_UNDER_INVESTIGATION_UPSTREAM),
				int(apollopb.AffectedProduct_STATE_AFFECTED_UPSTREAM):
				allFixed = false
				willNotFixOnly = false
				return nil
			}

			product, err := c.db.GetProductByID(affectedProduct.ProductID)
			if err != nil {
				logrus.Errorf("could not get product with id %d: %v", affectedProduct.ProductID, err)
				return err
			}

			ignoredUpstreamPackages, err := c.db.GetAllIgnoredPackagesByProductID(product.ID)
			if err != nil {
				logrus.Errorf("could not get ignored packages: %v", err)
				return err
			}

			beginTx, err := c.db.Begin()
			if err != nil {
				logrus.Errorf("could not begin transaction: %v", err)
				return err
			}
			tx := c.db.UseTransaction(beginTx)

			skipProduct := false
			defer func(skipProduct *bool, affectedProduct apollodb.AffectedProduct) {
				if *skipProduct {
					logrus.Infof("%s: Skipping package for now", affectedProduct.Package)
					_ = beginTx.Rollback()
				}
			}(&skipProduct, *affectedProduct)

			cve, err := c.db.GetCVEByID(affectedProduct.CveID.String)
			if err != nil {
				return err
			}

			nvrOnly := strings.Replace(affectedProduct.Package, ":", "-", 1)
			if rpmutils.Module().MatchString(nvrOnly) {
				if !affectedProduct.Advisory.Valid {
					skipProduct = true
				}

				redHatAdvisory, err := c.errata.GetErrata(affectedProduct.Advisory.String)
				if err != nil {
					logrus.Errorf("Could not get Red Hat Advisory: %v", err)
					skipProduct = true
				}

				for _, arch := range product.Archs {
					redHatProductName := affectedProductNameForArchAndVersion(arch, product.RedHatMajorVersion.Int32)
					affected := redHatAdvisory.AffectedProducts[redHatProductName]
					if affected == nil {
						continue
					}
					srpms := affected.SRPMs
					for _, srpm := range srpms {
						status := c.checkKojiForBuild(tx, ignoredUpstreamPackages, srpm, affectedProduct, cve)
						if status == apollopb.BuildStatus_BUILD_STATUS_SKIP {
							skipProduct = true
							break
						} else if status == apollopb.BuildStatus_BUILD_STATUS_FIXED {
							willNotFixOnly = false
						} else if status == apollopb.BuildStatus_BUILD_STATUS_NOT_FIXED {
							allFixed = false
							willNotFixOnly = false
						}
					}
					break
				}
				if skipProduct {
					logrus.Errorf("%s has not been fixed for NVR %s", cve.ID, nvrOnly)
				}
			} else {
				nvrOnly = rpmutils.Epoch().ReplaceAllString(affectedProduct.Package, "")
				status := c.checkKojiForBuild(tx, ignoredUpstreamPackages, nvrOnly, affectedProduct, cve)
				if status == apollopb.BuildStatus_BUILD_STATUS_SKIP {
					skipProduct = true
				} else if status == apollopb.BuildStatus_BUILD_STATUS_FIXED {
					willNotFixOnly = false
				} else if status == apollopb.BuildStatus_BUILD_STATUS_NOT_FIXED {
					allFixed = false
					willNotFixOnly = false
				}
			}

			if !skipProduct {
				newState := apollopb.AffectedProduct_STATE_FIXED_UPSTREAM
				if allFixed {
					newState = apollopb.AffectedProduct_STATE_FIXED_DOWNSTREAM
				}
				if willNotFixOnly {
					newState = apollopb.AffectedProduct_STATE_WILL_NOT_FIX_UPSTREAM
				}
				err := tx.UpdateAffectedProductStateAndPackageAndAdvisory(affectedProduct.ID, int(newState), affectedProduct.Package, utils.NullStringToPointer(affectedProduct.Advisory))
				if err != nil {
					logrus.Errorf("Could not save new CVE state: %v", err)
					return err
				}
				err = beginTx.Commit()
				if err != nil {
					logrus.Errorf("could not commit transaction: %v", err)
					return err
				}

				logrus.Infof("%s is now set to %s", cve.ID, newState.String())
			}

			return nil
		}()
		if err != nil {
			return err
		}
	}

	return nil
}

func (c *Controller) DownstreamCVECheckWorkflow(ctx workflow.Context) error {
	activityCtx := workflow.WithActivityOptions(ctx, workflow.ActivityOptions{
		ScheduleToStartTimeout: 30 * time.Minute,
		StartToCloseTimeout:    6 * time.Hour,
		HeartbeatTimeout:       30 * time.Second,
	})
	return workflow.ExecuteActivity(activityCtx, c.DownstreamCVECheckActivity).Get(ctx, nil)
}
Sync-01 - 10/30/2022 2022-10-30 01:59:25 +00:00			`// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.`
			`// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.`
			`// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.`
			`//`
			`// Redistribution and use in source and binary forms, with or without`
			`// modification, are permitted provided that the following conditions are met:`
			`//`
			`// 1. Redistributions of source code must retain the above copyright notice,`
			`// this list of conditions and the following disclaimer.`
			`//`
			`// 2. Redistributions in binary form must reproduce the above copyright notice,`
			`// this list of conditions and the following disclaimer in the documentation`
			`// and/or other materials provided with the distribution.`
			`//`
			`// 3. Neither the name of the copyright holder nor the names of its contributors`
			`// may be used to endorse or promote products derived from this software without`
			`// specific prior written permission.`
			`//`
			`// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE`
			`// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
			`// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
			`// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
			`// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
			`// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`// POSSIBILITY OF SUCH DAMAGE.`

			`package workflow`

			`import (`
			`"context"`
			`"fmt"`
			`"github.com/sirupsen/logrus"`
			`"go.temporal.io/sdk/activity"`
			`"go.temporal.io/sdk/workflow"`
			`apollodb "peridot.resf.org/apollo/db"`
			`apollopb "peridot.resf.org/apollo/pb"`
			`"peridot.resf.org/apollo/rpmutils"`
			`"peridot.resf.org/utils"`
			`"strings"`
			`"time"`
			`)`

			`func (c *Controller) DownstreamCVECheckActivity(ctx context.Context) error {`
			`go func() {`
			`for {`
			`activity.RecordHeartbeat(ctx)`
			`time.Sleep(10 * time.Second)`
			`}`
			`}()`

			`pendingProducts, err := c.db.GetPendingAffectedProducts()`
			`if err != nil {`
			`logrus.Errorf("could not get fixed cves: %v", err)`
			`return fmt.Errorf("could not get fixed cves")`
			`}`

			`for _, affectedProduct := range pendingProducts {`
			`if !affectedProduct.CveID.Valid {`
			`continue`
			`}`

			`err = func() error {`
			`willNotFixOnly := true`
			`allFixed := true`

			`switch affectedProduct.State {`
			`case`
			`int(apollopb.AffectedProduct_STATE_WILL_NOT_FIX_UPSTREAM),`
			`int(apollopb.AffectedProduct_STATE_OUT_OF_SUPPORT_SCOPE):`
			`return nil`
			`case`
			`int(apollopb.AffectedProduct_STATE_UNDER_INVESTIGATION_UPSTREAM),`
			`int(apollopb.AffectedProduct_STATE_AFFECTED_UPSTREAM):`
			`allFixed = false`
			`willNotFixOnly = false`
			`return nil`
			`}`

			`product, err := c.db.GetProductByID(affectedProduct.ProductID)`
			`if err != nil {`
			`logrus.Errorf("could not get product with id %d: %v", affectedProduct.ProductID, err)`
			`return err`
			`}`

			`ignoredUpstreamPackages, err := c.db.GetAllIgnoredPackagesByProductID(product.ID)`
			`if err != nil {`
			`logrus.Errorf("could not get ignored packages: %v", err)`
			`return err`
			`}`

			`beginTx, err := c.db.Begin()`
			`if err != nil {`
			`logrus.Errorf("could not begin transaction: %v", err)`
			`return err`
			`}`
			`tx := c.db.UseTransaction(beginTx)`

			`skipProduct := false`
			`defer func(skipProduct *bool, affectedProduct apollodb.AffectedProduct) {`
			`if *skipProduct {`
			`logrus.Infof("%s: Skipping package for now", affectedProduct.Package)`
			`_ = beginTx.Rollback()`
			`}`
			`}(&skipProduct, *affectedProduct)`

			`cve, err := c.db.GetCVEByID(affectedProduct.CveID.String)`
			`if err != nil {`
			`return err`
			`}`

			`nvrOnly := strings.Replace(affectedProduct.Package, ":", "-", 1)`
			`if rpmutils.Module().MatchString(nvrOnly) {`
			`if !affectedProduct.Advisory.Valid {`
			`skipProduct = true`
			`}`

			`redHatAdvisory, err := c.errata.GetErrata(affectedProduct.Advisory.String)`
			`if err != nil {`
			`logrus.Errorf("Could not get Red Hat Advisory: %v", err)`
			`skipProduct = true`
			`}`

			`for _, arch := range product.Archs {`
			`redHatProductName := affectedProductNameForArchAndVersion(arch, product.RedHatMajorVersion.Int32)`
			`affected := redHatAdvisory.AffectedProducts[redHatProductName]`
			`if affected == nil {`
			`continue`
			`}`
			`srpms := affected.SRPMs`
			`for _, srpm := range srpms {`
			`status := c.checkKojiForBuild(tx, ignoredUpstreamPackages, srpm, affectedProduct, cve)`
			`if status == apollopb.BuildStatus_BUILD_STATUS_SKIP {`
			`skipProduct = true`
			`break`
			`} else if status == apollopb.BuildStatus_BUILD_STATUS_FIXED {`
			`willNotFixOnly = false`
			`} else if status == apollopb.BuildStatus_BUILD_STATUS_NOT_FIXED {`
			`allFixed = false`
			`willNotFixOnly = false`
			`}`
			`}`
			`break`
			`}`
			`if skipProduct {`
			`logrus.Errorf("%s has not been fixed for NVR %s", cve.ID, nvrOnly)`
			`}`
			`} else {`
			`nvrOnly = rpmutils.Epoch().ReplaceAllString(affectedProduct.Package, "")`
			`status := c.checkKojiForBuild(tx, ignoredUpstreamPackages, nvrOnly, affectedProduct, cve)`
			`if status == apollopb.BuildStatus_BUILD_STATUS_SKIP {`
			`skipProduct = true`
			`} else if status == apollopb.BuildStatus_BUILD_STATUS_FIXED {`
			`willNotFixOnly = false`
			`} else if status == apollopb.BuildStatus_BUILD_STATUS_NOT_FIXED {`
			`allFixed = false`
			`willNotFixOnly = false`
			`}`
			`}`

			`if !skipProduct {`
			`newState := apollopb.AffectedProduct_STATE_FIXED_UPSTREAM`
			`if allFixed {`
			`newState = apollopb.AffectedProduct_STATE_FIXED_DOWNSTREAM`
			`}`
			`if willNotFixOnly {`
			`newState = apollopb.AffectedProduct_STATE_WILL_NOT_FIX_UPSTREAM`
			`}`
			`err := tx.UpdateAffectedProductStateAndPackageAndAdvisory(affectedProduct.ID, int(newState), affectedProduct.Package, utils.NullStringToPointer(affectedProduct.Advisory))`
			`if err != nil {`
			`logrus.Errorf("Could not save new CVE state: %v", err)`
			`return err`
			`}`
			`err = beginTx.Commit()`
			`if err != nil {`
			`logrus.Errorf("could not commit transaction: %v", err)`
			`return err`
			`}`

			`logrus.Infof("%s is now set to %s", cve.ID, newState.String())`
			`}`

			`return nil`
			`}()`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func (c *Controller) DownstreamCVECheckWorkflow(ctx workflow.Context) error {`
			`activityCtx := workflow.WithActivityOptions(ctx, workflow.ActivityOptions{`
			`ScheduleToStartTimeout: 30 * time.Minute,`
			`StartToCloseTimeout: 6 * time.Hour,`
			`HeartbeatTimeout: 30 * time.Second,`
			`})`
			`return workflow.ExecuteActivity(activityCtx, c.DownstreamCVECheckActivity).Get(ctx, nil)`
			`}`