From 87fa77b02b73f591682a0b99a59d6ebd0f6367a6 Mon Sep 17 00:00:00 2001 From: Jan Dobes Date: Thu, 2 Nov 2023 15:57:49 +0100 Subject: [PATCH] refactor: change selects to use the system_cve_data table RHINENG-2328 --- manager/cve_handler.py | 45 ++++++++++++++++++++---------- manager/filters.py | 7 ++--- manager/system_handler.py | 40 ++++++++++++++++---------- manager/vulnerabilities_handler.py | 13 +++++++-- taskomatic/jobs/cacheman.py | 21 ++++++++++---- taskomatic/jobs/usage_metrics.py | 4 ++- 6 files changed, 88 insertions(+), 42 deletions(-) diff --git a/manager/cve_handler.py b/manager/cve_handler.py index 7bfd07362..e966d85cf 100644 --- a/manager/cve_handler.py +++ b/manager/cve_handler.py @@ -59,6 +59,7 @@ from common.peewee_model import InventoryHosts from common.peewee_model import RHAccount from common.peewee_model import Status +from common.peewee_model import SystemCveData from common.peewee_model import SystemPlatform from common.peewee_model import SystemVulnerabilities from common.peewee_model import SystemVulnerablePackage @@ -220,9 +221,9 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte SystemPlatform.stale_timestamp, SystemPlatform.stale_warning_timestamp, SystemPlatform.culled_timestamp, - Status.id.alias("status_id"), - Status.name.alias("status_name"), - SystemVulnerabilities.status_text.alias("status_text"), + fn.COALESCE(Status.id, 0).alias("status_id"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), + SystemCveData.status_text.alias("status_text"), SystemVulnerabilities.rule_hit_details, SystemVulnerabilities.when_mitigated, SystemVulnerabilities.first_reported, 
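Review bot: `DEFAULT_STATUS` is used in the new `status_name` selectable of `_full_query` (and again in `_unpatched_full_query`), but the only import hunk for manager/cve_handler.py adds `SystemCveData`, whereas system_handler.py needed a new `from .base import DEFAULT_STATUS` for the same expression. If the name is not already imported above the visible context, building these queries raises NameError at request time, so confirm the import or add `from .base import DEFAULT_STATUS`. A short comment above the COALESCE pair would also help the next reader, for example `# LEFT JOIN: a missing system_cve_data row falls back to status 0 / DEFAULT_STATUS`. The body of `_full_query` starts and ends outside this hunk.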
@@ -248,8 +249,10 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte subq = (SystemVulnerabilities .select(*selectables) .join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id)) - .join(Status, on=(SystemVulnerabilities.status_id == Status.id)) .join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) & (CveMetadata.id == CveAccountData.cve_id))) .join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id)) @@ -280,9 +283,9 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters): SystemPlatform.stale_timestamp, SystemPlatform.stale_warning_timestamp, SystemPlatform.culled_timestamp, - Value(0).alias("status_id"), - Value("Not Reviewed").alias("status_name"), - Value(None).alias("status_text"), + fn.COALESCE(Status.id, 0).alias("status_id"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), + SystemCveData.status_text.alias("status_text"), Value(None).alias("rule_hit_details"), Value(datetime.min).alias("when_mitigated"), SystemVulnerablePackage.first_reported, 
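Review bot: The two-line `SystemCveData` LEFT OUTER join added here is repeated verbatim in every query builder this commit touches in cve_handler.py, system_handler.py and vulnerabilities_handler.py, so there is no single place to review or change the join condition. A small helper next to `cyndi_join`, taking the query plus the system-id and CVE-id expressions, would keep the fixed and unpatched variants from drifting apart. The join matches on `system_id` and `cve_id` only and leaves tenant scoping to the account predicate on the driving table (visible in `_id_query` as `.where(SystemVulnerabilities.rh_account_id == rh_account_id)`). If `system_cve_data` carries an `rh_account_id` column, which this page does not show, adding `& (SystemCveData.rh_account_id == rh_account_id)` to the `on=` clause would make the scoping explicit at the join. `_full_query` continues outside the hunk.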
@@ -308,6 +311,9 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters): .join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id)) .join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id)) .join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) & (CveMetadata.id == CveAccountData.cve_id))) .where(CveMetadata.cve == synopsis) @@ -331,8 +337,8 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter= SystemPlatform.last_upload, SystemPlatform.advisor_evaluated.alias("rules_evaluation"), InsightsRule.name.alias("rule_id"), - SystemVulnerabilities.status_id.alias("status_id"), - SystemVulnerabilities.status_text.alias("status_text"), + fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + SystemCveData.status_text.alias("status_text"), SystemVulnerabilities.first_reported, SystemVulnerabilities.advisories, SystemVulnerabilities.mitigation_reason, @@ -348,6 +354,8 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter= ) .join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id)) .join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) .join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id)) .where(CveMetadata.cve == synopsis) .where(SystemVulnerabilities.rh_account_id == rh_account_id) 
@@ -372,8 +380,8 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters): SystemPlatform.last_upload, SystemPlatform.advisor_evaluated.alias("rules_evaluation"), Value(None).alias("rule_id"), - Value(0).alias("status_id"), - Value(None).alias("status_text"), + fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + SystemCveData.status_text.alias("status_text"), SystemVulnerablePackage.first_reported, Value(None).alias("advisories"), Value(None).alias("mitigation_reason"), @@ -391,6 +399,8 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters): .join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id)) .join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id)) .join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) .where(CveMetadata.cve == synopsis) .where(SystemVulnerablePackage.rh_account_id == rh_account_id) .where(system_is_active(rh_account_id=rh_account_id, edge=edge_feature_arg()))) 
@@ -496,28 +506,35 @@ def _cve_details(cls, synopsis, advisory_available): remediation_filter, return_only_first_subq = get_remediation_filter(advisory_available) status_detail_fixed = (SystemVulnerabilities - .select(SystemVulnerabilities.status_id, fn.Count(SystemVulnerabilities.status_id).alias("systems")) + .select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems")) .join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id)) .join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) .join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id)) .where(CveMetadata.cve == synopsis) .where(SystemVulnerabilities.rh_account_id == rh_account_id) .where(system_is_active(rh_account_id=rh_account_id, edge=edge)) .where(system_is_vulnerable()) - .group_by(SystemVulnerabilities.status_id) + .group_by(fn.COALESCE(SystemCveData.status_id, 0)) .dicts()) if remediation_filter: status_detail_fixed = status_detail_fixed.where(SystemVulnerabilities.remediation_type_id << remediation_filter) status_detail_fixed = cyndi_join(status_detail_fixed) status_detail_unfixed = (SystemVulnerablePackage - .select(Value(0).alias("status_id"), fn.Count(SystemVulnerablePackage.id).alias("systems")) + .select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems")) .join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id)) .join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id)) .join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id 
== SystemCveData.cve_id))) .where(CveMetadata.cve == synopsis) .where(SystemVulnerablePackage.rh_account_id == rh_account_id) .where(system_is_active(rh_account_id=rh_account_id, edge=edge)) + .group_by(fn.COALESCE(SystemCveData.status_id, 0)) .dicts()) status_detail_unfixed = cyndi_join(status_detail_unfixed) diff --git a/manager/filters.py b/manager/filters.py index a27ddd250..cd6b9327a 100644 --- a/manager/filters.py +++ b/manager/filters.py @@ -18,6 +18,7 @@ from common.peewee_model import CveRuleMapping from common.peewee_model import InsightsRule from common.peewee_model import InventoryHosts +from common.peewee_model import SystemCveData from common.peewee_model import SystemPlatform from common.peewee_model import SystemVulnerabilities from common.peewee_model import SystemVulnerablePackage @@ -330,11 +331,7 @@ def _filter_system_cve_by_status(query, args, _kwargs): object: Modified query with system CVE status filter applied """ if "status_id" in args and args["status_id"]: - if "unfixed" in _kwargs and True in _kwargs["unfixed"]: - # We need to filter out unfixed vulnerabilities and must reference dummy values because some tables are non existent - query = query.where(Value(0) << args["status_id"]) - else: - query = query.where(SystemVulnerabilities.status_id << args["status_id"]) + query = query.where(fn.COALESCE(SystemCveData.status_id, 0) << args["status_id"]) return query diff --git a/manager/system_handler.py b/manager/system_handler.py index 991b41195..b13780630 100644 --- a/manager/system_handler.py +++ b/manager/system_handler.py @@ -16,6 +16,7 @@ from .base import cyndi_join from .base import DEFAULT_BUSINESS_RISK from .base import DEFAULT_REMEDIATION_FILTER +from .base import DEFAULT_STATUS from .base import get_account_data from .base import get_remediation_filter from .base import GetRequest 
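Review bot: `_filter_system_cve_by_status` now references `SystemCveData.status_id` unconditionally, so it only works on queries that already join `SystemCveData`; a caller that has not will fail at the database as soon as a `status_id` argument is supplied. The docstring should state that precondition, for example `query must already LEFT OUTER join SystemCveData; rows without a match are treated as status 0`. `_kwargs` is no longer read now that the `unfixed` branch is gone, and `Value` may have become unused in this module. It is also worth checking that `fn` is imported in filters.py, since the import hunk adds only `SystemCveData`. The `<<` operator keeps the ids taken from `args` as bound parameters, which should stay that way.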
@@ -50,6 +51,7 @@ from common.peewee_model import InsightsRule from common.peewee_model import InventoryHosts from common.peewee_model import Status +from common.peewee_model import SystemCveData from common.peewee_model import SystemPlatform from common.peewee_model import SystemVulnerabilities from common.peewee_model import SystemVulnerablePackage @@ -183,9 +185,9 @@ def _full_query(rh_account_id, query_args, parsed_args, filters, remediation_fil CveMetadata.exploit_data, CveMetadata.impact_id, fn.COALESCE(CveAccountData.status_id, 0).alias("cve_status_id"), - Status.id.alias("status_id"), - Status.name.alias("status_name"), - SystemVulnerabilities.status_text.alias("status_text"), + fn.COALESCE(Status.id, 0).alias("status_id"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), + SystemCveData.status_text.alias("status_text"), SystemVulnerabilities.when_mitigated, SystemVulnerabilities.first_reported, SystemVulnerabilities.advisories, @@ -208,8 +210,10 @@ def _full_query(rh_account_id, query_args, parsed_args, filters, remediation_fil .join(SystemPlatform, on=((SystemVulnerabilities.system_id == SystemPlatform.id) & system_is_active(edge=None, stale=None, rh_account_id=rh_account_id))) .join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) .join(CveImpact, on=(CveMetadata.impact_id == CveImpact.id)) - .join(Status, on=(SystemVulnerabilities.status_id == Status.id)) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.cve_id == CveMetadata.id) & (CveAccountData.rh_account_id == rh_account_id))) .join(BusinessRisk, JOIN.LEFT_OUTER, on=(CveAccountData.business_risk_id == BusinessRisk.id)) 
@@ -240,9 +244,9 @@ def _unpatched_full_query(rh_account_id, query_args, parsed_args, filters): CveMetadata.exploit_data, CveMetadata.impact_id, fn.COALESCE(CveAccountData.status_id, 0).alias("cve_status_id"), - Value(0).alias("status_id"), - Value("Not Reviewed").alias("status_name"), - Value(None).alias("status_text"), + fn.COALESCE(Status.id, 0).alias("status_id"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), + SystemCveData.status_text.alias("status_text"), Value(None).alias("when_mitigated"), SystemVulnerablePackage.first_reported, Value(None).alias("advisories"), @@ -266,6 +270,9 @@ def _unpatched_full_query(rh_account_id, query_args, parsed_args, filters): system_is_active(edge=None, stale=None, rh_account_id=rh_account_id)) .join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id)) .join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveImpact, on=(CveMetadata.impact_id == CveImpact.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.cve_id == CveMetadata.id) & (CveAccountData.rh_account_id == rh_account_id))) 
@@ -295,10 +302,10 @@ def _id_query(rh_account_id, query_args, parsed_args, filters, remediation_filte fn.COALESCE(CveAccountData.business_risk_id, 0).alias("business_risk_id"), fn.COALESCE(BusinessRisk.name, DEFAULT_BUSINESS_RISK).alias("business_risk"), SystemVulnerabilities.first_reported, - SystemVulnerabilities.status_id, - SystemVulnerabilities.status_text, + fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + SystemCveData.status_text.alias("status_text"), SystemVulnerabilities.advisories, - Status.name.alias("status_name"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), InsightsRule.name.alias("rule_id"), InsightsRule.description_text, fn.COALESCE(CveAccountData.status_id, 0).alias("cve_status_id"), @@ -310,7 +317,9 @@ def _id_query(rh_account_id, query_args, parsed_args, filters, remediation_filte .join(SystemPlatform, on=((SystemVulnerabilities.system_id == SystemPlatform.id) & system_is_active(edge=None, stale=None, rh_account_id=rh_account_id))) .join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id)) - .join(Status, on=(SystemVulnerabilities.status_id == Status.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.cve_id == CveMetadata.id) & (CveAccountData.rh_account_id == rh_account_id))) .join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id)) 
@@ -343,10 +352,10 @@ def _unpatched_id_query(rh_account_id, query_args, parsed_args, filters): fn.COALESCE(CveAccountData.business_risk_id, 0).alias("business_risk_id"), fn.COALESCE(BusinessRisk.name, DEFAULT_BUSINESS_RISK).alias("business_risk"), SystemVulnerablePackage.first_reported, - Value(0).alias("status_id"), - Value(None).alias("status_text"), + fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"), + SystemCveData.status_text.alias("status_text"), Value(None).alias("advisories"), - Value("Not Reviewed").alias("status_name"), + fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"), Value(None).alias("rule_id"), Value(None).alias("description_text"), fn.COALESCE(CveAccountData.status_id, 0).alias("cve_status_id"), @@ -359,6 +368,9 @@ def _unpatched_id_query(rh_account_id, query_args, parsed_args, filters): system_is_active(edge=None, stale=None, rh_account_id=rh_account_id)) .join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id)) .join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id)) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (CveMetadata.id == SystemCveData.cve_id))) + .join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id)) .join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.cve_id == CveMetadata.id) & (CveAccountData.rh_account_id == rh_account_id))) .join(CveImpact, on=(CveMetadata.impact_id == CveImpact.id)) diff --git a/manager/vulnerabilities_handler.py b/manager/vulnerabilities_handler.py index b261632c8..68a7c2dd9 100644 --- a/manager/vulnerabilities_handler.py +++ b/manager/vulnerabilities_handler.py 
@@ -48,6 +48,7 @@ from common.peewee_model import CveRuleMapping from common.peewee_model import InsightsRule from common.peewee_model import Status +from common.peewee_model import SystemCveData from common.peewee_model import SystemPlatform from common.peewee_model import SystemVulnerabilities from common.peewee_model import SystemVulnerablePackage @@ -200,12 +201,15 @@ def _count_subquery(rh_account_id, args, filters, remediation_filter=None): .select(SystemVulnerabilities.cve_id.alias("cve_id_"), fn.SUM(Case(None, ((SystemPlatform.host_type.is_null(True), 1),), 0)).alias("systems_affected_rpmdnf_"), fn.SUM(Case(None, ((SystemPlatform.host_type == "edge", 1),), 0)).alias("systems_affected_edge_"), - fn.SUM(Case(None, ((SystemVulnerabilities.status_id != CveAccountData.status_id, 1),), 0)).alias("systems_status_divergent_"), + fn.SUM(Case(None, ((fn.COALESCE(SystemCveData.status_id, 0) != CveAccountData.status_id, 1),), 0)) + .alias("systems_status_divergent_"), fn.Bool_Or(SystemVulnerabilities.advisory_available).alias("advisory_available_")) .join(SystemPlatform, on=((SystemVulnerabilities.system_id == SystemPlatform.id) & system_is_active(rh_account_id=rh_account_id, edge=edge_feature_arg()))) .join(CveAccountData, JOIN.LEFT_OUTER, on=((SystemVulnerabilities.cve_id == CveAccountData.cve_id) & (CveAccountData.rh_account_id == rh_account_id))) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (SystemVulnerabilities.cve_id == SystemCveData.cve_id))) .where(SystemVulnerabilities.rh_account_id == rh_account_id) .where(system_is_vulnerable()) .group_by(SystemVulnerabilities.cve_id)) 
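Review bot: In the `systems_status_divergent_` expression of `_count_subquery`, the right-hand side `CveAccountData.status_id` comes from a LEFT OUTER join and is NULL when the account has no row for the CVE, so the `!=` comparison evaluates to NULL and the system is never counted as divergent, even when its own status is non-zero. Other selects in this commit treat a missing account row as status 0 (`fn.COALESCE(CveAccountData.status_id, 0).alias("cve_status_id")` in system_handler.py), so the comparison should probably do the same: `fn.COALESCE(SystemCveData.status_id, 0) != fn.COALESCE(CveAccountData.status_id, 0)`. The same comparison appears in `_unpatched_count_subquery` and, as SQL, in `_select_count_affected` and `_select_count_unpatched` in taskomatic/jobs/cacheman.py. The subquery starts above the hunk.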
@@ -227,11 +231,16 @@ def _unpatched_count_subquery(rh_account_id, args, filters): .alias("systems_affected_rpmdnf_"), fn.COUNT(fn.DISTINCT(Case(None, ((SystemPlatform.host_type == "edge", SystemPlatform.id),), None))) .alias("systems_affected_edge_"), - Value(0).alias("systems_status_divergent_"), + fn.SUM(Case(None, ((fn.COALESCE(SystemCveData.status_id, 0) != CveAccountData.status_id, 1),), 0)) + .alias("systems_status_divergent_"), Value(False).alias("advisory_available_")) .join(SystemPlatform, on=((SystemVulnerablePackage.system_id == SystemPlatform.id) & system_is_active(rh_account_id=rh_account_id, edge=edge_feature_arg()))) .join(VulnerablePackageCVE, on=((SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id))) + .join(CveAccountData, JOIN.LEFT_OUTER, on=((VulnerablePackageCVE.cve_id == CveAccountData.cve_id) + & (CveAccountData.rh_account_id == rh_account_id))) + .join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id) + & (VulnerablePackageCVE.cve_id == SystemCveData.cve_id))) .where(SystemVulnerablePackage.rh_account_id == rh_account_id) .group_by(VulnerablePackageCVE.cve_id)) unfixed_subq = cyndi_join(unfixed_subq) diff --git a/taskomatic/jobs/cacheman.py b/taskomatic/jobs/cacheman.py index 6ec4def09..be012b067 100644 --- a/taskomatic/jobs/cacheman.py +++ b/taskomatic/jobs/cacheman.py 
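Review bot: The new `systems_status_divergent_` column in `_unpatched_count_subquery` sums one per joined row, while the neighbouring `systems_affected_rpmdnf_` and `systems_affected_edge_` columns count distinct `SystemPlatform.id` values, which suggests a system can appear several times per CVE in the `SystemVulnerablePackage` × `VulnerablePackageCVE` join. If so, a system with several vulnerable packages for one CVE is counted as divergent several times, and the value can exceed the affected-systems count it is reported beside. Counting distinct systems keeps the columns comparable: `fn.COUNT(fn.DISTINCT(Case(None, ((fn.COALESCE(SystemCveData.status_id, 0) != CveAccountData.status_id, SystemPlatform.id),), None)))`. `_select_count_unpatched` in taskomatic/jobs/cacheman.py has the same shape (`COUNT(DISTINCT svp.system_id)` beside `SUM(CASE ...)`) and would need `COUNT(DISTINCT CASE WHEN ... THEN svp.system_id END)`.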
@@ -58,9 +58,11 @@ def _select_count_affected(account_id, group_ids, all_host_types=False): """ SELECT sv.cve_id, COUNT(*) FILTER (WHERE sv.remediation_type_id != 0) AS systems_affected, - SUM(CASE WHEN sv.status_id != cad.status_id AND sv.remediation_type_id != 0 THEN 1 ELSE 0 END) AS systems_status_divergent, + SUM(CASE WHEN COALESCE(scd.status_id, 0) != cad.status_id AND sv.remediation_type_id != 0 THEN 1 ELSE 0 END) + AS systems_status_divergent, COUNT(*) FILTER (WHERE sv.remediation_type_id = 0) AS systems_affected_unpatched, - SUM(CASE WHEN sv.status_id != cad.status_id AND sv.remediation_type_id = 0 THEN 1 ELSE 0 END) AS systems_status_divergent_unpatched, + SUM(CASE WHEN COALESCE(scd.status_id, 0) != cad.status_id AND sv.remediation_type_id = 0 THEN 1 ELSE 0 END) + AS systems_status_divergent_unpatched, BOOL_OR(sv.advisory_available) AS advisory_available FROM system_vulnerabilities_active sv INNER JOIN system_platform sp ON (sv.system_id = sp.id AND @@ -70,7 +72,9 @@ def _select_count_affected(account_id, group_ids, all_host_types=False): sp.when_deleted IS NULL{host_type_cond}) INNER JOIN inventory.hosts ih ON sp.inventory_id = ih.id LEFT JOIN cve_account_data cad ON (sv.cve_id = cad.cve_id AND - cad.rh_account_id = %s) + cad.rh_account_id = %s) LEFT JOIN + system_cve_data scd ON (sv.system_id = scd.system_id AND + sv.cve_id = scd.cve_id) WHERE sv.rh_account_id = %s AND (sv.when_mitigated IS NULL OR (sv.mitigation_reason IS NULL AND sv.rule_id IN (SELECT id FROM insights_rule WHERE active = true AND 
@@ -93,7 +97,8 @@ def _select_count_unpatched(account_id, group_ids, all_host_types=False): 0 AS systems_affected, 0 AS systems_status_divergent, COUNT(DISTINCT svp.system_id) AS systems_affected_unpatched, - 0 AS systems_status_divergent_unpatched, + SUM(CASE WHEN COALESCE(scd.status_id, 0) != cad.status_id THEN 1 ELSE 0 END) + AS systems_status_divergent_unpatched, FALSE AS advisory_available FROM system_vulnerable_package svp INNER JOIN system_platform sp ON (svp.system_id = sp.id AND @@ -102,12 +107,16 @@ def _select_count_unpatched(account_id, group_ids, all_host_types=False): sp.stale = false AND sp.when_deleted IS NULL{host_type_cond}) INNER JOIN inventory.hosts ih ON sp.inventory_id = ih.id INNER JOIN - vulnerable_package_cve vpc ON svp.vulnerable_package_id = vpc.vulnerable_package_id + vulnerable_package_cve vpc ON svp.vulnerable_package_id = vpc.vulnerable_package_id LEFT JOIN + cve_account_data cad ON (vpc.cve_id = cad.cve_id AND + cad.rh_account_id = %s) LEFT JOIN + system_cve_data scd ON (svp.system_id = scd.system_id AND + vpc.cve_id = scd.cve_id) WHERE svp.rh_account_id = %s {groups_cond} GROUP BY vpc.cve_id """ ).format(host_type_cond=host_type_cond, groups_cond=groups_cond), - [account_id, account_id, groups_arg], + [account_id, account_id, account_id, groups_arg], ) diff --git a/taskomatic/jobs/usage_metrics.py b/taskomatic/jobs/usage_metrics.py index 71e6c0fdc..954eb7c78 100644 --- a/taskomatic/jobs/usage_metrics.py +++ b/taskomatic/jobs/usage_metrics.py @@ -111,7 +111,9 @@ def query_system_cve_status_usage(self): ON sv.system_id = sp.id JOIN rh_account ra ON sp.rh_account_id = ra.id - WHERE sv.status_id != 0 + LEFT JOIN system_cve_data scd + ON (sv.system_id = scd.system_id AND sv.cve_id = scd.cve_id) + WHERE COALESCE(scd.status_id, 0) != 0 AND sp.opt_out = false AND sp.stale = false AND sp.when_deleted IS NULL
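Review bot: The parameter list in `_select_count_unpatched` grows to `[account_id, account_id, account_id, groups_arg]` and has to stay in step with the order of the `%s` placeholders in a query that is also assembled with `.format(...)`, which is easy to get wrong on the next edit. If the driver in use accepts named placeholders, `%(account_id)s` and `%(groups)s` with a dict would remove the ordering dependency. The added `LEFT JOIN` keywords are appended to the end of the preceding line (`... = vpc.vulnerable_package_id LEFT JOIN`), which hides the join type when scanning the query; starting each join on its own line would read better. The function starts above the hunk.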
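Review bot: In `query_system_cve_status_usage`, `LEFT JOIN system_cve_data` followed by `WHERE COALESCE(scd.status_id, 0) != 0` discards every row the outer join preserved, so it behaves as an inner join; `JOIN system_cve_data scd ON (...)` with `WHERE scd.status_id != 0` says that directly. The query still appears to drive from `sv` (its FROM clause is above the hunk), so a status stored for a system and CVE pair that has no `sv` row would not be counted by this metric. Elsewhere in this commit the unpatched queries also read status from `system_cve_data`, so it is worth confirming whether the metric should start from `system_cve_data` instead.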