Skip to content

Commit

Permalink
refactor: change selects to use the system_cve_data table
Browse files Browse the repository at this point in the history
RHINENG-2328
  • Loading branch information
jdobes committed Nov 2, 2023
1 parent 349ecd7 commit d63c0d4
Show file tree
Hide file tree
Showing 6 changed files with 87 additions and 41 deletions.
45 changes: 31 additions & 14 deletions manager/cve_handler.py
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@
from common.peewee_model import InventoryHosts
from common.peewee_model import RHAccount
from common.peewee_model import Status
from common.peewee_model import SystemCveData
from common.peewee_model import SystemPlatform
from common.peewee_model import SystemVulnerabilities
from common.peewee_model import SystemVulnerablePackage
Expand Down Expand Up @@ -220,9 +221,9 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte
SystemPlatform.stale_timestamp,
SystemPlatform.stale_warning_timestamp,
SystemPlatform.culled_timestamp,
Status.id.alias("status_id"),
Status.name.alias("status_name"),
SystemVulnerabilities.status_text.alias("status_text"),
fn.COALESCE(Status.id, 0).alias("status_id"),
fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"),
SystemCveData.status_text.alias("status_text"),
SystemVulnerabilities.rule_hit_details,
SystemVulnerabilities.when_mitigated,
SystemVulnerabilities.first_reported,
Expand All @@ -248,8 +249,10 @@ def _full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filte
subq = (SystemVulnerabilities
.select(*selectables)
.join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id))
.join(Status, on=(SystemVulnerabilities.status_id == Status.id))
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id)
& (CveMetadata.id == CveAccountData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
Expand Down Expand Up @@ -280,9 +283,9 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters):
SystemPlatform.stale_timestamp,
SystemPlatform.stale_warning_timestamp,
SystemPlatform.culled_timestamp,
Value(0).alias("status_id"),
Value("Not Reviewed").alias("status_name"),
Value(None).alias("status_text"),
fn.COALESCE(Status.id, 0).alias("status_id"),
fn.COALESCE(Status.name, DEFAULT_STATUS).alias("status_name"),
SystemCveData.status_text.alias("status_text"),
Value(None).alias("rule_hit_details"),
Value(datetime.min).alias("when_mitigated"),
SystemVulnerablePackage.first_reported,
Expand All @@ -308,6 +311,9 @@ def _unpatched_full_query(rh_account_id, synopsis, parsed_args, filters):
.join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id))
.join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id))
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(Status, JOIN.LEFT_OUTER, on=(SystemCveData.status_id == Status.id))
.join(CveAccountData, JOIN.LEFT_OUTER, on=((CveAccountData.rh_account_id == rh_account_id) &
(CveMetadata.id == CveAccountData.cve_id)))
.where(CveMetadata.cve == synopsis)
Expand All @@ -331,8 +337,8 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter=
SystemPlatform.last_upload,
SystemPlatform.advisor_evaluated.alias("rules_evaluation"),
InsightsRule.name.alias("rule_id"),
SystemVulnerabilities.status_id.alias("status_id"),
SystemVulnerabilities.status_text.alias("status_text"),
fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
SystemCveData.status_text.alias("status_text"),
SystemVulnerabilities.first_reported,
SystemVulnerabilities.advisories,
SystemVulnerabilities.mitigation_reason,
Expand All @@ -348,6 +354,8 @@ def _id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter=
)
.join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id))
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerabilities.rh_account_id == rh_account_id)
Expand All @@ -372,8 +380,8 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters):
SystemPlatform.last_upload,
SystemPlatform.advisor_evaluated.alias("rules_evaluation"),
Value(None).alias("rule_id"),
Value(0).alias("status_id"),
Value(None).alias("status_text"),
fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
SystemCveData.status_text.alias("status_text"),
SystemVulnerablePackage.first_reported,
Value(None).alias("advisories"),
Value(None).alias("mitigation_reason"),
Expand All @@ -391,6 +399,8 @@ def _unpatched_id_query(rh_account_id, synopsis, parsed_args, filters):
.join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id))
.join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id))
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerablePackage.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=edge_feature_arg())))
Expand Down Expand Up @@ -496,28 +506,35 @@ def _cve_details(cls, synopsis, advisory_available):
remediation_filter, return_only_first_subq = get_remediation_filter(advisory_available)

status_detail_fixed = (SystemVulnerabilities
.select(SystemVulnerabilities.status_id, fn.Count(SystemVulnerabilities.status_id).alias("systems"))
.select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems"))
.join(SystemPlatform, on=(SystemVulnerabilities.system_id == SystemPlatform.id))
.join(CveMetadata, on=(SystemVulnerabilities.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.join(InsightsRule, JOIN.LEFT_OUTER, on=(InsightsRule.id == SystemVulnerabilities.rule_id))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerabilities.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=edge))
.where(system_is_vulnerable())
.group_by(SystemVulnerabilities.status_id)
.group_by(fn.COALESCE(SystemCveData.status_id, 0))
.dicts())
if remediation_filter:
status_detail_fixed = status_detail_fixed.where(SystemVulnerabilities.remediation_type_id << remediation_filter)
status_detail_fixed = cyndi_join(status_detail_fixed)

status_detail_unfixed = (SystemVulnerablePackage
.select(Value(0).alias("status_id"), fn.Count(SystemVulnerablePackage.id).alias("systems"))
.select(fn.COALESCE(SystemCveData.status_id, 0).alias("status_id"),
fn.Count(fn.COALESCE(SystemCveData.status_id, 0)).alias("systems"))
.join(SystemPlatform, on=(SystemVulnerablePackage.system_id == SystemPlatform.id))
.join(VulnerablePackageCVE, on=(SystemVulnerablePackage.vulnerable_package_id == VulnerablePackageCVE.vulnerable_package_id))
.join(CveMetadata, on=(VulnerablePackageCVE.cve_id == CveMetadata.id))
.join(SystemCveData, JOIN.LEFT_OUTER, on=((SystemPlatform.id == SystemCveData.system_id)
& (CveMetadata.id == SystemCveData.cve_id)))
.where(CveMetadata.cve == synopsis)
.where(SystemVulnerablePackage.rh_account_id == rh_account_id)
.where(system_is_active(rh_account_id=rh_account_id, edge=edge))
.group_by(fn.COALESCE(SystemCveData.status_id, 0))
.dicts())
status_detail_unfixed = cyndi_join(status_detail_unfixed)

Expand Down
7 changes: 2 additions & 5 deletions manager/filters.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
from common.peewee_model import CveRuleMapping
from common.peewee_model import InsightsRule
from common.peewee_model import InventoryHosts
from common.peewee_model import SystemCveData
from common.peewee_model import SystemPlatform
from common.peewee_model import SystemVulnerabilities
from common.peewee_model import SystemVulnerablePackage
Expand Down Expand Up @@ -330,11 +331,7 @@ def _filter_system_cve_by_status(query, args, _kwargs):
object: Modified query with system CVE status filter applied
"""
if "status_id" in args and args["status_id"]:
if "unfixed" in _kwargs and True in _kwargs["unfixed"]:
# We need to filter out unfixed vulnerabilities and must reference dummy values because some tables are non existent
query = query.where(Value(0) << args["status_id"])
else:
query = query.where(SystemVulnerabilities.status_id << args["status_id"])
query = query.where(fn.COALESCE(SystemCveData.status_id, 0) << args["status_id"])
return query


Expand Down
Loading

0 comments on commit d63c0d4

Please sign in to comment.