Revert "feat: Expose Ubuntu fix status for downstream consumption" (#438

)
aquasecurity · Sep 10, 2024 · 7e0f4d2 · 7e0f4d2
1 parent 5730659
commit 7e0f4d2
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 82 deletions.
diff --git a/pkg/types/status.go b/pkg/types/status.go
@@ -11,9 +11,6 @@ var (
 	//
 	// In addition to them, Red Hat has "will_not_fix" and "fix_deferred".
 	// cf. https://access.redhat.com/blogs/product-security/posts/2066793
-	//
-	// In addition to them, Ubuntu has "DNE", "ignored", "needed", "pending"
-	// https://askubuntu.com/a/1509706
 	Statuses = []string{
 		"unknown",
 		"not_affected",
@@ -32,7 +29,7 @@ const (
 	StatusAffected
 	StatusFixed
 	StatusUnderInvestigation
-	StatusWillNotFix
+	StatusWillNotFix // Red Hat specific
 	StatusFixDeferred
 	StatusEndOfLife
 )

diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -106,9 +106,9 @@ type Advisory struct {
 
 	Arches []string `json:",omitempty"`
 
-	// Status is used to provide the status when a status is known and supported by the data source (e.g. "Will not fix").
-	// When a patch is available, the status will be empty since the status is obviously "Fixed".
-	Status Status `json:",omitempty"`
+	// It is filled only when FixedVersion is empty since it is obvious the state is "Fixed" when FixedVersion is not empty.
+	// e.g. Will not fix and Affected
+	Status Status `json:"-"`
 
 	// Trivy DB has "vulnerability" bucket and severities are usually stored in the bucket per a vulnerability ID.
 	// In some cases, the advisory may have multiple severities depending on the packages.

diff --git a/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json b/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json
@@ -19,13 +19,12 @@
       "bionic": {
         "Status": "released",
         "Note": "1.2.3"
+      },
+      "focal": {
+        "Status": "needs-triage",
+        "Note": ""
       }
-    },
-    "wpa": {
-      "bionic": {
-        "Status": "deferred"
-      }
-    },
-    "UpstreamLinks": {}
-  }
+    }
+  },
+  "UpstreamLinks": {}
 }
diff --git a/pkg/vulnsrc/ubuntu/ubuntu.go b/pkg/vulnsrc/ubuntu/ubuntu.go
@@ -23,7 +23,7 @@ const (
 )
 
 var (
-	targetStatuses        = []string{"needed", "pending", "deferred", "released"}
+	targetStatuses        = []string{"needed", "deferred", "released"}
 	UbuntuReleasesMapping = map[string]string{
 		"precise": "12.04",
 		"quantal": "12.10",
@@ -170,12 +170,8 @@ func defaultPut(dbc db.Operation, tx *bolt.Tx, advisory interface{}) error {
 			}
 
 			adv := types.Advisory{}
-			normalisedStatus := StatusFromUbuntuStatus(status.Status)
-			if normalisedStatus == types.StatusFixed {
+			if status.Status == "released" {
 				adv.FixedVersion = status.Note
-			} else {
-				// Store the status only if it's unfixed
-				adv.Status = normalisedStatus
 			}
 			if err := dbc.PutAdvisoryDetail(tx, cve.Candidate, pkgName, []string{platformName}, adv); err != nil {
 				return xerrors.Errorf("failed to save Ubuntu advisory: %w", err)
@@ -217,15 +213,3 @@ func SeverityFromPriority(priority string) types.Severity {
 		return types.SeverityUnknown
 	}
 }
-
-// StatusFromUbuntuStatus normalises Ubuntu status into common Trivy Types
-func StatusFromUbuntuStatus(status string) types.Status {
-	switch status {
-	case "needed", "pending", "deferred":
-		return types.StatusFixDeferred
-	case "released":
-		return types.StatusFixed
-	default:
-		return types.StatusUnknown
-	}
-}
diff --git a/pkg/vulnsrc/ubuntu/ubuntu_test.go b/pkg/vulnsrc/ubuntu/ubuntu_test.go
@@ -3,8 +3,6 @@ package ubuntu_test
 import (
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
@@ -37,12 +35,6 @@ func TestVulnSrc_Update(t *testing.T) {
 						FixedVersion: "1.2.3",
 					},
 				},
-				{
-					Key: []string{"advisory-detail", "CVE-2020-1234", "ubuntu 18.04", "wpa"},
-					Value: types.Advisory{
-						Status: types.StatusFixDeferred,
-					},
-				},
 				{
 					Key: []string{"vulnerability-detail", "CVE-2020-1234", "ubuntu"},
 					Value: types.VulnerabilityDetail{
@@ -68,44 +60,3 @@ func TestVulnSrc_Update(t *testing.T) {
 		})
 	}
 }
-
-func TestUbuntuStatusFromStatus(t *testing.T) {
-	tests := []struct {
-		name     string
-		status   string
-		expected types.Status
-	}{
-		{
-			name:     "deferred",
-			status:   "deferred",
-			expected: types.StatusFixDeferred,
-		},
-		{
-			name:     "needed",
-			status:   "needed",
-			expected: types.StatusFixDeferred,
-		},
-		{
-			name:     "pending",
-			status:   "pending",
-			expected: types.StatusFixDeferred,
-		},
-		{
-			name:     "released",
-			status:   "released",
-			expected: types.StatusFixed,
-		},
-		{
-			name:     "unknown",
-			status:   "unknown",
-			expected: types.StatusUnknown,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			actual := ubuntu.StatusFromUbuntuStatus(test.status)
-			assert.Equal(t, test.expected, actual)
-		})
-	}
-}