update public date on oracle flaws to be 3rd Tuesday from Apr 2022

advisory_parser/__init__.py

@@ -5,4 +5,4 @@
 from .parser import Parser
 
 
-__version__ = "1.12"
+__version__ = "1.13"

advisory_parser/parsers/mysql.py

@@ -2,6 +2,7 @@
 # Author: Martin Prpič, Red Hat Product Security
 # License: LGPLv3+
 
+import calendar
 import re
 from datetime import datetime, timedelta
 
@@ -14,6 +15,21 @@
 MARIADB_VULN_PAGE = "https://mariadb.com/kb/en/security/"
 VERSION_REGEX = re.compile(r"(\d\d?\.\d\.\d\d?)")
 
+month_to_num = {
+    "jan": 1,
+    "feb": 2,
+    "mar": 3,
+    "apr": 4,
+    "may": 5,
+    "jun": 6,
+    "jul": 7,
+    "aug": 8,
+    "sep": 9,
+    "oct": 10,
+    "nov": 11,
+    "dec": 12,
+}
+
 
 def _nearest_tuesday(year, month, day=17):
     """For a given year and month, return nearest Tuesday to the 17th of that month
@@ -24,25 +40,8 @@ def _nearest_tuesday(year, month, day=17):
     July and October."
     [https://www.oracle.com/security-alerts/]
     """
-    month_to_num = {
-        "jan": 1,
-        "feb": 2,
-        "mar": 3,
-        "apr": 4,
-        "may": 5,
-        "jun": 6,
-        "jul": 7,
-        "aug": 8,
-        "sep": 9,
-        "oct": 10,
-        "nov": 11,
-        "dec": 12,
-    }
-
-    if month.lower() not in month_to_num:
-        raise AdvisoryParserTextException("Invalid month parsed from advisory URL:", str(month))
 
-    base_date = datetime(year, month_to_num[month.lower()], day)
+    base_date = datetime(year, month, day)
 
     previous_tuesday = base_date - timedelta(days=((base_date.weekday() + 6) % 7))
     next_tuesday = base_date + timedelta(days=((1 - base_date.weekday()) % 7))
@@ -54,6 +53,34 @@ def _nearest_tuesday(year, month, day=17):
     )
 
 
+def _third_tuesday(year, month):
+    """For a given year and month, return the 3rd Tuesday of that month
+
+    "Critical Patch Updates provide security patches for supported Oracle on-premises products.
+    They are available to customers with valid support contracts. Starting in April 2022,
+    Critical Patch Updates are released on the third Tuesday of January, April, July, and October
+    (They were previously published on the Tuesday closest to the 17th day of January, April, July,
+     and October). The next four dates are:
+
+    16 July 2024
+    15 October 2024
+    21 January 2025
+    15 April 2025
+    "
+    [https://www.oracle.com/security-alerts/]
+    """
+
+    c = calendar.Calendar()
+    monthcal = c.monthdatescalendar(year, month)
+    third_tuesday = [
+        day
+        for week in monthcal
+        for day in week
+        if day.weekday() == calendar.TUESDAY and day.month == month
+    ][2]
+    return third_tuesday
+
+
 def create_mariadb_cve_map():
     # Pull plain text of the MariaDB page since the HTML is invalid: it
     # doesn't define </li> ending tags for list elements. The HTML would
@@ -98,7 +125,20 @@ def parse_mysql_advisory(url):
     # Extract the CPU's month and year from the URL since the verbose page has
     # no dates on it
     month, year = url_match.groups()
-    cpu_date = _nearest_tuesday(int(year), month)
+    if month.lower() not in month_to_num:
+        raise AdvisoryParserTextException("Invalid month parsed from advisory URL:", str(month))
+    month_num = month_to_num[month.lower()]
+    year_int = int(year)
+    # Starting in April 2022, Critical Patch Updates are released on the third Tuesday of January,
+    # April, July, and October (They were previously published on the Tuesday closest to the 17th
+    # day of January, April, July, and October).
+    # [https://www.oracle.com/security-alerts/]
+    if year_int < 2022:
+        cpu_date = _nearest_tuesday(year_int, month_num)
+    elif year_int == 2022 and month_num < 4:
+        cpu_date = _nearest_tuesday(year_int, month_num)
+    else:
+        cpu_date = _third_tuesday(year_int, month_num)
     advisory_id = "CPU {} {}".format(month.capitalize(), year)
 
     # Fetch the CPU verbose page

setup.py

@@ -12,7 +12,7 @@
 
 setup(
     name="advisory-parser",
-    version="1.12",
+    version="1.13",
     description="Security flaw parser for upstream security advisories",
     long_description=description,
     url="https://github.com/RedHatProductSecurity/advisory-parser",

tests/test_mysql_parser.py

@@ -8,28 +8,42 @@
 except ImportError:
     from mock import patch
 
-from advisory_parser.parsers.mysql import parse_mysql_advisory, _nearest_tuesday
+from advisory_parser.parsers.mysql import parse_mysql_advisory, _nearest_tuesday, _third_tuesday
 
 
 @pytest.mark.parametrize(
     "year, month, day, expected_date",
     [
-        (2017, "jul", 3, datetime(2017, 7, 4)),
-        (2017, "jul", 4, datetime(2017, 7, 4)),  # Tuesday
-        (2017, "jul", 5, datetime(2017, 7, 4)),
-        (2017, "jul", 6, datetime(2017, 7, 4)),
-        (2017, "jul", 7, datetime(2017, 7, 4)),
-        (2017, "jul", 8, datetime(2017, 7, 11)),
-        (2017, "jul", 9, datetime(2017, 7, 11)),
-        (2017, "jul", 10, datetime(2017, 7, 11)),
-        (2017, "jul", 11, datetime(2017, 7, 11)),  # Tuesday
-        (2017, "jul", 12, datetime(2017, 7, 11)),
+        (2017, 7, 3, datetime(2017, 7, 4)),
+        (2017, 7, 4, datetime(2017, 7, 4)),  # Tuesday
+        (2017, 7, 5, datetime(2017, 7, 4)),
+        (2017, 7, 6, datetime(2017, 7, 4)),
+        (2017, 7, 7, datetime(2017, 7, 4)),
+        (2017, 7, 8, datetime(2017, 7, 11)),
+        (2017, 7, 9, datetime(2017, 7, 11)),
+        (2017, 7, 10, datetime(2017, 7, 11)),
+        (2017, 7, 11, datetime(2017, 7, 11)),  # Tuesday
+        (2017, 7, 12, datetime(2017, 7, 11)),
     ],
 )
 def test_nearest_tuesday(year, month, day, expected_date):
     assert expected_date == _nearest_tuesday(year, month, day)
 
 
+@pytest.mark.parametrize(
+    "year, month, expected_date",
+    [
+        (2017, 7, datetime(2017, 7, 18).date()),
+        (2024, 7, datetime(2024, 7, 16).date()),
+        (2024, 10, datetime(2024, 10, 15).date()),
+        (2025, 1, datetime(2025, 1, 21).date()),
+        (2025, 4, datetime(2025, 4, 15).date()),
+    ],
+)
+def test_third_tuesday(year, month, expected_date):
+    assert expected_date == _third_tuesday(year, month)
+
+
 @patch("advisory_parser.parsers.mysql.get_request")
 @patch("advisory_parser.parsers.mysql.create_mariadb_cve_map")
 @pytest.mark.parametrize(