Drop support for CVEs.

Bodhi has code to deal with CVEs, but it has never worked and was
not used. Since nobody has ever asked for it to work during my
tenure, I decided to trim it out of the code for now so we don't
have to maintain it.

fixes #1998

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>

bodhi/client/__init__.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright © 2014-2018 Red Hat, Inc. and others.
+# Copyright © 2014-2019 Red Hat, Inc. and others.
 #
 # This file is part of Bodhi.
 #
@@ -518,7 +518,6 @@ def edit(user, password, url, debug, openid_api, **kwargs):
 @click.option('--bugs', help='A list of bug numbers')
 @click.option('--critpath', is_flag=True, default=None,
               help='Query only critical path packages')
-@click.option('--cves', help='Query by CVE id')
 @click.option('--packages', help='Query by package name(s)')
 @click.option('--content-type', help='Query updates based on content type',
               type=click.Choice(['rpm', 'module']))  # And someday, container.
@@ -675,7 +674,6 @@ def comment(update, text, karma, user, password, url, openid_api, **kwargs):
 @click.option('--arch',
               help=('Specify arch of packages to download, "all" will retrieve packages from all '
                     'architectures'))
-@click.option('--cves', help='Download update(s) by CVE(s) (comma-separated list)')
 @click.option('--updateid', help='Download update(s) by ID(s) (comma-separated list)')
 @click.option('--builds', help='Download update(s) by build NVR(s) (comma-separated list)')
 @url_option
@@ -702,9 +700,9 @@ def download(url, **kwargs):
     del(kwargs['staging'])
     del(kwargs['arch'])
     # At this point we need to have reduced the kwargs dict to only our
-    # query options (cves, updateid, builds)
+    # query options (updateid or builds)
     if not any(kwargs.values()):
-        click.echo("ERROR: must specify at least one of --cves, --updateid, --builds")
+        click.echo("ERROR: must specify at least one of --updateid or --builds")
         sys.exit(1)
 
     # As the query method doesn't let us construct OR queries, we're

bodhi/client/bindings.py

@@ -351,7 +351,6 @@ def query(self, **kwargs):
             approved_since (basestring): A datetime string.
             builds (basestring): A space or comma delimited string of build nvrs.
             critpath (bool): A boolean to query only critical path updates.
-            cves (basestring): Filter by CVE IDs.
             locked (bool): A boolean to filter only locked updates.
             modified_before (basestring): A datetime string to query updates that have been modified
                 before a certain time.

bodhi/server/mail.py

@@ -1,4 +1,4 @@
-# Copyright 2007-2018 Red Hat, Inc. and others.
+# Copyright 2007-2019 Red Hat, Inc. and others.
 #
 # This file is part of Bodhi.
 #
@@ -310,10 +310,10 @@ def get_template(update, use_template='fedora_errata_template'):
                 '\n'.join(wrap(update.notes, width=80))
             info['notes'] += line
 
-        # Add this updates referenced Bugzillas and CVEs
+        # Add this updates referenced Bugzillas
         i = 1
         info['references'] = ""
-        if len(update.bugs) or len(update.cves):
+        if len(update.bugs):
             info['references'] = u"References:\n\n"
             parent = True in [bug.parent for bug in update.bugs]
             for bug in update.bugs:
@@ -329,10 +329,6 @@ def get_template(update, use_template='fedora_errata_template'):
                 info['references'] += u"  [ %d ] Bug #%d%s\n        %s\n" % \
                                       (i, bug.bug_id, title, bug.url)
                 i += 1
-            for cve in update.cves:
-                info['references'] += u"  [ %d ] %s\n        %s\n" % \
-                                      (i, cve.cve_id, cve.url)
-                i += 1
             info['references'] += line
 
         # Find the most recent update for this package, other than this one

bodhi/server/metadata.py

@@ -1,4 +1,4 @@
-# Copyright 2007-2018 Red Hat, Inc. and others.
+# Copyright 2007-2019 Red Hat, Inc. and others.
 #
 # This file is part of Bodhi.
 #
@@ -276,14 +276,6 @@ def add_update(self, update):
             ref.title = to_bytes(bug.title)
             rec.append_reference(ref)
 
-        # Create references for each CVE
-        for cve in update.cves:
-            ref = cr.UpdateReference()
-            ref.type = 'cve'
-            ref.id = to_bytes(cve.cve_id)
-            ref.href = to_bytes(cve.url)
-            rec.append_reference(ref)
-
         self.uinfo.append(rec)
 
     def insert_updateinfo(self, compose_path):

bodhi/server/migrations/versions/5c86a3f9dc03_drop_support_for_cve_tracking.py

@@ -0,0 +1,63 @@
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# This file is part of Bodhi.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+"""
+Drop support for CVE tracking.
+
+Revision ID: 5c86a3f9dc03
+Revises: 8e9dc57e082d
+Create Date: 2019-01-10 12:20:05.261652
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '5c86a3f9dc03'
+down_revision = '8e9dc57e082d'
+
+
+def upgrade():
+    """Drop the cves table and related association tables."""
+    op.drop_table('update_cve_table')
+    op.drop_table('bug_cve_table')
+    op.drop_table('cves')
+
+
+def downgrade():
+    """Recreate the cves table and related association tables."""
+    op.create_table(
+        'cves',
+        sa.Column('id', sa.INTEGER(), server_default=sa.text("nextval('cves_id_seq'::regclass)"),
+                  autoincrement=True, nullable=False),
+        sa.Column('cve_id', sa.VARCHAR(length=13), autoincrement=False, nullable=False),
+        sa.PrimaryKeyConstraint('id', name='cves_pkey'),
+        sa.UniqueConstraint('cve_id', name='cves_cve_id_key'),
+        postgresql_ignore_search_path=False)
+    op.create_table(
+        'bug_cve_table',
+        sa.Column('bug_id', sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column('cve_id', sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.ForeignKeyConstraint(['bug_id'], ['bugs.id'], name='bug_cve_table_bug_id_fkey'),
+        sa.ForeignKeyConstraint(['cve_id'], ['cves.id'], name='bug_cve_table_cve_id_fkey'))
+    op.create_table(
+        'update_cve_table',
+        sa.Column('update_id', sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.Column('cve_id', sa.INTEGER(), autoincrement=False, nullable=True),
+        sa.ForeignKeyConstraint(['cve_id'], ['cves.id'], name='update_cve_table_cve_id_fkey'),
+        sa.ForeignKeyConstraint(['update_id'], ['updates.id'],
+                                name='update_cve_table_update_id_fkey'))

bodhi/server/models.py

@@ -742,16 +742,6 @@ class ComposeState(DeclEnum):
     Column('update_id', Integer, ForeignKey('updates.id')),
     Column('bug_id', Integer, ForeignKey('bugs.id')))
 
-update_cve_table = Table(
-    'update_cve_table', metadata,
-    Column('update_id', Integer, ForeignKey('updates.id')),
-    Column('cve_id', Integer, ForeignKey('cves.id')))
-
-bug_cve_table = Table(
-    'bug_cve_table', metadata,
-    Column('bug_id', Integer, ForeignKey('bugs.id')),
-    Column('cve_id', Integer, ForeignKey('cves.id')))
-
 user_package_table = Table(
     'user_package_table', metadata,
     Column('user_id', Integer, ForeignKey('users.id')),
@@ -1629,8 +1619,6 @@ class Update(Base):
             contained in this update.
         bugs (sqlalchemy.orm.collections.InstrumentedList): A list of :class:`Bug` objects
             associated with this update.
-        cves (sqlalchemy.orm.collections.InstrumentedList): A list of :class:`CVE` objects
-            associated with this update.
         user_id (int): A foreign key to the :class:`User` that created this update.
         test_gating_status (EnumSymbol): The test gating status of the update. This must be one
             of the values defined in :class:`TestGatingStatus` or ``None``. None indicates that
@@ -1645,7 +1633,7 @@ class Update(Base):
     """
 
     __tablename__ = 'updates'
-    __exclude_columns__ = ('id', 'user_id', 'release_id', 'cves')
+    __exclude_columns__ = ('id', 'user_id', 'release_id')
     __include_extras__ = ('meets_testing_requirements', 'url',)
     __get_by__ = ('title', 'alias')
 
@@ -1709,7 +1697,6 @@ class Update(Base):
 
     # Many-to-many relationships
     bugs = relationship('Bug', secondary=update_bug_table, backref='updates')
-    cves = relationship('CVE', secondary=update_cve_table, backref='updates')
 
     user_id = Column(Integer, ForeignKey('users.id'))
 
@@ -2336,15 +2323,6 @@ def get_bugstring(self, show_titles=False):
             val = u' '.join([str(bug.bug_id) for bug in self.bugs])
         return val
 
-    def get_cvestring(self):
-        """
-        Return a space-delimited string of CVE ids for this update.
-
-        Returns:
-            basestring: A space-separated list of CVE ids.
-        """
-        return u' '.join([cve.cve_id for cve in self.cves])
-
     def get_bug_karma(self, bug):
         """
         Return the karma for this update for the given bug.
@@ -2816,8 +2794,6 @@ def __str__(self):
         if len(self.bugs):
             bugs = self.get_bugstring(show_titles=True)
             val += u"\n       Bugs: %s" % bugs
-        if len(self.cves):
-            val += u"\n       CVEs: %s" % self.get_cvestring()
         if self.notes:
             notes = wrap(
                 self.notes, width=67, subsequent_indent=' ' * 11 + ': ')
@@ -2888,35 +2864,6 @@ def update_bugs(self, bug_ids, session):
         session.flush()
         return new
 
-    def update_cves(self, cves, session):  # pragma: no cover
-        """
-        Create any new CVES, and remove any missing ones.
-
-        This method cannot possibly work:
-            https://github.com/fedora-infra/bodhi/issues/1998#issuecomment-344332011
-
-        This method has pragma: no cover on it because of the combination of it not working (see
-        above), and because the CVE feature is planned for removal in a future X release of Bodhi
-        since it has never been used.
-
-        Args:
-            cves (list): A list of basestrings of CVE identifiers.
-            session (sqlalchemy.orm.session.Session): A database session.
-        """
-        for cve in self.cves:
-            if cve.cve_id not in cves and len(cve.updates) == 0:
-                log.debug("Destroying stray CVE #%s" % cve.cve_id)
-                session.delete(cve)
-        for cve_id in cves:
-            cve = CVE.query.filter_by(cve_id=cve_id).one()
-            if cve not in self.cves:
-                self.cves.append(cve)
-                log.debug("Creating new CVE: %s" % cve_id)
-                cve = CVE(cve_id=cve_id)
-                session.save(cve)
-                self.cves.append(cve)
-        session.flush()
-
     def obsolete_if_unstable(self, db):
         """
         Obsolete the update if it reached the negative karma threshold while pending.
@@ -3997,36 +3944,6 @@ def __str__(self):
                                               self.timestamp, karma, self.text)
 
 
-class CVE(Base):
-    """
-    Represents a CVE.
-
-    Attributes:
-        cve_id (unicode): The CVE identifier for this CVE.
-        updates (sqlalchemy.orm.collections.InstrumentedList): An iterable of
-            :class:`Updates <Update>` associated with this CVE.
-        bugs (sqlalchemy.orm.collections.InstrumentedList): An iterable of :class:`Bugs <Bug>`
-            associated with this CVE.
-    """
-
-    __tablename__ = 'cves'
-    __exclude_columns__ = ('id', 'updates', 'bugs')
-    __get_by__ = ('cve_id',)
-
-    cve_id = Column(Unicode(13), unique=True, nullable=False)
-
-    @property
-    def url(self):
-        """
-        Return a URL about this CVE.
-
-        Returns:
-            str: A URL describing this CVE.
-        """
-        return "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%s" % \
-            self.cve_id
-
-
 class Bug(Base):
     """
     Represents a Bugzilla bug.
@@ -4038,12 +3955,10 @@ class Bug(Base):
         url (unicode): The URL for the bug. Inaccessible due to being overridden by the url
             property (https://github.com/fedora-infra/bodhi/issues/1995).
         parent (bool): True if this is a parent tracker bug for release-specific bugs.
-        cves (sqlalchemy.orm.collections.InstrumentedList): An interable of :class:`CVEs <CVE>` this
-            bug is associated with.
     """
 
     __tablename__ = 'bugs'
-    __exclude_columns__ = ('id', 'cves', 'updates')
+    __exclude_columns__ = ('id', 'updates')
     __get_by__ = ('bug_id',)
 
     # Bug number. If None, assume ``url`` points to an external bug tracker
@@ -4061,9 +3976,6 @@ class Bug(Base):
     # If this bug is a parent tracker bug for release-specific bugs
     parent = Column(Boolean, default=False)
 
-    # List of Mitre CVE's associated with this bug
-    cves = relationship(CVE, secondary=bug_cve_table, backref='bugs')
-
     # Is it public or private
     private = Column(Boolean, default=False)
 

bodhi/server/schemas.py

@@ -16,7 +16,6 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 """A set of API schemas to validate input and generate documentation."""
-import re
 import os
 
 import colander
@@ -35,8 +34,6 @@
 from bodhi.server.validators import validate_csrf_token
 
 
-CVE_REGEX = re.compile(r"CVE-[0-9]{4,4}-[0-9]{4,}")
-
 # Retrieving list of templates from filesystem for `mail_template` validation in SaveReleaseSchema
 template_directory = util.get_absolute_path(config.get('mail.templates_basepath'))
 MAIL_TEMPLATES = [os.path.splitext(file)[0] for file in os.listdir(template_directory)]
@@ -64,25 +61,6 @@ class Builds(colander.SequenceSchema):
     build = colander.SchemaNode(colander.String())
 
 
-class CVE(colander.String):
-    """A String schema to validate a CVE."""
-
-    def deserialize(self, node, cstruct):
-        """Parse a CVE out of a given API CVE parameter."""
-        value = super(CVE, self).deserialize(node, cstruct)
-
-        if CVE_REGEX.match(value) is None:
-            raise colander.Invalid(node, '"%s" is not a valid CVE id' % value)
-
-        return value
-
-
-class CVEs(colander.SequenceSchema):
-    """A SequenceSchema to validate a list of CVE objects."""
-
-    cve = colander.SchemaNode(CVE())
-
-
 class Packages(colander.SequenceSchema):
     """A SequenceSchema to validate a list of Package objects."""
 
@@ -502,13 +480,6 @@ class ListUpdateSchema(PaginatedSchema, SearchableSchema, Cosmetics):
         missing=None,
     )
 
-    cves = CVEs(
-        colander.Sequence(accept_scalar=True),
-        location="querystring",
-        missing=None,
-        preparer=[util.splitter],
-    )
-
     locked = colander.SchemaNode(
         colander.Boolean(true_choices=('true', '1')),
         location="querystring",