Allow rebuilds for all repos on moderate security advisories

This commit changes our approach to handling moderate security advisories by removing the restriction that previously limited rebuilds to only compliance priority repositories. Now, all repositories are eligible for rebuilds when a moderate security advisory is released. JIRA: CWFHEALTH-2876
qixiang · Apr 21, 2024 · 8b58169 · 8b58169
1 parent 626f035
commit 8b58169
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 111 deletions.
diff --git a/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py b/freshmaker/handlers/koji/rebuild_images_on_rpm_advisory_change.py
@@ -34,7 +34,6 @@
 from freshmaker.errata import Errata
 from freshmaker.types import ArtifactType, ArtifactBuildState, EventState, RebuildReason
 from freshmaker.models import Event, Compose, ArtifactBuild
-from freshmaker.utils import load_remote_yaml
 
 
 class RebuildImagesOnRPMAdvisoryChange(ContainerBuildHandler):
@@ -453,30 +452,6 @@ def _find_images_to_rebuild(self, errata_id, skip_nvrs=None):
             affected_nvrs,
         )
 
-        adv_is_compliance_priority = getattr(self.event.advisory, "is_compliance_priority", False)
-        # We should only use a restriction for external repos for advisories that are not critical
-        # or important; we should not apply the restriction for critical/important advisories when
-        # they have the 'compliance-priority' label
-        compliance_priority_repos = None
-        if adv_is_compliance_priority and self.event.advisory.security_impact not in [
-            "critical",
-            "important",
-        ]:
-            try:
-                compliance_priority_repos = self._lookup_external_repos()
-            except Exception as e:
-                msg = f"Unable to fetch external repos: {str(e)}"
-                self.log_error(msg)
-                db_event = Event.get_or_create_from_event(db.session, self.event)
-                db_event.transition(EventState.FAILED, msg)
-                db.session.commit()
-                return []
-
-            if not compliance_priority_repos:
-                msg = "No external repositories are specified in the remote yaml, skipping this event."
-                self.log_info(msg)
-                return []
-
         batches = pyxis.find_images_to_rebuild(
             affected_nvrs,
             content_sets,
@@ -485,16 +460,5 @@ def _find_images_to_rebuild(self, errata_id, skip_nvrs=None):
             release_categories=release_categories,
             leaf_container_images=leaf_container_images,
             skip_nvrs=skip_nvrs,
-            repositories=compliance_priority_repos,
         )
         return batches
-
-    def _lookup_external_repos(self) -> list[str]:
-        """Fetches the external repositories to be used for lower criticality CVEs
-
-        :return: Names of the external repositories
-        :rtype: list of str
-        """
-
-        url = conf.compliance_priority_repositories_remote_file
-        return load_remote_yaml(url).get("repositories", [])
diff --git a/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py b/tests/handlers/koji/test_rebuild_images_on_rpm_advisory_change.py
@@ -20,13 +20,9 @@
 # SOFTWARE.
 
 import json
-from unittest import TestCase
 from unittest.mock import patch, PropertyMock, Mock, call
 
-from requests.exceptions import HTTPError
-
 import freshmaker
-
 from freshmaker.config import all_
 from freshmaker import db, events
 from freshmaker.events import (
@@ -538,7 +534,6 @@ def test_published_unset(self, exists):
             release_categories=conf.container_release_categories,
             leaf_container_images=None,
             skip_nvrs=None,
-            repositories=None,
         )
 
     @patch.object(
@@ -560,7 +555,6 @@ def test_multiple_srpms(self, exists):
             release_categories=conf.container_release_categories,
             leaf_container_images=None,
             skip_nvrs=None,
-            repositories=None,
         )
 
     @patch.object(
@@ -596,7 +590,6 @@ def test_published_false(self, exists):
             release_categories=None,
             leaf_container_images=None,
             skip_nvrs=None,
-            repositories=None,
         )
 
     @patch.object(
@@ -621,7 +614,6 @@ def test_published_true(self, exists):
             release_categories=conf.container_release_categories,
             leaf_container_images=None,
             skip_nvrs=None,
-            repositories=None,
         )
 
     @patch.object(
@@ -647,7 +639,6 @@ def test_manual_event_leaf_container_images(self, exists):
             release_categories=conf.container_release_categories,
             leaf_container_images=["foo", "bar"],
             skip_nvrs=None,
-            repositories=None,
         )
 
     @patch.object(
@@ -672,56 +663,8 @@ def test_affected_packages_with_modules(self, exists, affected_rpm_nvrs):
             release_categories=conf.container_release_categories,
             leaf_container_images=None,
             skip_nvrs=None,
-            repositories=None,
         )
 
-    @patch(
-        "freshmaker.handlers.koji.RebuildImagesOnRPMAdvisoryChange._lookup_external_repos",
-        return_value=["foo/bar/repo"],
-    )
-    def test_moderate_cve_external_repo(self, mock_lookup):
-        self.event.advisory.security_impact = "moderate"
-        self.event.advisory.is_compliance_priority = True
-
-        self.handler._find_images_to_rebuild(123456)
-
-        self.find_images_to_rebuild.assert_called_once_with(
-            ["httpd-2.4-11.el7"],
-            ["content-set-1", "pulp_repo_x86_64"],
-            filter_fnc=self.handler._filter_out_not_allowed_builds,
-            published=None,
-            release_categories=None,
-            leaf_container_images=None,
-            skip_nvrs=None,
-            repositories=["foo/bar/repo"],
-        )
-
-    @patch(
-        "freshmaker.handlers.koji.RebuildImagesOnRPMAdvisoryChange._lookup_external_repos",
-        side_effect=HTTPError("404 Client Error: not found for url: foo.bar/baz"),
-    )
-    def test_moderate_cve_external_repo_http_error(self, mock_lookup):
-        self.event.advisory.security_impact = "moderate"
-        self.event.advisory.is_compliance_priority = True
-
-        result = self.handler._find_images_to_rebuild(123456)
-
-        db_event = Event.get_or_create_from_event(db.session, self.event)
-        self.assertEqual(db_event.state, 3)
-        self.assertEqual(result, [])
-
-    @patch(
-        "freshmaker.handlers.koji.RebuildImagesOnRPMAdvisoryChange._lookup_external_repos",
-        return_value=[],
-    )
-    def test_moderate_cve_external_repo_empty(self, mock_lookup):
-        self.event.advisory.security_impact = "moderate"
-        self.event.advisory.is_compliance_priority = True
-
-        result = self.handler._find_images_to_rebuild(123456)
-
-        self.assertEqual(result, [])
-
 
 class TestAllowBuild(helpers.ModelsTestCase):
     """Test RebuildImagesOnRPMAdvisoryChange.allow_build"""
@@ -1869,21 +1812,3 @@ def test_parent_image_already_built(self):
         ).first()
         self.assertNotEqual(None, child_image)
         self.assertEqual(child_image.dep_on, None)
-
-
-class TestLookupExternalRepos(TestCase):
-    """Test RebuildImagesOnRPMAdvisoryChange._lookup_external_repos"""
-
-    @patch.object(
-        freshmaker.conf, "compliance_priority_repositories_remote_file", "foo.net/bar", create=True
-    )
-    @patch(
-        "freshmaker.handlers.koji.rebuild_images_on_rpm_advisory_change.load_remote_yaml",
-        return_value={"repositories": ["foo", "bar"]},
-    )
-    def test_retrieve_some_repos(self, mock_load):
-        handler = RebuildImagesOnRPMAdvisoryChange()
-
-        result = handler._lookup_external_repos()
-
-        self.assertEqual(result, ["foo", "bar"])