Not able to download repository ref as a tarball

Bug #2032871 reported by Greg Villicana
Affects              Status    Importance   Assigned to   Milestone
Ubuntu CVE Tracker   New       Undecided    Unassigned
turnip               Triaged   Low          Unassigned

Bug Description

We used to be able to retrieve and cache the CVEs from the master branch on a daily basis by downloading them from the "https://git.launchpad.net/ubuntu-cve-tracker/snapshot/master.tar.gz" endpoint, which was effectively a compressed file with the repo at the "master" ref. Since 08/19 we haven't been able to call this API, as the snapshots are not generated/returned anymore.

Is there any alternative to fetch the repository's code without having to rely on git tooling? Or was there a recent configuration update that removed the snapshots?

Steve Beattie (sbeattie) wrote :

Hi Greg,

Thanks for the report. It seems this was an unintended change in launchpad's git hosting, but it's also unclear whether the prior behavior of making the snapshots available was intended as well.

Marking this as affecting launchpad itself, so that the launchpad developers can make a determination as to whether it's something they should address.

Thanks again.

Colin Watson (cjwatson) wrote :

We haven't yet decided what we want to do here; but I do have some concerns, because the snapshots feature isn't particularly lightweight and this one repository is already a major drain on our available resources. In particular, since we never explicitly configured cgit snapshots, I believe the caching behaviour was cgit's default, i.e. to cache a snapshot for five minutes - not great for something the size of ubuntu-cve-tracker, but I'm also unsure whether we'd risk the potential of some kind of denial of service by tweaking this.

Have you considered using the exported OVAL data instead? My understanding is that that's usually what we recommend for things like security scanners rather than fetching the repository directly.

affects: launchpad → turnip
Greg Villicana (gvillicana) wrote :

Thanks for the quick response.

I wasn't aware of that approach; where is the exported OVAL file? We are currently parsing all "CVE-.." files located under the "active" and "retired" folders (since we are also doing recalls in our DB). If there is a better way to gather that info, then we can definitely give it a go. Otherwise, we may end up using "libgit2sharp" to fetch the content of those items, but I agree it will be far more of a burden on the service at large scale.

Colin Watson (cjwatson) wrote :

I'm not authoritative on this, but I think that https://security-metadata.canonical.com/oval/ is the place to look.

Greg Villicana (gvillicana) wrote :

Thanks for sharing, we are looking to capture just the CVEs and impacted versions + patches available if any.

The OVAL data has far more metadata than we need, and all of its properties would need to be sanitized to make them generic enough; otherwise we would end up storing multiple entries in our advisory cache for the exact same item, just a different release, which we want to avoid. The CVE files you have in ubuntu-cve-tracker are perfect for this requirement. We don't even need to know the release beforehand, since the CVE file will organically include new ones.
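The CVE files Greg describes parsing are plain key/value text. As an added example (not code from this bug thread or from ubuntu-cve-tracker itself), the Python below parses one such file into the fields a scanner cache needs: candidate ID, priority, patch references and per-release package status, and collects the release names it encounters so new releases need no prior configuration. The file layout (Candidate:, Priority:, Patches_<pkg>: and <release>_<pkg>: <status> (<note>) lines, with indented continuation lines) is assumed from the tracker's conventions rather than taken from this page, and the sample file is constructed: examplepkg, its versions and the URLs are illustrative.

```python
"""Parser for the key/value CVE files kept under active/ and retired/ in
ubuntu-cve-tracker.  Added example: the layout (Candidate:, Priority:,
Patches_<pkg>:, <release>_<pkg>: <status> (<note>)) is assumed from the
tracker's conventions and is not documented on the bug page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample file; the package, versions and URLs are illustrative.
SAMPLE_CVE_FILE = """\
Candidate: CVE-2099-0001
PublicDate: 2099-01-02
References:
 https://example.invalid/advisory
Description:
 Illustrative description of a flaw in examplepkg.
Priority: medium
Patches_examplepkg:
 upstream: https://example.invalid/fix.patch
upstream_examplepkg: released (2.0)
focal_examplepkg: needed
jammy_examplepkg: released (1.4-2ubuntu0.1)
noble_examplepkg: not-affected (1.5-1)
trusty_examplepkg: DNE
esm-infra/focal_examplepkg: needs-triage
"""

# "<status> (<note>)" on a per-release line; the parenthesised note is optional.
STATUS_RE = re.compile(r"^(?P<status>[A-Za-z-]+)(?:\s*\((?P<note>[^)]*)\))?\s*$")

# Statuses meaning a fix is still outstanding for that release (assumed set).
OPEN_STATUSES = {"needs-triage", "needed", "pending", "deferred"}


@dataclass
class CveRecord:
    candidate: str
    priority: Optional[str]
    description: str
    # package -> patch reference lines (from Patches_<pkg>: blocks)
    patches: Dict[str, List[str]] = field(default_factory=dict)
    # package -> release -> (status, note)
    status: Dict[str, Dict[str, Tuple[str, Optional[str]]]] = field(default_factory=dict)


def _read_fields(text: str) -> Dict[str, List[str]]:
    """Split the file into header -> value lines.  Indented lines continue
    the previous header; blank lines are ignored."""
    fields: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any header")
            fields[current].append(raw.strip())
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current = name.strip()
        fields.setdefault(current, [])
        if value.strip():
            fields[current].append(value.strip())
    return fields


def parse_cve_file(text: str) -> CveRecord:
    fields = _read_fields(text)
    if not fields.get("Candidate"):
        raise ValueError("missing Candidate header")
    rec = CveRecord(
        candidate=fields["Candidate"][0],
        priority=(fields.get("Priority") or [None])[0],
        description=" ".join(fields.get("Description", [])),
    )
    for name, lines in fields.items():
        if name.startswith("Patches_"):
            rec.patches[name[len("Patches_"):]] = list(lines)
            continue
        # Per-release status keys are lowercase "<release>_<package>";
        # headers such as Priority_<pkg> or Tags_<pkg> start uppercase.
        if not name[0].islower() or "_" not in name:
            continue
        release, _, pkg = name.partition("_")
        m = STATUS_RE.match(" ".join(lines))
        if not m:
            raise ValueError(f"unparseable status for {name}: {lines!r}")
        rec.status.setdefault(pkg, {})[release] = (m["status"], m["note"])
    return rec


def open_releases(rec: CveRecord, pkg: str) -> List[str]:
    """Releases where pkg still lacks a fix for this CVE."""
    return sorted(r for r, (st, _) in rec.status.get(pkg, {}).items() if st in OPEN_STATUSES)


def fixed_versions(rec: CveRecord, pkg: str) -> Dict[str, str]:
    """release -> version carrying the fix, taken from 'released (<version>)'."""
    return {r: note for r, (st, note) in rec.status.get(pkg, {}).items()
            if st == "released" and note}


def known_releases(records) -> List[str]:
    """Release names seen across records, so new releases surface without
    being configured in advance."""
    seen = set()
    for rec in records:
        for per_release in rec.status.values():
            seen.update(per_release)
    return sorted(seen)


if __name__ == "__main__":
    rec = parse_cve_file(SAMPLE_CVE_FILE)
    print(rec.candidate, rec.priority, open_releases(rec, "examplepkg"),
          fixed_versions(rec, "examplepkg"), known_releases([rec]))
```

Running this over every file under active/ and retired/ gives one record per CVE regardless of release, which is the single-entry-per-advisory shape the comment above asks for; the release-specific detail stays nested under the package rather than becoming separate cache entries.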

Guruprasad (lgp171188)
Changed in turnip:
status: New → Triaged
importance: Undecided → Low