compose: Bake advisory information into commit metadata

There are a lot of use cases for this, notably: - This allows us to display advisories without fetching updateinfo metadata in the pure OSTree case. - It allows pipelines to fetch and display this information to sanity-check builds. - It makes it much easier to fix the "intermediate CVEs" issue described in https://github.com/coreos/rpm-ostree/issues/1696#issuecomment-443861107. This patch just adds the advisory information to the commit metadata. There's follow-up work to make the client-side of rpm-ostree use this data. Also, remove the newly added metadata from the output of `rpm-ostree status --json` for the same reason we remove the rpmdb. A follow-up patch will teach `rpm-ostree db list/diff` to output advisories. Closes: #1696
2021-04-01 17:33:23 -04:00 · 2021-04-01 17:33:23 -04:00 · 427fe683a8
commit 427fe683a8
parent 17d80dc566
2 changed files with 20 additions and 0 deletions
--- a/src/app/rpmostree-compose-builtin-tree.cxx
+++ b/src/app/rpmostree-compose-builtin-tree.cxx
@ -779,6 +779,22 @@ rpm_ostree_compose_context_new (const char    *treefile_pathstr,
  return TRUE;
 }

+static gboolean
+inject_advisories (RpmOstreeTreeComposeContext *self,
+                   GCancellable    *cancellable,
+                   GError         **error)
+{
+  g_autoptr(GPtrArray) pkgs = rpmostree_context_get_packages (self->corectx);
+  DnfContext *dnfctx = rpmostree_context_get_dnf (self->corectx);
+  DnfSack *yum_sack = dnf_context_get_sack (dnfctx);
+  g_autoptr(GVariant) advisories = rpmostree_advisories_variant (yum_sack, pkgs);
+
+  if (advisories && g_variant_n_children (advisories) > 0)
+    g_hash_table_insert (self->metadata, g_strdup ("rpmostree.advisories"), g_steal_pointer (&advisories));
+
+  return TRUE;
+}
+
 static gboolean
 impl_install_tree (RpmOstreeTreeComposeContext *self,
                   gboolean        *out_changed,
@ -926,6 +942,9 @@ impl_install_tree (RpmOstreeTreeComposeContext *self,
                           rpmostree_context_get_rpmmd_repo_commit_metadata (self->corectx));
    }

+  if (!inject_advisories (self, cancellable, error))
+    return FALSE;
+
  /* Destroy this now so the libdnf stack won't have any references
   * into the filesystem before we manipulate it.
   */
--- a/src/daemon/rpmostreed-deployment-utils.cxx
+++ b/src/daemon/rpmostreed-deployment-utils.cxx
@ -220,6 +220,7 @@ filter_commit_meta (GVariant *commit_meta)
  g_variant_dict_init (&dict, commit_meta);
  /* for now we just blacklist, but we may want to whitelist in the future */
  g_variant_dict_remove (&dict, "rpmostree.rpmdb.pkglist");
+  g_variant_dict_remove (&dict, "rpmostree.advisories");
  return g_variant_dict_end (&dict);
 }