From 33683b4995c99e2a46be5480e878e5e36cc95135 Mon Sep 17 00:00:00 2001
From: Patrik Segedy
Date: Wed, 27 Nov 2024 13:29:40 +0100
Subject: [PATCH] fix: ignore updates from rhel-alt el7a release RHINENG-14561
---
 vmaas/common.go | 6 +++++-
 vmaas/common_test.go | 34 +++++++++++++++++-----------------
 vmaas/options.go | 16 +++++++++++++++-
 vmaas/vulnerabilities.go | 6 +++---
 vmaas/vulnerabilities_test.go | 2 +-
 5 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/vmaas/common.go b/vmaas/common.go
index 0ae8e7c..e2d5dd3 100644
--- a/vmaas/common.go
+++ b/vmaas/common.go
@@ -683,7 +683,11 @@ func cveMapValues(cves map[string]VulnerabilityDetail) []VulnerabilityDetail {
 return vals
 }
 
-func isApplicable(c *Cache, update, input *utils.Nevra) bool {
+func isApplicable(c *Cache, update, input *utils.Nevra, opts *options) bool {
+ splittedRelease := strings.Split(update.Release, ".")
+ if opts.excludedReleases[splittedRelease[len(splittedRelease)-1]] {
+ return false
+ }
 if update.Name != input.Name {
 return false
 }
diff --git a/vmaas/common_test.go b/vmaas/common_test.go
index 38c779f..72f84b6 100644
--- a/vmaas/common_test.go
+++ b/vmaas/common_test.go
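Review bot: The exclusion key in the new first lines of isApplicable is obtained with `strings.Split` plus last-element indexing, which allocates a fresh slice for every candidate update only to read the text after the last dot; `suffix := update.Release[strings.LastIndexByte(update.Release, '.')+1:]` followed by `if opts.excludedReleases[suffix] { return false }` yields the same key without the allocation (with no dot, LastIndexByte returns -1 and the whole release is used, and an empty release gives an empty key, exactly as the Split version behaves). The new signature also makes this the one place in the patch that dereferences `opts` unconditionally, so a nil *options — something the old signature could not receive — panics here instead of meaning "no exclusions"; the three call sites in this patch all pass a non-nil pointer, so this only affects callers I cannot see. A doc comment is missing too; `// isApplicable reports whether update applies to input. Updates whose release suffix (text after the last dot, e.g. "el7a") is in opts.excludedReleases are never applicable, before any of the checks that follow.` would record why the release test precedes the name comparison. The body of isApplicable continues past the end of the hunk.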
@@ -570,25 +570,25 @@ func TestIsApplicabe(t *testing.T) {
 bash := pkgID2Nevra(&c, 7)
 
 // newer noarch is applicable to all other archs
- assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelNoarch))
- assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelX86))
- assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelAarch))
+ assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelNoarch, &defaultOpts))
+ assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelX86, &defaultOpts))
+ assert.True(t, isApplicable(&c, &kernelNoarchNew, &kernelAarch, &defaultOpts))
 // newer x86_64 kernel can be applied only on x86_64 or noarch
- assert.True(t, isApplicable(&c, &kernelX86New, &kernelX86))
- assert.True(t, isApplicable(&c, &kernelX86New, &kernelNoarch))
+ assert.True(t, isApplicable(&c, &kernelX86New, &kernelX86, &defaultOpts))
+ assert.True(t, isApplicable(&c, &kernelX86New, &kernelNoarch, &defaultOpts))
 // x86_64 cannot be applied on aarch64 and vice versa
- assert.False(t, isApplicable(&c, &kernelX86New, &kernelAarch))
- assert.False(t, isApplicable(&c, &kernelAarchNew, &kernelX86))
+ assert.False(t, isApplicable(&c, &kernelX86New, &kernelAarch, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelAarchNew, &kernelX86, &defaultOpts))
 // same or older version cannot be applied
- assert.False(t, isApplicable(&c, &kernelNoarch, &kernelNoarch))
- assert.False(t, isApplicable(&c, &kernelX86, &kernelX86))
- assert.False(t, isApplicable(&c, &kernelAarch, &kernelAarch))
- assert.False(t, isApplicable(&c, &kernelNoarch, &kernelNoarchNew))
- assert.False(t, isApplicable(&c, &kernelX86, &kernelX86New))
- assert.False(t, isApplicable(&c, &kernelAarch, &kernelAarchNew))
- assert.False(t, isApplicable(&c, &kernelNoarch, &kernelX86))
- assert.False(t, isApplicable(&c, &kernelNoarch, &kernelAarchNew))
+ assert.False(t, isApplicable(&c, &kernelNoarch, &kernelNoarch, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelX86, &kernelX86, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelAarch, &kernelAarch, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelNoarch, &kernelNoarchNew, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelX86, &kernelX86New, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelAarch, &kernelAarchNew, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelNoarch, &kernelX86, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelNoarch, &kernelAarchNew, &defaultOpts))
 // bash cannot be update for kernel or kernel for bash
- assert.False(t, isApplicable(&c, &bash, &kernelNoarch))
- assert.False(t, isApplicable(&c, &kernelNoarchNew, &bash))
+ assert.False(t, isApplicable(&c, &bash, &kernelNoarch, &defaultOpts))
+ assert.False(t, isApplicable(&c, &kernelNoarchNew, &bash, &defaultOpts))
 }
diff --git a/vmaas/options.go b/vmaas/options.go
index 61490a7..0c57b25 100644
--- a/vmaas/options.go
+++ b/vmaas/options.go
@@ -1,11 +1,14 @@
 package vmaas
 
-var defaultOpts = options{20, true, map[string]bool{"kernel-alt": true}, true, true}
+var defaultOpts = options{
+ 20, true, map[string]bool{"kernel-alt": true}, map[string]bool{"el7a": true}, true, true,
+}
 
 type options struct {
 maxGoroutines int
 evalUnfixed bool
 excludedPackages map[string]bool
+ excludedReleases map[string]bool
 newerReleaseverRepos bool
 newerReleaseverCsaf bool
 }
@@ -55,6 +58,17 @@ func WithExcludedPackages(pkgs map[string]bool) Option {
 return excludedPkgsOption(pkgs)
 }
 
+type excludedRelsOption map[string]bool
+
+func (p excludedRelsOption) apply(opts *options) {
+ opts.excludedReleases = p
+}
+
+// Option to set excluded package releases
+func WithExcludedReleases(rel map[string]bool) Option {
+ return excludedRelsOption(rel)
+}
+
 type newerReleaseverReposOption bool
 
 func (n newerReleaseverReposOption) apply(opts *options) {
diff --git a/vmaas/vulnerabilities.go b/vmaas/vulnerabilities.go
index dc5131d..68550e9 100644
--- a/vmaas/vulnerabilities.go
+++ b/vmaas/vulnerabilities.go
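Review bot: Nothing in the updated TestIsApplicabe exercises the branch this patch adds: every call passes `&defaultOpts` with fixtures whose release suffix is presumably not "el7a", so the test would still pass if the excludedReleases lookup were deleted from isApplicable. A case built from an existing fixture, e.g. `alt := kernelNoarchNew` / `alt.Release = "1.el7a"` / `assert.False(t, isApplicable(&c, &alt, &kernelNoarch, &defaultOpts))`, pins the exclusion, and the same pair called with an options value whose excludedReleases map is empty should stay applicable — assuming isApplicable reads no other option field, which the hunk does not show. A release without a dot (the whole release string is then the key) is worth one assertion as well, since that path is the first thing to break when the split is refactored.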
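Review bot: `defaultOpts` remains a positional struct literal, and this hunk inserts the new `excludedReleases` map in the middle of it; with three bool fields and two `map[string]bool` fields, a positional literal compiles silently when two same-typed fields are swapped, and every future field added to `options` forces this literal to be edited again. Keyed fields such as `excludedPackages: map[string]bool{"kernel-alt": true},` and `excludedReleases: map[string]bool{"el7a": true},` make the default self-documenting and order-independent. A comment on the new struct field, e.g. `// excludedReleases holds release suffixes (text after the last dot of the RPM release, e.g. "el7a") whose updates are never treated as applicable`, would also tell a reader how the key is formed, since the split lives in common.go.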
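Review bot: The doc comment on `WithExcludedReleases` does not start with the function name, so godoc will not attach it cleanly, and it omits the two things a caller needs: the key is the release suffix after the last dot, and `rel` is stored by reference in `excludedRelsOption.apply`, so mutating the map after construction changes later evaluations. Suggested: `// WithExcludedReleases excludes updates whose release suffix (the text after the last dot, e.g. "el7a") maps to true in rel. The map is stored by reference and must not be modified afterwards.` If that sharing is unwanted, copying the map in apply (the standard library's `maps.Clone`) would detach it. The hunk's trailing context is the signature of the newerReleaseverReposOption apply method, whose body lies outside the hunk.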
@@ -123,7 +123,7 @@ func evaluate(c *Cache, opts *options, request *Request) (*VulnerabilitiesCvesDe
 
 // 3. evaluate Manually Fixable CVEs
 // if CVE is already in Unpatched or CVE list -> skip it
- evaluateManualCves(c, products, &cves)
+ evaluateManualCves(c, products, &cves, opts)
 
 return &cves, nil
 }
@@ -157,7 +157,7 @@ func evaluateUnpatchedCves(c *Cache, products []ProductsPackage, cves *Vulnerabi
 }
 }
 
-func evaluateManualCves(c *Cache, products []ProductsPackage, cves *VulnerabilitiesCvesDetails) {
+func evaluateManualCves(c *Cache, products []ProductsPackage, cves *VulnerabilitiesCvesDetails, opts *options) {
 for _, pp := range products {
 pp := pp // make copy because &pp is used
 seenProducts := make(map[CSAFProduct]bool, len(pp.ProductsFixed))
@@ -169,7 +169,7 @@ func evaluateManualCves(c *Cache, products []ProductsPackage, cves *Vulnerabilit
 }
 seenProducts[product] = true
 updateNevra := pkgID2Nevra(c, product.PackageID)
- if !isApplicable(c, &updateNevra, &pp.Package.Nevra) {
+ if !isApplicable(c, &updateNevra, &pp.Package.Nevra, opts) {
 continue
 }
 
diff --git a/vmaas/vulnerabilities_test.go b/vmaas/vulnerabilities_test.go
index f4605c2..7e6fd12 100644
--- a/vmaas/vulnerabilities_test.go
+++ b/vmaas/vulnerabilities_test.go
@@ -99,7 +99,7 @@ func TestCSAF(t *testing.T) {
 UnpatchedCves: make(map[string]VulnerabilityDetail),
 }
 evaluateUnpatchedCves(&c, products, &cves)
- evaluateManualCves(&c, products, &cves)
+ evaluateManualCves(&c, products, &cves, &defaultOpts)
 
 unpatchedCves := maps.Keys(cves.UnpatchedCves)
 manualCves := maps.Keys(cves.ManualCves)
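Review bot: In the new `evaluateManualCves` signature the `opts *options` parameter is appended after `cves`, whereas `evaluate` in the first hunk takes it as the second parameter (`evaluate(c *Cache, opts *options, request *Request)`); placing it right after `c` in both keeps the configuration arguments grouped and makes the two call sites in this patch read the same way. Note also that `evaluateUnpatchedCves`, called immediately before it in the first hunk, is unchanged and receives no options, so the el7a exclusion applies only to the manual-CVE path; if the unpatched path also matches candidate packages by release (its body is outside these hunks) the two results will disagree for rhel-alt packages, and a one-line comment at the call site saying the exclusion is deliberately limited to manually fixable CVEs would spare the next reader that question. The function also lacks a doc comment; `// evaluateManualCves evaluates manually fixable CVEs for products; candidate updates that isApplicable rejects (including those whose release suffix is in opts.excludedReleases) are skipped.` is grounded in what the hunks show. The body of evaluateManualCves continues past the end of the hunk.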