Merge pull request #32 from jasinner/public-oracle

update public date on oracle flaws to be 3rd Tuesday from Apr 2022

advisory_parser/__init__.py

@@ -5,4 +5,4 @@
 from .parser import Parser
 
 
-__version__ = "1.12"
+__version__ = "1.13"

advisory_parser/parsers/mysql.py

@@ -2,6 +2,7 @@
 # Author: Martin Prpič, Red Hat Product Security
 # License: LGPLv3+
 
+import calendar
 import re
 from datetime import datetime, timedelta
 
@@ -14,6 +15,21 @@
 MARIADB_VULN_PAGE = "https://mariadb.com/kb/en/security/"
 VERSION_REGEX = re.compile(r"(\d\d?\.\d\.\d\d?)")
 
+month_to_num = {
+ "jan": 1,
+ "feb": 2,
+ "mar": 3,
+ "apr": 4,
+ "may": 5,
+ "jun": 6,
+ "jul": 7,
+ "aug": 8,
+ "sep": 9,
+ "oct": 10,
+ "nov": 11,
+ "dec": 12,
+}
+
 
 def _nearest_tuesday(year, month, day=17):
  """For a given year and month, return nearest Tuesday to the 17th of that month
@@ -24,25 +40,8 @@ def _nearest_tuesday(year, month, day=17):
  July and October."
  [https://www.oracle.com/security-alerts/]
  """
- month_to_num = {
- "jan": 1,
- "feb": 2,
- "mar": 3,
- "apr": 4,
- "may": 5,
- "jun": 6,
- "jul": 7,
- "aug": 8,
- "sep": 9,
- "oct": 10,
- "nov": 11,
- "dec": 12,
- }
-
- if month.lower() not in month_to_num:
- raise AdvisoryParserTextException("Invalid month parsed from advisory URL:", str(month))
 
- base_date = datetime(year, month_to_num[month.lower()], day)
+ base_date = datetime(year, month, day)
 
  previous_tuesday = base_date - timedelta(days=((base_date.weekday() + 6) % 7))
  next_tuesday = base_date + timedelta(days=((1 - base_date.weekday()) % 7))
@@ -54,6 +53,34 @@ def _nearest_tuesday(year, month, day=17):
  )
 
 
+def _third_tuesday(year, month):
+ """For a given year and month, return the 3rd Tuesday of that month
+
+ "Critical Patch Updates provide security patches for supported Oracle on-premises products.
+ They are available to customers with valid support contracts. Starting in April 2022,
+ Critical Patch Updates are released on the third Tuesday of January, April, July, and October
+ (They were previously published on the Tuesday closest to the 17th day of January, April, July,
+ and October). The next four dates are:
+
+ 16 July 2024
+ 15 October 2024
+ 21 January 2025
+ 15 April 2025
+ "
+ [https://www.oracle.com/security-alerts/]
+ """
+
+ c = calendar.Calendar()
+ monthcal = c.monthdatescalendar(year, month)
+ third_tuesday = [
+ day
+ for week in monthcal
+ for day in week
+ if day.weekday() == calendar.TUESDAY and day.month == month
+ ][2]
+ return third_tuesday
+
+
 def create_mariadb_cve_map():
  # Pull plain text of the MariaDB page since the HTML is invalid: it
  # doesn't define </li> ending tags for list elements. The HTML would
@@ -98,7 +125,20 @@ def parse_mysql_advisory(url):
  # Extract the CPU's month and year from the URL since the verbose page has
  # no dates on it
  month, year = url_match.groups()
- cpu_date = _nearest_tuesday(int(year), month)
+ if month.lower() not in month_to_num:
+ raise AdvisoryParserTextException("Invalid month parsed from advisory URL:", str(month))
+ month_num = month_to_num[month.lower()]
+ year_int = int(year)
+ # Starting in April 2022, Critical Patch Updates are released on the third Tuesday of January,
+ # April, July, and October (They were previously published on the Tuesday closest to the 17th
+ # day of January, April, July, and October).
+ # [https://www.oracle.com/security-alerts/]
+ if year_int < 2022:
+ cpu_date = _nearest_tuesday(year_int, month_num)
+ elif year_int == 2022 and month_num < 4:
+ cpu_date = _nearest_tuesday(year_int, month_num)
+ else:
+ cpu_date = _third_tuesday(year_int, month_num)
  advisory_id = "CPU {} {}".format(month.capitalize(), year)
 
  # Fetch the CPU verbose page

setup.py

@@ -12,7 +12,7 @@
 
 setup(
  name="advisory-parser",
- version="1.12",
+ version="1.13",
  description="Security flaw parser for upstream security advisories",
  long_description=description,
  url="https://github.com/RedHatProductSecurity/advisory-parser",

tests/test_mysql_parser.py

@@ -8,28 +8,42 @@
 except ImportError:
  from mock import patch
 
-from advisory_parser.parsers.mysql import parse_mysql_advisory, _nearest_tuesday
+from advisory_parser.parsers.mysql import parse_mysql_advisory, _nearest_tuesday, _third_tuesday
 
 
 @pytest.mark.parametrize(
  "year, month, day, expected_date",
  [
- (2017, "jul", 3, datetime(2017, 7, 4)),
- (2017, "jul", 4, datetime(2017, 7, 4)), # Tuesday
- (2017, "jul", 5, datetime(2017, 7, 4)),
- (2017, "jul", 6, datetime(2017, 7, 4)),
- (2017, "jul", 7, datetime(2017, 7, 4)),
- (2017, "jul", 8, datetime(2017, 7, 11)),
- (2017, "jul", 9, datetime(2017, 7, 11)),
- (2017, "jul", 10, datetime(2017, 7, 11)),
- (2017, "jul", 11, datetime(2017, 7, 11)), # Tuesday
- (2017, "jul", 12, datetime(2017, 7, 11)),
+ (2017, 7, 3, datetime(2017, 7, 4)),
+ (2017, 7, 4, datetime(2017, 7, 4)), # Tuesday
+ (2017, 7, 5, datetime(2017, 7, 4)),
+ (2017, 7, 6, datetime(2017, 7, 4)),
+ (2017, 7, 7, datetime(2017, 7, 4)),
+ (2017, 7, 8, datetime(2017, 7, 11)),
+ (2017, 7, 9, datetime(2017, 7, 11)),
+ (2017, 7, 10, datetime(2017, 7, 11)),
+ (2017, 7, 11, datetime(2017, 7, 11)), # Tuesday
+ (2017, 7, 12, datetime(2017, 7, 11)),
  ],
 )
 def test_nearest_tuesday(year, month, day, expected_date):
  assert expected_date == _nearest_tuesday(year, month, day)
 
 
+@pytest.mark.parametrize(
+ "year, month, expected_date",
+ [
+ (2017, 7, datetime(2017, 7, 18).date()),
+ (2024, 7, datetime(2024, 7, 16).date()),
+ (2024, 10, datetime(2024, 10, 15).date()),
+ (2025, 1, datetime(2025, 1, 21).date()),
+ (2025, 4, datetime(2025, 4, 15).date()),
+ ],
+)
+def test_third_tuesday(year, month, expected_date):
+ assert expected_date == _third_tuesday(year, month)
+
+
 @patch("advisory_parser.parsers.mysql.get_request")
 @patch("advisory_parser.parsers.mysql.create_mariadb_cve_map")
 @pytest.mark.parametrize(