src/templates/static/vulnerabilities/cves.yml

- name: update vulnerable packages
  hosts: "@@HOSTS@@"
  vars:
    insights_issues: "@@ISSUES@@"
    insights_signature_exclude: /hosts,/vars/insights_signature,/vars/insights_issues
    insights_signature: !!binary |
      TFMwdExTMUNSVWRKVGlCUVIxQWdVMGxIVGtGVVZWSkZMUzB0TFMwS1ZtVnljMmx2YmpvZ1IyNTFV
      RWNnZGpFS0NtbFJTVlpCZDFWQldrWjZORlJqZG5jMU9FUXJhalZ3VGtGUmFUVm9aeTh2VTBKTmNY
      RnZRekYzVFRWU1JFUk9ibFYwUVRoRE9XZG5UVlV2UVhObVMwMEtZMXBKY0c1aVIyWnhhbEkzYzJw
      NFFYSXpkWGxZUWxReVQyOTBOVUp5V0dOQlQyTXdhblJJVDJ0UlJFTmhlR1ozYmxZeVVWSldiVUkw
      WWxOSllYbFNRZ3BKY1U5aE1tbEhSREZSTlN0bmVVUnNkM1poZEhkSmRFaEViME4wZGs1QmVFRkJi
      bmRrVUVkWlJEVnJSMWNyZEdFNVExQkJaa2RaVTNsQ1RIRm9PVFZuQ21zMFlrNTBkMHRVUzFOYVNV
      WTJVbWN5TUdKWFRFdzBUa1l4ZUVJeGJ6VlJWMmxqVDBwaGNtVlphazhyZW01TFZEVTJiMDQyUzFC
      TlRtSnNVV0ppYVRrS1NFTk1SMjVaYmtFMWJVdzNSbkJTYm1jMVIySlRVRVJyV2sxUWFURlBURzF4
      U3prdlpWWnFhMXBsWVhoWFpUWkdRamR0Vm5ST2FtTnFZM2xUUTNkcU9RcHFORVI1WVVSclNrOUJX
      a0pzYkhKc1lVczNUbEE0UmpkVk5rMHlWbVYyWTNGS1lsUXllbkUzZFZWcWVITjJNV2d4ZGpoSFN6
      UkpkbWhWY25sT2NsWk5Da3hHYUU1MlZtSm9UV3R5VGpoRVpVNVRSMUp1YWxadGFWQkRkbmw1UWtK
      NlEyOTBiVXBaZDFFMUsyTkxNbUZ1VVZKUFNWQnRVVFpHZURoamRrRkhSa2NLT1hwWVEyZE1TRGhu
      WTFSV2JHaFZORFJtZFdORlJ6TXZXbEpwVjFsNFpuaG5aR3BZV1N0MlZFTktNbWxUY1hGUEsyRlBS
      WEp2Y2s5eGRFZHNNVmx4ZVFwalVWTnNlbkI0T1U0NWJXSklMM0prWTFaSVVUTXJPREZsVG1WeWMx
      SlphSGhVWlhvck5reFRkRGt2YVM5YU4wMWxOMkpUWjB4aVVuVlhhVkJrVFRCU0NucHlRelUzTlVj
      MVpqSXhiV05UVERGak0wdExhRWRwVVdNM1pFeEtZbmh3T1hvd05rVkZUMmhXVTNNeE5VaEtTbFEw
      T0RkT1kzcFRRVFIxWlhrclQzWUtaRmQ0VkcweVFVWnhORVZyTTBWTmIxaGpRblZIZWtwTE4zRXJT
      VXBCVGtOU1VqWjVNVlZHWWpZckt6WnRheXMzYjNSRFNHcDVWMlZsYkVaaVExbFNlUXBuU1ZONFlt
      RjZiSEpLVlQwS1BUbEtZbFFLTFMwdExTMUZUa1FnVUVkUUlGTkpSMDVCVkZWU1JTMHRMUzB0Q2c9
      PQ==
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q {{ insights_issues | regex_search('(--cve (CVE-[0-9]{4}-[0-9]+)\\s*)+') }}"
      check_mode: no
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100

    - when: check_out.rc == 100
      name: upgrade package
      shell: "{{ ansible_facts['pkg_mgr'] }} upgrade -v -y {{ insights_issues | regex_search('(--cve (CVE-[0-9]{4}-[0-9]+)\\s*)+') }}"

    - when: check_out.rc == 100
      name: set reboot fact
      set_fact:
        insights_needs_reboot: true