Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: Add XML output option to 'dnf5 advisories list' #1524

Conversation

stewartsmith
Copy link
Contributor

Add an option to output the list of applicable advisories in the same XML format as the updateinfo.xml file in the repository.

This allows tooling to have a consistent machine readable format for getting what advisories apply to a system. Resorting to parsing text output of commands is (naturally) error prone, and designed for humans to look at rather than machines.

Alternatives for these tools include using the APIs of dnf/yum/other-rpm-package-manager, and keeping up with their evolution. For tooling that supports a wide range of distributions and versions, this can become rather onerous, especially across the many different security/patch management products.

With a documented format, we can help these tools get the correct information both on available updates, and what ones are applicable to particular systems. Using the same format these tools need to be able to parse already avoids the need to get multiple parsers correct.


One issue I have with this code is that the user needs to pass -q to dnf5 in order to get valid XML on stdout. Even with that, sometimes you get Fedora 40 openh264 (From Cisco) - aarc 100% | 3.1 KiB/s | 990.0 B | 00m00s and similar. Hints on how to avoid this are welcome - I'd prefer to not have to go via a file on disk.

I dislike the --xml-output option name, perhaps a --format=[xml|text|morse-code]? Suggestions welcome.

I'd like feedback on if this should be part of core dnf5 or a plugin. Being part of the core command does mean that third party tools can start relying on it being there rather than needing to also parse text output forever as well.

#1523 is related, as it starts documenting the updateinfo.xml format.

I also intend to backport to https://github.com/rpm-software-management/dnf so this functionality can be added to existing distributions, but wanted feedback here first.


Sample output of ./dnf5/dnf5 -q advisory list --xml-output on Fedora 40:
advisory-list.xml.txt

Add an option to output the list of applicable advisories in the same
XML format as the updateinfo.xml file in the repository.

This allows tooling to have a consistent machine readable format for
getting what advisories apply to a system. Resorting to parsing text
output of commands is (naturally) error prone, and designed for humans
to look at rather than machines.

Alternatives for these tools include using the APIs of
dnf/yum/other-rpm-package-manager, and keeping up with their evolution.
For tooling that supports a wide range of distributions and versions,
this can become rather onerous, especially across the many
different security/patch management products.

With a documented format, we can help these tools get the correct
information both on available updates, and what ones are applicable to
particular systems. Using the same format these tools need to be able to
parse already avoids the need to get multiple parsers correct.

Signed-off-by: Stewart Smith <trawets@amazon.com>
@kontura
Copy link
Contributor

kontura commented Jun 5, 2024

We do have a plan for machine readable output format but we plan to use json: #512 and #867.
Is xml something you require or would you be fine with json?

One issue I have with this code is that the user needs to pass -q to dnf5 in order to get valid XML on stdout. Even with that, sometimes you get Fedora 40 openh264 (From Cisco) - aarc 100% | 3.1 KiB/s | 990.0 B | 00m00s and similar. Hints on how to avoid this are welcome

This appears to be a bug. The -q option should suppress that output. It was discussed here: #1522 (comment)

@stewartsmith
Copy link
Contributor Author

The main motivation for XML was to match a format that the tools have to parse anyway, avoiding them needing to correctly parse two formats.

The output of "dnf advisories list" may be the first time these tools are learning of a particular advisory. Parsing updateinfo from the repo is useful for a UI to browse and look up advisories, but for what applies to an instance, it needs to come from the instance to ensure all enabled yum repositories on that instance are covered.

Thus, if these are the same formats, it saves some extra code in these tools.

So, while JSON would functionally work, it would mean there's now two formats that must be parsed correctly rather than one.

What are your thoughts on just having --output=text|updateinfoxml|json ?

@stewartsmith
Copy link
Contributor Author

One of the tools in question is SSM Patch Manager, a widely used AWS service. One benefit of a format with a well defined schema is that any output deviating from that schema can be alarmed on.

@stewartsmith stewartsmith marked this pull request as draft June 5, 2024 23:43
@stewartsmith
Copy link
Contributor Author

With #1531 merged, I'm going to close this PR as agreement has been reached on JSON, and the code ends up being a bunch simpler.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants