From 5a7abf05d6cb2f61394b0dafb4e739b61e4eb1e6 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Thu, 14 May 2020 22:05:13 +0200
Subject: [PATCH] RedHat have started requiring both a html and a json to display CVEs

And dumb as it is they return "200 OK" on the CVE *page* even if the CVE doesn't exist. So we have to poll both the page and the API call in order to figure out if it's actually there.
---
 pgweb/security/management/commands/update_cve_links.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pgweb/security/management/commands/update_cve_links.py b/pgweb/security/management/commands/update_cve_links.py
index bc3d27c0..b70c8f76 100644
--- a/pgweb/security/management/commands/update_cve_links.py
+++ b/pgweb/security/management/commands/update_cve_links.py
@@ -23,9 +23,13 @@ class Command(BaseCommand):
 for s in SecurityPatch.objects.filter(cve_visible=False):
 r = requests.get(s.cvelink, timeout=10)
 if r.status_code == 200:
- newly_visible.append(s.cve)
- s.cve_visible = True
- s.save()
+ # RedHat have started requiring both a HTML page and a JSON api call to view
+ # CVEs. Dumb dumb dumb, but what can we do...
+ r = requests.get('https://access.redhat.com/api/redhat_node/CVE-{}.json'.format(s.cve))
+ if r.status_code == 200:
+ newly_visible.append(s.cve)
+ s.cve_visible = True
+ s.save()
 if newly_visible:
 send_simple_mail(settings.NOTIFICATION_FROM, settings.NOTIFICATION_EMAIL,
--
2.39.5
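Review bot: The added `requests.get` for the JSON endpoint has no `timeout`, unlike the page fetch two lines above it (`timeout=10`), so a stalled connection to access.redhat.com can block this management command indefinitely. Pass the same limit: `r = requests.get('https://access.redhat.com/api/redhat_node/CVE-{}.json'.format(s.cve), timeout=10)`. Rebinding `r` also hides which of the two responses is being tested; a separate name such as `api_r` would read more clearly. Because `cve_visible` is flipped on a bare 200, it is worth confirming that the API answers with a non-200 status for unpublished CVEs, rather than a 200 error body or a redirect that ends in 200. The enclosing method starts and ends outside the hunk.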