RedHat have started requiring both a html and a json to display CVEs
author Magnus Hagander <magnus@hagander.net>
Thu, 14 May 2020 20:05:13 +0000 (22:05 +0200)
committer Magnus Hagander <magnus@hagander.net>
Thu, 14 May 2020 20:06:04 +0000 (22:06 +0200)
And dumb as it is they return "200 OK" on the CVE *page* even if the CVE
doesn't exist. So we have to poll both the page and the API call in
order to figure out if it's actually there.

pgweb/security/management/commands/update_cve_links.py

index bc3d27c09d715b12bf369236be6f64efdbccdf37..b70c8f767fc1ff01f642645f8f899d672f27eb87 100644 (file)
@@ -23,9 +23,13 @@ class Command(BaseCommand):
             for s in SecurityPatch.objects.filter(cve_visible=False):
                 r = requests.get(s.cvelink, timeout=10)
                 if r.status_code == 200:
-                    newly_visible.append(s.cve)
-                    s.cve_visible = True
-                    s.save()
+                    # RedHat have started requiring both a HTML page and a JSON api call to view
+                    # CVEs. Dumb dumb dumb, but what can we do...
+                    r = requests.get('https://access.redhat.com/api/redhat_node/CVE-{}.json'.format(s.cve))
+                    if r.status_code == 200:
+                        newly_visible.append(s.cve)
+                        s.cve_visible = True
+                        s.save()
             if newly_visible:
                 send_simple_mail(settings.NOTIFICATION_FROM,
                                  settings.NOTIFICATION_EMAIL,
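
Review bot: the added JSON API request, `requests.get('https://access.redhat.com/api/redhat_node/CVE-{}.json'.format(s.cve))`, is made without a timeout, while the page request two lines above it passes `timeout=10`, so a stalled API response can block this management command indefinitely. Suggest passing `timeout=10` on the second call as well. The new call also rebinds `r`, which hides the page response from anything later in the loop body; a separate name for the API response would make the two checks easier to follow. Finally, the API host and path are hardcoded here while the page URL comes from `s.cvelink`, so a short comment or a module-level constant for the API URL pattern would make it easier to update if the upstream layout changes again.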