> But then I "forgot" to run datapatch.
> ...
> Check out DBA_REGISTRY_SQLPATCH

datapatch populates DBA_REGISTRY_SQLPATCH. If it was not run, you will have nothing there.

SQL> !$ORACLE_HOME/OPatch/opatch lspatches
36233263;Database Release Update : 19.23.0.0.240416 (36233263)
35926646;OJVM RELEASE UPDATE: 19.22.0.0.240116 (35926646)
35967489;OCW RELEASE UPDATE 19.22.0.0.0 (35967489)

OPatch succeeded.

SQL>
SQL> select patch_id, status from dba_registry_sqlpatch;

  PATCH_ID STATUS
---------- -------------------------
  35926646 SUCCESS
  35943157 SUCCESS

SQL>
SQL> select patch_id, description, sql_patch
  2    from xmltable('InventoryInstance/patches/*'
  3                   passing dbms_qopatch.get_opatch_lsinventory
  4           columns
  5             patch_id int path 'patchID',
  6             description varchar2(255) path 'patchDescription',
  7             sql_patch varchar2(10) path 'sqlPatch')
  8  /

  PATCH_ID DESCRIPTION                                                            SQL_PATCH
---------- ---------------------------------------------------------------------- ----------
  36233263 Database Release Update : 19.23.0.0.240416 (36233263)                  true
  35926646 OJVM RELEASE UPDATE: 19.22.0.0.240116 (35926646)                       true
  35967489 OCW RELEASE UPDATE 19.22.0.0.0 (35967489)                              true

To determine whether you need to run datapatch, pass the prereq argument to it (datapatch -prereq), or compare DBA_REGISTRY_SQLPATCH against your binary registry as it is demonstrated above. For example, patch 36233263 is an SQL patch which is not in DBA_REGISTRY_SQLPATCH. Hence, it needs to be applied by datapatch.

Thanks Mikhail,

You have given valuable input - And sort of confirmed that this is not straight forward

I've been asked to "confirm" that all databases are at a certain patch level, and that all data patches have been applied, also. Let's just say I am auditor without much knowledge on the subject (I am actually Developer crossing certain lines)

I will work from your valued input, thanks!

//Peter

Hello Chris/Connor,

Hope you are doing well.
Would you know whether DBMS_QOPATCH is NOT intended to be used by normal users? The documentation for 19c https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_QOPATCH.html#GUID-10BC18AA-EC71-44B7-A3E7-2E4D06FA2DC4 appears to suggest that only SYS can use this.
If I am honest, just like those V4 views for accessing trace file contents, this package looks like harmless but very useful.
Would you know
a) whether EXECUTE privilege on DBMS_QOPATCH is enough to use its subprograms to get patching details &
b) whether there is any Risk/vulnerability in giving access to DBMS_QOPATCH to normal (non-admin) users?

Thanks in advance

Hello Connor,

Appreciate your input on the impact on security.
My question was mainly focussed on how the privilege model works in the database. The documentation appears to suggest that user needs to have SYS level privileges in order to be able to use DBMS_QOPATCH APIs. However, I am able to grant only EXECUTE privilege on DBMS_QOPATCH to a local user and that user is able to access patch details.

First, without EXECUTE privilege on DBMS_QOPATCH, I get error as expected:

SQL> show user
USER is "NP"
SQL> select * from session_privs ;

PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
CREATE TABLE
SELECT ANY TABLE
CREATE SEQUENCE
CREATE PROCEDURE
MANAGE ANY QUEUE
ADMINISTER RESOURCE MANAGER
SELECT ANY DICTIONARY
GRANT ANY OBJECT PRIVILEGE
ANALYZE ANY DICTIONARY
ADVISOR
CREATE JOB
ADMINISTER SQL MANAGEMENT OBJECT

14 rows selected.

Elapsed: 00:00:00.16
SQL> select * from session_roles ;

ROLE
--------------------------------------------------------------------------------------------------------------------------------
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
AQ_USER_ROLE
OEM_MONITOR

Elapsed: 00:00:00.08
SQL> set pagesize 0
SQL> set long 1000000 
SQL> select xmltransform(dbms_qopatch.get_opatch_install_info, dbms_qopatch.get_opatch_xslt) "Home and Inventory" from dual;
select xmltransform(dbms_qopatch.get_opatch_install_info, dbms_qopatch.get_opatch_xslt) "Home and Inventory" from dual
                                                          *
ERROR at line 1:
ORA-00904: "DBMS_QOPATCH"."GET_OPATCH_XSLT": invalid identifier


Elapsed: 00:00:00.02
SQL> select xmltransform(sys.dbms_qopatch.get_opatch_install_info, sys.dbms_qopatch.get_opatch_xslt) "Home and Inventory" from dual;
select xmltransform(sys.dbms_qopatch.get_opatch_install_info, sys.dbms_qopatch.get_opatch_xslt) "Home and Inventory" from dual
                                                              *
ERROR at line 1:
ORA-00904: "SYS"."DBMS_QOPATCH"."GET_OPATCH_XSLT": invalid identifier


Elapsed: 00:00:00.01

After granting EXECUTE on DBMS_QOPATCH, it works

SQL> select * from user_tab_privs where table_name = 'DBMS_QOPATCH' ;
NP                 SYS
DBMS_QOPATCH                SYS       EXECUTE
NO  NO NO  PACKAGE       NO


Elapsed: 00:00:01.71
SQL> select xmltransform(sys.dbms_qopatch.get_opatch_install_info, sys.dbms_qopatch.get_opatch_xslt) "Home and Inventory" from dual;

Oracle Home   : /opt/oracle/product/19c/dbhome_1
Inventory   : /opt/oracle/oraInventory


Elapsed: 00:00:27.86

I still believe that the above is correct behaviour and the responsibility should be with administrators to decide which users, if any, should be able to query patch inventory.
However, the documentation appears to be misleading and not in sync with the actual implementation.
What am I missing?

Thanks in advance

Hello Connor,

Thank you for your time and response.
In addition to the potential risks that you have already mentioned, do you see any other potential risks in granting EXECUTE on DBMS_QOPATCH? I am hoping none as query able patch inventory has been promoted as a new feature but happy to listen to any concerns/issues.