Merge ~alexmurray/ubuntu-cve-tracker:try-lookup-kernel-cves-from-local-repo into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: f0b7992bb2fa2e85c53ca3f374f0258c5345e9b8
Proposed branch: ~alexmurray/ubuntu-cve-tracker:try-lookup-kernel-cves-from-local-repo
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+41/-6)
1 file modified
scripts/cve_lib.py (+41/-6)
Reviewer Review Type Date Requested Status
Rodrigo Figueiredo Zaiden Approve
Ubuntu Security Team Pending
Review via email: mp+466121@code.launchpad.net

Commit message

scripts/cve_lib.py: try looking up kernel commits from local git clone

First try to look up kernel git commit details from the locally configured
linux_kernel_path (this is already used in the kernel CVE triage scripts) and
then fall back to pulling down the individual commit via the network if that
fails.

This should speed up these operations when a local git repo is configured
AND has the relevant commits.

Tested with a simple example:

$ grep linux_kernel_path ~/.ubuntu-cve-tracker.conf
$ time ./scripts/active_edit -p linux -c CVE-2025-00001 -k -r https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760

real 0m6.611s
user 0m6.115s
sys 0m0.054s

$ sed -i s/'#linux_kernel_path'/'linux_kernel_path'/ ~/.ubuntu-cve-tracker.conf
$ time ./scripts/active_edit -p linux -c CVE-2025-00002 -k -r https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760

real 0m6.173s
user 0m6.105s
sys 0m0.066s

$ diff active/CVE-2025-0000{1,2}
1c1
< Candidate: CVE-2025-00001
---
> Candidate: CVE-2025-00002
4c4
< https://www.cve.org/CVERecord?id=CVE-2025-00001
---
> https://www.cve.org/CVERecord?id=CVE-2025-00002

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

LGTM.
Thanks for this, I was wanting something like this for a while.
Ran a few tests on my side and it is working fine!

review: Approve


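--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -3618,6 +3618,21 @@ def wrap_text(text, width=75):
 """
 return wordwrap(text, width).replace(' \n', '\n')
 
+def git_cmd(command, commit, repo=os.getcwd()):
+ rc, report = cmd(['git', '-C', repo, command, commit])
+ if rc != 0:
+ print(report, file=sys.stderr)
+ return None
+ return report
+
+def git_show(commit, repo=os.getcwd()):
+ '''Look up a commit from a local git clone.'''
+ return git_cmd('show', commit, repo)
+
+def git_revparse(commit, repo=os.getcwd()):
+ '''Run git rev-parse on a local git clone.'''
+ return git_cmd('rev-parse', commit, repo)
+
 def fetch_kernel_fixes(url):
 '''Downloads a kernel commit and returns a list of break-fixes'''
 commit_hash = None
@@ -3642,12 +3657,23 @@ def fetch_kernel_fixes(url):
 # Get the raw patch
 url = url.replace('/commit/', '/patch/')
 
+ # first try from local git repo
+ patch = None
+ config = read_uct_config()
 try:
- with urllib.request.urlopen(url) as response:
- patch = response.read().decode('utf-8')
- except urllib.error.HTTPError as e:
- print("WARNING: Failed to fetch patch URL %s: %s" % (url, str(e)), file=sys.stderr)
- return fixes
+ commit = url.rsplit('=', maxsplit=1)[1]
+ patch = git_show(commit, config["linux_kernel_path"])
+ except KeyError:
+ # no linux_kernel_path configured - TODO warn user?
+ pass
+ finally:
+ if patch is None:
+ try:
+ with urllib.request.urlopen(url) as response:
+ patch = response.read().decode('utf-8')
+ except urllib.error.HTTPError as e:
+ print("WARNING: Failed to fetch patch URL %s: %s" % (url, str(e)), file=sys.stderr)
+ return fixes
 
 backport_re = re.compile(r"(commit [0-9a-f]{40} upstream.|\[ Upstream commit [0-9a-f]{40} \])")
 for line in patch.split("\n"):
@@ -3657,7 +3683,7 @@ def fetch_kernel_fixes(url):
 if backport_re.match(line):
 # This is an LTS backport, skip it
 return []
- if not commit_hash and line.startswith("From "):
+ if not commit_hash and line.startswith("From ") or line.startswith("commit "):
 commit_hash = line.split(' ')[1]
 continue
 elif line.startswith("Fixes: "):
@@ -3695,6 +3721,15 @@ def get_long_kernel_hash(short_hash):
 if len(short_hash) > 12 and INITIAL_COMMIT_HASH.startswith(short_hash):
 return INITIAL_COMMIT_HASH
 
+ commit_hash = None
+ config = read_uct_config()
+ try:
+ commit_hash = git_revparse(short_hash, config["linux_kernel_path"])
+ except KeyError:
+ pass
+ if commit_hash and commit_hash.startswith(short_hash):
+ return short_hash.strip()
+
 url = 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=' + short_hash
 with urllib.request.urlopen(url) as response:
 try: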
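Review bot: The last hunk returns `short_hash.strip()` from `get_long_kernel_hash` when the local rev-parse succeeds, so the new fast path hands back the short hash the function was asked to expand; the line should read `return commit_hash.strip()` (the strip removes git's trailing newline, which is presumably why `.strip()` was added at all). In the third hunk, `if not commit_hash and line.startswith("From ") or line.startswith("commit "):` parses as `(not commit_hash and …) or …`, so any later line beginning with `commit ` overwrites a hash already found; parenthesize the two `startswith` calls. In the first hunk, `git_cmd` passes the commit string taken from the URL to git as a bare positional argument; since this code already treats hashes as `[0-9a-f]+`, rejecting a non-hex value before the call (or placing `--end-of-options` ahead of the commit) keeps a malformed reference from being parsed as a git option. In the second hunk the network fallback sits in `finally`, where the `return fixes` on the HTTPError path would also swallow an unexpected exception raised by the `rsplit`/`git_show` lines; moving the `if patch is None:` fetch to an ordinary statement after the `try` keeps such an error visible. `fetch_kernel_fixes` and `get_long_kernel_hash` both continue outside their hunks.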
