Merge ~alexmurray/ubuntu-cve-tracker:try-lookup-kernel-cves-from-local-repo into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: f0b7992bb2fa2e85c53ca3f374f0258c5345e9b8
Proposed branch: ~alexmurray/ubuntu-cve-tracker:try-lookup-kernel-cves-from-local-repo
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+41/-6)
1 file modified
scripts/cve_lib.py (+41/-6)
Reviewer Review Type Date Requested Status
Rodrigo Figueiredo Zaiden Approve
Ubuntu Security Team Pending
Review via email: mp+466121@code.launchpad.net

Commit message

scripts/cve_lib.py: try looking up kernel commits from local git clone

First try and look up kernel git commit details from the locally configured
linux_kernel_path (this is already used in the kernel CVE triage scripts) and
then fallback to pulling down the individual commit via the network if that
fails.

This should speed up these operations when a local git repo is configured
AND has the relevant commits.

Tested with a simple example:

$ grep linux_kernel_path ~/.ubuntu-cve-tracker.conf
$ time ./scripts/active_edit -p linux -c CVE-2025-00001 -k -r https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760

real 0m6.611s
user 0m6.115s
sys 0m0.054s

$ sed -i s/'#linux_kernel_path'/'linux_kernel_path'/ ~/.ubuntu-cve-tracker.conf
$ time ./scripts/active_edit -p linux -c CVE-2025-00002 -k -r https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760

real 0m6.173s
user 0m6.105s
sys 0m0.066s

$ diff active/CVE-2025-0000{1,2}
1c1
< Candidate: CVE-2025-00001
---
> Candidate: CVE-2025-00002
4c4
< https://www.cve.org/CVERecord?id=CVE-2025-00001
---
> https://www.cve.org/CVERecord?id=CVE-2025-00002

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

LGTM.
Thanks for this, was wanting something like that for a while.
Ran a few tests on my side and it is working fine!

review: Approve

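diff --git a/scripts/cve_lib.py b/scripts/cve_lib.py
index f8cff79..c522742 100755
--- a/scripts/cve_lib.py
+++ b/scripts/cve_lib.py
@@ -3618,6 +3618,21 @@ def wrap_text(text, width=75):
     """
     return wordwrap(text, width).replace(' \n', '\n')
 
+def git_cmd(command, commit, repo=os.getcwd()):
+    rc, report = cmd(['git', '-C', repo, command, commit])
+    if rc != 0:
+        print(report, file=sys.stderr)
+        return None
+    return report
+
+def git_show(commit, repo=os.getcwd()):
+    '''Look up a commit from a local git clone.'''
+    return git_cmd('show', commit, repo)
+
+def git_revparse(commit, repo=os.getcwd()):
+    '''Run git rev-parse on a local git clone.'''
+    return git_cmd('rev-parse', commit, repo)
+
 def fetch_kernel_fixes(url):
     '''Downloads a kernel commit and returns a list of break-fixes'''
     commit_hash = None
@@ -3642,12 +3657,23 @@ def fetch_kernel_fixes(url):
     # Get the raw patch
     url = url.replace('/commit/', '/patch/')
 
+    # first try from local git repo
+    patch = None
+    config = read_uct_config()
     try:
-        with urllib.request.urlopen(url) as response:
-            patch = response.read().decode('utf-8')
-    except urllib.error.HTTPError as e:
-        print("WARNING: Failed to fetch patch URL %s: %s" % (url, str(e)), file=sys.stderr)
-        return fixes
+        commit = url.rsplit('=', maxsplit=1)[1]
+        patch = git_show(commit, config["linux_kernel_path"])
+    except KeyError:
+        # no linux_kernel_path configured - TODO warn user?
+        pass
+    finally:
+        if patch is None:
+            try:
+                with urllib.request.urlopen(url) as response:
+                    patch = response.read().decode('utf-8')
+            except urllib.error.HTTPError as e:
+                print("WARNING: Failed to fetch patch URL %s: %s" % (url, str(e)), file=sys.stderr)
+                return fixes
 
     backport_re = re.compile(r"(commit [0-9a-f]{40} upstream.|\[ Upstream commit [0-9a-f]{40} \])")
     for line in patch.split("\n"):
@@ -3657,7 +3683,7 @@ def fetch_kernel_fixes(url):
         if backport_re.match(line):
             # This is an LTS backport, skip it
             return []
-        if not commit_hash and line.startswith("From "):
+        if not commit_hash and line.startswith("From ") or line.startswith("commit "):
             commit_hash = line.split(' ')[1]
             continue
         elif line.startswith("Fixes: "):
@@ -3695,6 +3721,15 @@ def get_long_kernel_hash(short_hash):
     if len(short_hash) > 12 and INITIAL_COMMIT_HASH.startswith(short_hash):
         return INITIAL_COMMIT_HASH
 
+    commit_hash = None
+    config = read_uct_config()
+    try:
+        commit_hash = git_revparse(short_hash, config["linux_kernel_path"])
+    except KeyError:
+        pass
+    if commit_hash and commit_hash.startswith(short_hash):
+        return short_hash.strip()
+
     url = 'https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=' + short_hash
     with urllib.request.urlopen(url) as response:
         try: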
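Review bot: The new local-lookup path in `get_long_kernel_hash` returns the wrong value: after `git rev-parse` succeeds it returns `short_hash.strip()` rather than the resolved hash, so the function never actually lengthens the hash when the local clone has it; the line should be `return commit_hash.strip()` (rev-parse output carries a trailing newline, which is where the strip belongs). In the second `fetch_kernel_fixes` hunk, `if not commit_hash and line.startswith("From ") or line.startswith("commit "):` parses as `(not commit_hash and From) or commit`, so any later body line beginning with `commit ` overwrites an already-captured hash; it needs `if not commit_hash and (line.startswith("From ") or line.startswith("commit ")):`. In the first `fetch_kernel_fixes` hunk the network fallback sits in a `finally:` block, which runs on every exit and so either lets a non-KeyError exception (an IndexError from `url.rsplit('=', maxsplit=1)[1]` on a URL without `=`, or an OSError from invoking git) propagate after the fallback has already fetched the patch, or swallows it via `return fixes`; the fallback belongs after the try with `except (KeyError, IndexError): pass`, as below. Both `commit` and `short_hash` reach `git` as a bare positional argument, so `git_cmd` should reject anything that is not a hex id (`re.fullmatch(r'[0-9a-fA-F]{4,40}', commit)`) and pass `--end-of-options` before it so the value is never interpreted as an option. Separately, `git show`'s default format indents the commit message body, unlike the `/patch/` e-mail format, so unless lines 3654–3656 (outside the hunk) strip leading whitespace, `Fixes:` lines and `backport_re` would not match on locally fetched commits; `git show --format=email` would make both sources parse the same way.
```python
    # first try from local git repo
    patch = None
    config = read_uct_config()
    try:
        commit = url.rsplit('=', maxsplit=1)[1]
        patch = git_show(commit, config["linux_kernel_path"])
    except (KeyError, IndexError):
        # no linux_kernel_path configured, or URL is not in ?id= form: use the network
        pass
    if patch is None:
        try:
            with urllib.request.urlopen(url) as response:
                patch = response.read().decode('utf-8')
        except urllib.error.HTTPError as e:
            print("WARNING: Failed to fetch patch URL %s: %s" % (url, str(e)), file=sys.stderr)
            return fixes
    # … unchanged: backport_re parsing loop …
```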
