Merge ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_usn_option into ubuntu-cve-tracker:master
| Status | Merged |
|---|---|
| Merged at revision | 6328a97df0080172a383406c289c19c30f1bde9f |
| Proposed branch | ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_usn_option |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 56 lines (+20/-0), 2 files modified: scripts/prepare-kernel-usn.py (+4/-0), scripts/sis-generate-usn (+16/-0) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Steve Beattie | Approve | | |

Review via email: mp+440359@code.launchpad.net
Commit message
prepare-
With the optional argument --filter-cves it is possible to filter out
CVEs that are marked as released but were found in the changelog.
It is mainly needed in the kernel USNs context, as kernel changelogs
may include previous versions' changelogs.
Description of the change
When dealing with kernel releases, it is common to have changelogs that include previous versions' changelogs in the current one.
When running `prepare-
example:
focal/linux-aws : 5.4.0-1100.108 - https:/
"linux-aws (5.4.0-1099.107)" and older ones can be found there.
$ cd $UCT
$ ./scripts/
...
ValueError: CVEs found in changelog but not command line: CVE-2022-3567 CVE-2022-3524 CVE-2022-3643 CVE-2022-2196 CVE-2022-3621 CVE-2022-41218 CVE-2022-3564 CVE-2023-0461 CVE-2022-4382 CVE-2022-3061 CVE-2023-0266 CVE-2022-3594 CVE-2022-42703 CVE-2022-43945 CVE-2022-2663 CVE-2022-4139 CVE-2023-23559 CVE-2021-3669 CVE-2022-3545 CVE-2022-3566 CVE-2022-3565 CVE-2022-47520 CVE-2022-42896 CVE-2022-45934
...
Those CVEs are already released in older kernels.
With the change proposed:
$ cd $UCT
$ ./scripts/
...
INFO: CVEs '{'CVE-2022-41218', 'CVE-2022-42703', 'CVE-2022-3524', 'CVE-2022-3621', 'CVE-2022-3567', 'CVE-2022-4139', 'CVE-2022-3565', 'CVE-2022-3564', 'CVE-2022-42896', 'CVE-2022-3566', 'CVE-2022-45934', 'CVE-2023-0266', 'CVE-2022-3061', 'CVE-2022-4382', 'CVE-2022-47520', 'CVE-2022-2663', 'CVE-2022-3643', 'CVE-2023-23559', 'CVE-2023-0461', 'CVE-2022-2196', 'CVE-2022-3545', 'CVE-2022-43945', 'CVE-2022-3594', 'CVE-2021-3669'}' in changelog are already released, ignoring
...
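The two behaviours described above (the ValueError without the option, the "already released, ignoring" message with it), as an added illustration that is not the project's code: the merge diff is not reproduced on this page, so the changelog text, the CVE identifiers (CVE-2099-*), the function names and the way the flag is passed are all constructed assumptions.

```python
import logging
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed Debian-style changelog: the current upload plus one older
# entry carried along, as happens with kernel packages. The CVE ids are
# placeholders, not real assignments.
CHANGELOG = """\
linux-aws (5.4.0-1100.108) focal; urgency=medium

  * CVE-2099-0001 (constructed, fixed in this upload)

 -- Kernel Team <kernel-team@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

linux-aws (5.4.0-1099.107) focal; urgency=medium

  * CVE-2099-0002 (constructed, released with the previous upload)

 -- Kernel Team <kernel-team@example.invalid>  Mon, 01 Dec 2023 00:00:00 +0000
"""


def cves_in_changelog(text):
    """Collect every CVE id mentioned anywhere in the changelog text."""
    return set(CVE_RE.findall(text))


def check_cves(changelog, cmdline_cves, released_cves, filter_cves=False):
    """Return the CVE set to publish, or raise on unexpected changelog CVEs.

    Without filter_cves, any CVE named in the changelog but absent from the
    command line is an error. With filter_cves, the ones already marked
    released are logged and dropped; only genuinely unexpected ones raise.
    """
    found = cves_in_changelog(changelog)
    missing = found - set(cmdline_cves)
    if filter_cves:
        already = missing & set(released_cves)
        if already:
            logging.info("CVEs %r in changelog are already released, ignoring",
                         sorted(already))
        missing -= already
    if missing:
        raise ValueError("CVEs found in changelog but not command line: "
                         + " ".join(sorted(missing)))
    return set(cmdline_cves)
```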
The name feels a bit generic for what it does; if there's a good reason to go with this, that's fine, but I'd like to suggest something more like:
--ignore-released-cves
--filter-released-cves
--skip-released-cves
--ignore-released-cves-in-changelog
--filter-released-cves-in-changelog
--skip-released-cves-in-changelog
or something else :) -- something that's more specific about what exact operation is going to be done, and the cves that it is going to be done to.
Thanks