Merge ~rodrigo-zaiden/ubuntu-cve-tracker:sis_generate_usn_ignore_cves_changelog into ubuntu-cve-tracker:master
| Status | Merged |
|---|---|
| Merged at revision | 038b128978c27bbbe5a7bcdd2e34d3324a6292cb |
| Proposed branch | ~rodrigo-zaiden/ubuntu-cve-tracker:sis_generate_usn_ignore_cves_changelog |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 13 lines (+3/-0), 1 file modified: scripts/sis-generate-usn (+3/-0) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Steve Beattie | Approve | | |
| Alex Murray | Approve | | |

Review via email: mp+454541@code.launchpad.net
Commit message
scripts/
When generating a USN, we first parse CVEs from the changelog before updating
the CVE set (removing the CVE(s)) with the ignored CVEs from the argument
'--ignore-cves'. So, if there is a CVE that will fail when parsing the
changelog, we cannot use the '--ignore-cves' argument because it fails
before reaching the CVE set update for the ignored CVEs from the command.
Verifying if the parsed CVE is listed to be ignored gives us the chance
to skip that check and won't add the CVE to the USN.
Description of the change
Scenario:
CVE-2023-4563 is a duplicate CVE; it was identified as a duplicate after
the kernel team prepared the kernels and listed it as fixed in the changelog.
When identified, it was moved to the ignored/ folder.
The CVE that it was a duplicate of (CVE-2023-4244) is also listed in the
changelog.
It can also happen if a CVE has a typo when being mentioned in the changelog.
How to reproduce it:
$ cd $UCT
$./scripts/
...
ERROR: CVE-2023-4563 does not exist in UCT in either retired
Traceback (most recent call last):
File "/home/
subprocess.
File "/usr/lib/
raise CalledProcessEr
subprocess.
Notes:
When we first executed the prepare-kernel-usn script, we identified that it was OK
to ignore that CVE. But even when we want to ignore it, it keeps failing
because the script first checks if there is an error with the CVE and stops.
Only later would it update the CVE set to remove the ignored CVEs.
It can also happen when there is a typo when listing CVEs in the changelog
(it happens with the above execution with CVE-2023-42572, which is a typo
for CVE-2023-42752).
Currently, the trace is:
sis-
|_ parse_changes()
| |_ parse_CVEs()
| |_ check_cve_
X
|_ if opt.ignore_cves:
//won't have the chance to use the ignored CVEs
This commit will:
sis-
|_ parse_changes()
| |_ parse_CVEs() //skip the following check if CVE is in ignored list
| |_ check_cve_
|
|_ if opt.ignore_cves:
//will update the CVE set with ignored CVEs with success
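The ordering problem and the fix described above, as an added stand-alone illustration. This is not code from ubuntu-cve-tracker and not the diff of this merge proposal: the function names (parse_cves, check_cve_exists, usn_cves_before_fix, usn_cves_after_fix), the changelog excerpt and the set of "known" CVEs are all constructed for the example. Before the fix, every CVE id found in the changelog is validated before the ignore list is applied, so one unknown id aborts the run; after the fix, the ignore set is consulted while parsing, so an ignored id skips the check and is never added to the USN.

```python
import re

# Constructed stand-in for the CVEs the tracker knows about (active or
# retired). CVE-2023-4563 is deliberately absent, mirroring a CVE moved to
# ignored/ after the changelog was written; CVE-2023-42572 is the typo case.
KNOWN_CVES = frozenset({"CVE-2023-4244", "CVE-2023-42752"})

# Constructed changelog excerpt; not a real Ubuntu kernel changelog.
CHANGELOG = """\
  * CVE-2023-4244
    - netfilter fix (constructed entry)
  * CVE-2023-4563
    - entry later found to duplicate the one above
  * CVE-2023-42572
    - entry with a mistyped CVE id
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class UnknownCVEError(Exception):
    """Raised when a changelog references a CVE the tracker does not know."""


def check_cve_exists(cve):
    # Stand-in for the existence check that aborts the run in the description.
    if cve not in KNOWN_CVES:
        raise UnknownCVEError(f"ERROR: {cve} does not exist in the tracker")


def parse_cves(changelog, ignore_cves=frozenset()):
    """Collect CVE ids from a changelog, validating each one.

    With an empty ignore_cves this is the pre-fix behaviour: every id is
    validated, so a single bad id aborts the whole run. Passing the ignore
    set here is the fix: ids the operator asked to ignore skip the check
    and are never added to the result.
    """
    found = set()
    for cve in CVE_RE.findall(changelog):
        if cve in ignore_cves:
            continue  # hypothetical fix: skip the existence check for ignored ids
        check_cve_exists(cve)
        found.add(cve)
    return found


def usn_cves_before_fix(changelog, ignore_cves):
    # Old order: validate everything first, only then drop the ignored ids.
    # The second step is never reached when validation raises.
    cves = parse_cves(changelog)
    return cves - set(ignore_cves)


def usn_cves_after_fix(changelog, ignore_cves):
    # New order: the ignore set is consulted while parsing, so an unknown
    # id that the operator explicitly ignored no longer aborts the run.
    ignored = frozenset(ignore_cves)
    cves = parse_cves(changelog, ignored)
    return cves - ignored


def aborts_with_unknown_cve(generate, changelog, ignore_cves):
    """True if the given generator raises UnknownCVEError for this input."""
    try:
        generate(changelog, ignore_cves)
    except UnknownCVEError:
        return True
    return False


if __name__ == "__main__":
    ignore = {"CVE-2023-4563", "CVE-2023-42572"}
    print("before fix aborts:", aborts_with_unknown_cve(usn_cves_before_fix, CHANGELOG, ignore))
    print("after fix yields:", sorted(usn_cves_after_fix(CHANGELOG, ignore)))
```

Note that the fix only relaxes the check for ids the operator explicitly passed: an unknown id that is not in the ignore set still aborts the run, which is the behaviour that catches a typo nobody has reviewed yet.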
LGTM!