Code review comment for ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_cna_cves_usn

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

General Notes:
I'm personally inclined to vote for us to move out of the usage of
get_maintainer.pl to generate the list of affected subsystems for two reasons:

1) performance: this would be the main reason. Unless we can find a different
approach on how to run the 'get_maintainer.pl' script, it is proving to be
much too slow to get the subsystem information for each file on each commit.
I have examples of time constraints below.

2) quality of text: don't really know how to name this, but I'm not in favor of
having something like "EDAC-CAVIUM THUNDERX" and "EDAC-CORE" (as the result of
get_maintainer.pl for "drivers/edac/thunderx_edac.c") where we could instead
have "EDAC drivers" (for "drivers/edac/").

So, in the end, I personally don't think maintaining the hardcoded bits is that
big of an issue. Considering that, from now on, the idea is that the Kernel CNA
will be assigning most of the kernel CVEs, we would be moving from writing USN
descriptions to writing hierarchy descriptions...

One thing that I'm proposing with the next commits is to move from a hardcoded
mapping to a JSON meta file as a result of input from Steve's earlier
comment.

Testing:
I've put together a better scenario for testing both approaches:

# move to my branch:
 $ git remote add rodrigo-zaiden git+ssh://<email address hidden>/~rodrigo-zaiden/ubuntu-cve-tracker
 $ git checkout rodrigo-zaiden/kernel_cna_cves_usn

# standalone script using get_maintainer.pl with:
 ./scripts/get_maintainer.pl --separator ':' --subsystem -f <file path>
https://pastebin.canonical.com/p/sGTN76wDN3/

 $ time python3 test-kernel_cna.py
 ...
  - ARM/FREESCALE IMX / MXC ARM ARCHITECTURE;
  - ARM64 PORT (AARCH64 ARCHITECTURE);
  - BLOCK LAYER;
  - BLUETOOTH SUBSYSTEM;
  - BPF JIT for LOONGARCH;
  - BPF [CORE];
  - BPF [GENERAL] (Safe Dynamic Programs and Tools);
 ...
 real 0m36,722s
 user 0m33,750s
 sys 0m2,888s

full results: https://pastebin.canonical.com/p/bprVtW7gb5/

# standalone script using json meta file:
https://pastebin.canonical.com/p/KFQRFpNdXG/

 $ time python3 test_kernel-cna-overrides.py
 ...
   - EDAC drivers;
   - GPU drivers;
   - Media drivers;
   - Multifunction device drivers;
   - MTD block device drivers;
 ...
 real 0m0,963s
 user 0m0,849s
 sys 0m0,113s

full results: https://pastebin.canonical.com/p/BV2qYc66tr/
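
The directory-prefix lookup that a JSON meta file makes possible, as an added example that is not part of the comment or of the branch. The file layout, every `META_JSON` entry other than `drivers/edac/` mapping to "EDAC drivers", the sample file list and all function names are assumptions. It picks the longest matching prefix and reports unmapped files, so a touched subsystem is not silently dropped from a description.

```python
import json
from pathlib import PurePosixPath

# Constructed meta file (assumed layout): kernel directory prefix -> name.
META_JSON = """{
  "drivers/edac/": "EDAC drivers",
  "drivers/gpu/": "GPU drivers",
  "drivers/gpu/drm/": "DRM GPU drivers",
  "drivers/media/": "Media drivers"
}"""

# Constructed list of files touched by one hypothetical commit.
COMMIT_FILES = [
    "drivers/edac/thunderx_edac.c",
    "drivers/edac/edac_mc.c",
    "drivers/gpu/drm/drm_file.c",
    "drivers/gpu/vga/vga_switcheroo.c",
    "kernel/fork.c",
]


def load_prefix_map(text):
    """Parse the meta file; keys are stored without leading/trailing slashes."""
    prefix_map = {}
    for prefix, name in json.loads(text).items():
        if not isinstance(name, str) or not name.strip():
            raise ValueError(f"empty subsystem name for {prefix!r}")
        prefix_map[prefix.strip("/")] = name.strip()
    return prefix_map


def subsystem_for(path, prefix_map):
    """Return the name for the longest directory prefix of path, or None."""
    # .parents yields 'drivers/edac', then 'drivers', then '.': longest first.
    for parent in PurePosixPath(path).parents:
        name = prefix_map.get(str(parent))
        if name is not None:
            return name
    return None


def subsystems_for_commit(files, prefix_map):
    """Collapse touched files into (sorted unique names, unmapped files)."""
    names, unmapped = set(), []
    for path in files:
        name = subsystem_for(path, prefix_map)
        if name is None:
            unmapped.append(path)
        else:
            names.add(name)
    return sorted(names), unmapped
```
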
