Closed marcosps closed 2 weeks ago
fgyanz
commented
1 month ago Hi @marcosps,
I created a branch implementing the proposed idea, in case anyone wants to try it out. I've been testing it so far and seems to work fine, but ofc, that's only assuming we don't encounter a case as the one described in the "Problem" column.
kind regards, Fernando
marcosps
commented
1 month ago @fgyanz please send a PR for your branch so we can test and merge it. But as you mentioned, this doesn't fix the issue that I'm seeing: codestreams that were already released and contain the fix backported, but without the CVE number, meaning that the CVE number was created after the patch was backported and tag created.
Either way we can extend the check later for such cases!
marcosps
commented
4 weeks ago Update the original issue to mention a new idea.
marcosps
commented
2 weeks ago I believe that we currently have in hand everything that we need in order to correct detect if a codestream is vulnerable or not. I was wrong when I thought we werent.
In the case that we have a patch already applied before the CVE entry was created, klp-build would first check which codestream family (SLE12-SP5, SLE15-SP2, ...) has backports, and then check the specific codestreams themselves (12.5u48, 12.5u49, 15.5u10, 15.5u20, ..), so in this case, if a codestream already contains the fix, there won't be any backports done to the codestream families, so we are covered.
With it I believe that we can close this issue. Good work @fgyanz for implementing the last missing piece of the checking code!
What we currently have
This is the workflow that we use to detect if a codestream is vulnerable or not:
But what if the patch that fixes the CVE was backported pro-actively and thus doesn't mention the CVE?
Other approaches
git-checkoutto switch to the tagCombining the
git-grepapproach would make things more reliable.