Closed marcosps closed 2 weeks ago
Hi @marcosps,
I created a branch implementing the proposed idea, in case anyone wants to try it out. I've been testing it so far and seems to work fine, but ofc, that's only assuming we don't encounter a case as the one described in the "Problem" column.
kind regards, Fernando
@fgyanz please send a PR for your branch so we can test and merge it. But as you mentioned, this doesn't fix the issue that I'm seeing: codestreams that were already released and contain the fix backported, but without the CVE number, meaning that the CVE number was created after the patch was backported and tag created.
Either way we can extend the check later for such cases!
Update the original issue to mention a new idea.
I believe that we currently have in hand everything that we need in order to correct detect if a codestream is vulnerable or not. I was wrong when I thought we werent.
In the case that we have a patch already applied before the CVE entry was created, klp-build would first check which codestream family (SLE12-SP5, SLE15-SP2, ...) has backports, and then check the specific codestreams themselves (12.5u48, 12.5u49, 15.5u10, 15.5u20, ..), so in this case, if a codestream already contains the fix, there won't be any backports done to the codestream families, so we are covered.
With it I believe that we can close this issue. Good work @fgyanz for implementing the last missing piece of the checking code!
What we currently have
This is the workflow that we use to detect if a codestream is vulnerable or not:
But what if the patch that fixes the CVE was backported pro-actively and thus doesn't mention the CVE?
Other approaches
git-checkout
to switch to the tagCombining the
git-grep
approach would make things more reliable.