Closed fgyanz closed 4 weeks ago
(just to document here our private chat)
I believe that we can add your new way to detect patched kernel, and have the older method as a fallback, since we can have the fix backported proactively, and thus doesn't contain the CVE number.
Thanks, and done. As proposed, I added the old technique as a fallback in case no commits are found with the new method. I also reworked the code, having each technique as separate function.
Hey @fgyanz ! Thanks for the update! I'm checking your new update to the PR, and now we check both the tag and the commit hash. What I had in mind was to first check the commit tag using git grep, and ir we can't find it then to fallback to the old method. I believe that this would make the process faster, since a codestream that matches the check for git log --grep --tags don't need the git tag --contains , and vice versa. If if find in one place, we don't need to check the other.
What do you think about it?
The good news is that with this version it matches the number of affected/patched cases from bsc#1226325 that I tested before, thanks!!!
Well, let's merge it. We can always come back and rework if the delays in searching vulnerable codestreams is taking too much time. Thanks a lot for implementing this functionality!
Currently patched kernels are found by checking which kernel tags contain the patch's commit, previously obtained from the respective SLE main branch.
The new approach directly checks each kernel's tag for the patch itself. By doing so, it covers edge cases in which each kernel contains a different commit. The old method will still be used, but as a fallback.
For more information, see https://github.com/SUSE/klp-build/issues/19
For instance, CVE-2023-52846:
Old way (incorrectly labels
15.6rtu0
as vulnerable):New way: