Using glvd to generate the 'Changes' section for gardenlinux release notes #132

Open
fwilhe opened this issue Dec 9, 2024 · 1 comment
fwilhe commented Dec 9, 2024

goal

glvd should be able to generate markdown text suitable for release notes.
It should describe which CVEs are closed and which packages were upgraded for this.

sample output

The following packages have been upgraded, to address the mentioned CVEs:

   - upgrade 'coreutils' to version `9.5-1` 
     - CVE-2024-0684
   - upgrade 'curl' to version `8.11.0-1`
     - CVE-2024-8096
     - CVE-2024-7264
     - CVE-2024-9681

required information

  • release (sample value 1592.4)
  • previous release (sample value 1592.3 (might not always be that simple if releases are 'burned'))

From this information, using the information we have in glvd we should be able to derive the following information:

  • which CVEs are fixed in the new version (discounting 'triaged' CVEs for both)
  • which packages are affected by those CVEs
  • which version of those packages both the old and the new release have

This information should be enough to generate above output.

how to identify fixed cves

Looking at the is_vulnerable field in sourcepackagecve should give us the information regardless of whether the CVE was resolved using a package upgrade or using the triage feature.

So, for example, we could have this data:

is_vulnerable_old = ['CVE-2024-0684', 'CVE-2024-8096', 'CVE-2024-7264']
is_vulnerable_new = ['CVE-2024-8096']

From this, we can derive the list of fixed CVEs:

is_fixed = ['CVE-2024-0684', 'CVE-2024-7264']

For each CVE, we can look up which package(s) it affects:

cve_package_mapping = {'CVE-2024-0684': 'coreutils', 'CVE-2024-7264': 'curl'}

And what the new version of those packages is:

release_notes_changes = {
  'curl': {
    'version': '8.11.0-1gl0',
    'fixed': ['CVE-2024-7264']
  },
  'coreutils': {
    'version': '9.5-1gl0~bp1592',
    'fixed': ['CVE-2024-0684']
  }
}

This data structure can then be formatted to get the markdown output we desire.

caveats

  • glvd only operates on source packages, so this is also what we can output. This might be confusing in some cases to users, as they work with binary packages. We could generate a list of binary packages produced from this source package; not sure if that is helpful.
@fwilhe fwilhe self-assigned this Dec 9, 2024
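The derivation sketched in the issue (diff the vulnerable sets of the two releases, group the fixed CVEs by source package, attach the new package version, render markdown), as an added example that is not part of the issue and not glvd's own code. It keys on (source package, CVE) pairs rather than bare CVE ids, so a CVE that is fixed in one source package but still open in another is never reported as fixed, and it tells an upgrade apart from a triage by comparing the package versions. The row shape, the `example-pkg` package, the version strings for the old release and the `CVE-2024-0000` placeholder id are constructed fixture data, not glvd's schema or real records:

```python
"""Derive the 'Changes' section of a release note from two per-release
snapshots of (source package, version, CVE, is_vulnerable) rows."""

OLD_RELEASE = "1592.3"
NEW_RELEASE = "1592.4"

# Constructed fixture rows: (source_package, version, cve_id, is_vulnerable).
# The fields mirror those the issue names; the shape is an assumption, not
# glvd's sourcepackagecve schema. CVE-2024-0000 is a placeholder id.
OLD_ROWS = [
    ("coreutils", "9.4-3gl0~bp1592", "CVE-2024-0684", True),
    ("curl", "8.10.1-1gl0", "CVE-2024-8096", True),
    ("curl", "8.10.1-1gl0", "CVE-2024-7264", True),
    ("curl", "8.10.1-1gl0", "CVE-2024-9681", True),
    ("example-pkg", "1.0-1gl0", "CVE-2024-0000", True),
]
NEW_ROWS = [
    ("coreutils", "9.5-1gl0~bp1592", "CVE-2024-0684", False),
    ("curl", "8.11.0-1gl0", "CVE-2024-8096", True),    # still open after the upgrade
    ("curl", "8.11.0-1gl0", "CVE-2024-7264", False),
    ("curl", "8.11.0-1gl0", "CVE-2024-9681", False),
    ("example-pkg", "1.0-1gl0", "CVE-2024-0000", False),  # same version: resolved by triage
]


def index_rows(rows):
    """Map (source_package, cve_id) -> is_vulnerable and source_package -> version."""
    vuln = {}
    versions = {}
    for pkg, version, cve, is_vulnerable in rows:
        vuln[(pkg, cve)] = is_vulnerable
        versions[pkg] = version
    return vuln, versions


def release_notes_changes(old_rows, new_rows):
    """Return {pkg: {'old_version', 'version', 'method', 'fixed': [...]}}.

    A CVE counts as fixed only if the same (package, CVE) pair was vulnerable
    in the old release and is present and not vulnerable in the new one. A
    pair missing from the new release (package dropped) is not reported.
    """
    old_vuln, old_versions = index_rows(old_rows)
    new_vuln, new_versions = index_rows(new_rows)
    changes = {}
    for (pkg, cve), was_vulnerable in sorted(old_vuln.items()):
        if not was_vulnerable or new_vuln.get((pkg, cve), True):
            continue
        upgraded = new_versions[pkg] != old_versions[pkg]
        entry = changes.setdefault(pkg, {
            "old_version": old_versions[pkg],
            "version": new_versions[pkg],
            "method": "upgrade" if upgraded else "triage",
            "fixed": [],
        })
        entry["fixed"].append(cve)
    return changes


def render_markdown(changes, old_release, new_release):
    """Format the changes dict in the list style the issue's sample output uses."""
    lines = [
        f"The following packages have been upgraded between {old_release} "
        f"and {new_release}, to address the mentioned CVEs:",
        "",
    ]
    for pkg, entry in sorted(changes.items()):
        if entry["method"] == "upgrade":
            lines.append(f"- upgrade '{pkg}' to version `{entry['version']}`")
        else:
            lines.append(f"- '{pkg}' `{entry['version']}` (no upgrade; resolved by triage)")
        for cve in sorted(entry["fixed"]):
            lines.append(f"  - {cve}")
    return "\n".join(lines)


if __name__ == "__main__":
    changes = release_notes_changes(OLD_ROWS, NEW_ROWS)
    print(render_markdown(changes, OLD_RELEASE, NEW_RELEASE))
```

With the fixture above, curl is listed with CVE-2024-7264 and CVE-2024-9681 only, because CVE-2024-8096 is still marked vulnerable in the new release, and example-pkg is rendered as a triage rather than an upgrade because its version did not change. Whether triaged entries belong in the 'Changes' section at all is the open question the issue raises; the `method` field keeps that decision in the renderer rather than in the diff.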

fwilhe commented Dec 10, 2024
