* [cip-dev] [Git][cip-project/cip-kernel/cip-kernel-sec][master] 2 commits: report_affected: add support for reporting on tags
@ 2019-07-17 18:01 Ben Hutchings
From: Ben Hutchings @ 2019-07-17 18:01 UTC (permalink / raw)
To: cip-dev
Ben Hutchings pushed to branch master at cip-project / cip-kernel / cip-kernel-sec
Commits:
40329eb5 by Daniel Sangorrin at 2019-07-17T17:30:41Z
report_affected: add support for reporting on tags
Reporting on tags is useful for product engineers who
have shipped a kernel with a specific tag and need to know
which issues affect their product after some time.
Examples:
$ ./scripts/report_affected.py v4.4 v4.4.107 v4.4.181-cip33
$ cd ../kernel
$ git tag myproduct-v1 0f13d9b4d0efa9e87381717c113df57718bc92d6
$ cd ../cip-kernel-sec
$ ./scripts/report_affected.py linux-4.19.y-cip:myproduct-v1 v4.19.50-cip3
Signed-off-by: Daniel Sangorrin <daniel.sangorrin at toshiba.co.jp>
Signed-off-by: Ben Hutchings <ben.hutchings at codethink.co.uk>
- - - - -
d202dc5b by Daniel Sangorrin at 2019-07-17T17:30:41Z
report_affected: add show-description option
Rather than looking up each issue file, I would like
to have an overview of what each CVE ID means.
Example:
$ ./scripts/report_affected.py --show-description linux-4.4.y-cip
Signed-off-by: Daniel Sangorrin <daniel.sangorrin at toshiba.co.jp>
Signed-off-by: Ben Hutchings <ben.hutchings at codethink.co.uk>
- - - - -
4 changed files:
- README.md
- conf/branches.yml
- scripts/kernel_sec/branch.py
- scripts/report_affected.py
Changes:
=====================================
README.md
=====================================
@@ -41,7 +41,8 @@ current or previous year or that are already tracked here.
stable and other configured branches, by reading the git commit logs.
* `scripts/report_affected.py` - report which issues affect the
-specified branches, or all active branches.
+specified branches, or all active branches. You can use --show-description
+to obtain a short description for each CVE ID.
* `scripts/validate.py` - validate all issue files against the
schema.
@@ -72,6 +73,7 @@ keys:
* `base_ver`: Stable version that the branch is based on, e.g.
"4.4". This needs to be quoted so that it's a string not a
number.
+* `tag_regexp`: A regular expression that matches tags on a branch.
### Remotes
=====================================
conf/branches.yml
=====================================
@@ -2,7 +2,9 @@
base_ver: "4.4"
git_remote: cip
git_name: linux-4.4.y-cip
+ tag_regexp: '^v4\.4\.\d+-cip\d+$'
- short_name: linux-4.19.y-cip
base_ver: "4.19"
git_remote: cip
git_name: linux-4.19.y-cip
+ tag_regexp: '^v4\.19\.\d+-cip\d+$'
=====================================
scripts/kernel_sec/branch.py
=====================================
@@ -23,11 +23,13 @@ from . import version
def get_base_ver_stable_branch(base_ver):
branch_name = 'linux-%s.y' % base_ver
+ esc_base_ver = re.escape(base_ver)
return {
'short_name': branch_name,
'git_remote': 'stable',
'git_name': branch_name,
- 'base_ver': base_ver
+ 'base_ver': base_ver,
+ 'tag_regexp' : r'(^v%s$|^v%s\.\d+$)' % (esc_base_ver, esc_base_ver)
}
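Review bot: `re.escape(base_ver)` on the added line assumes `re` is imported in branch.py, which this hunk does not show; if the module's import block lacks it, `get_base_ver_stable_branch` raises `NameError` on its first call, so the import belongs in the same commit. The new dict entry also carries a space before the colon; the PEP 8 form is `'tag_regexp': r'(^v%s$|^v%s\.\d+$)' % (esc_base_ver, esc_base_ver)`. Since the pattern is consumed by `re.match` in report_affected.py, `$` still accepts a trailing newline; `\Z` would be strict, though argv values rarely carry one.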
@@ -141,7 +143,7 @@ def get_sort_key(branch):
return version.get_sort_key(base_ver)
-def _get_commits(git_repo, end, start=None):
+def iter_rev_list(git_repo, end, start=None):
if start:
list_expr = '%s..%s' % (start, end)
else:
@@ -170,7 +172,7 @@ class CommitBranchMap:
branch['git_name'])
else:
end = 'v' + branch['base_ver']
- for commit in _get_commits(git_repo, end, start):
+ for commit in iter_rev_list(git_repo, end, start):
self._commit_sort_key[commit] \
= self._branch_sort_key[branch_name]
start = end
=====================================
scripts/report_affected.py
=====================================
@@ -9,28 +9,53 @@
# Report issues affecting each stable branch.
import argparse
+import copy
import subprocess
+import re
import kernel_sec.branch
import kernel_sec.issue
import kernel_sec.version
-def main(git_repo, remotes,
- only_fixed_upstream, include_ignored, *branch_names):
+def main(git_repo, remotes, only_fixed_upstream,
+ include_ignored, show_description, *branch_names):
live_branches = kernel_sec.branch.get_live_branches()
if branch_names:
branches = []
for branch_name in branch_names:
+ tag = None
if branch_name[0].isdigit():
# 4.4 is mapped to linux-4.4.y
name = 'linux-%s.y' % branch_name
+ elif branch_name[0] == 'v':
+ # an official tag, e.g. v4.4.92-cip11
+ # infer branch from tag (regexp's must be specific)
+ for branch in live_branches:
+ if 'tag_regexp' not in branch:
+ # no tag_regexp defined, or mainline
+ continue
+
+ # predefined in branches.yml or a stable branch
+ if re.match(branch['tag_regexp'], branch_name):
+ tag = branch_name
+ name = branch['short_name']
+ break
+ else:
+ raise ValueError('Failed to match tag %r' % branch_name)
+ elif ':' in branch_name:
+ # a possibly custom tag, e.g. linux-4.19.y-cip:myproduct-v1
+ name, tag = branch_name.split(':', 1)
else:
name = branch_name
for branch in live_branches:
if branch['short_name'] == name:
- branches.append(branch)
+ # there could be multiple tags for the same branch
+ branch_copy = copy.deepcopy(branch)
+ if tag:
+ branch_copy['tag'] = tag
+ branches.append(branch_copy)
break
else:
msg = "Branch %s could not be found" % branch_name
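Review bot: The `BRANCH:` form with nothing after the colon is accepted silently: `branch_name.split(':', 1)` yields `tag == ''`, the later `if tag:` skips it, and the report is produced for the branch head instead of failing, so a typo such as `linux-4.4.y:` goes unnoticed. A check right after the split, `if not tag: raise ValueError('Empty tag in %r' % branch_name)`, keeps this consistent with the `ValueError` already raised for an unmatched `v...` tag. That `ValueError` also bypasses the `Branch ... could not be found` message path at the end of the hunk, so one input error surfaces as a traceback and the other as a message; what is done with `msg` continues past the hunk. A smaller nit: `import re` is inserted after `import subprocess`, out of alphabetical order with the other stdlib imports.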
@@ -45,6 +70,18 @@ def main(git_repo, remotes,
c_b_map = kernel_sec.branch.CommitBranchMap(git_repo, remotes, branches)
+ # cache tag commits and set full_name to show the tag
+ tag_commits = {}
+ for branch in branches:
+ if 'tag' in branch:
+ start = 'v' + branch['base_ver']
+ end = branch['tag']
+ tag_commits[end] = set(
+ kernel_sec.branch.iter_rev_list(git_repo, end, start))
+ branch['full_name'] = ':'.join([branch['short_name'], end])
+ else:
+ branch['full_name'] = branch['short_name']
+
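Review bot: `tag_commits` is keyed by the bare tag name (`tag_commits[end] = set(...)`), so two arguments naming the same tag on different branches, e.g. `linux-4.4.y:mytag linux-4.19.y:mytag`, share one entry and the second rev-list, computed from a different `start`, overwrites the first; the lookup `tag_commits[branch['tag']]` in the next hunk then tests the 4.4 tag against the 4.19 commit set. Keying on the branch-qualified name fixes both sides: `tag_commits[branch['full_name']] = set(...)` here and `tag_commits[branch['full_name']]` at the lookup. `branch['full_name']` is assigned after the dict entry in this loop, so the assignment has to move above it, or the key be built from `':'.join([branch['short_name'], end])` directly.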
branch_issues = {}
issues = set(kernel_sec.issue.get_list())
@@ -65,15 +102,32 @@ def main(git_repo, remotes,
if not include_ignored and ignore.get(branch_name):
continue
+ # Check if the branch is affected. If not and the issue was fixed
+ # on that branch, then make sure the tag contains that fix
if kernel_sec.issue.affects_branch(
issue, branch, c_b_map.is_commit_in_branch):
- branch_issues.setdefault(branch_name, []).append(cve_id)
+ branch_issues.setdefault(
+ branch['full_name'], []).append(cve_id)
+ elif 'tag' in branch and fixed:
+ if fixed.get(branch_name, 'never') == 'never':
+ continue
+ for commit in fixed[branch_name]:
+ if commit not in tag_commits[branch['tag']]:
+ branch_issues.setdefault(
+ branch['full_name'], []).append(cve_id)
+ break
for branch in branches:
- branch_name = branch['short_name']
- print('%s:' % branch_name,
- *sorted(branch_issues.get(branch_name, []),
- key=kernel_sec.issue.get_id_sort_key))
+ sorted_cve_ids = sorted(
+ branch_issues.get(branch['full_name'], []),
+ key=kernel_sec.issue.get_id_sort_key)
+ if show_description:
+ print('%s:' % branch['full_name'])
+ for cve_id in sorted_cve_ids:
+ print(cve_id, '=>',
+ kernel_sec.issue.load(cve_id).get('description', 'None'))
+ else:
+ print('%s:' % branch['full_name'], *sorted_cve_ids)
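Review bot: Only the fix side is checked against the tag: when `affects_branch` reports the branch head as affected, the tag's `full_name` gets the CVE ID without testing whether the commit that introduced the issue on that branch is itself in `tag_commits`, so a tag that predates a later backport is reported as affected; if the issue files record per-branch introducing commits (not visible here), the `if` path needs the same containment test as the `elif`. Until that is addressed the comment above the `if` should state the limitation, e.g. `# NOTE: the introduced side is not checked against the tag`. A smaller nit: `.get('description', 'None')` prints the string `'None'` for a missing field; `'(no description)'` reads less like a stray Python value. The enclosing loop that binds `cve_id`, `issue`, `fixed` and `branch_name` begins before this hunk.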
if __name__ == '__main__':
@@ -102,15 +156,20 @@ if __name__ == '__main__':
parser.add_argument('--include-ignored',
action='store_true',
help='include issues that have been marked as ignored')
+ parser.add_argument('--show-description',
+ action='store_true',
+ help='show the issue description')
parser.add_argument('branches',
nargs='*',
- help=('specific branch to report on '
- '(default: all active branches)'),
- metavar='BRANCH')
+ help=('specific branch[:tag] or stable tag to '
+ 'report on (default: all active branches). '
+ 'e.g. linux-4.14.y linux-4.4.y:v4.4.107 '
+ 'v4.4.181-cip33 linux-4.19.y-cip:myproduct-v33'),
+ metavar='[BRANCH[:TAG]|TAG]')
args = parser.parse_args()
remotes = kernel_sec.branch.get_remotes(args.remote_name,
mainline=args.mainline_remote_name,
stable=args.stable_remote_name)
kernel_sec.branch.check_git_repo(args.git_repo, remotes)
- main(args.git_repo, remotes,
- args.only_fixed_upstream, args.include_ignored, *args.branches)
+ main(args.git_repo, remotes, args.only_fixed_upstream,
+ args.include_ignored, args.show_description, *args.branches)
View it on GitLab: https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/compare/ddf0f91c8b596022cbb40fc7b75f978420b96451...d202dc5b8e2a3b2e9a8c196891b8667d964a662f