11#!/usr/bin/env python3
22
33import argparse
4- import os
54import re
65import subprocess
76import sys
87import textwrap
9- from typing import Optional
108
11- from ciq_helpers import (
9+ from kt . ktlib . ciq_helpers import (
1210 CIQ_find_fixes_in_mainline ,
11+ CIQ_find_matching_cve ,
1312 CIQ_get_commit_body ,
1413 CIQ_hash_exists_in_ref ,
1514 CIQ_run_git ,
15+ CIQ_setup_vulns_repo ,
1616)
1717
1818
@@ -67,24 +67,6 @@ def extract_cve_from_message(msg):
6767 return None
6868
6969
70- def run_cve_search (vulns_repo , kernel_repo , query ) -> tuple [bool , Optional [str ]]:
71- """
72- Run the cve_search script from the vulns repo.
73- Returns (success, output_message).
74- """
75- cve_search_path = os .path .join (vulns_repo , "scripts" , "cve_search" )
76- if not os .path .exists (cve_search_path ):
77- raise RuntimeError (f"cve_search script not found at { cve_search_path } " )
78-
79- env = os .environ .copy ()
80- env ["CVEKERNELTREE" ] = kernel_repo
81-
82- result = subprocess .run ([cve_search_path , query ], text = True , capture_output = True , check = False , env = env )
83-
84- # cve_search outputs results to stdout
85- return result .returncode == 0 , result .stdout .strip ()
86-
87-
8870def main ():
8971 parser = argparse .ArgumentParser (description = "Check upstream references and Fixes: tags in PR branch commits." )
9072 parser .add_argument ("--repo" , help = "Path to the git repo" , required = True )
@@ -112,27 +94,11 @@ def main():
11294 vulns_repo = None
11395 if args .check_cves :
11496 vulns_repo = args .vulns_dir
115- vulns_repo_url = "https://git.kernel.org/pub/scm/linux/security/vulns.git"
116-
117- if os .path .exists (vulns_repo ):
118- # Repository exists, update it with git pull
119- try :
120- CIQ_run_git (vulns_repo , ["pull" ])
121- except RuntimeError as e :
122- print (f"WARNING: Failed to update vulns repo: { e } " )
123- print ("Continuing with existing repository..." )
124- else :
125- # Repository doesn't exist, clone it
126- try :
127- result = subprocess .run (
128- ["git" , "clone" , vulns_repo_url , vulns_repo ], text = True , capture_output = True , check = False
129- )
130- if result .returncode != 0 :
131- print (f"ERROR: Failed to clone vulns repo: { result .stderr } " )
132- sys .exit (1 )
133- except Exception as e :
134- print (f"ERROR: Failed to clone vulns repo: { e } " )
135- sys .exit (1 )
97+ try :
98+ CIQ_setup_vulns_repo (vulns_repo = vulns_repo )
99+ except RuntimeError as e :
100+ print (e )
101+ sys .exit (1 )
136102
137103 # Validate that all required refs exist before continuing
138104 missing_refs = []
@@ -197,17 +163,9 @@ def main():
197163 fix_cves = {}
198164 if args .check_cves :
199165 for fix_hash , fix_display in fixes :
200- try :
201- success , cve_output = run_cve_search (vulns_repo , args .repo , fix_hash )
202- if success :
203- # Parse the CVE from the result
204- match = re .search (r"(CVE-\d{4}-\d+)\s+is assigned to git id" , cve_output )
205- if match :
206- bugfix_cve = match .group (1 )
207- fix_cves [fix_hash ] = bugfix_cve
208- except (RuntimeError , subprocess .SubprocessError ) as e :
209- # Log a warning instead of silently ignoring errors when checking bugfix CVEs
210- print (f"Warning: Failed to check CVE for bugfix commit { fix_hash } : { e } " , file = sys .stderr )
166+ bugfix_cve = CIQ_find_matching_cve (vulns_repo = vulns_repo , kernel_repo = args .repo , hash_ = fix_hash )
167+ if bugfix_cve :
168+ fix_cves [fix_hash ] = bugfix_cve
211169
212170 # Build the fixes display text with CVE info
213171 fixes_lines = []
@@ -248,48 +206,21 @@ def main():
248206
249207 # Check if the upstream commit has a CVE associated with it
250208 try :
251- success , cve_output = run_cve_search (vulns_repo , args .repo , uhash )
252- if success :
253- # Parse the output to get the CVE from the result
254- # Expected format: "CVE-2024-35962 is assigned to git id
255- # 65acf6e0501ac8880a4f73980d01b5d27648b956"
256- match = re .search (r"(CVE-\d{4}-\d+)\s+is assigned to git id" , cve_output )
257- if match :
258- found_cve = match .group (1 )
259-
260- if cve_id :
261- # PR commit has a CVE reference - check if it matches
262- if found_cve != cve_id :
263- any_findings = True
264- if args .markdown :
265- out_lines .append (
266- f"- ❌ PR commit `{ pr_commit_desc } ` references `{ cve_id } ` but \n "
267- f" upstream commit `{ short_uhash } ` is associated with `{ found_cve } `\n "
268- )
269- else :
270- prefix = "[CVE-MISMATCH] "
271- header = (
272- f"{ prefix } PR commit { pr_commit_desc } references { cve_id } but "
273- f"upstream commit { short_uhash } is associated with { found_cve } "
274- )
275- out_lines .append (
276- wrap_paragraph (
277- header , width = 80 , initial_indent = "" , subsequent_indent = " " * len (prefix )
278- )
279- )
280- out_lines .append ("" ) # blank line
281- else :
282- # PR commit doesn't reference a CVE, but upstream has one
209+ found_cve = CIQ_find_matching_cve (vulns_repo = vulns_repo , kernel_repo = args .repo , hash_ = uhash )
210+ if found_cve :
211+ if cve_id :
212+ # PR commit has a CVE reference - check if it matches
213+ if found_cve != cve_id :
283214 any_findings = True
284215 if args .markdown :
285216 out_lines .append (
286- f"- ⚠️ PR commit `{ pr_commit_desc } ` does not reference a CVE but \n "
217+ f"- ❌ PR commit `{ pr_commit_desc } ` references ` { cve_id } ` but \n "
287218 f" upstream commit `{ short_uhash } ` is associated with `{ found_cve } `\n "
288219 )
289220 else :
290- prefix = "[CVE-MISSING ] "
221+ prefix = "[CVE-MISMATCH ] "
291222 header = (
292- f"{ prefix } PR commit { pr_commit_desc } does not reference a CVE but "
223+ f"{ prefix } PR commit { pr_commit_desc } references { cve_id } but "
293224 f"upstream commit { short_uhash } is associated with { found_cve } "
294225 )
295226 out_lines .append (
@@ -298,6 +229,26 @@ def main():
298229 )
299230 )
300231 out_lines .append ("" ) # blank line
232+ else :
233+ # PR commit doesn't reference a CVE, but upstream has one
234+ any_findings = True
235+ if args .markdown :
236+ out_lines .append (
237+ f"- ⚠️ PR commit `{ pr_commit_desc } ` does not reference a CVE but \n "
238+ f" upstream commit `{ short_uhash } ` is associated with `{ found_cve } `\n "
239+ )
240+ else :
241+ prefix = "[CVE-MISSING] "
242+ header = (
243+ f"{ prefix } PR commit { pr_commit_desc } does not reference a CVE but "
244+ f"upstream commit { short_uhash } is associated with { found_cve } "
245+ )
246+ out_lines .append (
247+ wrap_paragraph (
248+ header , width = 80 , initial_indent = "" , subsequent_indent = " " * len (prefix )
249+ )
250+ )
251+ out_lines .append ("" ) # blank line
301252 else :
302253 # The upstream commit has no CVE assigned
303254 if cve_id :
0 commit comments