Skip to content

Commit 7f373e1

Browse files
authored
Merge branch 'mainline' into commit-msg-lib
2 parents bf54e3e + 079de11 commit 7f373e1

21 files changed

Lines changed: 1259 additions & 143 deletions

check_kernel_commits.py

Lines changed: 39 additions & 88 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,18 @@
11
#!/usr/bin/env python3
22

33
import argparse
4-
import os
54
import re
65
import subprocess
76
import sys
87
import textwrap
9-
from typing import Optional
108

11-
from ciq_helpers import (
9+
from kt.ktlib.ciq_helpers import (
1210
CIQ_find_fixes_in_mainline,
11+
CIQ_find_matching_cve,
1312
CIQ_get_commit_body,
1413
CIQ_hash_exists_in_ref,
1514
CIQ_run_git,
15+
CIQ_setup_vulns_repo,
1616
)
1717

1818

@@ -67,24 +67,6 @@ def extract_cve_from_message(msg):
6767
return None
6868

6969

70-
def run_cve_search(vulns_repo, kernel_repo, query) -> tuple[bool, Optional[str]]:
71-
"""
72-
Run the cve_search script from the vulns repo.
73-
Returns (success, output_message).
74-
"""
75-
cve_search_path = os.path.join(vulns_repo, "scripts", "cve_search")
76-
if not os.path.exists(cve_search_path):
77-
raise RuntimeError(f"cve_search script not found at {cve_search_path}")
78-
79-
env = os.environ.copy()
80-
env["CVEKERNELTREE"] = kernel_repo
81-
82-
result = subprocess.run([cve_search_path, query], text=True, capture_output=True, check=False, env=env)
83-
84-
# cve_search outputs results to stdout
85-
return result.returncode == 0, result.stdout.strip()
86-
87-
8870
def main():
8971
parser = argparse.ArgumentParser(description="Check upstream references and Fixes: tags in PR branch commits.")
9072
parser.add_argument("--repo", help="Path to the git repo", required=True)
@@ -112,27 +94,11 @@ def main():
11294
vulns_repo = None
11395
if args.check_cves:
11496
vulns_repo = args.vulns_dir
115-
vulns_repo_url = "https://git.kernel.org/pub/scm/linux/security/vulns.git"
116-
117-
if os.path.exists(vulns_repo):
118-
# Repository exists, update it with git pull
119-
try:
120-
CIQ_run_git(vulns_repo, ["pull"])
121-
except RuntimeError as e:
122-
print(f"WARNING: Failed to update vulns repo: {e}")
123-
print("Continuing with existing repository...")
124-
else:
125-
# Repository doesn't exist, clone it
126-
try:
127-
result = subprocess.run(
128-
["git", "clone", vulns_repo_url, vulns_repo], text=True, capture_output=True, check=False
129-
)
130-
if result.returncode != 0:
131-
print(f"ERROR: Failed to clone vulns repo: {result.stderr}")
132-
sys.exit(1)
133-
except Exception as e:
134-
print(f"ERROR: Failed to clone vulns repo: {e}")
135-
sys.exit(1)
97+
try:
98+
CIQ_setup_vulns_repo(vulns_repo=vulns_repo)
99+
except RuntimeError as e:
100+
print(e)
101+
sys.exit(1)
136102

137103
# Validate that all required refs exist before continuing
138104
missing_refs = []
@@ -197,17 +163,9 @@ def main():
197163
fix_cves = {}
198164
if args.check_cves:
199165
for fix_hash, fix_display in fixes:
200-
try:
201-
success, cve_output = run_cve_search(vulns_repo, args.repo, fix_hash)
202-
if success:
203-
# Parse the CVE from the result
204-
match = re.search(r"(CVE-\d{4}-\d+)\s+is assigned to git id", cve_output)
205-
if match:
206-
bugfix_cve = match.group(1)
207-
fix_cves[fix_hash] = bugfix_cve
208-
except (RuntimeError, subprocess.SubprocessError) as e:
209-
# Log a warning instead of silently ignoring errors when checking bugfix CVEs
210-
print(f"Warning: Failed to check CVE for bugfix commit {fix_hash}: {e}", file=sys.stderr)
166+
bugfix_cve = CIQ_find_matching_cve(vulns_repo=vulns_repo, kernel_repo=args.repo, hash_=fix_hash)
167+
if bugfix_cve:
168+
fix_cves[fix_hash] = bugfix_cve
211169

212170
# Build the fixes display text with CVE info
213171
fixes_lines = []
@@ -248,48 +206,21 @@ def main():
248206

249207
# Check if the upstream commit has a CVE associated with it
250208
try:
251-
success, cve_output = run_cve_search(vulns_repo, args.repo, uhash)
252-
if success:
253-
# Parse the output to get the CVE from the result
254-
# Expected format: "CVE-2024-35962 is assigned to git id
255-
# 65acf6e0501ac8880a4f73980d01b5d27648b956"
256-
match = re.search(r"(CVE-\d{4}-\d+)\s+is assigned to git id", cve_output)
257-
if match:
258-
found_cve = match.group(1)
259-
260-
if cve_id:
261-
# PR commit has a CVE reference - check if it matches
262-
if found_cve != cve_id:
263-
any_findings = True
264-
if args.markdown:
265-
out_lines.append(
266-
f"- ❌ PR commit `{pr_commit_desc}` references `{cve_id}` but \n"
267-
f" upstream commit `{short_uhash}` is associated with `{found_cve}`\n"
268-
)
269-
else:
270-
prefix = "[CVE-MISMATCH] "
271-
header = (
272-
f"{prefix}PR commit {pr_commit_desc} references {cve_id} but "
273-
f"upstream commit {short_uhash} is associated with {found_cve}"
274-
)
275-
out_lines.append(
276-
wrap_paragraph(
277-
header, width=80, initial_indent="", subsequent_indent=" " * len(prefix)
278-
)
279-
)
280-
out_lines.append("") # blank line
281-
else:
282-
# PR commit doesn't reference a CVE, but upstream has one
209+
found_cve = CIQ_find_matching_cve(vulns_repo=vulns_repo, kernel_repo=args.repo, hash_=uhash)
210+
if found_cve:
211+
if cve_id:
212+
# PR commit has a CVE reference - check if it matches
213+
if found_cve != cve_id:
283214
any_findings = True
284215
if args.markdown:
285216
out_lines.append(
286-
f"- ⚠️ PR commit `{pr_commit_desc}` does not reference a CVE but \n"
217+
f"- PR commit `{pr_commit_desc}` references `{cve_id}` but \n"
287218
f" upstream commit `{short_uhash}` is associated with `{found_cve}`\n"
288219
)
289220
else:
290-
prefix = "[CVE-MISSING] "
221+
prefix = "[CVE-MISMATCH] "
291222
header = (
292-
f"{prefix}PR commit {pr_commit_desc} does not reference a CVE but "
223+
f"{prefix}PR commit {pr_commit_desc} references {cve_id} but "
293224
f"upstream commit {short_uhash} is associated with {found_cve}"
294225
)
295226
out_lines.append(
@@ -298,6 +229,26 @@ def main():
298229
)
299230
)
300231
out_lines.append("") # blank line
232+
else:
233+
# PR commit doesn't reference a CVE, but upstream has one
234+
any_findings = True
235+
if args.markdown:
236+
out_lines.append(
237+
f"- ⚠️ PR commit `{pr_commit_desc}` does not reference a CVE but \n"
238+
f" upstream commit `{short_uhash}` is associated with `{found_cve}`\n"
239+
)
240+
else:
241+
prefix = "[CVE-MISSING] "
242+
header = (
243+
f"{prefix}PR commit {pr_commit_desc} does not reference a CVE but "
244+
f"upstream commit {short_uhash} is associated with {found_cve}"
245+
)
246+
out_lines.append(
247+
wrap_paragraph(
248+
header, width=80, initial_indent="", subsequent_indent=" " * len(prefix)
249+
)
250+
)
251+
out_lines.append("") # blank line
301252
else:
302253
# The upstream commit has no CVE assigned
303254
if cve_id:

0 commit comments

Comments
 (0)