
Bug#1001451: Candidate script



Hi Neil,

On Mon, Dec 20, 2021 at 11:06:02AM +0000, Neil Williams wrote:
> Hi Salvatore,
> 
> > > > > > Online - query either the distro-tracker or
> > > > > > debian-devel-changes mail archive: --email EMAIL      URL of
> > > > > > debian-devel-changes announcement in the list archive
> > > > > > --tracker TRACKER  URL of tracker.debian.org 'Accepted NEWS'
> > > > > > page for unstable
> > > > > > 
> > > > > 
> > > > > Nice! I will need (or want) to try to experiment with it a bit
> > > > > on appearing real cases.
> > > > 
> > > > Just doing a quick test, while being enthusiastic about your
> > > > proposed script: I think it will not work correctly yet with
> > > > bin/merge-cve-list. On either side it will need adaptation.
> > > 
> > > OK. I will add that to my tests on next versions of the script.
> 
> I've renamed the old --email option to --archive to distinguish it from the --input option which is intended to accept the body of an email on STDIN:
> 
> cat freerdp2.email | ./bin/grab-cve-in-fix --input
> or indeed:
> ./bin/grab-cve-in-fix --input < freerdp2.email
> 
> ./bin/grab-cve-in-fix --archive https://lists.debian.org/debian-devel-changes/2021/12/msg01280.html
> 
> > > > Taking the example with freerdp2, assuming there won't be the fixed
> > > > version yet in the data/CVE/list it will produce the following
> > > > freerdp2.list:
> > > > 
> > > > CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
> > > >         - freerdp2 2.4.1+dfsg1-1 (bug #1001062)
> > > >         [bullseye] - freerdp2 <no-dsa> (Minor issue)
> > > >         [buster] - freerdp2 <no-dsa> (Minor issue)
> > > >         - freerdp <removed>
> > > 
> > > > $ ./bin/merge-cve-list data/CVE/list ./freerdp2.list
> > > > [...]
> > > > NotImplementedError: unsupported annotation of type NOTE (line 7)
> > > > 
> > > > So maybe it's just merge-cve-list which should be better and allow for
> > > > such situation and handle as well the NOTEs.
> > > 
> > > I'll work on adding that support - it will be useful for the
> > > changes for #1001453 which wants to explicitly add a NOTE entry.
> > 
> > Yes agreed, under this aspect it makes more sense to fix and expand
> > merge-cve-list script.
> 
> https://salsa.debian.org/codehelp/security-tracker/-/compare/master...grabcvefix#4716ef5aa8f2742228ba3b3633215c8b808565e3
> contains a change to bin/merge-cve-files to add support for merging
> StringAnnotations.
> 
> The grabcvefix branch is (naturally) behind security-tracker/master, so
> the data/CVE/list file in the branch is old.
> 
> Also, the update-vuln script is not ready yet. If you are happy with
> grab-cve-in-fix then I can prepare a commit to add it and the change to
> merge-cve-files without going through the grabcvefix branch on my fork
> of security tracker.
> 
> It's the change to merge-cve-files which needs some review

Looping in Emilio directly, Emilio do you have time to review the
merge-cve-files changes?

> (When testing, if you remove existing NOTE: entries from a CVE for
> freerdp2 2.4.1+dfsg1-1, the merged file is likely to re-order the NOTE
> entries.)
> 
> In "real case use", any NOTE in the file to be merged into
> data/CVE/list would append to any existing NOTEs - I've tried to
> preserve the original order from the file being merged, allowing for
> skipping of duplicate descriptions.

Thanks! I will try to play around a bit with your new version (just
grabbing it from your repo) on real cases. Keep us posted with your
progress and thanks a lot for taking time to work on it.

Btw, if you want "real" cases for why not to do automatic merges:
https://tracker.debian.org/news/1287752/accepted-epiphany-browser-412-1-source-into-unstable/
typo in CVE, and
https://tracker.debian.org/news/1287534/accepted-bluez-562-1-source-into-unstable/
where one CVE was actually not really fixed.

(nota bene, not to blame anyone, just to give some background/example
and in particular we do as well mistakes on reviews, but the above is
more helpful to have first checked, then merged, but the script can
help to first get the snippets to review and then merge).

Regards,
Salvatore
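The NOTE merging behaviour Neil describes above (existing annotations keep their place, NOTEs from the merged file are appended in their original order, duplicate descriptions are skipped) modelled as an added Python example. This is not the security-tracker's merge-cve-list or merge-cve-files code; the entry format, the tab indentation and the sample entries are assumptions built from the freerdp2 snippet quoted in the thread.

```python
import re

# A header line is 'CVE-YYYY-NNNN (description)'; indented lines below it are annotations.
HEADER_RE = re.compile(r"^CVE-\d{4}-\d{4,}")

def parse_cve_list(text):
    """Return {cve_id: (header_line, [annotation lines])} in file order."""
    entries, current = {}, None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            current = line.split()[0]
            entries[current] = (line, [])
        elif line.strip() and current is not None:
            entries[current][1].append(line.strip())
    return entries

def merge_notes(base_text, incoming_text):
    """Append incoming NOTE: lines to the matching base entries.
    Existing annotations keep their position; new NOTEs go to the end in
    incoming-file order, skipping any NOTE text already present for that
    CVE. Entries only in the incoming file are added whole; non-NOTE
    annotations are ignored here (the real tool handles them separately).
    """
    base = parse_cve_list(base_text)
    for cve, (header, annots) in parse_cve_list(incoming_text).items():
        if cve not in base:
            base[cve] = (header, list(annots))
            continue
        existing = base[cve][1]
        for ann in annots:
            if ann.startswith("NOTE:") and ann not in existing:
                existing.append(ann)
    return base

def render(entries):
    """Serialise back to list format; tab indentation is an assumption."""
    return "\n".join(h + "".join("\n\t" + a for a in annots)
                     for h, annots in entries.values())

# Constructed sample input, not real tracker data: the base entry already has
# one NOTE, the incoming entry repeats it and adds a second one.
BASE = ("CVE-2021-41160 (FreeRDP is a free implementation of ...)\n"
        "\t- freerdp2 <unfixed> (bug #1001062)\n"
        "\t[bullseye] - freerdp2 <no-dsa> (Minor issue)\n"
        "\tNOTE: first note (constructed)\n")
INCOMING = ("CVE-2021-41160 (FreeRDP is a free implementation of ...)\n"
            "\t- freerdp2 2.4.1+dfsg1-1 (bug #1001062)\n"
            "\tNOTE: first note (constructed)\n"
            "\tNOTE: second note (constructed)\n")
```

Running `print(render(merge_notes(BASE, INCOMING)))` shows the base entry with both NOTEs in order and the duplicate first NOTE appearing only once.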

