[CKC] Add CVE verification with --check-cves option #33
Conversation
✅ Snyk checks have passed. No issues have been found so far.
Pull Request Overview
This pull request adds CVE verification functionality to the kernel commit checker, allowing validation that CVE references in PR commit messages correctly match their upstream counterparts. The change enables cross-referencing with the kernel vulnerabilities database to detect mismatched, missing, or invalid CVE assignments.
Key changes:
- Adds --check-cves flag to enable CVE validation against the vulnerabilities database
- Implements automatic cloning/updating of the kernel vulns repository
- Integrates CVE information into existing bugfix detection output
15e9a3a to 00cab6a
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
00cab6a to da974d3
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
def extract_cve_from_message(msg):
    """Extract CVE reference from commit message. Returns CVE ID or None.
    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
Copilot (AI), Oct 14, 2025:
[nitpick] The docstring example uses CVE-2025-12345 which appears to be a future year. Consider using a more realistic example like CVE-2024-12345 or CVE-2023-12345.
Suggested change:
    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
    Only matches 'cve CVE-2024-12345', ignores 'cve-bf' and 'cve-pre' variants."""
The future is now, Copilot! It's 2025!
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
def extract_cve_from_message(msg):
    """Extract CVE reference from commit message. Returns CVE ID or None.
    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
    match = re.search(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
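Review bot: the negative lookbehind `(?<!\S)` in the `re.search` line already rejects 'somecve CVE-2025-12345', since the character before 'cve' there ('e') is non-whitespace; the lookbehind only admits 'cve' at the start of the string or after whitespace, which is stricter than a `\b` boundary. What actually excludes the 'cve-bf' and 'cve-pre' variants named in the docstring is the mandatory `\s+` between 'cve' and the ID ('-' is not whitespace), so a sentence in the docstring saying that would document the intent. Note also that `re.IGNORECASE` applies to the captured group, so 'cve cve-2025-12345' returns a lowercase ID; normalising the capture with `.upper()` before it is compared against database entries avoids a case-sensitive miss.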
Copilot (AI), Oct 14, 2025:
The regex pattern uses a negative lookbehind (?<!\S) but the docstring mentions it ignores 'cve-bf' and 'cve-pre' variants. The current pattern would still match 'cve CVE-2025-12345' in 'somecve CVE-2025-12345'. Consider using word boundaries \bcve\s+ for clearer intent.
Suggested change:
    match = re.search(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
    match = re.search(r'\bcve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
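Review bot: the suggested `\bcve\s+` is looser than the original `(?<!\S)cve\s+`, not stricter. `\b` is a boundary between a word and a non-word character, so a token such as 'pre-cve CVE-2025-12345' or 'x/cve CVE-2025-12345' would start matching where the lookbehind rejected it, while the 'somecve' case cited in the comment above matches neither pattern because there is no word boundary inside 'somecve'. If the intent is 'cve' as a standalone whitespace-delimited token, the existing lookbehind is the right construct and should stay.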
Oh Co-Pilot, your context didn't even follow the comment directly above, which you also whined about.
PlaidCat left a comment:
This is too useful to block on a tree of if's
out_lines.append('  ' + line)
out_lines.append("")  # blank line

# Check CVE if enabled
I really hate this tree of if statements.
Can we make a ticket to clean this up... ideally as a part of Python mock testing?
@PlaidCat Yes, I fully agree with you! On my list to refactor this when I migrate to 'kt'.
roxanan1996 left a comment:
This script needs refactoring soon, as it is becoming bigger and bigger, but for now it's fine.
One question: this does not cover the case where there are multiple commits upstream for a CVE but the pull request does not include all of them, right?
Do you have an example of this since Kernel.org became the CNA? It might be useful to some pre-2023, but we have no way of validating those within the
Adds ability to verify that CVE references in PR commit messages correctly match the upstream commits they reference. Uses the kernel vulnerabilities database to cross-check CVE assignments against upstream commit hashes. The --check-cves flag enables validation that detects three error conditions: mismatched CVE assignments between PR and upstream commits, CVE references to upstream commits with no CVE assignment, and failures accessing the vulnerabilities database. Output format matches existing checker patterns with support for both plain text and markdown modes.
da974d3 to dabfdef
Addressed comments from @roxanan1996. I agree with both of you that this script could use some refactoring. Let's get it in and checking PRs, then fix it up. Thanks!
Adds ability to verify that CVE references in PR commit messages correctly match the upstream commits they reference. Uses the kernel vulnerabilities database to cross-check CVE assignments against upstream commit hashes.
The --check-cves flag enables validation that detects three error conditions: mismatched CVE assignments between PR and upstream commits, CVE references to upstream commits with no CVE assignment, and failures accessing the vulnerabilities database. Output format matches existing checker patterns with support for both plain text and markdown modes.
Here is an example github comment from this code:
ctrliq/kernel-src-tree#616 (comment)
This was written by Claude BTW.
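As an added example (not the PR's own code, and not the kernel commit checker's implementation), here is the cross-check the description lists, written in Python against a constructed in-memory stand-in for the vulnerabilities database. The regex is the one from the PR's extract_cve_from_message; the VulnsDb class, check_cve, format_result, and every hash and CVE ID in the sample data are assumptions made for illustration. It produces the three error conditions named above (mismatched assignment, upstream commit with no CVE, database access failure) plus the two non-error outcomes, in both plain-text and markdown form.

```python
"""Added example: CVE cross-check of a PR commit against an upstream
vulnerabilities lookup. Not the project's code; the database layout is
a constructed assumption."""
import re

# Regex as in the PR's extract_cve_from_message(): a standalone "cve" token
# (start of string or preceded by whitespace) followed by whitespace and the
# ID. "cve-bf"/"cve-pre" never match because "-" is not whitespace.
CVE_REF_RE = re.compile(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', re.IGNORECASE)


class VulnsDbError(Exception):
    """Raised when the vulnerabilities database cannot be read (clone or
    update failed)."""


class VulnsDb:
    """Constructed stand-in for the kernel vulns repository (assumption: a
    mapping from upstream commit hash to the CVE assigned to it).
    available=False simulates a failed clone/update."""

    def __init__(self, cve_by_hash, available=True):
        self.cve_by_hash = cve_by_hash
        self.available = available

    def cve_for_commit(self, upstream_hash):
        if not self.available:
            raise VulnsDbError("vulns database unavailable")
        return self.cve_by_hash.get(upstream_hash)


def extract_cve_from_message(msg):
    """Return the CVE ID named on a 'cve CVE-YYYY-N...' line, or None.
    IGNORECASE also lowercases the capture, so normalise it."""
    m = CVE_REF_RE.search(msg)
    return m.group(1).upper() if m else None


def check_cve(pr_msg, upstream_hash, db):
    """Compare the CVE named in a PR commit message with the CVE assigned to
    the upstream commit it backports. upstream_hash is supplied by the caller
    (assumption). Returns (status, detail); status is one of 'ok',
    'no-reference', 'mismatch', 'no-upstream-cve', 'db-error'."""
    pr_cve = extract_cve_from_message(pr_msg)
    if pr_cve is None:
        return ('no-reference', 'commit message names no CVE')
    try:
        upstream_cve = db.cve_for_commit(upstream_hash)
    except VulnsDbError as exc:
        return ('db-error', f'could not query vulns database: {exc}')
    short = upstream_hash[:12]
    if upstream_cve is None:
        return ('no-upstream-cve',
                f'{pr_cve} referenced but upstream {short} has no CVE assigned')
    if upstream_cve != pr_cve:
        return ('mismatch',
                f'PR says {pr_cve} but upstream {short} is {upstream_cve}')
    return ('ok', f'{pr_cve} matches upstream {short}')


def format_result(status, detail, markdown=False):
    """Render one result line in plain text or markdown, mirroring the
    checker's two output modes."""
    label = 'CVE OK' if status in ('ok', 'no-reference') else 'CVE ERROR'
    return f'- **{label}**: {detail}' if markdown else f'{label}: {detail}'


# Constructed sample data: every hash and CVE ID below is made up.
SAMPLE_DB = VulnsDb({
    'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678': 'CVE-2024-0001',
    'ffffffffffffffffffffffffffffffffffffffff': 'CVE-2024-0002',
})
UNAVAILABLE_DB = VulnsDb({}, available=False)

SAMPLE_COMMITS = [
    # (commit message, upstream hash, database)
    ('net: fix leak\n\ncve CVE-2024-0001',
     'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', SAMPLE_DB),
    ('net: fix leak\n\ncve CVE-2024-0002',
     'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', SAMPLE_DB),
    ('mm: fix\n\ncve CVE-2024-0009',
     '0000000000000000000000000000000000000000', SAMPLE_DB),
    ('mm: fix\n\ncve-bf CVE-2024-0001',
     'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', SAMPLE_DB),
    ('mm: fix\n\ncve CVE-2024-0001',
     'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', UNAVAILABLE_DB),
]


def run_samples(markdown=False):
    """Check every constructed commit; return the list of status codes."""
    statuses = []
    for msg, upstream_hash, db in SAMPLE_COMMITS:
        status, detail = check_cve(msg, upstream_hash, db)
        print(format_result(status, detail, markdown))
        statuses.append(status)
    return statuses


if __name__ == '__main__':
    run_samples(markdown=True)
```

The 'cve-bf' sample shows why the `\s+` (not the lookbehind) is what filters the variant forms, and the unavailable-database sample shows that an access failure is reported as its own error rather than being silently treated as "no CVE upstream", which would otherwise mask a real mismatch.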