feat(cve-watch): richer tracking issue — descriptions, severity, self-update #14

Merged
zach merged 1 commit from feat/cve-watch-richer-issue into main 2026-06-06 06:26:22 +00:00

Builds on the best-effort CVE list (#8) per the four enhancements requested. All best-effort and non-blocking — issue creation never fails.

1. Descriptions — each CVE renders as a collapsible <details> block: summary = the kernel's one-line title, body = the explanatory text from the same vulns.git record (capped at CVE_DESC_MAX=20 lines; fence markers stripped so it can't break out of the rendered code block).

2. Severity — best-effort annotation from Red Hat's security feed (access.redhat.com), e.g. Important (CVSS 7.8). The kernel CNA publishes no CVSS, so this is a secondary source, clearly labelled as Red Hat's rating, not the project's. Bounded by CVE_SEV_BUDGET=90s so a slow/blocked API can't stall the hourly job; CVE_SEVERITY=0 disables it for offline tests.

3. Snapshot timestamp — the list carries a UTC 'as of' line + a 're-check vulns.git before building' reminder, since the feed lags.

4. Self-update while open — instead of exiting when a tracking issue already exists, cve-watch diffs the CVE-ID set (not the whole body, so the changing timestamp is never a trigger) and, if more CVEs have since been attributed to the release, refreshes the body and posts a comment naming the new entries. Guards: never overwrite a populated list with an empty one (a transient feed failure yields zero IDs), and no edit/comment when unchanged (no hourly noise).

docs/users/cve-policy.md updated for all of the above, including that building the upstream tag already contains every fix in it regardless of CVE-assignment timing — so the list stays informational, never gating.

Validated: shellcheck clean · yamllint relaxed clean · the workflow-expressions guard (#12) clean · bash -n on the issue step · offline + live (real Red Hat) unit tests against an actual vulns.git snapshot · diff/no-clobber logic simulated (unchanged/grew/empty).

Operator note: adds best-effort egress to access.redhat.com (on top of kernel.googlesource.com from #8). If you enforce runner-setup.md's outbound allowlist, allowlist both — otherwise these details just degrade to 'omitted', never a failure.
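The two pieces of the description that carry logic worth seeing in code are the fence-stripped `<details>` rendering (item 1) and the ID-set diff with its no-clobber guard (item 4). Below is an added bash example that is not cve-watch's own code: the function names, the `CVE-2099-*` placeholder IDs and the sample issue bodies are constructed for the demo, and only `CVE_DESC_MAX` is taken from the PR text. The severity lookup is left out because it needs network access.

```bash
#!/usr/bin/env bash
# Added example, not cve-watch's own code: description rendering and the
# "self-update while open" decision logic from the PR text, as small bash
# functions that run offline. Function names, CVE-2099-* IDs and sample bodies
# are constructed placeholders; only CVE_DESC_MAX comes from the PR.
set -euo pipefail

CVE_DESC_MAX="${CVE_DESC_MAX:-20}"

# Render one CVE as a collapsible <details> block: summary = ID and one-line
# title, body = description capped at CVE_DESC_MAX lines. Any line that is a
# Markdown fence marker (three backticks or three tildes) is dropped so a
# description can never close the fenced block the whole list renders inside.
render_cve() {
  local id="$1" title="$2" desc="$3"
  local fence_re='^[[:space:]]*(`{3}|~{3})'
  printf '<details><summary>%s: %s</summary>\n\n' "$id" "$title"
  printf '%s\n' "$desc" | grep -Ev "$fence_re" | head -n "$CVE_DESC_MAX" || true
  printf '\n</details>\n'
}

# Header carried by every rendering: UTC snapshot time plus the lag reminder.
render_header() {
  printf 'CVEs attributed to this release as of %s (UTC).\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf 'The feed lags: re-check vulns.git before building.\n\n'
}

# Sorted, de-duplicated CVE-ID set of an issue body. The diff below compares
# this set only, so the changing "as of" line never triggers an edit.
extract_ids() {
  grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' <<<"$1" | sort -u || true
}

# Decide what to do with an already-open tracking issue. Prints one of:
#   unchanged          same ID set: no edit, no comment (no hourly noise)
#   empty-feed         new set empty but old one populated: never clobber
#   grew ID [ID ...]   new IDs attributed: refresh body, comment naming them
#   shrunk             IDs disappeared without additions: left to the caller
plan_update() {
  local old_body="$1" new_body="$2" old_ids new_ids added
  old_ids="$(extract_ids "$old_body")"
  new_ids="$(extract_ids "$new_body")"
  if [[ -z "$new_ids" && -n "$old_ids" ]]; then echo "empty-feed"; return; fi
  if [[ "$old_ids" == "$new_ids" ]]; then echo "unchanged"; return; fi
  added="$(comm -13 <(printf '%s\n' "$old_ids") <(printf '%s\n' "$new_ids"))"
  if [[ -n "$added" ]]; then
    printf 'grew %s\n' "$(paste -sd' ' <<<"$added")"
  else
    echo "shrunk"
  fi
}

# Demo on constructed input (placeholder IDs, not real CVEs).
DEMO_DESC='A use-after-free in a constructed example driver.
~~~
this fence line is stripped
~~~
Fixed in the release this issue tracks.'
OLD_BODY="$(render_header)CVE-2099-0001 CVE-2099-0002"
render_header
render_cve CVE-2099-0001 "example: fix use-after-free" "$DEMO_DESC"
plan_update "$OLD_BODY" "later snapshot CVE-2099-0002 CVE-2099-0001"   # unchanged
plan_update "$OLD_BODY" "later snapshot with no IDs"                   # empty-feed
plan_update "$OLD_BODY" "$OLD_BODY CVE-2099-0003"                      # grew CVE-2099-0003
```

Two choices worth noting: `extract_ids` sorts before comparing, so reordering in the feed is not a change either, and `plan_update` checks the empty-feed guard before the equality check so that a transient zero-ID fetch can never be reported as anything but `empty-feed`.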

feat(cve-watch): richer tracking issue — descriptions, severity, self-update
All checks were successful
validate / yamllint (pull_request) Successful in 12s
validate / workflow-expressions (pull_request) Successful in 4s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
validate / shellcheck (pull_request) Successful in 13s
8387e5a87f
Builds on the best-effort CVE list (#8) per operator request. Four additions:

1. Descriptions: each CVE renders as a collapsible <details> block whose
   summary is the kernel's one-line title and whose body is the explanatory
   text from the same vulns.git record (capped at CVE_DESC_MAX lines, default
   20; stray code-fence markers stripped so the text can't break out of the
   fenced block it renders in).

2. Severity: best-effort annotation from Red Hat's security feed
   (access.redhat.com), e.g. "Important (CVSS 7.8)". The kernel CNA publishes
   no CVSS, so this is a secondary source, clearly labelled as Red Hat's
   rating (not the project's). Bounded by CVE_SEV_BUDGET (default 90s) so a
   slow/blocked API can't stall the hourly job; CVE_SEVERITY=0 disables it for
   offline/deterministic tests.

3. Snapshot timestamp: the list carries a UTC "as of" line and a "re-check
   vulns.git before building" reminder, since the feed lags.

4. Self-update while open: instead of exiting when a tracking issue already
   exists, cve-watch diffs the CVE-ID SET (not the whole body, so the
   timestamp alone is never a trigger) and, if more CVEs have been attributed
   to the release, refreshes the body and posts a comment naming the new
   entries. Guards: never overwrite a populated list with an empty one (a
   transient feed failure yields zero IDs), and no edit/comment when unchanged
   (no hourly noise).

cve-policy.md updated for all of the above, including that building the
upstream tag already contains every fix in it regardless of CVE-assignment
timing (so the list stays informational, never gating).

Validated: shellcheck clean; yamllint relaxed clean; workflow-expressions
guard clean; bash -n on the issue step; offline + live (Red Hat) unit tests
against a real vulns.git snapshot; diff/no-clobber logic simulated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zach merged commit 7d2efe84be into main 2026-06-06 06:26:22 +00:00
zach deleted branch feat/cve-watch-richer-issue 2026-06-06 06:26:25 +00:00
unredacted/linux-hardened-unredacted!14