Fix cve-watch false positives from an empty local tag list #5

Merged
zach merged 1 commit from fix/cve-watch-empty-local into main 2026-05-29 20:48:19 +00:00
Owner

cve-watch filed issue #4 ("Upstream linux-hardened tag v7.0.10-hardened1 available") — a false positive: that's the same upstream patch we already ship as v7.0.10-hardened1.5. The tell was the blank "Local latest:" line.

Root cause: the compare upstream vs local step's checkout used fetch-tags: true on a shallow clone, which does not fetch tags on this Forgejo act runner. git tag --list returned nothing → local was empty → upstream != "" was always true, so every run looked like a new release. (This — not a real upstream release — is what fired the earlier runs as well.)

Fix

  • checkout: add fetch-depth: 0 (matches build-kernel.yml, which reads tags reliably); a full clone fetches all tags.
  • compare: log the resolved upstream / local_newest / local_core, and guard — if either side is empty, set new=false instead of filing. So even if a checkout ever fails to provide tags again, it cannot spam a false "new upstream" issue for a tag we already ship.

Verified locally against the real tag set: upstream=v7.0.10-hardened1 vs local_newest=v7.0.10-hardened1.5 (core v7.0.10-hardened1) → new=false; a genuine hardened2 / 7.0.11 → new=true; empty local → new=false.

Follow-up: issue #4 can be closed as a false positive.

🤖 Generated with Claude Code

ci: fix cve-watch false positives from an empty local tag list
All checks were successful
validate / shellcheck (pull_request) Successful in 13s
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
0798961f57
Issue #4 ("Upstream linux-hardened tag v7.0.10-hardened1 available") was a
false positive — we already ship that patch as 1.5. The tell was the blank
"Local latest:" line. Root cause: cve-watch's checkout used `fetch-tags:
true` on a shallow clone, which does NOT fetch tags on this Forgejo act
runner, so `git tag --list` returned nothing, `local` was empty, and
`upstream != ""` was always true. (This — not a real upstream release — is
what fired the earlier runs too; correcting my earlier claim that it was a
genuine detection.)

- checkout: add `fetch-depth: 0` (matches build-kernel.yml, which reads
  tags reliably); a full clone fetches all tags.
- compare: log the resolved values, and guard — if `upstream` OR `local`
  is empty, set new=false instead of filing, so a checkout that ever fails
  to provide tags can't spam a false "new upstream" issue for a tag we
  already ship.

Verified: tags present -> upstream v7.0.10-hardened1 vs local
v7.0.10-hardened1.5 (core v7.0.10-hardened1) = new=false; genuine
hardened2 / 7.0.11 = new=true; empty local = new=false.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zach merged commit 3b5a351f19 into main 2026-05-29 20:48:19 +00:00
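The guarded compare logic described in the PR description and the commit message above, as an added POSIX shell example; this is not the repository's own cve-watch workflow code. It compares the upstream tag against the core of the newest local tag (local `.N` rebuild suffix stripped), logs the resolved values, and refuses to report a new release when either side is empty. The local tag list is constructed inline to stand in for `git tag --list`; the tag pattern (`vX.Y.Z-hardenedN` upstream, `.M` suffix on local rebuilds), the function names and the shape of the pre-fix comparison are assumptions drawn from the text. The `fetch-depth: 0` checkout change is workflow configuration and is not repeated here.

```shell
#!/bin/sh
# Added example: a guarded upstream-vs-local tag compare in the spirit of the
# cve-watch fix. Not the project's workflow step; names and tag layout assumed.
set -eu

# Constructed tag lists standing in for `git tag --list` output.
LOCAL_TAGS_OK='v7.0.8-hardened1
v7.0.9-hardened1
v7.0.10-hardened1
v7.0.10-hardened1.5'
LOCAL_TAGS_EMPTY=''   # what the shallow clone without tags produced

# Compare two tags numerically, field by field (7.0.10 < 7.0.11, hardened1 <
# hardened1.5 < hardened2). Prints -1, 0 or 1. Missing trailing fields count as 0.
vercmp() {
  awk -v a="$1" -v b="$2" '
    BEGIN {
      na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
      n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        x = (A[i] == "") ? 0 : A[i] + 0
        y = (B[i] == "") ? 0 : B[i] + 0
        if (x < y) { print "-1"; exit }
        if (x > y) { print "1"; exit }
      }
      print "0"
    }'
}

# Newest tag in a newline-separated list; empty list yields an empty string.
newest_tag() {
  best=""
  for t in $1; do
    if [ -z "$best" ] || [ "$(vercmp "$t" "$best")" = 1 ]; then best=$t; fi
  done
  printf '%s' "$best"
}

# Strip a local rebuild suffix: v7.0.10-hardened1.5 -> v7.0.10-hardened1.
local_core() {
  printf '%s' "$1" | sed 's/\(-hardened[0-9][0-9]*\)\.[0-9][0-9]*$/\1/'
}

# Pre-fix comparison shape (assumed from the PR text): with local="" this
# degenerates to upstream != "" and fires on every run.
old_is_new() {
  if [ "$1" != "$2" ]; then printf 'true'; else printf 'false'; fi
}

# Guarded decision: prints "true" only when upstream is strictly newer than the
# core of what we ship; empty upstream or empty local tag list -> "false".
is_new_release() {
  upstream=$1
  local_newest=$(newest_tag "$2")
  if [ -z "$upstream" ] || [ -z "$local_newest" ]; then
    echo "guard: upstream='$upstream' local_newest='$local_newest' -> new=false" >&2
    printf 'false'
    return 0
  fi
  core=$(local_core "$local_newest")
  echo "upstream=$upstream local_newest=$local_newest local_core=$core" >&2
  if [ "$(vercmp "$upstream" "$core")" = 1 ]; then
    printf 'true'
  else
    printf 'false'
  fi
}

# Usage: the three cases from the PR, plus the old comparison on an empty list.
echo "hardened1  vs real tags: new=$(is_new_release v7.0.10-hardened1 "$LOCAL_TAGS_OK")"
echo "hardened2  vs real tags: new=$(is_new_release v7.0.10-hardened2 "$LOCAL_TAGS_OK")"
echo "7.0.11     vs real tags: new=$(is_new_release v7.0.11-hardened1 "$LOCAL_TAGS_OK")"
echo "hardened1  vs no tags:   new=$(is_new_release v7.0.10-hardened1 "$LOCAL_TAGS_EMPTY")"
echo "old compare, no tags:    new=$(old_is_new v7.0.10-hardened1 "")"
```

The comparison is deliberately against `local_core` rather than `local_newest`: a local `.5` rebuild of `hardened1` is still `hardened1`, so an upstream re-announcement of the same patch level must not count as new, while `hardened2` or a later `7.0.x` must.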
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Due date

No due date set.

Dependencies

No dependencies set.

Reference
unredacted/linux-hardened-unredacted!5