cve-watch: list fixed CVEs in the tracking issue (best-effort) #8

Merged
zach merged 1 commit from feat/cve-list-in-issue into main 2026-05-30 08:41:06 +00:00
Owner

Implements the operator's request: when cve-watch detects a new upstream linux-hardened tag, the tracking issue now lists the mainline CVEs reported fixed between the kernel we ship and the new one.

How

  • tools/list-fixed-cves.sh (new): given <current_kver> <new_kver>, selects CVEs from the kernel.org CVE project's vulns.git whose .dyad fixed-version is on the new major.minor branch with patch in (cur, new], and prints a Markdown list (CVE id + the commit-subject title from the CVE's .json). It fetches the ~20 MB tarball from the googlesource mirror (plain curl+jq+tar — no new tooling; cgit on git.kernel.org is behind an anti-bot gate).
    • Best-effort by contract: always exits 0 and prints a one-line note on any failure, so it can never block issue creation.
    • Special cases: same-version refresh → "no new mainline CVEs"; cross stable series → a "not automated" note; feed unreachable → "unavailable, enumerate manually".
    • Offline-testable via VULNS_DIR; list cap via CVE_LIST_MAX (default 60).
  • cve-watch.yml: the cmp step emits upstream_kver/local_kver; a new best-effort step runs the helper into /tmp/cve-block.md; the issue step folds it into the body via a shell-variable expansion, so the block's backticks/markdown are literal data, not command substitution (verified — a CVE title containing `backticks` or $(...) can't execute).
  • cve-policy.md: documents the source and the honest caveats — the kernel CVE feed has no CVSS, so it can't tell you which entries meet the "CVSS ≥ 7.0 / exploited-in-the-wild" SLA tier; the list is long, can lag a release, and is informational only (never gates the response action).

Verification

tools/list-fixed-cves.sh is shellcheck-clean and unit-tested against a mock vulns.git tree (range selection incl. multi-branch .dyad lines, title rendering, the refresh/cross-series/no-match/cap paths, and always-exit-0). cve-watch.yml is yamllint-clean. Live end-to-end fires on the next real upstream tag (operator-side).

🤖 Generated with Claude Code

ci(cve-watch): list CVEs fixed in the new release in the tracking issue
All checks were successful
validate / shellcheck (pull_request) Successful in 13s
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
3b3811e92e
When cve-watch detects a new upstream tag, the tracking issue now includes
a best-effort list of the mainline CVEs the kernel CNA reports fixed between
our shipped kernel and the new one.

- tools/list-fixed-cves.sh (new): given <current_kver> <new_kver>, selects
  CVEs from the kernel.org CVE project's vulns.git whose .dyad fixed-version
  is on the new major.minor branch with patch in (cur, new], and prints a
  markdown list (CVE id + the commit-subject title from the .json). Fetches
  the ~20 MB tarball from the googlesource mirror (curl + jq + tar — no new
  tooling; cgit on git.kernel.org is behind an anti-bot gate). BEST-EFFORT:
  always exits 0 and prints a note on any failure, so it can never block
  issue creation. Special cases handled: same-version refresh -> "no new
  CVEs"; cross stable series -> a note (not automated); feed unreachable ->
  "unavailable". Offline-testable via VULNS_DIR; cap via CVE_LIST_MAX (60).
- cve-watch.yml: the cmp step now emits upstream_kver/local_kver; a new
  best-effort step runs the helper into /tmp/cve-block.md; the issue step
  folds it into the body via a shell-variable expansion (so the block's
  backticks/markdown are literal data, not command substitution).
- cve-policy.md: document the source + caveats (no CVSS, so severity triage
  stays human; long/lagging/best-effort; informational, never gates the SLA).

Verified: helper shellcheck-clean + unit-tested (range selection, titles,
refresh / cross-series / no-match / cap, always-exit-0); cve-watch.yml
yamllint-clean; the issue-body construction confirmed backtick/$()-safe.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
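The range-selection core that the PR description and the commit message above both describe, as an added example that is not the project's `tools/list-fixed-cves.sh`. It assumes the kernel.org `vulns.git` `.dyad` line format `vulnerable_version:vulnerable_sha:fixed_version:fixed_sha` with `#` comment lines (an assumption here), uses a constructed mock tree in place of the fetched tarball, and leaves out the `.json` title lookup.

```shell
#!/bin/sh
# Added example, not the project's tools/list-fixed-cves.sh. Assumed .dyad line
# format (kernel.org CVE project): vuln_ver:vuln_sha:fixed_ver:fixed_sha; '#' comments.

# select_fixed_cves <current_kver> <new_kver> <vulns_dir>
# Prints a Markdown list of CVEs whose .dyad records a fix on the new major.minor
# branch with patch in (cur, new]. Always returns 0: best-effort by contract.
select_fixed_cves() {
  cur=$1; new=$2; dir=$3
  if [ "$cur" = "$new" ]; then
    echo "no new mainline CVEs (refresh of $cur)"; return 0
  fi
  cur_mm=${cur%.*}; new_mm=${new%.*}          # "6.6.20" -> "6.6"
  if [ "$cur_mm" != "$new_mm" ]; then
    echo "cross-series update $cur -> $new: not automated, enumerate manually"; return 0
  fi
  cur_p=${cur##*.}; new_p=${new##*.}          # "6.6.20" -> "20"
  out=$(find "$dir" -name '*.dyad' 2>/dev/null | sort | while read -r f; do
    id=$(basename "$f" .dyad)
    # A multi-branch .dyad has one fix per stable branch: any matching line counts.
    awk -F: -v mm="$new_mm" -v lo="$cur_p" -v hi="$new_p" -v id="$id" '
      /^#/ || NF < 4 { next }
      {
        n = split($3, p, ".")
        if (n != 3) next                          # skip "-rcN" and bare major.minor fixes
        if ((p[1] "." p[2]) != mm) next           # fix lands on another stable branch
        patch = p[3] + 0
        if (patch > lo && patch <= hi) { print "- " id " (fixed in " $3 ")"; exit }
      }' "$f"
  done)
  if [ -z "$out" ]; then
    echo "no mainline CVEs reported fixed in ($cur, $new]"
  else
    printf '%s\n' "$out"
  fi
  return 0
}

# make_mock_tree: constructed sample records (not real CVEs) standing in for VULNS_DIR.
make_mock_tree() {
  d=$(mktemp -d); p="$d/cve/published/2024"; mkdir -p "$p"
  printf '%s\n' '# note' '6.6:a1:6.6.21:b1' '6.7:c1:6.7.9:d1' > "$p/CVE-2024-0001.dyad" # in range
  printf '%s\n' '6.6:e1:6.6.20:f1'                    > "$p/CVE-2024-0002.dyad" # fixed in cur: out
  printf '%s\n' '6.1:g1:6.1.80:h1' '6.6:i1:6.6.22:j1' > "$p/CVE-2024-0003.dyad" # 2nd branch hits
  printf '%s\n' '6.6:k1:6.6.23:l1'                    > "$p/CVE-2024-0004.dyad" # past new: out
  printf '%s\n' '6.7:m1:6.8-rc1:n1'                   > "$p/CVE-2024-0005.dyad" # rc fix: skipped
  echo "$d"
}
```

Run `select_fixed_cves 6.6.20 6.6.22 "$(make_mock_tree)"` to see the two in-range entries; the refresh, cross-series and no-match paths each return a one-line note instead of a list.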
zach merged commit 20098b851d into main 2026-05-30 08:41:06 +00:00