Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1674

[GHI#29813] Snyk report to identify branches impacted by a CVE

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Problem Statement:

      The current script used to report CVEs on third-party libraries was not designed with release branches in mind, as a result, it only scans the main branch. This limitation prevents our teams from identifying which release branches are impacted by a CVE. To ensure extensive coverage, we need to scan both the main and release branches.

      Proposal:

      1. Identify and update existing GitHub issues:

      • The script should be able to recognize when a CVE already exists across different branches, and it should update the existing CVE report with appropriate labels indicating the affected branches.

      2. Branch label assignment:

      • The script should assign labels based on the specific branch requiring a backport. For example, if a backport is needed for the main branch and version 24.0, the labels should be backport/main and backport/24.0 respectively.

      By ensuring that all release branches are scanned and appropriately labeled, we should be able to manage vulnerabilities across all branches.

      Working PoC

      1. The scanner runs once a day and CVE reports are created in the upstream
      <a href="https://ibb.co/ySDJSQ6"><img src="https://i.ibb.co/Zm3CmMB/Screenshot-from-2024-05-30-17-23-00.png" alt="Screenshot-from-2024-05-30-17-23-00" border="0"></a>
      2. Labels are assigned per branch
      <a href="https://ibb.co/cLJ3ZVy"><img src="https://i.ibb.co/nCrmYtw/Screenshot-from-2024-05-30-17-24-35.png" alt="Screenshot-from-2024-05-30-17-24-35" border="0"></a>

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Continuous Testing
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: