Bug
Resolution: Done
Problem Statement:
The current script used to report CVEs on third-party libraries was not designed with release branches in mind; as a result, it only scans the main branch. This limitation prevents our teams from identifying which release branches are impacted by a CVE. To ensure complete coverage, we need to scan both the main and release branches.
Proposal:
1. Identify and update existing GitHub issues:
- The script should be able to recognize when a CVE already exists across different branches, and it should update the existing CVE report with appropriate labels indicating the affected branches.
2. Branch label assignment:
- The script should assign labels based on the specific branch requiring a backport. For example, if a backport is needed for the main branch and version 24.0, the labels should be backport/main and backport/24.0 respectively.
By ensuring that all release branches are scanned and appropriately labeled, we should be able to manage vulnerabilities across all branches.
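The reconciliation logic the two proposal points describe, as an added example that is not the project's own scanner: per-branch findings are grouped by CVE and package so one issue covers every affected branch, an existing issue is updated with the missing backport labels instead of being duplicated, and labels follow the `backport/<branch>` convention. The in-memory issue store, the `security` label, the issue-title format and the library names and CVE identifiers are all constructed assumptions; no GitHub API is called.

```python
"""Reconcile per-branch CVE findings into issue records (added example).

Assumptions (not from the original issue): the tracker is an in-memory
dict keyed by issue title, every report carries a "security" label, and
a finding is (branch, package, cve_id). CVE ids below are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BACKPORT_PREFIX = "backport/"


@dataclass
class Issue:
    """Minimal stand-in for a tracker issue: a title and a label set."""
    title: str
    labels: set[str] = field(default_factory=set)


def cve_key(package: str, cve_id: str) -> str:
    """One issue per (CVE, package) pair, regardless of how many branches hit it."""
    return f"{cve_id} in {package}"


def backport_label(branch: str) -> str:
    return BACKPORT_PREFIX + branch


def affected_branches(issue: Issue) -> list[str]:
    """Recover the affected branches from an issue's backport/* labels."""
    return sorted(
        lbl[len(BACKPORT_PREFIX):] for lbl in issue.labels if lbl.startswith(BACKPORT_PREFIX)
    )


def reconcile(findings: list[tuple[str, str, str]],
              issues: dict[str, Issue]) -> tuple[list[str], list[str]]:
    """Create or update issues from a scan run.

    Returns (created_titles, updated_titles). Re-running on the same
    findings is a no-op, so a daily scan never produces duplicate reports.
    """
    # Group findings so that a CVE seen on several branches maps to one issue.
    affected: dict[str, set[str]] = {}
    for branch, package, cve_id in findings:
        affected.setdefault(cve_key(package, cve_id), set()).add(branch)

    created, updated = [], []
    for title, branches in sorted(affected.items()):
        wanted = {backport_label(b) for b in branches}
        issue = issues.get(title)
        if issue is None:
            # New CVE: open one report carrying a label per affected branch.
            issues[title] = Issue(title, {"security"} | wanted)
            created.append(title)
        elif not wanted <= issue.labels:
            # Known CVE now seen on an additional branch: extend the labels.
            issue.labels |= wanted
            updated.append(title)
    return created, updated


if __name__ == "__main__":
    tracker: dict[str, Issue] = {}
    # Constructed day-1 scan: main branch only.
    print(reconcile([("main", "libfoo", "CVE-0000-0001")], tracker))
    # Constructed day-2 scan: main and the 24.0 release branch.
    print(reconcile([
        ("main", "libfoo", "CVE-0000-0001"),
        ("24.0", "libfoo", "CVE-0000-0001"),
        ("24.0", "libbar", "CVE-0000-0002"),
    ], tracker))
    for iss in tracker.values():
        print(iss.title, sorted(iss.labels), affected_branches(iss))
```

The dedup key deliberately excludes the branch, which is what prevents one report per branch; the branch information lives only in the labels, so a reviewer can read which backports are outstanding from the label list alone.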
Working PoC
1. The scanner runs once a day and CVE reports are created in the upstream repository.
<a href="https://ibb.co/ySDJSQ6"><img src="https://i.ibb.co/Zm3CmMB/Screenshot-from-2024-05-30-17-23-00.png" alt="Screenshot-from-2024-05-30-17-23-00" border="0"></a>
2. Labels are assigned per branch.
<a href="https://ibb.co/cLJ3ZVy"><img src="https://i.ibb.co/nCrmYtw/Screenshot-from-2024-05-30-17-24-35.png" alt="Screenshot-from-2024-05-30-17-24-35" border="0"></a>