
[GHI#29813] Snyk report to identify branches impacted by a CVE


      Problem Statement:

      The current script used to report CVEs in third-party libraries was not designed with release branches in mind; as a result, it scans only the main branch. This limitation prevents our teams from identifying which release branches are affected by a given CVE. To ensure full coverage, the script needs to scan both the main branch and the release branches.

      Proposal:

      1. Identify and update existing GitHub issues:

      • The script should be able to recognize when a CVE already exists across different branches, and it should update the existing CVE report with appropriate labels indicating the affected branches.

      2. Branch label assignment:

      • The script should assign labels based on the specific branch requiring a backport. For example, if a backport is needed for the main branch and version 24.0, the labels should be backport/main and backport/24.0 respectively.

      By ensuring that all release branches are scanned and appropriately labeled, we should be able to manage vulnerabilities across all branches.
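      As an added illustration of the labeling logic proposed above (not the ticket's or Keycloak's own scanner script), the following Python works out, from constructed per-branch Snyk findings and a constructed list of already-open issues, which existing CVE issues need additional backport/<branch> labels and which CVEs still need a new issue. The CVE ids, branch names and issue numbers are placeholders; fetching findings from Snyk and applying labels through the GitHub API are assumed to happen outside these functions.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample input: CVE ids Snyk reported on each scanned branch.
# The ids are placeholders, not real advisories.
FINDINGS_BY_BRANCH = {
    "main":         ["CVE-0000-0001", "CVE-0000-0002"],
    "release/24.0": ["CVE-0000-0001"],
    "release/22.0": ["CVE-0000-0001", "CVE-0000-0003"],
}

# Constructed sample: open issues filed by an earlier run (issue number is a placeholder).
EXISTING_ISSUES = [
    {"number": 101, "title": "CVE-0000-0001 in lib-a", "labels": {"kind/cve", "backport/main"}},
]


def branch_label(branch):
    """Map a scanned branch to its backport label: main -> backport/main, release/24.0 -> backport/24.0."""
    return "backport/" + branch.rsplit("/", 1)[-1]


def affected_branches(findings_by_branch):
    """Collect, per CVE, the set of branches on which it was reported."""
    affected = {}
    for branch, cves in findings_by_branch.items():
        for cve in cves:
            affected.setdefault(cve, set()).add(branch)
    return affected


def plan_updates(findings_by_branch, existing_issues):
    """Return (updates, creations).

    updates:   {issue_number: labels to add}  for CVEs that already have an open issue
    creations: {cve: labels}                  for CVEs that have no issue yet
    """
    # Index open issues by the CVE id in their title so a CVE is reported once, not per branch.
    by_cve = {}
    for issue in existing_issues:
        match = CVE_RE.search(issue["title"])
        if match:
            by_cve[match.group(0)] = issue
    updates, creations = {}, {}
    for cve, branches in affected_branches(findings_by_branch).items():
        wanted = {branch_label(b) for b in branches}
        issue = by_cve.get(cve)
        if issue is None:
            creations[cve] = {"kind/cve"} | wanted
        elif wanted - issue["labels"]:
            updates[issue["number"]] = wanted - issue["labels"]
    return updates, creations
```

Re-running the plan after the computed labels have been applied yields no further updates, so a daily run is idempotent.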

      Working PoC

      1. The scanner runs once a day and CVE reports are created in the upstream repository (screenshot: https://i.ibb.co/Zm3CmMB/Screenshot-from-2024-05-30-17-23-00.png)
      2. Labels are assigned per branch (screenshot: https://i.ibb.co/nCrmYtw/Screenshot-from-2024-05-30-17-24-35.png)

            Assignee: Unassigned
            Reporter: Pavel Vlha (pvlha)
            Keycloak Continuous Testing