From cc2be7b0757166f28be933ddca9f980e093394e5 Mon Sep 17 00:00:00 2001
From: Michal Hocko
Date: Apr 12 2024 12:44:19 +0000
Subject: scripts/check-kernel-fix: require both bsc and cvss for security fixes

cve2bsc DB might be out of sync. This could be annoying when dealing with freshly coming CVE bugs where the bsc# is known and proposed references addition miss the bug number. Enforce both bsc and CVSS data for security bugs and allow to provide/override the bug number by -b bsc#NUMBER parameter.

---
diff --git a/scripts/check-kernel-fix b/scripts/check-kernel-fix
index cfa9577..069b3f6 100755
--- a/scripts/check-kernel-fix
+++ b/scripts/check-kernel-fix
@@ -48,6 +48,7 @@ usage()
 echo " ancestors."
 echo " -s CVSS: override the CVSS score if known. This can be useful when"
 echo " the CVE->CVSS DB is not synced yet."
+ echo " -b bsc#NUMBER: override the bugzilla number if known"
 }
 
 branch=
@@ -323,7 +324,7 @@ verbose_mode=
 quiet_mode=
 flat_mode=0
 
-while getopts "hvrqfs:" OPT
+while getopts "hvrqfs:b:" OPT
 do
 case $OPT in
 h)
@@ -344,6 +345,10 @@ do
 ;;
 s)
 cvss=$OPTARG
+ ;;
+ b)
+ bsc=$OPTARG
+
 esac
 done
 
@@ -370,13 +375,12 @@ fi
 print_upstream_sha_summary $sha
 
 cve=$(sha2cve $sha $refresh)
-bsc=
 if [ -n "$cve" ]
 then
- bsc=$(cve2bugzilla $cve $refresh)
+ [ -z "$bsc" ] && bsc=$(cve2bugzilla $cve $refresh)
 [ -z "$cvss" ] && cvss=$(cve2cvss $cve $refresh)
- echo "Security fix for $cve $bsc with CVSS ${cvss:-unknown, re-check with -r or use -s score if the score is in bugzilla whiteboard}"
- [ -z "$cvss" ] && exit 1
+ echo "Security fix for $cve ${bsc:-bsc unknown} with CVSS ${cvss:-unknown}"
+ [ -z "$cvss" -o -z "$bsc" ] && fail "Incomplete references re-check with -r or use -s/-b to specify missing references"
 else
 # emulate no CVE fix as CVSS==0. This will typically happen
 # for upstream commit with Fixes: which we want to target to
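Review bot: The new `b)` arm stores `$OPTARG` verbatim, so a value that is not of the documented `bsc#NUMBER` form (a bare number, `bsc12345`, a CVE id pasted by mistake) is accepted and later reaches the "Security fix for ..." summary and, per the description, the proposed references, where the only check this patch adds is the emptiness test in the last hunk. Checking the shape here keeps a typo from producing a plausible-looking but wrong bug reference on a security fix: `b) case $OPTARG in bsc#[0-9]*) bsc=$OPTARG ;; *) fail "-b expects bsc#NUMBER, got '$OPTARG'" ;; esac ;;` — `fail` is the helper the last hunk already calls, assuming it is defined before the option loop runs. The arm as added also ends with an empty `+` line and no `;;`, unlike the `s)` arm the same hunk just terminated with `;;`; closing it the same way keeps the arms uniform. The enclosing `case`/`while` loop continues outside the hunk.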
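Review bot: The new guard `[ -z "$cvss" -o -z "$bsc" ]` relies on the `-o` binary operator of `[`, which POSIX marks obsolescent and which parses ambiguously when an operand resembles an option; `{ [ -z "$cvss" ] || [ -z "$bsc" ]; } && fail "..."` tests the same condition without that caveat. Separately, `[ -z "$bsc" ] && bsc=$(cve2bugzilla ...)` makes `-b` skip the DB lookup entirely, so when the DB does know the right bug for this CVE and the operator mistyped `-b`, nothing surfaces the disagreement and the wrong number is what ends up in the references; the lookup was unconditional before this patch, so keeping it and warning on a mismatch is cheap. The `if` continues past the hunk into an `else` branch that is only partly visible, so whether a `-b` value given for a commit without a CVE is used or silently dropped there cannot be confirmed from here.

```shell
    db_bsc=$(cve2bugzilla $cve $refresh)
    if [ -n "$bsc" ] && [ -n "$db_bsc" ] && [ "$bsc" != "$db_bsc" ]
    then
        echo "Warning: -b $bsc differs from cve2bsc DB entry $db_bsc" >&2
    fi
    bsc=${bsc:-$db_bsc}
    # … unchanged: cvss lookup and "Security fix for" summary line …
    { [ -z "$cvss" ] || [ -z "$bsc" ]; } && fail "Incomplete references re-check with -r or use -s/-b to specify missing references"
```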