From 2d79955cd58dca569e80dd426ae47f94ba1ee4fc Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
Date: May 15 2025 08:16:31 +0000
Subject: scripts/check-kernel-fix: do a full check in verbose mode


We are skipping evaluation of ineligible (based on CVSS scoring) branches
to save runtime, because a common case is a low-score CVE that is not
eligible for any LTSS branch. The security team would like to know whether
a specific branch is affected even in those cases, so let's change the
implementation and do the full evaluation even if a branch is not
eligible based on the scoring.

With the current implementation we are getting
./scripts/check-kernel-fix -v CVE-2022-49320
Security fix for CVE-2022-49320 bsc#1238394 with CVSS 5.5
= f9a9f43a62a0 ("dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type") merged v5.19-rc1~100^2~37
Fixes: b0cc417c1637 ("dmaengine: Add Xilinx zynqmp dma engine driver support") merged v4.8-rc1~117^2~7^2~2
Experts candidates:  tiwai@suse.com (36) subsystem/role="DRIVERS"
Link: https://git.kernel.org/linus/f9a9f43a62a04ec3183fb0da9226c7706eed0115
SL-16.0: nope_commit_in_base
SLE11-SP4-LTSS: nope_cvss
SLE12-SP3-TD: nope_unaffected
ACTION NEEDED!
SLE12-SP5: MANUAL: backport f9a9f43a62a04ec3183fb0da9226c7706eed0115 (Fixes v4.12)
SLE15-SP6: nope_commit_in_base
SLE15-SP7-GA: nope_cvss
cve/linux-5.14-LTSS: ok_reference_present
cve/linux-5.3-LTSS: nope_cvss
SUSE-2024: nope_commit_in_base
SLE15-SP6-RT: nope_commit_in_base
SLE15-SP6-COCO: nope_commit_in_base
SLE15-SP6-AZURE: nope_commit_in_base
SLE15-SP7: nope_commit_in_base
SLE15-SP2-LTSS: nope_cvss
SLE15-SP3-LTSS: ok_reference_present
SUSE-2024-RT: nope_commit_in_base
SLE15-SP7-RT: nope_commit_in_base
SLE15-SP7-COCO: nope_commit_in_base
SLE15-SP7-AZURE: nope_commit_in_base

With the updated one we are getting a more specific answer for
all branches whether they are eligible or not.

./scripts/check-kernel-fix -v CVE-2022-49320
Security fix for CVE-2022-49320 bsc#1238394 with CVSS 5.5
= f9a9f43a62a0 ("dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type") merged v5.19-rc1~100^2~37
Fixes: b0cc417c1637 ("dmaengine: Add Xilinx zynqmp dma engine driver support") merged v4.8-rc1~117^2~7^2~2
Experts candidates:  tiwai@suse.com (36) subsystem/role="DRIVERS"
Link: https://git.kernel.org/linus/f9a9f43a62a04ec3183fb0da9226c7706eed0115
SL-16.0: nope_commit_in_base
SLE11-SP4-LTSS: nope_unaffected
SLE12-SP3-TD: nope_unaffected
ACTION NEEDED!
SLE12-SP5: MANUAL: backport f9a9f43a62a04ec3183fb0da9226c7706eed0115 (Fixes v4.12)
SLE15-SP6: nope_commit_in_base
SLE15-SP7-GA: nope_commit_in_base
cve/linux-5.14-LTSS: ok_reference_present
cve/linux-5.3-LTSS: missing_commit_nope_cvss
SLE12-SP5-RT: MANUAL: backport f9a9f43a62a04ec3183fb0da9226c7706eed0115 (Fixes v4.12)
	WW CONFIG_XILINX_ZYNQMP_DMA not enabled.
SUSE-2024: nope_commit_in_base
SLE15-SP6-RT: nope_commit_in_base
SLE15-SP6-COCO: nope_commit_in_base
SLE15-SP6-AZURE: nope_commit_in_base
SLE15-SP7: nope_commit_in_base
SLE15-SP4-LTSS: ok_reference_present
SLE15-SP5-LTSS: ok_reference_present
SLE15-SP2-LTSS: missing_commit_nope_cvss
SLE15-SP3-LTSS: ok_reference_present
SUSE-2024-RT: nope_commit_in_base
SLE15-SP7-RT: nope_commit_in_base
SLE15-SP7-COCO: nope_commit_in_base
SLE15-SP7-AZURE: nope_commit_in_base
SLE15-SP4-RT-LTSS: ok_reference_present
SLE15-SP5-RT-LTSS: ok_reference_present
SLE15-SP3-RT-LTSS: ok_reference_present

---

diff --git a/scripts/check-kernel-fix b/scripts/check-kernel-fix
index 68f4a07..e68c8a8 100755
--- a/scripts/check-kernel-fix
+++ b/scripts/check-kernel-fix
@@ -295,6 +295,8 @@ EOF
 # possible
 #
 #   + nope_cvss: doesn't qualify based on the CVSS scoring
+#   		 this could be addedd as a suffix to other states
+#   		 (currently *missing_commit) in verbose mode
 #   + nope_commit_in_base: the fix is already in the base kernel
 #   + nope_unaffected: the fix is not required as the Fixes: commit is not present
 #   + ok_reference_present: the CVE reference is present
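Review bot: `addedd` on the new comment line is a typo for `added`, and the note would be clearer if it named the literal suffix that the code appends rather than paraphrasing it, e.g. `#   		 in verbose mode "_nope_cvss" is appended as a suffix to the` / `#   		 missing_commit and maybe_missing_commit states instead`. As written, `(currently *missing_commit)` reads like a shell glob and does not say that the verbose-mode states keep their `:<shas>` payload after the suffix.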
@@ -328,13 +330,10 @@ check_branch_state()
     [ -z "$branch" ] && fail "check_branch_state: No branch provided"
     [ -z "$sha" ] && fail "check_branch_state: No sha provided"
 
-    if  ! cvss_affects_branch $branch $cvss
+    local eligible=""
+    cvss_affects_branch $branch $cvss || eligible="_nope_cvss"
+    if  [ -z "$verbose_mode" -a -n "$eligible" ]
     then
-	    if [ -n "$verbose_mode" ]
-	    then
-		    handle_patch_present $branch $sha $references && return
-		    handle_cve_blacklisted $branch $sha $cve && return
-	    fi
 	    set_branch_sha_state $branch $sha "nope_cvss"
 	    return
     fi
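Review bot: The new condition `[ -z "$verbose_mode" -a -n "$eligible" ]` uses the `-a` operator of `test`, which POSIX marks obsolescent and which becomes ambiguous when an operand starts with `-` or `!`; the portable spelling is `if [ -z "$verbose_mode" ] && [ -n "$eligible" ]`. The name `eligible` also reads inverted, since it is non-empty exactly when the branch is not eligible — `cvss_suffix` or `ineligible` would say what it holds. The removed `handle_patch_present`/`handle_cve_blacklisted` calls are no longer run before the short-circuit, which is only correct if the full evaluation after the `fi` performs the same checks; that code is outside the hunk, though the sample output (`ok_reference_present` on the LTSS branches) suggests it does. check_branch_state begins before this hunk and continues after it.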
@@ -359,7 +358,7 @@ check_branch_state()
 	local affected="$(affected_by_git_fixes "$branch" "$base" $fixes)"
 
 	if [ -n "$affected" ] ; then
-	    set_branch_sha_state $branch $sha "missing_commit:$affected"
+	    set_branch_sha_state $branch $sha "missing_commit$eligible:$affected"
 	    check_for_warnings "$branch" "$conf_file_map" $sha "${files[@]}"
 	else
 	    set_branch_sha_state $branch $sha "nope_unaffected"
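Review bot: The state written here becomes `missing_commit_nope_cvss:<shas>` for CVSS-ineligible branches in verbose mode, so any reader that matches the state with an exact `missing_commit:*` pattern instead of `missing_commit*` would silently stop recognising it; the readers are not visible from this hunk, and the sample output printing the bare `missing_commit_nope_cvss` hints that at least one of them falls through to a default case. It is worth grepping for `missing_commit` matchers and adding `missing_commit_nope_cvss:*` and `maybe_missing_commit_nope_cvss:*` arms wherever the backport action text should still be produced. The enclosing check_branch_state body starts and ends outside this hunk.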
@@ -369,7 +368,7 @@ check_branch_state()
     fi
 
     # missing git fixes
-    set_branch_sha_state $branch $sha "maybe_missing_commit:$ref"
+    set_branch_sha_state $branch $sha "maybe_missing_commit$eligible:$ref"
 
     check_for_warnings "$branch" "$conf_file_map" $sha "${files[@]}"
 }
@@ -483,6 +482,12 @@ find_and_print_toplevel_actions()
 	    return
     fi
 
+    if [ -n "$verbose_mode" ]
+    then
+	    print_sha_action $branch $sha $(sed 's@:@ @g' $branch_file)
+	    return
+    fi
+
     # We only need to print an action if all the parents have action=nope|blacklisted
     # because merging branches cannot assume they are the same in that regards. E.g.
     # they might have breaker backported or the blacklist doesn't is not valid in their
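Review bot: The verbose early return passes `$(sed 's@:@ @g' $branch_file)` unquoted, so the state is word-split into separate arguments and also subject to pathname expansion; if the `:<affected>` payload can ever contain `*` or `?` the shell will glob it, and `$branch_file` itself is unquoted on the same line. If the existing non-verbose path further down builds the same argument list this is at least consistent, but a `set -f`/`set +f` bracket around the call (or quoting `"$branch_file"`) would remove the doubt. The early return also skips the parent-merge check described in the comment that follows, which matches the commit's intent but deserves a one-line comment such as `# verbose mode: report every branch, independent of its parents' state` so the next reader does not take it for an oversight. find_and_print_toplevel_actions begins before this hunk.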