From 5ea28e038716d1e2cc78fc840ec1cbf783f4e1b2 Mon Sep 17 00:00:00 2001
From: Michal Hocko
Date: Mar 25 2024 14:33:59 +0000
Subject: scripts/check-kernel-fix: add cvss based filtering

TODO GA kernels are not settled yet
---
diff --git a/scripts/check-kernel-fix b/scripts/check-kernel-fix
index 6c209db..cf7dc40 100755
--- a/scripts/check-kernel-fix
+++ b/scripts/check-kernel-fix
@@ -242,9 +242,31 @@ print_action()
 fi
 }
+cvss_filter_branch()
+{
+ local branch="$1"
+ local cvss="$2"
+
+ local ret=1
+ if [[ "$branch" =~ .*EB.* ]]
+ then
+ [ $cvss -ge 9 ] && ret=0
+ elif [[ "$branch" =~ .*GA.* ]]
+ then
+ [ $cvss -ge 7 ] && ret=0
+ elif [[ "$branch" =~ .*LTSS.* ]]
+ then
+ [ $cvss -ge 7 ] && ret=0
+ else
+ ret=0
+ fi
+ return $ret
+}
+
 find_and_print_toplevel_actions()
 {
 local branch="$1"
+ local cvss="${2%%.*}"
 local action_parameters=
 local merge_branch=
 local mb_line=
@@ -257,8 +279,32 @@ find_and_print_toplevel_actions()
 grep "^$branch:" "$branch_state_file" | \
 while read line ; do
+ state=$(echo $line | cut -d: -f3)
+
+ # We only want to print branches which really need CVE fix backported
+ # CVSS 9+ EB branches
+ # CVSS 7+ LTSS branches
+ # Any CVSS for regular branch
+ # If we just need to add a reference then print everything
+ if [ -n "$cvss" -a "$state" != "missing_references" ]
+ then
+ if ! cvss_filter_branch "$branch" "$cvss"
+ then
+ continue
+ fi
+ fi
+
 for merge_branch in $(print_merge_branches $branches_conf $branch) ; do
+ # Make sure merge_branches are in the same cvss scope
+ if [ -n "$cvss" -a "$state" != "missing_references" ]
+ then
+ if ! cvss_filter_branch "$merge_branch" "$cvss"
+ then
+ continue
+ fi
+ fi
+
 # branch name might include '/', e.g. cve/linux-4.12
 mb_line=$(echo -n "$line" | sed -e "s|^$branch:|$merge_branch:|")
@@ -267,7 +313,6 @@ find_and_print_toplevel_actions()
 merge_found=1
 fi
- state=$(echo $line | cut -d: -f3)
 mb_state=$(echo $mb_line | cut -d: -f3)
 if [ "$state" == "missing_references" -o \
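Review bot: `[ $cvss -ge 9 ]` and the two `-ge 7` tests in cvss_filter_branch assume the score is an integer; with a non-numeric value (whatever cve2cvss prints when no score is known — that helper is outside this page) `test` reports "integer expression expected", `ret` stays 1, and a branch that may need the fix vanishes from the report with nothing but a stray stderr line. A guard at the top of the function, `[[ "$cvss" =~ ^[0-9]+$ ]] || return 0`, keeps an unparsable score fail-open, and quoting the expansion (`[ "$cvss" -ge 9 ]`) makes the test well-formed for an empty argument too. The caller's `local cvss="${2%%.*}"` truncates rather than rounds, so 8.9 on an EB branch is compared as 8 and falls below the 9 threshold; a header comment such as `# $2 is the CVSS base score reduced to its integer part (8.9 counts as 8)` would make that explicit. The `.*EB.*` patterns match the tag anywhere in the branch name, so `[[ "$branch" == *EB* ]]` expresses the same check more directly.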
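Review bot: The policy comment above the first cvss_filter_branch call lists EB (9+) and LTSS (7+) but not GA, which cvss_filter_branch also filters at 7+, so a reader of this loop would not expect GA branches to be suppressed; add a line `# CVSS 7+ GA branches (TODO: GA threshold not settled yet)` so the comment matches the function. The same condition is repeated for the merge-branch loop and both use the deprecated `-a` inside `[ ]`; `if [[ -n "$cvss" && "$state" != "missing_references" ]]` is the unambiguous form, and the second copy could cite the first instead of restating the policy. `state=$(echo $line | cut -d: -f3)` was moved here from the loop body without quoting `$line`; it follows the file's existing pattern, but `state=$(cut -d: -f3 <<<"$line")` avoids word splitting of the state record. The enclosing while loop continues past the hunk.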
@@ -338,7 +383,11 @@ fi
 cve=$(sha2cve $sha)
 bsc=
-[ -n "$cve" ] && bsc=$(cve2bugzilla $cve)
+if [ -n "$cve" ]
+then
+ bsc=$(cve2bugzilla $cve)
+ cvss=$(cve2cvss $cve)
+fi
 references="$cve $bsc"
 # Check state of each branch
@@ -348,7 +397,7 @@ for_each_build_branch $check_cve "$branches_conf" check_branch_state $sha $refer
 [ -z "$quiet_mode" ] && echo
 if [ -z "$show_only_states" ] ; then
-for_each_build_branch $check_cve "$branches_conf" find_and_print_toplevel_actions
+for_each_build_branch $check_cve "$branches_conf" find_and_print_toplevel_actions $cvss
 if [ ! -e "$actions_file" ] ; then
 echo "EVERYTHING IS OK!"
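Review bot: `cvss` is assigned only inside the `if [ -n "$cve" ]` branch, whereas `bsc=` is cleared just before it, so when no CVE is found `cvss` keeps whatever value it already had — including an exported `cvss` from the calling environment — and that value is later handed to find_and_print_toplevel_actions as a real score. Initialise both together, `bsc=` followed by `cvss=`, before the `if`. The output of `cve2cvss` is also used unchecked; if the helper prints anything other than a numeric score (its behaviour is outside this hunk), the later `-ge` comparisons in cvss_filter_branch fail, so a one-line validation such as `[[ "$cvss" =~ ^[0-9]+(\.[0-9]+)?$ ]] || cvss=` would turn an unparsable score into "no score", which the `-n "$cvss"` guard then treats as "print every branch".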
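Review bot: `$cvss` is passed unquoted, so when it is empty the argument disappears from the command line and find_and_print_toplevel_actions sees no `$2` at all rather than an empty one; `${2%%.*}` tolerates a missing parameter unless the script runs with `set -u` (not visible on this page), where it may abort as unbound. Quoting it, `find_and_print_toplevel_actions "$cvss"`, keeps the argument position stable in both cases. Whether for_each_build_branch appends its own arguments after the callback is outside the hunk and worth confirming before relying on `$2`.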