[PR CHECKER] JIRA check for PR Headers #32
Conversation
This is the first start at a parse and check status of vulns in a PR. It requires a jira url, user, token, target merge branch and the current branch name. It will look for VULNS in the CIQ header and check their LTS product versus the target branch, if they're in the correct status and if they have any time logged.
PlaidCat
requested review from
bmastbergen,
kerneltoast,
roxanan1996,
shreeya-patel98 and
thefossguy-ciq
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a JIRA validation system for checking vulnerability tickets in PR commits. The system validates that VULN tickets have correct status, time logging, LTS product alignment with target branches, and CVE consistency between commits and JIRA tickets.
- Adds configuration mapping for JIRA fields and product-to-branch relationships
- Implements comprehensive JIRA ticket validation for vulnerability management
- Provides detailed error and warning reporting for PR compliance
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| release_config.py | Configuration file defining JIRA field mappings and product-to-branch release mappings |
| jira_pr_check.py | Main validation script that parses PR commits, validates VULN tickets against JIRA, and reports compliance issues |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| @@ -0,0 +1,325 @@ | |||
| #!/bin/env python3.11 | |||
There was a problem hiding this comment.
The shebang should use '/usr/bin/env python3' instead of '/bin/env python3.11' for better portability across different systems and Python installations.
| #!/bin/env python3.11 | |
| #!/usr/bin/env python3 |
Copilot uses AI. Check for mistakes.
| # Split by common delimiters and extract CVE IDs | ||
| import re | ||
| cve_pattern = r'CVE-\d{4}-\d{4,7}' | ||
| ticket_cves.update(re.findall(cve_pattern, ticket_cve_field, re.IGNORECASE)) | ||
| elif isinstance(ticket_cve_field, list): | ||
| for item in ticket_cve_field: | ||
| if isinstance(item, str): | ||
| import re | ||
| cve_pattern = r'CVE-\d{4}-\d{4,7}' | ||
| ticket_cves.update(re.findall(cve_pattern, item, re.IGNORECASE)) | ||
| else: | ||
| # Try to convert to string | ||
| import re | ||
| cve_pattern = r'CVE-\d{4}-\d{4,7}' | ||
| ticket_cves.update(re.findall(cve_pattern, str(ticket_cve_field), re.IGNORECASE)) |
There was a problem hiding this comment.
The 're' module is imported multiple times within the same scope. Move the import to the top of the file with other imports, and define the CVE pattern as a constant to avoid repetition.
Copilot uses AI. Check for mistakes.
| if hasattr(lts_product_field, 'value'): | ||
| lts_product = lts_product_field.value | ||
| else: | ||
| lts_product = str(lts_product_field) if lts_product_field else None |
There was a problem hiding this comment.
The custom field ID 'customfield_10381' is hardcoded. Consider using the jira_field_map dictionary that's already imported to reference 'LTS Product' field consistently.
Copilot uses AI. Check for mistakes.
| # Get CVEs from JIRA ticket using customfield_10380 | ||
| ticket_cve_field = issue.get_field("customfield_10380") |
There was a problem hiding this comment.
The custom field ID 'customfield_10380' is hardcoded. Consider using the jira_field_map dictionary that's already imported to reference 'CVE' field consistently.
| # Get CVEs from JIRA ticket using customfield_10380 | |
| ticket_cve_field = issue.get_field("customfield_10380") | |
| # Get CVEs from JIRA ticket using CVE field from jira_field_map | |
| ticket_cve_field = issue.get_field(jira_field_map['CVE']) |
Copilot uses AI. Check for mistakes.
|
At first glance, I would have split the code into some functions for better readability and ease for testing. No time for tests now but we need to do that in the future at some point. That's also a reason we should use python more instead of bash, in my opinion. |
|
|
||
| # JIRA custom field mapping | ||
| jira_field_map = { | ||
| "summary": "summary", |
There was a problem hiding this comment.
Shouldn't this be the other way around?
Also, it's not used at all in the jr_pr_check.py script.
3 participants
This is the first start at a parse and check status of vulns in a PR.
It requires a jira url, user, token, target merge branch and the current branch name. It will look for VULNS in the CIQ header and check their LTS product versus the target branch, if they're in the correct status and if they have any time logged.
It will also make sure that the CVE's commit match the VULNS.
Please see this DRAFT PR for a test example:
ctrliq/kernel-src-tree#615 (comment)
After merging this I will fixup the checkout of this temp branch before submitting this to the each of the branches
ctrliq/kernel-src-tree@487b0da
Note this was all ClaudeCode generated iteratively, locally tested and tested with failure conditions in the above draft PR