[CKC] Add CVE verification with --check-cves option #33
✅ Snyk checks have passed. No issues have been found so far.
Pull Request Overview
This pull request adds CVE verification functionality to the kernel commit checker, allowing validation that CVE references in PR commit messages correctly match their upstream counterparts. The change enables cross-referencing with the kernel vulnerabilities database to detect mismatched, missing, or invalid CVE assignments.
Key changes:
- Adds --check-cves flag to enable CVE validation against the vulnerabilities database
- Implements automatic cloning/updating of the kernel vulns repository
- Integrates CVE information into existing bugfix detection output
Force-pushed: 15e9a3a to 00cab6a
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Force-pushed: 00cab6a to da974d3
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
```python
def extract_cve_from_message(msg):
    """Extract CVE reference from commit message. Returns CVE ID or None.
    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
```
Copilot (AI), Oct 14, 2025
[nitpick] The docstring example uses CVE-2025-12345 which appears to be a future year. Consider using a more realistic example like CVE-2024-12345 or CVE-2023-12345.
Suggested change:
```diff
-    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
+    Only matches 'cve CVE-2024-12345', ignores 'cve-bf' and 'cve-pre' variants."""
```
The future is now, Copilot! It's 2025!
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
```python
def extract_cve_from_message(msg):
    """Extract CVE reference from commit message. Returns CVE ID or None.
    Only matches 'cve CVE-2025-12345', ignores 'cve-bf' and 'cve-pre' variants."""
    match = re.search(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
```
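Review bot: the negative lookbehind `(?<!\S)` already rejects a preceding non-space character, so 'somecve CVE-2025-12345' does not match under the current pattern; what excludes the 'cve-bf' and 'cve-pre' variants is the `\s+` that follows `cve`, not the lookbehind. Switching to `\bcve\s+` is not a pure clarity change: `\b` treats punctuation as a boundary, so strings like 'foo.cve CVE-2025-12345' or '(cve CVE-2025-12345' would start matching where they currently do not. Either keep the lookbehind and state in the docstring that the tag must start a line or follow whitespace, or decide deliberately that punctuation-preceded tags should match. Separately, `re.IGNORECASE` means the captured group can come back as lower-case 'cve-2025-12345'; normalising the returned ID (for example with `.upper()`) before it is used as a key would keep the vulnerabilities-database lookup from silently missing an entry.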
Copilot (AI), Oct 14, 2025
The regex pattern uses a negative lookbehind (?<!\S) but the docstring mentions it ignores 'cve-bf' and 'cve-pre' variants. The current pattern would still match 'cve CVE-2025-12345' in 'somecve CVE-2025-12345'. Consider using word boundaries \bcve\s+ for clearer intent.
Suggested change:
```diff
-    match = re.search(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
+    match = re.search(r'\bcve\s+(CVE-\d{4}-\d+)', msg, re.IGNORECASE)
```
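As an added example (not the checker's own code and not part of this PR), the two patterns debated in the review run side by side over constructed commit-message trailers, so the cases where they agree and the ones where they differ can be checked directly. The `.upper()` normalisation of the returned ID is an addition of this example, assumed useful because the vulnerabilities-database lookup needs a canonical key.

```python
import re

# The pattern in the PR (negative lookbehind) and the reviewer's proposed
# replacement (word boundary), compiled once so both can be tried on each input.
LOOKBEHIND = re.compile(r'(?<!\S)cve\s+(CVE-\d{4}-\d+)', re.IGNORECASE)
WORD_BOUNDARY = re.compile(r'\bcve\s+(CVE-\d{4}-\d+)', re.IGNORECASE)


def extract_cve(msg, pattern=LOOKBEHIND):
    """Return the CVE ID named on a 'cve CVE-YYYY-NNNN' trailer, or None.

    The ID is upper-cased (an addition of this example): IGNORECASE lets a
    lower-case 'cve-2024-12345' match, and a database keyed by the canonical
    upper-case ID would otherwise miss it.
    """
    m = pattern.search(msg)
    return m.group(1).upper() if m else None


# Constructed sample trailers (not real commits); the CVE number is made up.
SAMPLES = {
    "plain":         "cve CVE-2024-12345",
    "lowercase":     "cve cve-2024-12345",
    "bf_variant":    "cve-bf CVE-2024-12345",
    "pre_variant":   "cve-pre CVE-2024-12345",
    "glued_prefix":  "somecve CVE-2024-12345",
    "dot_prefix":    "foo.cve CVE-2024-12345",
    "parenthesized": "(cve CVE-2024-12345)",
    "multiline":     "net: fix a thing\n\ncve CVE-2024-12345\nSigned-off-by: A <a@example.com>",
}


def compare_patterns(samples=SAMPLES):
    """Map each sample name to (lookbehind result, word-boundary result).

    Equal tuples show where the two patterns agree; the punctuation-prefixed
    samples are the ones where only the word-boundary pattern matches.
    """
    return {
        name: (extract_cve(text, LOOKBEHIND), extract_cve(text, WORD_BOUNDARY))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, (lb, wb) in compare_patterns().items():
        print(f"{name:14} lookbehind={lb!s:15} word_boundary={wb}")
```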
Adds ability to verify that CVE references in PR commit messages correctly match the upstream commits they reference. Uses the kernel vulnerabilities database to cross-check CVE assignments against upstream commit hashes.
The --check-cves flag enables validation that detects three error conditions: mismatched CVE assignments between PR and upstream commits, CVE references to upstream commits with no CVE assignment, and failures accessing the vulnerabilities database. Output format matches existing checker patterns with support for both plain text and markdown modes.
Here is an example GitHub comment from this code:
ctrliq/kernel-src-tree#616 (comment)
This was written by Claude BTW.