Add servicing version diff query to metrics.md

richlander · claude · richlander · commit 26dc2ff74f9a · 2025-12-03T11:50:25.000-08:00
Add query comparing hal-index vs releases-index for calculating the diff between two servicing versions (e.g., 8.0.15 to 8.0.22). The query demonstrates: - Configurable parameters (major version, patch range, severity filter) - CVE severity filtering (CRITICAL, HIGH, MEDIUM, LOW threshold) - Affected products aggregation across the version range - Time gap calculation (days/months behind) The hal-index query is ~15x smaller (~80 KB vs 1,220 KB) and provides severity and affected products data that releases-index cannot offer. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/release-notes/queries/metrics.md b/release-notes/queries/metrics.md
@@ -455,6 +455,7 @@ done | sort -u
 | CVE details (severity, fixes) | ✅ | ❌ | — |
 | Timeline navigation | ✅ | ❌ | — |
 | SDK-first navigation | ✅ | ❌ | — |
+| Version diff (severity, products) | ✅ | ⚠️ Partial | 15x smaller |
 
 ## Cache Coherency
 
@@ -484,6 +485,236 @@ Result: Each file is a consistent snapshot
 
 The HAL `_embedded` pattern ensures that any data referenced within a document is included in that document. There are no "dangling pointers" to data that might not exist in a cached copy of another file.
 
+### Servicing Version Diff
+
+#### Query: "What changed between .NET 8.0.15 and 8.0.22?"
+
+| Schema | Files Required | Total Transfer |
+|--------|----------------|----------------|
+| hal-index | `index.json` → `8.0/index.json` + 3 patch indexes | **~80 KB** |
+| releases-index | `releases-index.json` + `8.0/releases.json` | **1,220 KB** (partial data) |
+
+**hal-index:**
+
+This query requires two passes: first to get the release summaries, then to fetch CVE details for severity filtering and affected products.
+
+```bash
+ROOT="https://raw.githubusercontent.com/dotnet/core/release-index/release-notes/index.json"
+
+# Configuration
+MAJOR_VERSION="8.0"
+FROM_PATCH=15
+TO_PATCH=22
+SEVERITY_FILTER="CRITICAL"  # Minimum severity: CRITICAL, HIGH, MEDIUM, or LOW (all)
+
+# Step 1: Get the major version href
+VERSION_HREF=$(curl -s "$ROOT" | jq -r --arg ver "$MAJOR_VERSION" '._embedded.releases[] | select(.version == $ver) | ._links.self.href')
+
+# Step 2: Get release summaries and security release URLs
+VERSION_DATA=$(curl -s "$VERSION_HREF")
+
+# Extract security release URLs for CVE detail fetching
+SECURITY_HREFS=$(echo "$VERSION_DATA" | jq -r --argjson from "$FROM_PATCH" --argjson to "$TO_PATCH" '
+  [._embedded.releases[] |
+   select((.version | split(".")[2] | tonumber) > $from and (.version | split(".")[2] | tonumber) <= $to) |
+   select(.security) |
+   ._links.self.href] | .[]
+')
+
+# Step 3: Fetch CVE details from each security release and aggregate
+CVE_DETAILS=$(for HREF in $SECURITY_HREFS; do
+  curl -s "$HREF" | jq -c '._embedded.disclosures[]? | {id, cvss_severity, affected_products, title}'
+done | jq -s 'unique_by(.id)')
+
+# Step 4: Generate the diff report with severity-filtered CVE IDs
+echo "$VERSION_DATA" | jq -r --arg major "$MAJOR_VERSION" --argjson from "$FROM_PATCH" --argjson to "$TO_PATCH" \
+  --arg severity "$SEVERITY_FILTER" --argjson cve_details "$CVE_DETAILS" '
+  # Filter releases in range (excluding start, including end)
+  [._embedded.releases[] |
+   select((.version | split(".")[2] | tonumber) > $from and (.version | split(".")[2] | tonumber) <= $to)
+  ] as $releases |
+
+  # Filter CVEs by minimum severity
+  [$cve_details[] | select(
+    ($severity == "LOW") or
+    ($severity == "MEDIUM" and (.cvss_severity == "MEDIUM" or .cvss_severity == "HIGH" or .cvss_severity == "CRITICAL")) or
+    ($severity == "HIGH" and (.cvss_severity == "HIGH" or .cvss_severity == "CRITICAL")) or
+    ($severity == "CRITICAL" and .cvss_severity == "CRITICAL")
+  )] as $filtered_cves |
+
+  # Aggregate affected products across all CVEs
+  [$cve_details[].affected_products // [] | .[]] | unique | sort as $all_products |
+
+  {
+    from_version: "\($major).\($from)",
+    to_version: "\($major).\($to)",
+    from_date: (._embedded.releases[] | select(.version == "\($major).\($from)") | .date | split("T")[0]),
+    to_date: (._embedded.releases[] | select(.version == "\($major).\($to)") | .date | split("T")[0]),
+    total_releases: ($releases | length),
+    security_releases: ([$releases[] | select(.security)] | length),
+    non_security_releases: ([$releases[] | select(.security | not)] | length),
+    total_cves: ([$releases[].cve_records? // [] | .[]] | unique | length),
+    cve_ids: [$filtered_cves[] | .id],
+    cve_severity_filter: $severity,
+    affected_products: $all_products,
+    releases: [$releases[] | {version, date: (.date | split("T")[0]), security, cve_count}]
+  }
+'
+```
+
+**Output:**
+
+```json
+{
+  "from_version": "8.0.15",
+  "to_version": "8.0.22",
+  "from_date": "2025-04-08",
+  "to_date": "2025-11-11",
+  "total_releases": 7,
+  "security_releases": 3,
+  "non_security_releases": 4,
+  "total_cves": 5,
+  "cve_ids": [
+    "CVE-2025-55315"
+  ],
+  "cve_severity_filter": "CRITICAL",
+  "affected_products": [
+    "aspnetcore-runtime",
+    "dotnet-runtime",
+    "windowsdesktop-runtime"
+  ],
+  "releases": [
+    { "version": "8.0.22", "date": "2025-11-11", "security": false, "cve_count": 0 },
+    { "version": "8.0.21", "date": "2025-10-14", "security": true, "cve_count": 3 },
+    { "version": "8.0.20", "date": "2025-09-09", "security": false, "cve_count": 0 },
+    { "version": "8.0.19", "date": "2025-08-05", "security": false, "cve_count": 0 },
+    { "version": "8.0.18", "date": "2025-07-08", "security": false, "cve_count": 0 },
+    { "version": "8.0.17", "date": "2025-06-10", "security": true, "cve_count": 1 },
+    { "version": "8.0.16", "date": "2025-05-22", "security": true, "cve_count": 1 }
+  ]
+}
+```
+
+To include all CVEs regardless of severity:
+
+```bash
+SEVERITY_FILTER="LOW"  # LOW is the minimum, so this includes all CVEs
+```
+
+The script above outputs `from_date` and `to_date`. To calculate the time gap, pipe the output through an additional jq filter:
+
+```bash
+# Pipe the output to calculate days between versions
+... | jq -r '
+  # Parse ISO dates and calculate difference
+  ((.to_date | strptime("%Y-%m-%d") | mktime) -
+   (.from_date | strptime("%Y-%m-%d") | mktime)) / 86400 | floor as $days |
+  . + {
+    days_behind: $days,
+    months_behind: (($days / 30) | floor)
+  }
+'
+```
+
+This adds `days_behind` and `months_behind` to the output:
+
+```json
+{
+  "from_version": "8.0.15",
+  "to_version": "8.0.22",
+  "from_date": "2025-04-08",
+  "to_date": "2025-11-11",
+  "days_behind": 217,
+  "months_behind": 7,
+  ...
+}
+```
+
+**releases-index:**
+
+```bash
+ROOT="https://builds.dotnet.microsoft.com/dotnet/release-metadata/releases-index.json"
+
+# Configuration
+MAJOR_VERSION="8.0"
+FROM_PATCH=15
+TO_PATCH=22
+
+# Step 1: Get the releases.json URL for the major version
+RELEASES_URL=$(curl -s "$ROOT" | jq -r --arg ver "$MAJOR_VERSION" '.["releases-index"][] | select(.["channel-version"] == $ver) | .["releases.json"]')
+
+# Step 2: Filter releases in range and aggregate
+curl -s "$RELEASES_URL" | jq -r --arg major "$MAJOR_VERSION" --argjson from "$FROM_PATCH" --argjson to "$TO_PATCH" '
+  # Filter releases in range (excluding start, including end)
+  [.releases[] | select(
+    (.["release-version"] | split(".")[2] | tonumber) > $from and
+    (.["release-version"] | split(".")[2] | tonumber) <= $to
+  )] as $releases |
+
+  {
+    from_version: "\($major).\($from)",
+    to_version: "\($major).\($to)",
+    from_date: ([.releases[] | select(.["release-version"] == "\($major).\($from)")] | .[0] | .["release-date"]),
+    to_date: ([.releases[] | select(.["release-version"] == "\($major).\($to)")] | .[0] | .["release-date"]),
+    total_releases: ($releases | length),
+    security_releases: ([$releases[] | select(.security)] | length),
+    non_security_releases: ([$releases[] | select(.security | not)] | length),
+    total_cves: ([$releases[].["cve-list"]? // [] | .[]] | unique | length),
+    cve_ids: ([$releases[].["cve-list"]? // [] | .[] | .["cve-id"]] | unique | sort),
+    cve_severity_filter: "(not available)",
+    affected_products: "(not available)",
+    releases: [$releases[] | {
+      version: .["release-version"],
+      date: .["release-date"],
+      security,
+      cve_count: ([.["cve-list"]? // [] | .[]] | length)
+    }]
+  }
+'
+```
+
+**Output:**
+
+```json
+{
+  "from_version": "8.0.15",
+  "to_version": "8.0.22",
+  "from_date": "2025-04-08",
+  "to_date": "2025-11-11",
+  "total_releases": 7,
+  "security_releases": 3,
+  "non_security_releases": 4,
+  "total_cves": 5,
+  "cve_ids": [
+    "CVE-2025-26646",
+    "CVE-2025-30399",
+    "CVE-2025-55247",
+    "CVE-2025-55248",
+    "CVE-2025-55315"
+  ],
+  "cve_severity_filter": "(not available)",
+  "affected_products": "(not available)",
+  "releases": [
+    { "version": "8.0.22", "date": "2025-11-11", "security": false, "cve_count": 0 },
+    { "version": "8.0.21", "date": "2025-10-14", "security": true, "cve_count": 3 },
+    { "version": "8.0.20", "date": "2025-09-09", "security": false, "cve_count": 0 },
+    { "version": "8.0.19", "date": "2025-08-05", "security": false, "cve_count": 0 },
+    { "version": "8.0.18", "date": "2025-07-08", "security": false, "cve_count": 0 },
+    { "version": "8.0.17", "date": "2025-06-10", "security": true, "cve_count": 1 },
+    { "version": "8.0.16", "date": "2025-05-22", "security": true, "cve_count": 1 }
+  ]
+}
+```
+
+**Analysis:**
+
+- **Completeness:** ⚠️ Partial—the releases-index can count releases and list CVE IDs, but cannot provide CVE severity, affected products, or detailed CVE information without fetching external CVE URLs.
+- **Severity filtering:** The hal-index allows filtering `cve_ids` to specific severity levels (CRITICAL, HIGH, etc.) via the `SEVERITY_FILTER` variable, while `total_cves` always shows the complete count.
+- **Affected products:** The hal-index aggregates all affected products across the version range (e.g., `dotnet-runtime`, `aspnetcore-runtime`), enabling teams to identify which components need patching.
+- **Executive reporting:** For CIO/CTO reporting, the hal-index provides actionable data (severity-filtered CVEs, affected products) while the releases-index only provides CVE IDs that require manual lookup.
+
+**Winner:** hal-index (**15x smaller**, with CVE severity filtering and affected products)
+
 ## Summary
 
 | Metric | hal-index | releases-index |
@@ -492,6 +723,7 @@ The HAL `_embedded` pattern ensures that any data referenced within a document i
 | CVE queries (latest security patch) | 52 KB | 1,220 KB |
 | Recent CVEs (last 2 security releases) | 23 KB | 2.5 MB |
 | CVEs in last 12 months | ~90 KB | 2.5 MB |
+| Version diff with severity + products | ~80 KB | 1,220 KB (partial—no severity/products) |
 | Cache coherency | ✅ Atomic | ❌ TTL mismatch risk |
 | Query syntax | snake_case (dot notation) | kebab-case (bracket notation) |
 | Link traversal | `._links.self.href` | `.["releases.json"]` |
