Message ID: 20231122070121.326276-1-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
Series: Enable CVE check in isar-cip-core CI
On 22.11.23 15:01, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
>
> This series of patches enables CVE check in isar-cip-core CI by extracting
> the latest dpkg-status files of deployed targets in aws s3 bucket. A weekly
> scheduled pipeline runs a cve-checks job which generates CVE reports of respective
> targets by using the cve_checker.py script in debian-cve-checker repository [1].
>

I understand the scripts and that they can be useful at the point where you are actually instantiating an image. However, I'm not yet sure I'm getting the idea behind doing that test for a more or less random snapshot every weekend. Can you elaborate on that?

BTW, patch ordering is then wrong because patch 1 uses scripts that are only introduced by later patches.

Thanks,
Jan
Hi Jan,

Sorry for the delayed response.

The idea behind this series of patches is to maintain the latest copy of cve-reports for the deployed targets in an s3 location throughout the development cycle. Hence we are not focused on getting cve-reports for a particular snapshot. It is unknown when a new package will be added or existing ones will be removed during the development phase, so we are just generating and maintaining a copy of cve-reports for random snapshots on a weekly schedule.

Please confirm if you are convinced with my explanation. If you are OK with it, I will re-order the patches based on previous review comments and send it for review.

Thanks and Regards,
Sai Ashrith

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka via lists.cip-project.org
Sent: Friday, November 24, 2023 12:46 PM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core v1 0/3] Enable CVE check in isar-cip-core CI

On 22.11.23 15:01, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
>
> This series of patches enables CVE check in isar-cip-core CI by
> extracting the latest dpkg-status files of deployed targets in aws s3
> bucket. A weekly scheduled pipeline runs a cve-checks job which
> generates CVE reports of respective targets by using the cve_checker.py script in debian-cve-checker repository [1].
>

I understand the scripts and that they can be useful at the point where you are actually instantiating an image. However, I'm not yet sure I'm getting the idea behind doing that test for a more or less random snapshot every weekend. Can you elaborate on that?

BTW, patch ordering is then wrong because patch 1 uses scripts that are only introduced by later patches.

Thanks,
Jan

--
Siemens AG, Technology
Linux Expert Center
Hi Sai Ashrith-san,

On 01.12.23 19:18, Sai.Sathujoda@toshiba-tsip.com wrote:
> Hi Jan,
>
> Sorry for the delayed response.
>
> The idea behind this series of patches is to maintain the latest copy of cve-reports for the deployed targets in an s3 location throughout the development cycle. Hence we are not focused on getting cve-reports for a particular snapshot. It is unknown when a new package will be added or existing ones will be removed during the development phase, so we are just generating and maintaining a copy of cve-reports for random snapshots on a weekly schedule.
>

What is a development cycle in this context? And who would use these reports, and what would that usage look like?

> Please confirm if you are convinced with my explanation. If you are OK with it, I will re-order the patches based on previous review comments and send it for review.

Sorry, I'm not yet getting the idea, but that may be my fault. I'd like to understand how the reports can help to make sure we are including them optimally - and can explain their usage to others as well.

Best regards,
Jan

>
> Thanks and Regards,
> Sai Ashrith
>
> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka via lists.cip-project.org
> Sent: Friday, November 24, 2023 12:46 PM
> To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [cip-dev] [isar-cip-core v1 0/3] Enable CVE check in isar-cip-core CI
>
> On 22.11.23 15:01, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
>>
>> This series of patches enables CVE check in isar-cip-core CI by
>> extracting the latest dpkg-status files of deployed targets in aws s3
>> bucket. A weekly scheduled pipeline runs a cve-checks job which
>> generates CVE reports of respective targets by using the cve_checker.py script in debian-cve-checker repository [1].
>>
>
> I understand the scripts and that they can be useful at the point where you are actually instantiating an image. However, I'm not yet sure I'm getting the idea behind doing that test for a more or less random snapshot every weekend. Can you elaborate on that?
>
> BTW, patch ordering is then wrong because patch 1 uses scripts that are only introduced by later patches.
>
> Thanks,
> Jan
>
> --
> Siemens AG, Technology
> Linux Expert Center
>
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

This series of patches enables CVE check in isar-cip-core CI by extracting
the latest dpkg-status files of deployed targets in aws s3 bucket. A weekly
scheduled pipeline runs a cve-checks job which generates CVE reports of respective
targets by using the cve_checker.py script in debian-cve-checker repository [1].

[1] https://gitlab.com/cip-playground/debian-cve-checker

Sai Sathujoda (3):
  .gitlab-ci.yml: Add cve-check stage in CI
  scripts/deploy-cip-core.sh: Upload dpkg-status file to aws s3 bucket
  scripts/run-cve-checks.sh: Add script to generate CVE report

 .gitlab-ci.yml             | 12 +++++++++++-
 scripts/deploy-cip-core.sh | 15 ++++++++++++++
 scripts/run-cve-checks.sh  | 40 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100755 scripts/run-cve-checks.sh
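The pipeline the cover letter describes reduces to one matching step: take the dpkg-status file of a deployed target (the list of installed binary packages and their versions), map each package to its source package, and compare the installed version against per-release CVE data. The block below is an added example written for this page; it is not code from isar-cip-core or from the debian-cve-checker repository and does not claim to reproduce what cve_checker.py does. It assumes tracker data shaped like the Debian security tracker's JSON export (source package, then CVE id, then a "releases" map with a status and, when resolved, a fixed_version); the package names, versions and CVE ids in the sample input are constructed placeholders, and the Debian version ordering is reimplemented here so the example runs offline without dpkg.

```python
# Added example, not code from isar-cip-core or debian-cve-checker: the core of a
# dpkg-status based CVE check. Names, CVE ids and tracker data are constructed; the
# tracker layout is an assumed approximation of the Debian security tracker's JSON export.
import re

def _order(c: str) -> int:
    """dpkg character weight: '~' < end of string < letters < other characters."""
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256 if c else 0

def _verrevcmp(a: str, b: str) -> int:
    """dpkg ordering of one version part: alternate non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

_VERSION_RE = re.compile(r"^(?:(\d+):)?(.+?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]
def dpkg_vercmp(v1: str, v2: str) -> int:
    """Negative if v1 < v2, 0 if equal, positive if v1 > v2, in dpkg's ordering."""
    (e1, u1, r1), (e2, u2, r2) = (_VERSION_RE.match(v).groups() for v in (v1, v2))
    e1, e2 = int(e1 or 0), int(e2 or 0)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1 or "", r2 or "")

def parse_dpkg_status(text: str):
    """Yield (binary package, source package, version) for installed packages only."""
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:  # skip folded continuation lines
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields.get("Status") != "install ok installed":
            continue  # removed or config-files-only packages carry no code to match
        source = fields.get("Source", fields["Package"]).split(" ")[0]  # "src (ver)" -> "src"
        yield fields["Package"], source, fields["Version"]

def cve_report(status_text: str, tracker: dict, release: str) -> list:
    """CVEs still applying to the installed set: 'open' entries, and 'resolved' entries
    whose fixed_version is newer than the installed version."""
    findings = []
    for pkg, source, version in parse_dpkg_status(status_text):
        for cve, info in tracker.get(source, {}).items():
            rel = info.get("releases", {}).get(release, {})
            fixed = rel.get("fixed_version")
            if rel.get("status") == "open" or (
                rel.get("status") == "resolved" and fixed and dpkg_vercmp(version, fixed) < 0
            ):
                findings.append({"package": pkg, "version": version, "cve": cve, "fixed_version": fixed})
    return sorted(findings, key=lambda f: (f["package"], f["cve"]))

# Constructed sample input in /var/lib/dpkg/status format (not taken from a real target).
SAMPLE_STATUS = """\
Package: libfoo1
Status: install ok installed
Source: libfoo (2.4.0)
Version: 1:2.4.0-1

Package: bar-tools
Status: install ok installed
Version: 0.9~rc1-2

Package: baz
Status: deinstall ok config-files
Version: 3.0-1
"""
# Constructed tracker data; the CVE-0000-* ids are placeholders and cannot be real.
SAMPLE_TRACKER = {
    "libfoo": {
        "CVE-0000-0001": {"releases": {"bookworm": {"status": "resolved", "fixed_version": "1:2.4.1-1"}}},
        "CVE-0000-0002": {"releases": {"bookworm": {"status": "resolved", "fixed_version": "1:2.3.0-1"}}},
    },
    "bar-tools": {"CVE-0000-0003": {"releases": {"bookworm": {"status": "open"}}}},
    "baz": {"CVE-0000-0004": {"releases": {"bookworm": {"status": "open"}}}},
}
if __name__ == "__main__":
    for f in cve_report(SAMPLE_STATUS, SAMPLE_TRACKER, "bookworm"):
        print(f"{f['package']} {f['version']}: {f['cve']} (fixed in {f['fixed_version'] or 'no fix yet'})")
```

Two details matter for a check like this to be trustworthy. The version comparison has to follow dpkg's rules rather than plain string order, otherwise 1.2.10 is judged older than 1.2.9 and 1.0~rc1 newer than 1.0, which produces both false positives and missed findings; and the report only describes the exact dpkg-status snapshot it was generated from, so the snapshot's identity (target, date, commit) should be recorded next to the report when it is stored.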