Conversation

@4rivappa

@4rivappa 4rivappa commented Aug 2, 2025

Description

This update replaces the parsing logic with a regex-based approach that:

  • Matches the start of the title to avoid removing CVEs from description
  • Handles the case of multiple leading CVEs separated by commas, colons, or dashes

Resolves #145

Differences between prev JSON and newly generated JSON

diff prev.json new.json

348c348
<             "summary": "Bypass of seccomp profile enforcement ",
---
>             "summary": "Bypass of seccomp profile enforcement",
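Review bot: at 348 the only change is that the trailing space in the summary is now trimmed, which is a side effect of the new extraction rather than part of the CVE-prefix fix; worth a line in the description so readers of the generated JSON know whitespace normalisation is intended.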
790c790
<             "summary": "Bearer tokens are revealed in logs",
---
>             "summary": "TOB-K8S-001: Bearer tokens are revealed in logs",
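Review bot: at 790 the non-CVE prefix "TOB-K8S-001:" is now kept in the summary, which follows from only stripping the leading CVE block as the description states; please confirm this is the wanted output, since the old parser dropped it.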
842c842
<             "summary": "container uid changes to root after first restart or if image is already pulled to the node",
---
>             "summary": "v1.14.2, v1.13.6: container uid changes to root after first restart or if image is already pulled to the node",
855c855
<             "summary": "rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()",
---
>             "summary": "v1.12.0-v1.12.4, v1.13.0: rest.AnonymousClientConfig() does not remove the serviceaccount credentials from config created by rest.InClusterConfig()",
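Review bot: at 842 and 855 the version prefixes ("v1.14.2, v1.13.6:" and "v1.12.0-v1.12.4, v1.13.0:") are now retained because they are not CVE IDs; this matches the truncation described in the title of #145, but note the "-" inside "v1.12.0-v1.12.4" is exactly the kind of separator the regex must not treat as a CVE-block delimiter, so a test case for it would be useful.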
868c868
<             "summary": "`kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files",
---
>             "summary": "`kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files",

Exception

Raises a LookupError if the title does not start with a valid CVE block.
This will fail the whole fetch-cve-feed.sh bash script run.

Example:

Traceback (most recent call last):
  File "/workspaces/sig-security/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py", line 108, in <module>
    cve_ids, description = parse_cve_title(item['title'])
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/sig-security/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py", line 32, in parse_cve_title
    raise LookupError(f"Title does not start with CVE block: {title}")
LookupError: Title does not start with CVE block:

Updated parsing flow:
- Extracts the leading CVE block and the description.
- Parses CVEs only from the leading block.
- Raises LookupError when the leading CVE block is not found.

Signed-off-by: arivappa <4rivappa@proton.me>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 2, 2025
@k8s-ci-robot k8s-ci-robot requested review from PushkarJ and mtardy August 2, 2025 09:49
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 2, 2025

@mtardy mtardy left a comment


Hey, thanks a lot for that!!

> Exception
> Raises a LookupError if the title does not start with a valid CVE block.
> This will fail the whole fetch-cve-feed.sh bash script run.
>
> Example:
>
> Traceback (most recent call last):
>   File "/workspaces/sig-security/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py", line 108, in <module>
>     cve_ids, description = parse_cve_title(item['title'])
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/workspaces/sig-security/sig-security-tooling/cve-feed/hack/fetch-official-cve-feed.py", line 32, in parse_cve_title
>     raise LookupError(f"Title does not start with CVE block: {title}")
> LookupError: Title does not start with CVE block:

Looks nice, but if we could just warn instead of fail, since it would just be a "one entry issue", and return a non-zero error code (so that prow generates a warn email), that would be perfect.


@mtardy mtardy left a comment


/lgtm

Thanks a lot, this looks better. Tabitha updated some of the issue titles, so now the diff looks like this:

361c361
<             "summary": "Bypass of seccomp profile enforcement ",
---
>             "summary": "Bypass of seccomp profile enforcement",
881c881
<             "summary": "`kubectl:-http-cache=<world-accessible dir>` creates world-writeable cached schema files",
---
>             "summary": "`kubectl --http-cache=<world-accessible dir>` creates world-writeable cached schema files",
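Review bot: after the title updates only the whitespace trim (361) and the `kubectl --http-cache` flag (881) remain, so the regex now handles the dash inside a description; a small fixture with this title and one with multiple leading CVEs would lock that behaviour in for future changes to the parser.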

Next step would be to print to stderr information about the non_parsable_cve_list so that we can debug this further easily. Thank you!
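To make the parsing flow from the description concrete, and to show the warn-and-continue behaviour with a non-zero exit code and a stderr dump of the non-parsable list that the two review comments ask for, here is an added example. It is not the project's fetch-official-cve-feed.py; the exact regex shape and the function names are assumptions, and the sample titles use placeholder CVE IDs (CVE-2099-*) rather than real feed entries.

```python
import re
import sys

# Added example, not the project's fetch-official-cve-feed.py; the regex shape is assumed.
# A leading CVE block is one or more CVE IDs separated by commas, colons or dashes,
# followed by a colon or dash separator; everything after that is the description.
CVE_ID = r"CVE-\d{4}-\d{4,}"
LEADING_BLOCK = re.compile(
    rf"^\s*({CVE_ID}(?:\s*[,:\-]\s*{CVE_ID})*)\s*[:\-]\s*(.*)$", re.DOTALL
)
CVE_RE = re.compile(CVE_ID)


def parse_cve_title(title):
    """Return (cve_ids, description); raise LookupError when no leading CVE block."""
    m = LEADING_BLOCK.match(title)
    if not m:
        raise LookupError(f"Title does not start with CVE block: {title}")
    # Only the leading block is scanned for IDs, so CVEs mentioned in the
    # description (and colons/dashes inside it, e.g. --http-cache) survive.
    return CVE_RE.findall(m.group(1)), m.group(2).strip()


def parse_feed_titles(titles):
    """Lenient driver: warn on stderr per bad title, keep going, signal via exit code."""
    parsed, non_parsable = [], []
    for title in titles:
        try:
            parsed.append(parse_cve_title(title))
        except LookupError as err:
            non_parsable.append(title)
            print(f"WARNING: {err}", file=sys.stderr)
    if non_parsable:
        print(f"non_parsable_cve_list ({len(non_parsable)}): {non_parsable}", file=sys.stderr)
    return parsed, non_parsable, (1 if non_parsable else 0)


# Constructed sample titles with placeholder CVE IDs (CVE-2099-*), not real feed entries.
SAMPLE_TITLES = [
    "CVE-2099-0001: TOB-K8S-001: Bearer tokens are revealed in logs",
    "CVE-2099-0002, CVE-2099-0003: v1.14.2, v1.13.6: container uid changes to root",
    "CVE-2099-0004 - Bypass of seccomp profile enforcement ",
    "CVE-2099-0005: `kubectl --http-cache=<dir>` creates world-writeable cached schema files",
    "Title with no leading CVE block (mentions CVE-2099-0006 later)",
]

if __name__ == "__main__":
    parsed, bad, code = parse_feed_titles(SAMPLE_TITLES)
    print(parsed)
    sys.exit(code)  # non-zero when any title could not be parsed
```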

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 15, 2025
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 4rivappa, mtardy


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 15, 2025
@k8s-ci-robot k8s-ci-robot merged commit 5711489 into kubernetes:main Aug 15, 2025
2 checks passed


Development

Successfully merging this pull request may close these issues.

Official CVE Feed truncating issue titles with multiple : or -
