Skip to content

CVE Feed: Handle recoverable errors #154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 15, 2025
Merged

CVE Feed: Handle recoverable errors #154

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
18b1332
propagate python return code through shell to Prow
tabbysable Aug 15, 2025
a070cb5
Add quotes around early exit argument
tabbysable Aug 15, 2025
dd41219
Many little unimportant changes for uniformity and defensive shell co…
tabbysable Aug 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 31 additions & 16 deletions sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ set -o pipefail
# name of the output file
OUTPUT_FILE=official-cve-feed.json

# value to return at end of script
RETURN_VALUE=0

# install python-pip3
apt-get update
apt-get install -y python3-pip
Expand All @@ -28,8 +31,20 @@ apt-get install -y python3-pip
pip3 install requests

# python script to generate official-cve-feed.json
# tee duplicates the output from the script to stdout for logs and the JSON file
python3 fetch-official-cve-feed.py | tee $OUTPUT_FILE
python3 fetch-official-cve-feed.py > "${OUTPUT_FILE}"
EXIT_CODE=$?
if [[ "${EXIT_CODE}" -ne 0 ]]; then
RETURN_VALUE=${EXIT_CODE}
fi

# make the prow job logs always helpful
cat "${OUTPUT_FILE}"

# python returns 7 to indicate recoverable errors
# Exit bash script now if unrecoverable python error
if [[ "${EXIT_CODE}" -ne 0 ]] && [[ "${EXIT_CODE}" -ne 7 ]]; then
exit "${RETURN_VALUE}"
fi

# function to calculate the hash value of official-cve-feed.json
calculate_hash(){
Expand All @@ -46,33 +61,33 @@ calculate_hash(){
# check if official-cve-feed.json blob exists in the bucket
set -e
EXIT_CODE=0
gsutil ls gs://k8s-cve-feed/$OUTPUT_FILE >/dev/null 2>&1 || EXIT_CODE=$?
gsutil ls "gs://k8s-cve-feed/${OUTPUT_FILE}" >/dev/null 2>&1 || EXIT_CODE=$?

# fetch the hash value of existing official-cve-feed.json json, if differs then
# upload the new cve feed data to the existing blob.
if [[ $EXIT_CODE -eq 1 ]]; then
gsutil cp $OUTPUT_FILE gs://k8s-cve-feed
calculate_hash $OUTPUT_FILE > cve-feed-hash
if [[ "${EXIT_CODE}" -eq 1 ]]; then
gsutil cp "${OUTPUT_FILE}" gs://k8s-cve-feed
calculate_hash "${OUTPUT_FILE}" > cve-feed-hash
echo "$(<cve-feed-hash )"
gsutil cp cve-feed-hash gs://k8s-cve-feed
else
echo "Downloading the old hash blob from gcs bucket"
gsutil cp gs://k8s-cve-feed/cve-feed-hash cve-feed-hash
hash=$(<cve-feed-hash )
echo "old hash value: $hash"
echo "old hash value: ${hash}"
echo "Calculate the new hash value of json feed"
new_hash=$(calculate_hash $OUTPUT_FILE)
echo "new hash value : $new_hash "
printf "$new_hash" > cve-feed-hash
new_hash=$(calculate_hash "${OUTPUT_FILE}")
echo "new hash value : ${new_hash}"
echo "${new_hash}" > cve-feed-hash

if [[ $hash == $new_hash ]]; then
printf "Both the hashes have identical contents"
if [[ "${hash}" == "${new_hash}" ]]; then
echo "Both the hashes have identical contents"
else
printf "Both the hash value differ \n"
echo "Uploading the new json feed and hash value to gcs bucket \n"
gsutil cp $OUTPUT_FILE gs://k8s-cve-feed
echo "Both the hash value differ"
echo "Uploading the new json feed and hash value to gcs bucket"
gsutil cp "${OUTPUT_FILE}" gs://k8s-cve-feed
gsutil cp cve-feed-hash gs://k8s-cve-feed/cve-feed-hash
fi
fi


exit "${RETURN_VALUE}"