
Collect existing fix commits for project-kb #1987


Open
ziadhany wants to merge 2 commits into aboutcode-org:main
base: main
Choose a base branch
Loading
from ziadhany:kb-commits

Conversation

@ziadhany ziadhany (Collaborator) commented Aug 25, 2025 (edited)

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Add a test for the ProjectKB importer and collect fix commits pipeline.
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany ziadhany requested review from TG1999 and keshav-space and removed request for keshav-space October 15, 2025 14:50
@keshav-space keshav-space (Member) left a comment

Thanks @ziadhany, see some suggestions.

if not commit_id or not repo_url:
continue

commit_url = repo_url.replace(".git", "") + "/commit/" + commit_id
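Review bot: `repo_url.replace(".git", "")` on the last line removes every occurrence of ".git" in the URL, not only a trailing suffix, so a repository whose name contains ".git" (for example a `*.github.io` pages repo) gets a mangled link; strip only the suffix, e.g. `repo_url.removesuffix(".git")`, and since the `/commit/` path is GitHub-specific, check the host before building the URL so that a non-GitHub `repo_url` is skipped rather than turned into a bogus reference.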
@keshav-space keshav-space Oct 17, 2025

This path is only valid for GitHub repos; are we sure we only have GitHub repos in the Project KB advisory?

@ziadhany ziadhany (Collaborator, Author)

Yes, Project KB Advisory is just one GitHub repository.
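The exchange above turns on two details of building a commit URL from the data ProjectKB provides: the `/commit/` path only exists on some hosting sites, and the `.git` suffix must be stripped without touching `.git` elsewhere in the repository name. The following is an added example, not code from this pull request or from the aboutcode-org project; `build_commit_url`, `normalize_repo_url`, `is_plausible_commit_id` and the `FORGE_COMMIT_PATHS` table are assumptions constructed for illustration, and the host table can be extended if other forges appear in the data.

```python
import re
from urllib.parse import urlsplit

# Hosts whose web UI exposes a single commit under a known path.
# Constructed for this example; the pipeline in the PR only needs GitHub.
FORGE_COMMIT_PATHS = {
    "github.com": "/commit/",
    "gitlab.com": "/-/commit/",
}

# A Git object id is 7 to 40 hex digits (abbreviated or full SHA-1).
COMMIT_ID_RE = re.compile(r"[0-9a-fA-F]{7,40}")


def is_plausible_commit_id(commit_id):
    """Reject ids that are empty or contain anything but hex digits."""
    return bool(commit_id) and COMMIT_ID_RE.fullmatch(commit_id) is not None


def normalize_repo_url(repo_url):
    """Strip whitespace, a trailing slash and ONLY a trailing '.git'.

    str.replace('.git', '') would also eat the '.git' inside names such as
    'foo.github.io', which is why the suffix is removed explicitly.
    """
    url = repo_url.strip().rstrip("/")
    if url.endswith(".git"):
        url = url[: -len(".git")]
    return url


def build_commit_url(repo_url, commit_id):
    """Return the web URL of a fix commit, or None when it cannot be built safely.

    None is returned for missing inputs, an implausible commit id, or a host
    for which the commit path layout is not known, so the caller skips the
    record instead of storing a reference that points nowhere.
    """
    if not repo_url or not is_plausible_commit_id(commit_id):
        return None
    url = normalize_repo_url(repo_url)
    host = urlsplit(url).hostname
    if host is None:
        return None
    commit_path = FORGE_COMMIT_PATHS.get(host.lower())
    if commit_path is None:
        return None
    return f"{url}{commit_path}{commit_id}"


if __name__ == "__main__":
    # Constructed sample rows in the shape (repository, commit) that a
    # fix-commit database provides alongside a CVE id.
    samples = [
        ("https://github.com/example/project.git", "0123456abcdef"),
        ("https://github.com/example/example.github.io.git", "deadbeef"),
        ("https://git.example.org/mirror/project.git", "deadbeef"),
        ("https://github.com/example/project", "not-a-sha"),
    ]
    for repo, sha in samples:
        print(repo, sha, "->", build_commit_url(repo, sha))
```

Records for which `build_commit_url` returns `None` should be counted and logged rather than silently dropped, so a change in the upstream data (a new host, a malformed id) shows up in the pipeline's statistics.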

Comment on lines +54 to +56
advisories = AdvisoryV2.objects.filter(advisory_id__in=vuln_ids).prefetch_related(
"impacted_packages__affecting_packages"
)
@keshav-space keshav-space Oct 17, 2025

We do not want to merge the advisory info coming from different sources.

for impact in advisory.impacted_packages.all():
for pkg in impact.affecting_packages.all():
codefixes.append(
CodeFixV2(
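Review bot: the inner loop appends a new `CodeFixV2` for every affecting package of every impacted package without, as far as these lines show, checking whether a fix record for the same commit and package already exists, so re-running the pipeline would keep adding duplicate rows; look up the existing record before appending, or deduplicate `codefixes` on (commit URL, package) before saving.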
@keshav-space keshav-space Oct 17, 2025

IMHO we should treat this as an advisory and update impact_package model to hold the fixed and affecting commit.

@ziadhany ziadhany (Collaborator, Author) Oct 20, 2025 (edited)

The main issue is how to relate a fix commit to an impacted package.
A large portion of existing fix-commit databases only provide the CVE-XXXX, the Git commit, and the repository.

IMHO, we should have an advisory, but the code fix should be considered as a reference URL, with an optional relation to the impacted packages, since we don't know which version or package (purl) is going to be impacted by this commit.


Reviewers

@keshav-space keshav-space keshav-space requested changes

@TG1999 TG1999 Awaiting requested review from TG1999

Requested changes must be addressed to merge this pull request.
