Conversation

@alex-ter alex-ter commented Jan 5, 2026

EDIT:

I think I've found all the necessary pieces of the puzzle and it all essentially boils down to fixing/adjusting the --filter-triage switch logic: take the Mitigated remark into account, and update the product CVE tally.

With these corrections, the tool's exit status is now correctly reflecting the triaged CVEs, and the test_requirements.py can be adjusted to get rid of those custom/disabled pieces.

This change is useful beyond that test, so is still meaningful even in view of its potential removal as described in #4294.

Tested this manually by including a dependency with a CVE, and triaging it using the TRIAGE.json.

Let me know what you think.

Original PR description follows for context, but it's less relevant now; the above covers it.


The test_requirements.py test used a custom logic block to implement what is essentially the --filter-triage switch now, with one minor difference - the Mitigated part was omitted from the latter.

Add Mitigated to the filter-triage list, and use the switch in the test.

I've stumbled upon this while reviewing #5465 and a commented out piece mentioning #1752 caught my attention, so I went down the rabbit hole.

That one is still open and I need to gather more information to open either a proposed PR or an issue to discuss it first. There's certainly some logic duplication and discrepancy, and the exit status is still not 0 when all CVEs are marked as mitigated/inapplicable, even though #1752 is closed by now.

While investigating the above I realized we can (and I think - should) get rid of that custom logic block in the test, now that we have a native feature for that. That required an adjustment in the filtering logic itself, but I think Mitigated makes sense in that list - let me know what you think.

@alex-ter alex-ter changed the title feat: add Mitigated to --filter-triage logic, update the requirements test feat: add Mitigated to --filter-triage logic, update the reqs test Jan 5, 2026
@alex-ter alex-ter force-pushed the use-filter-triage-in-test-reqs branch from 7911b64 to 91e3214 Compare January 5, 2026 21:33
alex-ter commented Jan 5, 2026

EDIT: this comment is less relevant now, left here for the context and capturing the chain of thought. See the PR description following the "EDIT" remark for the most up-to-date information.


Hmm, thinking more about it, this is probably WIP material, as having this change without fixing that status code logic and uncommenting the assert related to that in the test leaves us with one that doesn't have any asserts and therefore is not doing its thing properly.

Ok then, let's use it as the discussion vehicle - please let me know what you think about that filtering logic addition (Mitigated) and whether you think the direction makes sense here, assuming we'll correct the return status piece.

BTW, that logic block I've removed from the test doesn't fully work anyway - those remarks end up in the output JSON without spaces actually (e.g., NotAffected, not Not Affected), so even if we wanted to keep this logic without uncommenting the return code-based assert, the right way would be to canonicalize the loaded Remarks into the enum proper for comparison (I've tested that while exploring this).

@alex-ter alex-ter changed the title feat: add Mitigated to --filter-triage logic, update the reqs test [WIP, comments welcome] feat: add Mitigated to --filter-triage logic, update the reqs test Jan 5, 2026
@alex-ter alex-ter marked this pull request as draft January 6, 2026 12:37
@alex-ter alex-ter force-pushed the use-filter-triage-in-test-reqs branch from a291f22 to 2d94d59 Compare January 6, 2026 18:51
@alex-ter alex-ter changed the title [WIP, comments welcome] feat: add Mitigated to --filter-triage logic, update the reqs test fix(filter-triage logic): include Mitigated, update the products tally Jan 6, 2026
@alex-ter alex-ter marked this pull request as ready for review January 6, 2026 19:06
alex-ter commented Jan 6, 2026

I believe this is now ready for review. Adjusted the PR description with the final conclusions, leaving the old one in place for context.

Please let me know what you think.

Adjust the --filter-triage switch logic to:

    * Account for the Mitigated remark in addition to NotAffected and
      FalsePositive, to align with other places doing similar filtering.
    * Properly update the products_{with,without}_cve after filtering to
      e.g., provide a proper cve-bin-tool exit code.

These changes add the missing pieces of the logic in general and in
particular allow removing the custom filtering block in the
test_requirements.py test and re-enabling the assert checking the
cve-bin-tool's exit status by simply using the filter-triage switch.

Signed-off-by: Alex T. <frozen.and.blue@gmail.com>
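The filtering that the PR description and the commit message above lay out, as an added example that is not cve-bin-tool's own code: canonicalize the loaded remark (the spacing mismatch noted in the second comment, "Not Affected" vs "NotAffected"), drop findings remarked NotAffected, FalsePositive or Mitigated, recompute the with/without-CVE product tally, and derive the exit status from it. The Remarks enum, the CVE record shape, the triage mapping and the exit-code convention are assumptions, not the project's API.

```python
# Added example, not cve-bin-tool's own code: --filter-triage as the page describes it.
from enum import Enum

class Remarks(Enum):
    # Hypothetical stand-in for the tool's Remarks enum; member names
    # follow the remark names quoted on the page.
    NewFound = 1
    Unexplored = 2
    Confirmed = 3
    Mitigated = 4
    FalsePositive = 5
    NotAffected = 6

# Remarks hidden by --filter-triage; Mitigated is the addition the PR makes.
FILTERED = frozenset({Remarks.NotAffected, Remarks.FalsePositive, Remarks.Mitigated})

def canonicalize_remark(raw):
    """Map "Not Affected", "NotAffected" or "not_affected" onto the enum so a
    comparison never depends on how the remark was spelled in the JSON."""
    if isinstance(raw, Remarks):
        return raw
    key = "".join(ch for ch in str(raw) if ch.isalnum()).lower()
    for member in Remarks:
        if member.name.lower() == key:
            return member
    raise ValueError(f"unknown triage remark: {raw!r}")

def filter_triage(cves, triage):
    """Drop findings whose remark is in FILTERED. `cves` are dicts with
    'product' and 'cve_number'; `triage` maps cve_number -> remark string
    (a TRIAGE.json-like mapping; both shapes are constructed here)."""
    return [c for c in cves
            if canonicalize_remark(triage.get(c["cve_number"], Remarks.NewFound))
            not in FILTERED]

def product_tally(cves, remaining):
    """Recompute products_with_cve / products_without_cve after filtering;
    the exit status follows from whether anything is still 'with' a CVE."""
    with_cve = {c["product"] for c in remaining}
    without_cve = {c["product"] for c in cves} - with_cve
    return sorted(with_cve), sorted(without_cve), 1 if with_cve else 0

# Constructed sample: three findings, all triaged away, one in spaced form.
SAMPLE_CVES = [{"product": "libfoo", "cve_number": "CVE-0000-0001"},
               {"product": "libfoo", "cve_number": "CVE-0000-0002"},
               {"product": "libbar", "cve_number": "CVE-0000-0003"}]
SAMPLE_TRIAGE = {"CVE-0000-0001": "Not Affected",
                 "CVE-0000-0002": "Mitigated",
                 "CVE-0000-0003": "FalsePositive"}
```

With the sample input every finding is filtered, both products land in the without-CVE set and the status is 0; flipping one remark to Confirmed keeps that finding, moves its product back to the with-CVE set and makes the status non-zero.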
@alex-ter alex-ter force-pushed the use-filter-triage-in-test-reqs branch from 2d94d59 to eec4059 Compare January 6, 2026 19:11