[Git][security-tracker-team/security-tracker][master] 5 commits: lts-cve-triage: bookworm is oldstable now
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Tue Aug 12 22:54:36 BST 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9285fe1f by Sylvain Beucler at 2025-08-12T23:54:30+02:00
lts-cve-triage: bookworm is oldstable now
- - - - -
a0f2bd39 by Sylvain Beucler at 2025-08-12T23:54:30+02:00
lts-cve-triage: from_elts: clarify annotation
- - - - -
d58b9ebe by Sylvain Beucler at 2025-08-12T23:54:30+02:00
bin/tracker_data.py: debug help
- - - - -
a007ae67 by Sylvain Beucler at 2025-08-12T23:54:30+02:00
bin/tracker_data.py: properly sort CVEs, as in the web tracker
- - - - -
be0dd31f by Sylvain Beucler at 2025-08-12T23:54:30+02:00
lts-cve-triage: to_forward: annotate non-actionable items
- - - - -
2 changed files:
- bin/lts-cve-triage.py
- bin/tracker_data.py
Changes:
=====================================
bin/lts-cve-triage.py
=====================================
@@ -29,6 +29,7 @@ import setup_paths
import sys
import argparse
import collections
+import functools
import re
from apt_pkg import version_compare
@@ -122,7 +123,13 @@ limited_re = re.compile('|'.join(limited))
secupdate_re = re.compile(r'deb\d+u\d+$')
-pu_expected = PointUpdateParser.parseNextPointUpdateStable()
+if config.get_release_alias(RELEASES['next_lts']) == 'stable':
+ pu_expected = PointUpdateParser.parseNextPointUpdateStable()
+elif config.get_release_alias(RELEASES['next_lts']) == 'oldstable':
+ pu_expected = PointUpdateParser.parseNextOldstablePointUpdate()
+else:
+ print("Error: {} is neither stable nor oldstable".format(RELEASES['next_lts']))
+ raise SystemExit(1)
def add_to_list(key, pkg, cve, annotation=''):
assert key in [l[0] for l in LIST_NAMES]
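Review bot: The fallback branch prints its error with `print(...)`, so the message goes to stdout and mixes with the triage report when output is piped or redirected. `sys` is already imported in this file, so `sys.exit("Error: {} is neither stable nor oldstable".format(RELEASES['next_lts']))` would write it to stderr and still exit non-zero. The alias is also looked up twice. Binding it once, `next_lts_alias = config.get_release_alias(RELEASES['next_lts'])`, keeps the two comparisons from drifting apart. Failing closed on an unexpected alias is the right call, because a wrong `pu_expected` would silently change which CVEs are filtered further down.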
@@ -152,7 +159,10 @@ for pkg in tracker.iterate_packages():
and (status_in_next_lts.status not in ('resolved', 'not-affected')
and (status_in_next_lts.status != 'ignored' or issue.data['releases'].get(RELEASES['next_lts'], {}).get('nodsa_reason', 'ignored') != 'ignored'))
and issue.name not in pu_expected):
- add_to_list('to_forward', pkg, issue)
+ note = ''
+ if status_in_next_lts.status == 'open':
+ note += ' [wf secteam triage]'
+ add_to_list('to_forward', pkg, issue, note)
if status_in_lts.status in ('not-affected', 'resolved'):
continue
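Review bot: The new tag `' [wf secteam triage]'` relies on the abbreviation "wf", which nothing in the hunk explains; I read it as "waiting for", but a reader of the report has to guess. Either spell it out in the string or add a comment above the check, for example `# still 'open' in next_lts: the security team has not triaged it yet, so there is nothing to forward for now`. Because `note` only ever receives this one value, `note = ' [wf secteam triage]' if status_in_next_lts.status == 'open' else ''` says the same in one line. The enclosing condition and loop start outside the hunk.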
@@ -220,7 +230,7 @@ for pkg in tracker_elts.iterate_packages():
and status_in_lts.urgency != 'unimportant'):
annotation = issue.data['releases'][RELEASES['lts']]['nodsa_reason']
if not is_next_lts_fix_explicit(issue):
- annotation += ' [{next_lts} fix from unstable]'.format(**RELEASES)
+ annotation += ' [{next_lts} fixed via unstable]'.format(**RELEASES)
add_to_list('from_elts', pkg, issue, annotation)
@@ -241,7 +251,8 @@ for key, desc in LIST_NAMES:
colored('{}source-package/{}'.format(TRACKER_LINK_URL, pkg), 'blue'),
))
nb_issues = 0
- for (cve, annotation) in sorted(lists[key][pkg], key=lambda x: x[0].name):
+ versionrsort = functools.cmp_to_key(lambda a, b: version_compare(b[0].name, a[0].name))
+ for (cve, annotation) in sorted(lists[key][pkg], key=versionrsort):
# limit very large lists such as linux'
nb_issues += 1
if nb_issues > 10:
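Review bot: `versionrsort` does not depend on `key` or `pkg`, yet it is rebuilt on every pass of the enclosing loops; it can be defined once before `for key, desc in LIST_NAMES:`. The swapped arguments `version_compare(b[0].name, a[0].name)` also make the order descending, which is easy to miss and changes which entries survive the `nb_issues > 10` cut-off below. A comment would document both points, for example `# newest first; version_compare orders the numeric parts of CVE ids numerically, unlike a plain string sort`. The loop body continues past the end of the hunk.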
=====================================
bin/tracker_data.py
=====================================
@@ -22,6 +22,10 @@
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <https://www.gnu.org/licenses/>.
+# Note: to manually inspect the JSON output:
+# jq -C . ~/.cache/debian_security_tracker.json | less -R
+# jq -C . ~/.cache/elts_tracker.json | less -R
+
import functools
import json
import os.path
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a238542c71d8d5c13294be82d02586b54d0049d4...be0dd31f380a286da3f73037d452334118ab455d