Bug ID to CVE Mapping in Changelog Parsing
Module
Scanner
Status
VERIFIED
Description
Regex-based extraction of changelog bug references (Debian Closes: #123456, RHBZ#123456, Launchpad LP: #123456) with deterministic bug-to-CVE correlation for backport evidence metadata.
Implementation Details
- Shared extraction helper:
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs - Extracts bug references and bug-to-CVE mappings from changelog text.
- RPM wiring:
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs - Applies extractor to RPM changelog entries and emits vendor.changelogBugRefs/vendor.changelogBugToCves.
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs - Supplies ChangeLogText entries from RPM metadata.
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs
- DPKG wiring:
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs - Reads package changelog files (including .gz), extracts bug mappings, and merges CVE hints.
- Behavioral coverage:
  - src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs
  - src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs
  - src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs
E2E Test Plan
- Verify Debian Closes: #NNNNNN references are extracted and preserved in metadata.
- Verify RPM changelog RHBZ#NNNNNN references are extracted.
- Verify Launchpad LP: #NNNNNN references are extracted.
- Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
- Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.
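The behaviours in this plan can be reproduced outside the scanner with a short C# program. It is an added example, not the StellaOps extractor: the class name, the simplified regexes, the tracker prefixes (debian:, rhbz:, lp:) and the sample entries are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration with hypothetical names; not the StellaOps extractor.
public static class ChangelogBugRefSketch
{
    private const RegexOptions Opts = RegexOptions.IgnoreCase | RegexOptions.CultureInvariant;
    // Simplified patterns (assumption). Each captures the whole list so "Closes: #1, #2" yields both bugs.
    private static readonly (string Tracker, Regex Pattern)[] Trackers =
    {
        ("debian", new Regex(@"\bCloses:\s*(#\d+(?:\s*,\s*#\d+)*)", Opts)),
        ("rhbz",   new Regex(@"\bRHBZ\s*(#\d+(?:\s*,\s*#\d+)*)", Opts)),
        ("lp",     new Regex(@"\bLP:\s*(#\d+(?:\s*,\s*#\d+)*)", Opts)),
    };
    private static readonly Regex Number = new(@"\d+");
    private static readonly Regex Cve = new(@"\bCVE-\d{4}-\d{4,}\b", Opts);

    // Maps each bug reference to the CVE IDs named in the same entry.
    // Ordinal-sorted containers keep the output identical across runs and locales.
    public static SortedDictionary<string, SortedSet<string>> Correlate(IEnumerable<string> entries)
    {
        var map = new SortedDictionary<string, SortedSet<string>>(StringComparer.Ordinal);
        foreach (var entry in entries)
        {
            // Normalise case so "cve-..." and "CVE-..." collapse to one ID.
            var cves = Cve.Matches(entry).Select(m => m.Value.ToUpperInvariant()).ToList();
            foreach (var (tracker, pattern) in Trackers)
                foreach (Match list in pattern.Matches(entry))
                    foreach (Match n in Number.Matches(list.Groups[1].Value))
                    {
                        var key = $"{tracker}:{n.Value}";
                        if (!map.TryGetValue(key, out var set))
                            map[key] = set = new SortedSet<string>(StringComparer.Ordinal);
                        set.UnionWith(cves); // correlation never crosses entry boundaries
                    }
        }
        return map;
    }

    public static void Main()
    {
        // Constructed sample entries; bug numbers and CVE IDs are placeholders.
        var entries = new[] {
            "  * Backport fix for CVE-2099-0002 and cve-2099-0001. (Closes: #123456, #123457)",
            "- Fix overflow in parser (RHBZ#234567, CVE-2099-0003)",
            "  * Typo fix in manpage. (LP: #345678)",
        };
        foreach (var (bug, cves) in Correlate(entries))
            Console.WriteLine($"{bug} -> [{string.Join(", ", cves)}]");
    }
}
```

A bug whose entry names no CVE keeps an empty set, so the reference is preserved without inventing a correlation.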
Verification
- Run: run-001
- Date (UTC): 2026-02-12
- Artifacts: docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/