# Bug ID to CVE Mapping in Changelog Parsing

## Module

Scanner

## Status

VERIFIED

## Description

Regex-based extraction of bug references from package changelogs (Debian `Closes: #123456`, Red Hat Bugzilla `RHBZ#123456`, Launchpad `LP: #123456`), with deterministic correlation of each bug reference to the CVE IDs named in the same changelog entry. The result is emitted as backport evidence metadata: a changelog entry that cites a distribution bug number alongside a CVE ID records that the package carries a fix for that CVE, even where the package version alone would not show it.

## Implementation Details

- **Shared extraction helper**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs` - Extracts bug references and bug-to-CVE mappings from changelog text.
- **RPM wiring**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs` - Applies the extractor to RPM changelog entries and emits `vendor.changelogBugRefs` / `vendor.changelogBugToCves`.
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs` - Supplies `ChangeLogText` entries from RPM metadata.
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs`
- **DPKG wiring**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs` - Reads package changelog files (including `.gz`-compressed ones), extracts bug mappings, and merges the resulting CVE hints into the package metadata.
- **Behavioral coverage**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs`
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs`
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs`

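
The extraction and correlation described above, as an added example in Python that is not the project's own code (the project's extractor is C#). It splits a changelog into entries at Debian and RPM `%changelog` headers, pulls `Closes: #N`, `RHBZ#N` and `LP: #N` references and CVE IDs out of each entry, and maps every bug reference to the CVE IDs of its own entry only, with sorted output so the result is deterministic. It also gunzips a `changelog.gz` body before parsing. The reference spelling (`Debian#N`, `RHBZ#N`, `LP#N`), the two output keys and the sample changelogs are assumptions constructed for this example, not the project's wire format or real package history.

```python
"""Added example (not the StellaOps project's code): regex-based extraction of
changelog bug references and deterministic per-entry bug-to-CVE correlation.
The reference spelling ("Debian#N", "RHBZ#N", "LP#N") and the two output keys
are assumptions of this example, not the project's actual metadata format."""
import gzip
import json
import re

# Entry headers. Debian: "pkg (version) dist; urgency=..."; RPM %changelog:
# "* Mon Jan 15 2024 Name <mail> - evr". Each header starts a new entry.
DEB_HEADER_RE = re.compile(r"^\S+ \([^)]+\) [^;\n]+; urgency=", re.MULTILINE)
RPM_HEADER_RE = re.compile(
    r"^\* (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{1,2} \d{4}\b", re.MULTILINE)

# Bug references. "Closes:" may list several bugs ("Closes: #1, bug#2"); the
# bare-number form dpkg also accepts ("Closes: 123") is deliberately not
# matched, so arbitrary numbers in prose never become bug references.
CLOSES_RE = re.compile(r"\bCloses:\s*((?:(?:bug)?#\d+[,\s]*)+)", re.IGNORECASE)
RHBZ_RE = re.compile(r"\bRHBZ#(\d+)\b", re.IGNORECASE)
LP_RE = re.compile(r"\bLP:\s*#(\d+)\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def load_changelog(data: bytes) -> str:
    """Decode a changelog file body, transparently gunzipping changelog.gz."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def split_entries(text: str) -> list[str]:
    """Split a changelog into entries at Debian or RPM headers. Text before
    the first header is kept as an entry of its own so nothing is dropped."""
    starts = sorted({m.start() for rx in (DEB_HEADER_RE, RPM_HEADER_RE)
                     for m in rx.finditer(text)})
    if not starts:
        return [text] if text.strip() else []
    bounds = ([0] if starts[0] > 0 else []) + starts + [len(text)]
    return [text[a:b] for a, b in zip(bounds, bounds[1:]) if text[a:b].strip()]


def extract_bug_refs(entry: str) -> set[str]:
    """All bug references in one entry, normalised to "Tracker#number"."""
    refs: set[str] = set()
    for m in CLOSES_RE.finditer(entry):
        refs.update(f"Debian#{n}" for n in re.findall(r"#(\d+)", m.group(1)))
    refs.update(f"RHBZ#{n}" for n in RHBZ_RE.findall(entry))
    refs.update(f"LP#{n}" for n in LP_RE.findall(entry))
    return refs


def extract_cves(entry: str) -> set[str]:
    """All CVE IDs in one entry, upper-cased so "cve-" and "CVE-" collapse."""
    return {c.upper() for c in CVE_RE.findall(entry)}


def correlate(text: str) -> dict:
    """Deterministic metadata: sorted bug refs, and for each bug ref the sorted
    CVE IDs named in the same entry. A bug ref whose entry names no CVE stays
    in changelogBugRefs but gets no mapping, so a CVE from another entry can
    never be attached to it as backport evidence."""
    bug_to_cves: dict[str, set[str]] = {}
    all_refs: set[str] = set()
    for entry in split_entries(text):
        refs, cves = extract_bug_refs(entry), extract_cves(entry)
        all_refs |= refs
        if cves:
            for ref in refs:
                bug_to_cves.setdefault(ref, set()).update(cves)
    return {
        "changelogBugRefs": sorted(all_refs),
        "changelogBugToCves": {k: sorted(v) for k, v in sorted(bug_to_cves.items())},
    }


# Constructed sample changelogs (fake package, bug numbers and CVE IDs).
DEB_SAMPLE = """\
libexample (1.2.3-1+deb12u2) bookworm-security; urgency=high

  * Fix heap overflow in parser, CVE-2024-10001 (Closes: #1000001, #1000002)
  * Refresh patches (LP: #2000003)

 -- Example Maintainer <sec@example.org>  Tue, 14 May 2024 12:00:00 +0000

libexample (1.2.3-1+deb12u1) bookworm; urgency=medium

  * Fix crash on empty input (Closes: #1000004)

 -- Example Maintainer <sec@example.org>  Mon, 06 May 2024 12:00:00 +0000
"""
RPM_SAMPLE = """\
* Mon Jan 15 2024 Example Packager <pkg@example.org> - 1.2.3-4
- Fix CVE-2024-10002 (RHBZ#2000001)
- Backport upstream fix for RHBZ#2000002

* Tue Dec 05 2023 Example Packager <pkg@example.org> - 1.2.3-3
- Rebuild; no security changes
"""
GZ_SAMPLE = gzip.compress(DEB_SAMPLE.encode())  # stands in for changelog.gz

if __name__ == "__main__":
    for name, text in (("debian", DEB_SAMPLE), ("rpm", RPM_SAMPLE),
                       ("debian.gz", load_changelog(GZ_SAMPLE))):
        print(name, json.dumps(correlate(text), indent=2))
```

Note what entry-level correlation does with the first Debian entry: `LP#2000003` sits on a "Refresh patches" line that has nothing to do with the CVE, yet it is mapped to `CVE-2024-10001` because the page's stated granularity is the changelog entry, not the line. That coarseness is the price of not parsing free-form maintainer prose; consumers should treat the mapping as evidence that the entry fixed the CVE, not as proof that each bug individually did. The second Debian entry shows the other direction: `Debian#1000004` is recorded as a reference but, with no CVE in its entry, receives no mapping.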
## E2E Test Plan

- [x] Verify Debian `Closes: #NNNNNN` references are extracted and preserved in metadata.
- [x] Verify RPM changelog `RHBZ#NNNNNN` references are extracted.
- [x] Verify Launchpad `LP: #NNNNNN` references are extracted.
- [x] Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
- [x] Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.

## Verification

- Run: `run-001`
- Date (UTC): 2026-02-12
- Artifacts: `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`