stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md
master 9911b7d73c save checkpoint
2026-02-12 21:02:43 +02:00

2.1 KiB
Raw Blame History

Bug ID to CVE Mapping in Changelog Parsing

Module

Scanner

Status

VERIFIED

Description

Regex-based extraction of changelog bug references (Debian Closes: #123456, RHBZ#123456, Launchpad LP: #123456) with deterministic bug-to-CVE correlation for backport evidence metadata.

Implementation Details

  • Shared extraction helper:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/Helpers/ChangelogBugReferenceExtractor.cs - Extracts bug references and bug-to-CVE mappings from changelog text.
  • RPM wiring:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs - Applies extractor to RPM changelog entries and emits vendor.changelogBugRefs / vendor.changelogBugToCves.
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs - Supplies ChangeLogText entries from RPM metadata.
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs
  • DPKG wiring:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Dpkg/DpkgPackageAnalyzer.cs - Reads package changelog files (including .gz), extracts bug mappings, and merges CVE hints.
  • Behavioral coverage:
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Helpers/ChangelogBugReferenceExtractorTests.cs
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/Dpkg/DpkgChangelogBugCorrelationTests.cs
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.OS.Tests/OsAnalyzerDeterminismTests.cs

E2E Test Plan

  • Verify Debian Closes: #NNNNNN references are extracted and preserved in metadata.
  • Verify RPM changelog RHBZ#NNNNNN references are extracted.
  • Verify Launchpad LP: #NNNNNN references are extracted.
  • Verify bug references are cross-referenced with CVE IDs from the same changelog entry.
  • Verify deterministic metadata and golden snapshot behavior through OS analyzer test runs.

Verification

  • Run: run-001
  • Date (UTC): 2026-02-12
  • Artifacts: docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/