Bug ID to CVE Mapping in Changelog Parsing

Module

Scanner

Status

IMPLEMENTED

Description

Regex-based extraction of bug tracker references (Debian "Closes: #123456", RHBZ#123456, Launchpad "LP: #123456") from changelogs, with cross-reference to CVE IDs for Tier 2 backport evidence.

Implementation Details

Changelog Parsing (OS Analyzers):
- src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/RpmPackageAnalyzer.cs - RPM package analyzer with changelog parsing
- src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeaderParser.cs - Parses RPM headers including changelog entries
- src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmHeader.cs - RPM header model with changelog tags
- src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.Rpm/Internal/RpmTags.cs - RPM tag definitions including changelog-related tags
Pedigree & Commit Mapping:
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/FeedserPedigreeDataProvider.cs - Provides pedigree data including changelog-derived CVE references
- src/Scanner/__Libraries/StellaOps.Scanner.Emit/Pedigree/CommitInfoBuilder.cs - Builds commit info with bug tracker cross-references
Material Changes Integration:
- src/Scanner/__Libraries/StellaOps.Scanner.MaterialChanges/CardGenerators.cs - Generates material change cards including changelog-derived bug-to-CVE mappings

E2E Test Plan

Scan a container image with Debian packages containing changelogs with "Closes: #NNNNNN" references and verify bug IDs are extracted
Scan an image with RPM packages containing changelogs with RHBZ# references and verify extraction
Verify extracted bug IDs are cross-referenced to CVE IDs and appear as Tier 2 backport evidence
Verify the pedigree data includes changelog-derived CVE mappings in the scan report
Verify material change cards reference changelog bug-to-CVE correlations
Verify Launchpad "LP: #NNNNNN" references are extracted from Ubuntu package changelogs

2.0 KiB Raw Blame History