Skip to content

Update golang builder CVE component name to openshift4/openshift-golang-builder#3043

Open
ashwindasr wants to merge 6 commits into
openshift-eng:mainfrom
ashwindasr:update-golang-builder-cve-component
Open

Update golang builder CVE component name to openshift4/openshift-golang-builder#3043
ashwindasr wants to merge 6 commits into
openshift-eng:mainfrom
ashwindasr:update-golang-builder-cve-component

Conversation

@ashwindasr

@ashwindasr ashwindasr commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Update GOLANG_BUILDER_CVE_COMPONENT from openshift-golang-builder-container to openshift4/openshift-golang-builder to match the new JIRA pscomponent name for golang builder security trackers.
  • Introduce GOLANG_BUILDER_BREW_COMPONENT (openshift-golang-builder-container) to preserve the Brew/Konflux package name which remains unchanged.
  • Fix filtering logic in attach_cve_flaws_cli and find_bugs_sweep_cli to correctly handle the new openshift4/ prefix format.
  • Add is_golang_builder_component() helper that accepts both old and new pscomponent names for backward compatibility during migration.
  • Fix is_first_fix_for_tracker / is_first_fix_any to normalize tracker whiteboard_component before comparing against Hydra unfixed components, preventing mismatches when the tracker uses a delivery-repo-format pscomponent.
  • Add fallback in get_cve_unfixed_components to preserve raw delivery-repo names when translation fails.
  • Extend is_valid() filter in find_bugs_golang_cli to also skip delivery-repo-format image trackers (openshift4/...), not just -container suffixed ones, while preserving the golang builder exemption.

Test plan

  • All existing unit tests pass (71/71 in affected test files)
  • New tests for is_golang_builder_component() helper (4 cases)
  • New tests for is_first_fix normalization and fallback (2 cases)
  • Lint and format checks pass (ruff check clean)
  • Verify golang bug sweep works correctly with new pscomponent in a dry-run against a stream assembly
  • Verify update-golang pipeline correctly sweeps builder bugs with the new component name

Made with Cursor

…ng-builder

The JIRA pscomponent for golang builder security trackers is changing from
openshift-golang-builder-container to openshift4/openshift-golang-builder.

Introduce GOLANG_BUILDER_BREW_COMPONENT to preserve the Brew/Konflux package
name (openshift-golang-builder-container) which remains unchanged, and update
GOLANG_BUILDER_CVE_COMPONENT to the new JIRA pscomponent value.

All JIRA bug matching uses the CVE constant; all Brew/Konflux NVR and package
lookups use the Brew constant. Filtering logic in attach_cve_flaws_cli and
find_bugs_sweep_cli is adjusted to handle the new openshift4/ prefix correctly.

Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign locriandev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Split golang-builder identifiers into distinct CVE vs Brew names, add is_golang_builder helper, and update detection, mapping, parent-image parsing, errata NVR validation, pyartcd builder discovery, CLI filtering/help, bzutil normalization, and tests to handle both identifiers and delivery-repo normalization/fallbacks.

Changes

Golang builder component naming refactor

Layer / File(s) Summary
Golang builder component constants
elliott/elliottlib/constants.py
GOLANG_BUILDER_CVE_COMPONENT becomes openshift4/openshift-golang-builder; new GOLANG_BUILDER_BREW_COMPONENT = openshift-golang-builder-container; add is_golang_builder_component.
Utilities: parent-image and builder detection
elliott/elliottlib/util.py, elliott/elliottlib/errata_async.py
Parent-image parsing and go_version construction use the Brew component identifier for builder detection; errata NVR validation checks Brew identifier.
pyartcd builder discovery & pullspec generation
pyartcd/pyartcd/pipelines/update_golang.py, pyartcd/tests/pipelines/test_update_golang.py
Use Brew component constant for Brew/Konflux builder lookups and published pullspec derivation; update tests and expected elliott command component arguments.
find-bugs:golang CLI and detection changes
elliott/elliottlib/cli/find_bugs_golang_cli.py, elliott/tests/test_find_bugs_golang_cli.py
Generalize builder detection with is_golang_builder_component across _is_fixed, filtering, art_managed, rpms-only path; update CLI help text and test defaults.
find-bugs-sweep image categorization
elliott/elliottlib/cli/find_bugs_sweep_cli.py
Treat both Brew and CVE golang-builder identifiers as image trackers; add Brew identifier to image advisory exception package list.
CVE attachment flow and bzutil normalization
elliott/elliottlib/cli/attach_cve_flaws_cli.py, elliott/elliottlib/bzutil.py, elliott/tests/test_bzutil.py
Skip delivery-repo→component translation for golang-builder trackers; Konflux mapping falls back to builder-derived components for golang-builder. Normalize tracker whiteboard components using OCP delivery-repo rules and record unresolved pkg names when mapping fails; add tests for normalization and fallback.
Errata async NVR validation
elliott/elliottlib/errata_async.py
Validate Go builder NVRs against the Brew component identifier when populating golang CVE components.
Tests: normalization and new bzutil cases
elliott/tests/*, pyartcd/tests/*
Update whiteboard normalization expectations, default test components, pyartcd test assertions, and add bzutil tests validating delivery-repo normalization and fallback behavior.

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@elliott/elliottlib/cli/attach_cve_flaws_cli.py`:
- Around line 540-542: Normalize legacy golang-builder tracker names before
branch-specific logic by treating both constants.GOLANG_BUILDER_CVE_COMPONENT
and constants.GOLANG_BUILDER_BREW_COMPONENT as the same golang-builder tracker:
change the is_golang_builder check to something like `is_golang_builder =
whiteboard_component in {constants.GOLANG_BUILDER_CVE_COMPONENT,
constants.GOLANG_BUILDER_BREW_COMPONENT}` and use that variable in the
subsequent `if is_ocp_delivery_repo(whiteboard_component) and not
is_golang_builder` path (and the analogous block around the other occurrence),
so legacy Brew-named trackers are normalized up front and follow the same
mapping/exclusion logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: dc34c9a4-6355-405f-95e3-db99421769c6

📥 Commits

Reviewing files that changed from the base of the PR and between aac11d0 and 5e4189d.

📒 Files selected for processing (10)
  • elliott/elliottlib/cli/attach_cve_flaws_cli.py
  • elliott/elliottlib/cli/find_bugs_golang_cli.py
  • elliott/elliottlib/cli/find_bugs_sweep_cli.py
  • elliott/elliottlib/constants.py
  • elliott/elliottlib/errata_async.py
  • elliott/elliottlib/util.py
  • elliott/tests/test_bzutil.py
  • elliott/tests/test_find_bugs_golang_cli.py
  • pyartcd/pyartcd/pipelines/update_golang.py
  • pyartcd/tests/pipelines/test_update_golang.py

Comment thread elliott/elliottlib/cli/attach_cve_flaws_cli.py Outdated
Add is_golang_builder_component() helper to accept both old
(openshift-golang-builder-container) and new
(openshift4/openshift-golang-builder) pscomponent names during
migration. Replace 8 equality checks across find_bugs_golang,
attach_cve_flaws, and find_bugs_sweep CLIs with the helper.

Fix is_first_fix_for_tracker/is_first_fix_any to normalize the
tracker whiteboard_component via normalize_component_by_ocp_delivery_repo
before comparing against unfixed_components from Hydra.

Add fallback in get_cve_unfixed_components to preserve the raw
delivery-repo name when translation fails, so trackers using
that pscomponent still match.

Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@elliott/elliottlib/cli/find_bugs_golang_cli.py`:
- Around line 489-491: The current check only skips non-builder components that
end with "-container" (the comp.endswith("-container") branch using
constants.is_golang_builder_component), but it must also skip delivery-repo
image trackers like "openshift4/<image>"; update the condition that logs and
returns False (the block using logger.info and return False) to also treat
components that start with "openshift4/" as non-builder image trackers (i.e.,
short-circuit and skip them), preserving the existing
is_golang_builder_component(comp) logic for "-container" names so golang
builders still pass validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 29d89ce5-3fcb-4502-a434-02e3ff070595

📥 Commits

Reviewing files that changed from the base of the PR and between 5e4189d and bf89fe6.

📒 Files selected for processing (6)
  • elliott/elliottlib/bzutil.py
  • elliott/elliottlib/cli/attach_cve_flaws_cli.py
  • elliott/elliottlib/cli/find_bugs_golang_cli.py
  • elliott/elliottlib/cli/find_bugs_sweep_cli.py
  • elliott/elliottlib/constants.py
  • elliott/tests/test_bzutil.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • elliott/elliottlib/constants.py
  • elliott/elliottlib/cli/attach_cve_flaws_cli.py

Comment thread elliott/elliottlib/cli/find_bugs_golang_cli.py Outdated
Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
The is_valid filter only skipped image trackers ending with -container,
but with the transition to delivery-repo pscomponents, non-builder
image trackers like openshift4/<image> would slip through. Add
is_ocp_delivery_repo check to also skip those, preserving the
golang builder exemption.

Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
Comment thread elliott/elliottlib/constants.py Outdated
# Golang builder needs special treatment when associating security tracking bugs with builds:
GOLANG_BUILDER_CVE_COMPONENT = 'openshift-golang-builder-container'
GOLANG_BUILDER_CVE_COMPONENT = 'openshift4/openshift-golang-builder'
GOLANG_BUILDER_BREW_COMPONENT = 'openshift-golang-builder-container'

@thegreyd thegreyd Jun 9, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i would prefer if we don't use the word brew here
since we compute component names for konflux the same way

Maybe just golang_builder_component ?

And openshift4/openshift-golang-builder can be the golang_builder_ocp4_delivery_repo?
there will be an ocp5 one also, have a func wrap this is_golang_builder_delivery_repo ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks - that makes sense. added in 80b30a9

Comment thread elliott/elliottlib/bzutil.py
Rename GOLANG_BUILDER_BREW_COMPONENT to GOLANG_BUILDER_COMPONENT since
Konflux computes component names the same way as Brew.

Rename GOLANG_BUILDER_CVE_COMPONENT to GOLANG_BUILDER_OCP4_DELIVERY_REPO
to clarify it is the OCP4 delivery repo name.

Add is_golang_builder_delivery_repo() for OCP4/OCP5 forward-compatibility.

Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@elliott/elliottlib/errata_async.py`:
- Around line 383-392: In compute_cve_exclusions, the golang CVE detection
currently checks only for constants.GOLANG_BUILDER_OCP4_DELIVERY_REPO and misses
legacy builder names; change the loop over expected_cve_components (variables
expected_brew_components, golang_cve_names) to treat a CVE as golang if any
component in components satisfies
constants.is_golang_builder_component(component) (i.e., use that helper instead
of the single-constant membership test), so golang CVEs get routed through
populate_golang_cve_components and the builder component is not incorrectly
required as a brew component.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f049f706-4e09-4120-969a-854484fb65a5

📥 Commits

Reviewing files that changed from the base of the PR and between ed7c7fc and 80b30a9.

📒 Files selected for processing (10)
  • elliott/elliottlib/cli/find_bugs_golang_cli.py
  • elliott/elliottlib/cli/find_bugs_sweep_cli.py
  • elliott/elliottlib/constants.py
  • elliott/elliottlib/errata_async.py
  • elliott/elliottlib/util.py
  • elliott/tests/test_bzutil.py
  • elliott/tests/test_errata_async.py
  • elliott/tests/test_find_bugs_golang_cli.py
  • elliott/tests/test_find_bugs_sweep_cli.py
  • pyartcd/pyartcd/pipelines/update_golang.py
✅ Files skipped from review due to trivial changes (1)
  • elliott/tests/test_find_bugs_sweep_cli.py
🚧 Files skipped from review as they are similar to previous changes (4)
  • elliott/elliottlib/cli/find_bugs_sweep_cli.py
  • elliott/elliottlib/util.py
  • elliott/tests/test_bzutil.py
  • elliott/elliottlib/cli/find_bugs_golang_cli.py

Comment thread elliott/elliottlib/errata_async.py Outdated
The golang CVE detection was checking for a single constant, missing
legacy builder names during migration. Use the helper to match any
form of the golang builder component.

Co-authored-by: Cursor <cursoragent@cursor.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

@ashwindasr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 12bbef1 link false /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ashwindasr

Copy link
Copy Markdown
Contributor Author

/hold

Might need to confirm with with prodsec

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 17, 2026
@ashwindasr

Copy link
Copy Markdown
Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 25, 2026
@thegreyd thegreyd added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 25, 2026
# Golang builder needs special treatment when associating security tracking bugs with builds:
GOLANG_BUILDER_CVE_COMPONENT = 'openshift-golang-builder-container'
GOLANG_BUILDER_COMPONENT = 'openshift-golang-builder-container'
GOLANG_BUILDER_OCP4_DELIVERY_REPO = 'openshift4/openshift-golang-builder'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if we had discussion around handling openshift5/ here ? If not, then I'd recommend that

@openshift-ci

openshift-ci Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants