Skip to content

ART-21049: Create artcd command for Check Cve Tracker Bug step#3097

Open
tomasdavidorg wants to merge 5 commits into
openshift-eng:mainfrom
tomasdavidorg:ART-21049
Open

ART-21049: Create artcd command for Check Cve Tracker Bug step#3097
tomasdavidorg wants to merge 5 commits into
openshift-eng:mainfrom
tomasdavidorg:ART-21049

Conversation

@tomasdavidorg

@tomasdavidorg tomasdavidorg commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

Summary by CodeRabbit

  • New Features
    • Added a new verify-cve-trackers command to verify CVE tracker coverage for a specified group and assembly using advisory-derived and shipment-derived Jira issue sources.
    • Supports loading releases.yml from a data path, including Git-based refs, and allows text or JSON output with pass/fail status and missing tracker details.
    • Enforces consistency between requested and shipment metadata; exits non-zero when coverage is incomplete.
    • Exposes verify_cve_trackers from the main module for programmatic use.
  • Tests
    • Added unit and end-to-end tests for MR/YAML parsing, issue extraction, missing-tracker detection, and result rendering.

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@tomasdavidorg tomasdavidorg added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 24, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 24, 2026

Copy link
Copy Markdown

@tomasdavidorg: This pull request references ART-21049 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ashwindasr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 09968268-d9b0-438e-9411-08305e11d147

📥 Commits

Reviewing files that changed from the base of the PR and between 4b78555 and c802d3a.

📒 Files selected for processing (1)
  • pyartcd/tests/pipelines/test_verify_cve_trackers.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • pyartcd/tests/pipelines/test_verify_cve_trackers.py

Walkthrough

Adds a verify-cve-trackers CLI pipeline that loads assembly and shipment data, compares advisory and shipment Jira coverage against Elliott output, renders JSON or text, and exits non-zero when coverage is incomplete.

Changes

Verify CVE tracker coverage

Layer / File(s) Summary
Entrypoint export and command wiring
pyartcd/pyartcd/__main__.py, pyartcd/pyartcd/pipelines/verify_cve_trackers.py
Exports the new command from the package entrypoint and wires the Click command that invokes the pipeline and exit status.
Shipment and assembly helpers
pyartcd/pyartcd/pipelines/verify_cve_trackers.py
Defines the result model plus helpers for shipment YAML parsing, shipment MR discovery, releases data loading, assembly resolution, Elliott tracker normalization, missing-tracker comparison, and RHSA issue extraction.
Verification pipeline and output rendering
pyartcd/pyartcd/pipelines/verify_cve_trackers.py
Orchestrates advisory and shipment coverage checks, loads Elliott output, validates shipment metadata, and renders JSON or text results.
Helper and pipeline tests
pyartcd/tests/pipelines/test_verify_cve_trackers.py
Exercises shipment helper functions, advisory extraction, shipment MR parsing, result rendering, pipeline execution, and Elliott command handling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • fgallott

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error New logs print the full Elliott command (including data-path URLs) and MR URLs on warnings, which can expose internal hostnames or credentials. Redact URLs/credentials in log messages; log only non-sensitive identifiers or sanitized host/path fragments instead of raw command strings and MR URLs.
No-Hardcoded-Secrets ❌ Error Tests pass the literal string "token" to gitlab_token in three places, matching the hardcoded-secrets rule for sensitive-name string literals. Replace those literals with a non-sensitive placeholder constant or mock the token via an env var/fixture that isn’t a secret-like name.
Docstring Coverage ⚠️ Warning Docstring coverage is 2.08% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (8 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding a new artcd command for the CVE tracker bug check step.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/ECB, custom crypto, or secret/token comparison patterns appear in the new command or tests.
Container-Privileges ✅ Passed Changed files are only Python code/tests; no container/K8s manifest edits or privilege-related fields were introduced.
No-Injection-Vectors ✅ Passed No listed injection vectors found: YAML uses safe_load, Elliott is invoked via argv list, and no eval/exec, pickle.loads, shell=True, or os.system appear in touched code.
Ai-Attribution ✅ Passed No AI-tool mentions or AI-attribution trailers appear in the PR commit/message or changed files, so the check is not triggered.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyartcd/pyartcd/__main__.py`:
- Line 52: The new pipeline import for verify_cve_trackers is present but it is
not re-exported through the __all__ list, so it will not be included in wildcard
imports. Update the __all__ definition in __main__.py to add verify_cve_trackers
alongside the other pipeline symbols, keeping the export list consistent with
the import list.

In `@pyartcd/pyartcd/pipelines/verify_cve_trackers.py`:
- Around line 260-272: Both get_rhsa_jira_issues and
get_jira_issues_from_shipment_mr are doing blocking network I/O inside the async
run() coroutine, which will stall the event loop. Update verify_cve_trackers.py
so the calls in run() are executed off the loop, following the pattern used by
_load_releases_yaml (for example, via asyncio.to_thread or equivalent async
wrapper). Keep the existing logic for rhsa_jira_issues, shipment_jira_issues,
shipment_files, mr_group, and mr_assembly, but make sure the blocking fetches
happen in background threads before flatten_elliott_cve_trackers and
find_missing_cve_trackers consume their results.
- Around line 118-121: The per-file exception handling in
get_jira_issues_from_shipment_mr is silently swallowing failures by catching
Exception and continuing, which hides download/parse problems. Update this
branch to log the exception together with the current file path before
continuing, using a logger available to the function (for example by passing one
in or using a module-level logger). Keep the ValueError handling as-is, but make
sure unexpected errors are visible instead of disappearing from processed_files.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dabbbc3f-8e8c-489d-abb6-5cb6a4bd4d9e

📥 Commits

Reviewing files that changed from the base of the PR and between f96dc5f and 3cd05dc.

📒 Files selected for processing (3)
  • pyartcd/pyartcd/__main__.py
  • pyartcd/pyartcd/pipelines/verify_cve_trackers.py
  • pyartcd/tests/pipelines/test_verify_cve_trackers.py

Comment thread pyartcd/pyartcd/__main__.py
Comment thread pyartcd/pyartcd/pipelines/verify_cve_trackers.py
Comment thread pyartcd/pyartcd/pipelines/verify_cve_trackers.py Outdated
rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@tomasdavidorg

Copy link
Copy Markdown
Contributor Author

/test security

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@tomasdavidorg

Copy link
Copy Markdown
Contributor Author

/test security

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@tomasdavidorg: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security c802d3a link false /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants