Skip to content

feat: add check-advisories to check BRSA fields #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

feat: add check-advisories to check BRSA fields #604

wants to merge 1 commit into from

Conversation

@piyush-jena
Copy link

@piyush-jena piyush-jena commented Nov 26, 2025
edited
Loading

Issue number:

Closes #

Description of changes:
Add check-advisories task

Testing done:
Cropping output for brevity.
Testing it on bottlerocket-core-kit. I introduced an error to test different cases:

[cargo-make] INFO - Running Task: check-advisories
Checking advisories against built RPMs...
Checking advisory: advisories/10.1.0/BRSA-hc1ikaaaqfgw.toml
  Advisory OK: amazon-ssm-agent
Checking advisory: advisories/10.5.0/BRSA-ja1ptrrpkcey.toml
  Advisory OK: libexpat
******
Checking advisory: advisories/2.3.6/BRSA-himt1tjhhps5.toml
  Advisory OK: amazon-ssm-agent
Checking advisory: advisories/2.4.0/BRSA-1pmwbq0axn1v.toml
  WARNING: RPM not found for package: kernel-6.1
  WARNING: RPM not found for package: kernel-5.15
Checking advisory: advisories/2.4.0/BRSA-2yike4lvuqs8.toml
  WARNING: RPM not found for package: kernel-6.1
  WARNING: RPM not found for package: kernel-5.15
******
Checking advisory: advisories/3.2.0/BRSA-tn9tn492mklj.toml
  Advisory OK: libnvidia-container
  Advisory OK: nvidia-container-toolkit
Checking advisory: advisories/3.3.0/BRSA-udcwjbo4nlwj.toml
  Advisory OK: nvidia-container-toolkit
  Advisory OK: libnvidia-container
******
Checking advisory: advisories/9.1.0/BRSA-yrtutyr4c95s.toml
  ADVISORY VIOLATION:
    Advisory: advisories/9.1.0/BRSA-yrtutyr4c95s.toml
    CVE: BRSA-yrtutyr4c95s
    RPM: bottlerocket-iputils
    Found: epoch=0, version=20250605, release=1.1763982627.21bc4104.br1
    Required: epoch=1, version=20250605
******
Error while executing command, exit code: 1
Error: Command was unsuccessful, exit code 105
make: *** [Makefile:46: build] Error 1

I had to fix the advisories in the earlier versions because they didn't have patched-epoch field. We can plan on either defaulting to 0 here or add those fields in the advisories.

Testing it on bottlerocket-kernel-kit.

Checking advisory: advisories/1.0.6/BRSA-xllgj5w5lj5x.toml
  Advisory OK: kernel-6.1
  Advisory OK: kernel-6.1
  WARNING: RPM not found for package: bottlerocket-kernel-6.1
Checking advisory: advisories/1.0.7/BRSA-edhp8onrudst.toml
  WARNING: RPM not found for package: kernel-5.15
  WARNING: RPM not found for package: bottlerocket-kernel-5.15
Checking advisory: advisories/1.0.7/BRSA-hyiqpdbm9eve.toml
  WARNING: RPM not found for package: kernel-5.15
  WARNING: RPM not found for package: bottlerocket-kernel-5.15
Checking advisory: advisories/1.0.7/BRSA-ivzwmzklr5el.toml
  WARNING: RPM not found for package: kernel-5.10
  WARNING: RPM not found for package: kernel-5.15
  WARNING: RPM not found for package: bottlerocket-kernel-5.10
  WARNING: RPM not found for package: bottlerocket-kernel-5.15
******
Checking advisory: advisories/4.3.3/BRSA-6dfap5ynaqk3.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.3/BRSA-djsljhck18cr.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.3/BRSA-ijs50tlmfnnu.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.3/BRSA-krlczybuqokb.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.3/BRSA-v1svnbbvzcpi.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.3/BRSA-zc1olgtco3s2.toml
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.1-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r570
  Advisory OK: kmod-6.12-nvidia-r580
  Advisory OK: kmod-6.12-nvidia-r580
Checking advisory: advisories/4.3.4/BRSA-2uq7otsimmgp.toml
  Advisory OK: kernel-6.1
  Advisory OK: kernel-6.1
******
[cargo-make] INFO - Running Task: build-kit
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.02s
[cargo-make] INFO - Build Done in 64.55 seconds.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@piyush-jena piyush-jena force-pushed the check-advisories branch 3 times, most recently from 7651bc6 to c76aea2 Compare November 28, 2025 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@piyush-jena