multiple fixes in cve-corrector and extractor #14
Merged
…handling

Two issues causing agent failures in integration tests:

1. cve_corrector --continue used 'git status --porcelain' to detect conflicts, but ANY dirty file (including autotools-generated configure, config.guess) triggered a false 'Conflicts still present' error. Fix: check specifically for unmerged entries (U/DD/AA in porcelain status) rather than any non-empty output.

2. Monorepo subprojects/ prefix (used by gstreamer) not handled in _expand_path_variants. The agent works on gst/isomp4/qtdemux.c but the allowed list only has subprojects/gst-plugins-good/gst/isomp4/qtdemux.c. revert_unauthorized_changes then removes the agent's work. Fix: strip subprojects/<name>/ prefix when expanding path variants.

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
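The two fixes in the commit above, as added example code (not the project's own implementation): a conflict check that only reacts to unmerged index entries in `git status --porcelain` output, and a hypothetical `expand_path_variants` that strips a `subprojects/<name>/` prefix so an allowed-list check accepts the agent's in-subproject path. The sample status output is constructed.

```python
import re

# Unmerged index states as documented in git-status(1). Any of these means a
# conflict is still present; anything else (modified, added, untracked) is not.
UNMERGED_XY = {"DD", "AU", "UD", "UA", "DU", "AA", "UU"}


def unmerged_entries(porcelain: str) -> list[str]:
    """Return conflicted paths from `git status --porcelain` (v1) output.

    Each line is 'XY PATH': two status columns, a space, then the path.
    Untracked ('??') and merely dirty (' M', 'M ', 'A ') lines are ignored,
    so autotools-generated files like configure or config.guess never
    trigger a false 'Conflicts still present'.
    """
    conflicts = []
    for line in porcelain.splitlines():
        if len(line) < 4:
            continue
        xy, path = line[:2], line[3:]
        if xy in UNMERGED_XY:
            conflicts.append(path)
    return conflicts


def conflicts_present(porcelain: str) -> bool:
    """Replacement for the old 'any non-empty output' heuristic."""
    return bool(unmerged_entries(porcelain))


_SUBPROJECT_RE = re.compile(r"^subprojects/[^/]+/")


def expand_path_variants(path: str) -> set[str]:
    """Hypothetical helper: the path as given plus, for monorepo layouts such
    as gstreamer's, the same path without its leading subprojects/<name>/."""
    variants = {path}
    stripped = _SUBPROJECT_RE.sub("", path, count=1)
    if stripped != path:
        variants.add(stripped)
    return variants


def is_authorized(changed: str, allowed: list[str]) -> bool:
    """True if a changed file matches an allowed path or one of its variants."""
    return any(changed in expand_path_variants(a) for a in allowed)


# Constructed sample: dirty autotools tree with exactly one real conflict.
SAMPLE_STATUS = (
    " M configure\n"
    "?? config.guess\n"
    "UU src/parser.c\n"
    "A  patches/CVE-XXXX-YYYY.patch\n"
)
```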
get_repo_subdir() only checked for CMakeLists.txt, configure.ac, configure, and meson.build as root build markers. Python projects (with setup.py, setup.cfg, pyproject.toml at root) were not recognized, causing false monorepo detection when an ancillary subdirectory like launcher/ contained a CMakeLists.txt. This caused CVE-2025-47273 (python3-setuptools) to fail: the corrector incorrectly set strip_level=2 and subdir=launcher, then git-am failed with 'lacks filename information when removing 3 leading pathname components'. Fix: expand build_files set to include Python, Rust, Go, and Makefile project markers at root level. Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
When the devtool branch has commits that were squash-merged (e.g. PR merges), the CVE branch may include cherry-picked individual commits from that PR. format-patch original-version..CVE produces patches for ALL commits including those already on devtool, causing git-am to fail.

Fix with two improvements:

1. Use devtool (or merge-base) as the format-patch base instead of original-version, so only CVE-specific commits are captured.

2. When git-am fails at all strip levels, fall back to direct cherry-pick of CVE commits onto the devtool branch.

This fixes CVE-2025-47273 (python3-setuptools) where a merged PR reorganized package_index.py and made the format-patch output incompatible with the devtool branch layout.

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Scope git ls-files output to the current recipe's directory when renaming patches. Previously, untracked patches from other recipes were counted, causing incorrect -N suffixes (e.g. CVE-XXXX-2.patch instead of CVE-XXXX.patch for a single-patch fix).

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
When both git-am (all strip levels) and direct cherry-pick fail to transfer the CVE fix to the devtool branch, fall back to git-apply with --3way. This handles cases where the devtool branch has diverged significantly (e.g. squash-merged PRs that changed file content) but the patch can still be applied with fuzz. Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Plugins that provide CVE input were rejected with 'At least one input source required' because is_enabled() was called before setup(), and the old heuristic excluded sources with empty names or names in the data-source list. Add is_input_source attribute to CveSource base class. Plugins that provide CVE input set is_input_source=True and implement is_enabled() purely from parsed args (no setup() dependency). Assisted-by: Kiro:claude-opus-4.6 Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
7799fd5 to 6b7ab68
- Remove unused variable assignment in cve_agent/session.py (F841)
- Rename ambiguous variable 'l' to 'ln' in cherry_pick.py (E741)
- Remove duplicate import block in test_patch.py (F811, I001)

Assisted-by: Kiro:claude-opus-4.6
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
6b7ab68 to e4da696
Plugins that provide CVE input were rejected with 'At least one input source required' because is_enabled() was called before setup(), and the old heuristic excluded sources with empty names or names in the data-source list.

Changes:
- Add is_input_source attribute to CveSource base class
- is_input_source plugins directly

Testing: