ci: Add 5-days grace period

CagriYonca · CagriYonca · commit 971c0fa57e9f · 2026-05-26T11:29:40.000+02:00
Signed-off-by: Cagri Yonca &lt;cagri@ibm.com&gt;
diff --git a/.tekton/.currency/scripts/generate_report.py b/.tekton/.currency/scripts/generate_report.py
@@ -1,7 +1,7 @@
 # Standard Libraries
 import json
 import re
-from datetime import datetime
+from datetime import datetime, timezone
 
 import pandas as pd
 
@@ -26,6 +26,43 @@ def estimate_days_behind(release_date):
     return (datetime.today().date() - datetime.strptime(release_date, "%Y-%m-%d").date()).days
 
 
+def check_if_update_allowed(package_name, latest_version, grace_period_days=5):
+    """
+    Check if enough time has passed since the latest version was released.
+    Returns True if grace_period_days have passed, False otherwise.
+    This implements zero-day protection by waiting before flagging updates.
+    """
+    url = f"{PIP_INDEX_URL}/{package_name}/json"
+    response = requests.get(url)
+    
+    if response.status_code != 200:
+        print(f"[{package_name}] Package not found on PyPI.")
+        return False
+        
+    data = response.json()
+    releases = data["releases"].get(latest_version)
+    
+    if not releases:
+        print(f"[{package_name}] No release info found for version {latest_version}.")
+        return False
+        
+    # Get the upload time from the first file in the release
+    upload_time_str = releases[0]["upload_time_iso_8601"]
+    
+    # Parse the date and compare with current time
+    upload_time = datetime.fromisoformat(upload_time_str.replace("Z", "+00:00"))
+    now = datetime.now(timezone.utc)
+    
+    age = now - upload_time
+    
+    if age.days >= grace_period_days:
+        print(f"[{package_name}] Version {latest_version} released {age.days} days ago. UPDATE APPROVED.")
+        return True
+    else:
+        print(f"[{package_name}] Version {latest_version} only {age.days} days old. WAITING for zero-day protection.")
+        return False
+
+
 def get_upstream_version(dependency, last_supported_version):
     """Get the latest version available upstream"""
     last_supported_version_release_date = "Not found"
@@ -129,16 +166,23 @@ def get_last_supported_version(tekton_ci_output, dependency):
 
 
 def is_up_to_date(
-    last_supported_version, latest_version, last_supported_version_release_date
+    package_name, last_supported_version, latest_version, last_supported_version_release_date
 ):
-    """Check if the supported package is up-to-date"""
+    """Check if the supported package is up-to-date, considering grace period for zero-day protection"""
     if Version(last_supported_version) >= Version(latest_version):
         up_to_date = "Yes"
         days_behind = 0
     else:
-        up_to_date = "No"
-        days_behind = estimate_days_behind(last_supported_version_release_date)
-
+        # Check if grace period has passed for the latest version
+        # This protects against zero-day vulnerabilities by waiting 5 days
+        if check_if_update_allowed(package_name, latest_version):
+            up_to_date = "No"
+            days_behind = estimate_days_behind(last_supported_version_release_date)
+        else:
+            # Grace period not elapsed - treat as up-to-date for now
+            up_to_date = "Yes (Grace Period)"
+            days_behind = 0
+    
     return up_to_date, days_behind
 
 def taskrun_filter(taskrun):
@@ -264,7 +308,7 @@ def main():
         )
 
         up_to_date, days_behind = is_up_to_date(
-            last_supported_version, latest_version, last_supported_version_release_date
+            package, last_supported_version, latest_version, last_supported_version_release_date
         )
 
         item.update(
