shiftstack
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cve-jira-processing/README.md‎
Lines changed: 386 additions & 0 deletions b/‎cve-jira-processing/README.md‎
Lines changed: 386 additions & 0 deletions
@@ -6,3 +6,5 @@
 
 # ignore cloud credentials
 /bot/cloud-credentials.json
+
+__pycache__/
@@ -0,0 +1,386 @@
+# CVE Jira Processing
+
+Tools for processing CVE Vulnerability issues in Jira. Queries Jira for unprocessed CVEs, creates tracking structures, and establishes dependency chains across versions.
+
+The script is **idempotent** - it can be run multiple times safely without creating duplicate issues.
+
+## Setup
+
+1. Install dependencies:
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+2. Set environment variables:
+   ```bash
+   export JIRA_API_TOKEN="your-api-token"
+   export JIRA_SERVER="https://issues.redhat.com"  # optional, this is the default
+   ```
+
+## Scripts
+
+| Script | Description |
+|--------|-------------|
+| `dup_cve.py` | Main script for CVE processing |
+| `manage_task_cves.py` | Manage CVEs linked to a task (update fields, close, set release notes) |
+| `inspect_issues.py` | Inspect issues - show status and links |
+| `reset_cves.py` | Remove processed labels to allow reprocessing |
+
+## Usage
+
+### dup_cve.py - Main Processing Script
+
+```bash
+# Dry run - see what would be done without making changes
+python dup_cve.py --dry-run
+
+# Process CVEs for real
+python dup_cve.py
+
+# Process only a specific CVE
+python dup_cve.py --cve CVE-2024-1234
+
+# Verbose output for debugging
+python dup_cve.py --dry-run -v
+
+# Use a custom config file
+python dup_cve.py --config /path/to/config.yaml
+```
+
+### inspect_issues.py - Inspect Issues
+
+```bash
+# Inspect specific issues
+python inspect_issues.py OCPBUGS-12345 OSASINFRA-67890
+
+# Inspect issues from a file
+python inspect_issues.py -f issues.txt
+
+# Combine both
+python inspect_issues.py OCPBUGS-12345 -f more_issues.txt
+```
+
+### manage_task_cves.py - Manage CVEs Linked to a Task
+
+```bash
+# See what CVEs are linked to a task
+python manage_task_cves.py OSASINFRA-12345 --dry-run
+
+# Close all linked CVEs with defaults (status=Closed, resolution=Done)
+python manage_task_cves.py OSASINFRA-12345
+
+# Transition to a different status
+python manage_task_cves.py OSASINFRA-12345 --status ON_QA
+
+# Close with custom comment and resolution
+python manage_task_cves.py OSASINFRA-12345 --comment "Fixed in OCPBUGS-99999" --resolution "Fixed"
+
+# Set release note fields when closing (using defaults: type=CVE, status=Proposed)
+python manage_task_cves.py OSASINFRA-12345 \
+  --release-note-text "This CVE was addressed upstream." \
+  --release-note-type \
+  --release-note-status
+
+# Set release note fields with custom values
+python manage_task_cves.py OSASINFRA-12345 \
+  --release-note-text "This CVE was addressed upstream." \
+  --release-note-type "Bug Fix" \
+  --release-note-status "Done"
+
+# Update release notes without transitioning (no status change)
+python manage_task_cves.py OSASINFRA-12345 --no-transition \
+  --release-note-text "This CVE was addressed upstream." \
+  --release-note-type \
+  --release-note-status
+
+# Add a patch link to CVEs
+python manage_task_cves.py OSASINFRA-12345 \
+  --patch-url "https://github.com/org/repo/pull/123" \
+  --patch-title "Fix for CVE-2024-1234"
+
+# Transition CVEs to POST and task to POST
+python manage_task_cves.py OSASINFRA-12345 --status POST --task-status POST
+
+# Close CVEs and the parent task
+python manage_task_cves.py OSASINFRA-12345 --close-task
+
+# Close CVEs and task with patch link on both
+python manage_task_cves.py OSASINFRA-12345 --close-task \
+  --patch-url "https://github.com/org/repo/pull/123"
+
+# Close task with custom resolution
+python manage_task_cves.py OSASINFRA-12345 \
+  --task-status Closed --task-resolution "Won't Fix"
+```
+
+### reset_cves.py - Reset Processed Labels
+
+```bash
+# Dry run - see what would be reset
+python reset_cves.py --dry-run
+
+# Actually remove labels
+python reset_cves.py
+
+# Reset only a specific CVE
+python reset_cves.py --cve CVE-2024-1234
+
+# Reset issues from a file
+python reset_cves.py -f issues.txt
+
+# Also remove dependency and duplicate links
+python reset_cves.py -f issues.txt --remove-links
+
+# Transition issues back to ASSIGNED status
+python reset_cves.py -f issues.txt --reassign
+
+# Full reset: remove label, links, and reassign
+python reset_cves.py -f issues.txt --remove-links --reassign
+```
+
+## Processing Flow
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 1. Query unprocessed CVEs                                   │
+│    - Status: New or Assigned                                │
+│    - No processed label                                     │
+│    - Matching configured downstream components              │
+└─────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────┐
+│ 2. Group by {component}:{cve_id}                            │
+└─────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────┐
+│ 3. For each CVE group:                                      │
+│    a. Find/create Epic in OSASINFRA                         │
+│    b. Query ALL CVEs for this CVE ID (version detection)    │
+│    c. Calculate range: min(CVE versions) → max(available)   │
+└─────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────┐
+│ 4. For each version in range:                               │
+│    ├─ Create Task in OSASINFRA (with Epic Link)             │
+│    ├─ If CVEs exist:                                        │
+│    │   ├─ Link Task to CVEs (is caused by)                  │
+│    │   ├─ Set Target Backport Versions = Affects Version/s  │
+│    │   └─ Add processed label to all CVEs                   │
+│    └─ If NO CVEs:                                           │
+│        ├─ Create ON_QA Bug in OCPBUGS                       │
+│        └─ Link Task → is related to → Bug                   │
+└─────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────┐
+│ 5. Create dependency chain (older depends on newer):        │
+│    4.12 → depends on → 4.13 → depends on → 4.14             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## JQL Queries Used
+
+### 1. Initial Query - Find Unprocessed CVEs
+
+```sql
+project = OCPBUGS AND type = Vulnerability
+AND ("Downstream Component Name" ~ "comp1" OR "Downstream Component Name" ~ "comp2" ...)
+AND labels != "{cve_processed_label}"
+AND status IN (New, Assigned)
+AND "CVE ID" ~ "{cve_filter}"  -- only if --cve flag provided
+```
+
+### 2. Secondary Query - Find All Related CVEs
+
+```sql
+project = OCPBUGS AND type = Vulnerability
+AND "CVE ID" ~ "{cve_id}"
+AND ("Downstream Component Name" ~ "comp1" OR ...)
+AND (status != Closed OR resolution IN (Duplicate, "Won't Do", "Not a Bug"))
+```
+
+### 3. Find Existing Epic
+
+```sql
+project = OSASINFRA AND type = Epic
+AND summary ~ "\"{cve_id} - {component}\""
+```
+
+### 4. Find Existing Task
+
+```sql
+project = OSASINFRA AND type = Task
+AND summary ~ "\"{cve_id} - {component} - {version}\""
+```
+
+### 5. Find Existing Bug
+
+```sql
+project = OCPBUGS AND type = Bug
+AND summary ~ "\"{cve_id} - {component} - {version}\""
+```
+
+## Issue Structure Created
+
+```
+OSASINFRA:
+├── Epic: CVE-2024-1234 - openstack-cinder
+│   ├── Task: CVE-2024-1234 - openstack-cinder - 4.12 (Epic Link)
+│   │   └── is caused by: CVE (Vulnerability) for 4.12
+│   ├── Task: CVE-2024-1234 - openstack-cinder - 4.13 (Epic Link)
+│   │   └── is caused by: CVE (Vulnerability) for 4.13
+│   ├── Task: CVE-2024-1234 - openstack-cinder - 4.14 (Epic Link)
+│   │   └── is related to: ON_QA Bug (no CVE reported)
+│   └── Task: CVE-2024-1234 - openstack-cinder - 4.15 (Epic Link)
+│       └── is related to: ON_QA Bug (no CVE reported)
+
+OCPBUGS (only created where no CVE exists):
+├── Bug: CVE-2024-1234 - openstack-cinder - 4.14 (ON_QA)
+└── Bug: CVE-2024-1234 - openstack-cinder - 4.15 (ON_QA)
+
+Dependency Chain (older depends on newer):
+CVE-4.12 → depends on → CVE-4.13 → depends on → Bug-4.14 → depends on → Bug-4.15
+```
+
+## Link Types Used
+
+| Source | Link Type | Target | Description |
+|--------|-----------|--------|-------------|
+| Task | Epic Link (field) | Epic | Tasks belong to the Epic |
+| Task | is related to | Bug (ON_QA) | Task linked to created bug |
+| Task | is caused by | CVE | Task is caused by the CVE |
+| Older issue | depends on | Newer issue | Dependency chain |
+
+## Fields Set on Created Issues
+
+### Epics (in OSASINFRA)
+
+| Field | Value |
+|-------|-------|
+| Project | OSASINFRA |
+| Issue Type | Epic |
+| Summary | `{CVE ID} - {component}` |
+| Epic Name | `{CVE ID} - {component}` |
+| Security Level | Red Hat Employee |
+| Assignee | User running the script |
+| Description | `Grouping epic for bugs related to {CVE ID} - {component}` |
+
+### Tasks (in OSASINFRA)
+
+| Field | Value |
+|-------|-------|
+| Project | OSASINFRA |
+| Issue Type | Task |
+| Summary | `{CVE ID} - {component} - {version}` |
+| Security Level | Red Hat Employee |
+| Assignee | User running the script |
+| Epic Link | Link to parent Epic |
+
+### ON_QA Bugs (in OCPBUGS)
+
+| Field | Value |
+|-------|-------|
+| Project | OCPBUGS |
+| Issue Type | Bug |
+| Summary | `{CVE ID} - {component} - {version}` |
+| Component/s | Inherited from source CVE issues |
+| Target Version | `{version}.z` (e.g., 4.14.z) |
+| Security Level | Red Hat Employee |
+| Assignee | User running the script |
+| Status | Transitioned to ON_QA |
+
+## Version Range Logic
+
+- **Minimum version**: Lowest version with a reported CVE
+- **Maximum version**: Latest available target version in Jira
+- All versions in between get a Task in OSASINFRA
+- Versions without a CVE get an ON_QA Bug in OCPBUGS for QA verification
+
+## Idempotency
+
+The script can be run multiple times safely:
+
+- **Existing Epics** are reused (searched by summary)
+- **Existing Tasks** are reused (searched by summary)
+- **Existing Bugs** are reused (searched by summary)
+- **Already-processed CVEs** are identified by the processed label and skipped
+
+## Files
+
+| File | Description |
+|------|-------------|
+| `dup_cve.py` | Main script for CVE processing |
+| `manage_task_cves.py` | Utility to manage CVEs linked to a task |
+| `inspect_issues.py` | Utility to inspect issue status and links |
+| `reset_cves.py` | Utility to remove processed labels |
+| `lib/jira_client.py` | Jira API client wrapper |
+| `lib/jira_formatter.py` | Field formatting utilities for Jira API requests |
+| `config.yaml` | Configuration file (component mappings, labels) |
+
+## Configuration
+
+The `config.yaml` file contains:
+
+- **cve_processed_label**: Label applied to processed CVE issues
+- **repo_to_component**: Mapping of downstream repository names to component names
+
+The script queries for Vulnerabilities matching the downstream components defined in `repo_to_component`.
+
+To add support for new components, add entries to the `repo_to_component` section:
+
+```yaml
+repo_to_component:
+  openshift4/ose-new-component-rhel9: openshift/new-component
+```
+
+## Example Output
+
+```
+2025-01-15 10:30:00 - Loaded config from config.yaml
+2025-01-15 10:30:00 - Configured components: ['openshift4/ose-cloud-provider-openstack-rhel9', ...]
+2025-01-15 10:30:01 - Found 50 numeric target versions
+2025-01-15 10:30:01 - Querying Jira for Vulnerabilities...
+2025-01-15 10:30:05 - Found 7 unprocessed Vulnerabilities
+2025-01-15 10:30:05 - Found 2 CVE groups
+
+2025-01-15 10:30:05 - Processing CVE group: openstack-cinder:CVE-2024-1234
+2025-01-15 10:30:05 -   CVE: CVE-2024-1234, Component: openstack-cinder
+2025-01-15 10:30:05 -   Found CVEs in versions: ['4.12', '4.13']
+2025-01-15 10:30:05 -   Processing versions: ['4.12', '4.13', '4.14', '4.15', '4.16']
+2025-01-15 10:30:06 -   Created Epic: OSASINFRA-99999
+2025-01-15 10:30:07 -   Version 4.12:
+2025-01-15 10:30:07 -     Created task: OSASINFRA-100000
+2025-01-15 10:30:07 -     2 CVEs (1 new)
+2025-01-15 10:30:07 -     OCPBUGS-11111 (already processed)
+2025-01-15 10:30:08 -     Linked: OCPBUGS-22222
+2025-01-15 10:30:09 -   Version 4.13:
+2025-01-15 10:30:09 -     Created task: OSASINFRA-100001
+2025-01-15 10:30:09 -     1 CVEs (1 new)
+2025-01-15 10:30:09 -     Linked: OCPBUGS-33333
+2025-01-15 10:30:10 -   Version 4.14:
+2025-01-15 10:30:10 -     Created task: OSASINFRA-100002
+2025-01-15 10:30:10 -     No CVEs, creating ON_QA bug
+2025-01-15 10:30:11 -     Created bug: OCPBUGS-100003
+2025-01-15 10:30:11 -     Transitioned OCPBUGS-100003 to ON_QA
+...
+
+======================================================================
+  SUMMARY (DRY RUN - no changes made)
+======================================================================
+
+  TOTALS
+  ----------------------------------------
+  Epics:        2 (1 existing, 1 to create)
+  Tasks:       10 (3 existing, 7 to create)
+  Bugs:         6 (0 existing, 6 to create)
+  CVEs:         5 to link
+
+  DETAILS BY CVE GROUP
+  ----------------------------------------
+  [CVE-2024-1234] openstack-cinder
+    Epic: OSASINFRA-99999
+    Tasks (5): OSASINFRA-100000, OSASINFRA-100001, ... OSASINFRA-100004
+    Bugs (3): OCPBUGS-100003, OCPBUGS-100004, OCPBUGS-100005
+    CVEs (2): OCPBUGS-11111, OCPBUGS-22222
+
+======================================================================
+```