Update CvesIssue#cve_id to use labels
What does this MR do and why?
In !2654 (merged), we added a method to fetch the CVE ID from CVES issue comments. After asking AppSec and Vulnerability Research, I learned that a more reliable way to fetch the ID is by using the cve::... label. This MR updates the cve_id method to use the label rather than searching the comments. So it effectively reverts !2654 (merged) and implements the new logic.
Related to gitlab-com/gl-infra/delivery#19665 (closed)
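For readers who are not familiar with scoped labels, the following is an added illustration of the approach this MR describes: reading the CVE ID from a cve:: scoped label instead of from comments. It is example code written for this page, not code from gitlab-org/release-tools; the prefix constant, the CVE ID regex, the error class and the sample issue payloads are all assumptions.

```ruby
# Added example, not code from gitlab-org/release-tools: given the label names
# on a GitLab issue, return the CVE identifier carried by a scoped "cve::" label.
# The scope prefix, the ID pattern and the sample issues below are assumptions
# made for illustration.

CVE_LABEL_SCOPE = 'cve::'.freeze
# A CVE ID is "CVE-" + four-digit year + "-" + at least four digits. The text
# after the scope prefix is validated because a label can carry anything.
CVE_ID_PATTERN = /\ACVE-\d{4}-\d{4,}\z/

class AmbiguousCveLabelError < StandardError; end

# labels: Array of label name strings as returned by the GitLab issues API.
# Returns the normalised CVE ID (e.g. "CVE-2024-12345"), or nil when the issue
# carries no well-formed cve:: label.
def cve_id_from_labels(labels)
  ids = Array(labels).filter_map do |label|
    # Match the scope case-insensitively: "cve::" and "CVE::" mean the same scope.
    next unless label.downcase.start_with?(CVE_LABEL_SCOPE)

    value = label[CVE_LABEL_SCOPE.length..].strip.upcase
    value if value.match?(CVE_ID_PATTERN)
  end

  # GitLab keeps only one label per scope on an issue, but the API payload is
  # input this tool does not control, so two differing IDs are an error rather
  # than something to pick from silently.
  raise AmbiguousCveLabelError, "multiple cve:: labels: #{ids.uniq.join(', ')}" if ids.uniq.size > 1

  ids.first
end

# Constructed sample issues in the shape of the GitLab issues API response.
SAMPLE_ISSUES = [
  { 'iid' => 1, 'labels' => ['security', 'cve::CVE-2024-12345'] },
  { 'iid' => 2, 'labels' => ['security', 'CVE::cve-2024-00001'] }, # different casing
  { 'iid' => 3, 'labels' => ['security', 'cve::pending'] },        # scope present, no ID yet
  { 'iid' => 4, 'labels' => ['security'] }                         # no cve:: label at all
].freeze

# Map issue iid => CVE ID (or nil) for a batch of issues.
def cve_ids_for(issues)
  issues.to_h { |issue| [issue['iid'], cve_id_from_labels(issue['labels'])] }
end

if __FILE__ == $PROGRAM_NAME
  cve_ids_for(SAMPLE_ISSUES).each { |iid, id| puts "issue ##{iid}: #{id.inspect}" }
end
```

The label lookup is deterministic where a comment search is not: a comment can mention several CVE numbers, or none, in free text, while a scoped label yields at most one value per scope. Returning nil for a scope value that is not a well-formed ID (such as a placeholder) lets the caller distinguish "no CVE assigned yet" from a parse error.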
Testing
I was able to test this locally but removed all identifying IDs from this example:
~/workspace/gitlab-org/release-tools (delivery19665-cve-id-take2 ✔) RELEASE_BOT_PRODUCTION_TOKEN=REDACTED be pry --gem
[1] pry(main)> cve_project_id = 12345
[2] pry(main)> issue = ReleaseTools::GitlabClient.issues(cve_project_id).second
=> #<Gitlab::ObjectifiedHash...
[3] pry(main)> cve_issue = ReleaseTools::Security::CvesIssue.new(issue)
=> #<ReleaseTools::Security::CvesIssue:....
[4] pry(main)> cve_issue.cve_id
=> "CVE-1234-1234"
Content
- Update CvesIssue#cve_id to use labels
Updates CvesIssue#cve_id to use the scoped CVE:: label rather than comments when finding the cve_id.
Author Check-list
- [-] Has documentation been updated?
Edited by Steve Abrams