Introduction

When issues are found in software (being them security or not), it is not always trivial to find and keep track of all products and versions that could potentially be affected by them. This is even more difficult when one is not familiar with the code base at hand and could lead to mistakes in the assessment. Some time ago, there was a project proposed (named PaSe) that aimed at using text search to find places where patches are or can be applied.

Project Description

This hackweek project uses PaSe as a base for expanding on the scope to allow for a more automated code assessment. The ideas:

• Periodically index all sources from a given product
• Monitor an input stream of changes (patches added to packages of a given project, for example)
• Report other places where there is a match for the code (either applied or not applied)
• Validate if matching patches can really be applied

Goals for this Hackweek

• Define and implement code to generate the pool of sources to be indexed
• If not yet done, containerize PaSe to make it easier to deploy
• Define and implement a feed of changes we want to scan (factory changes, bugzilla patches, etc…)
• Implement a service to consume the feed of changes and report results
• Implement a dashboard of results
• Expand the service to try to apply the patch (in dry mode or in a sandbox copy of the sources)

Summary of achievements

We had ambitious goals, much more than we could implement in a week, here is what we managed to actually deliver:

• PaSe containerization
• Use codemirror in PaSe's frontend
• Source repository fetcher for openSUSE repos
• Initial implementation of a Patch Store
• Handle repositories with duplicated packages correctly
• Initial implementation of a Bugzilla Patch Crawler

As such, the project is incomplete (it's really only a start), but we (@gboiko and @otilloy) intend to continue it after Hack Week, as time permits.