Active development on this repository has stopped. Feel free to reach out if you're interested in reactivating it.
This tool shall help identify commits in current source tree that are
- available remote on the same branch
- available in the parent branch
and are likely to contain bugfixes.
When you're using a 3rd party components in your project it's hard to balance between keeping it safe and tested against keeping in touch with upstream/mainline, especially when you have to decide if the code is as safe as possible.
Most would rely here on CVE-notifications for the used component and the corresponding version.
I was watching the 2019's keynote of Greg Kroah-Hartman at Embedded Linux Conference Europe in Lyon where he said, that most issues don't even get a CVE entry anymore, they will just be fixed with a commit in upstream (at least for the kernel).
This is somehow hard to maintain, as mostly you simply don't want to change the feature-set (as this has been tested and approved) but need the bug- and issue-fixes from that project.
That is where this tool comes into play - It performs automatic checks if there are upstream fixes available - and if so, if they only contain fixes and NOT features.
Ensurecvs, helps you to ensure and you're using the best of the used content versioning system
- It extracts the currently used commit from the local repository clone
- this can be overridden by specifying
--srcrev
or--srctag
in command line
- this can be overridden by specifying
- It extracts the currently used branch from the local repository clone
- this can be overridden by specifying
--srcbranch
in command line
- this can be overridden by specifying
- It gets all remote available commits in current branch
- It gets all commits made to 'master' since current branch has been branched off (an alternative branch to 'master' can be specified by using
--upstream
in command line)- it filters all commits out, that might have been cherry-picked in current branch
- all the remaining commits are classified regarding their commit message
- commits that are classified to be likely bugfixes are presented at the console (STDOUT)
usage: ensurecsv [-h] [--srcbranch SRCBRANCH]
[--srcrev SRCREV | --srctag SRCTAG] [--upstream UPSTREAM]
localdir
Ensure that you're using the most secure source code
positional arguments:
localdir Path to local repo
optional arguments:
-h, --help show this help message and exit
--srcbranch SRCBRANCH
Use explicitly given branch
--srcrev SRCREV Use explicitly given source revision
--srctag SRCTAG Use explicitly given tag
--upstream UPSTREAM Use explicitly given branch as upstream
simply run
pip3 install ensurecvs
- git clone this repository
- cd to <clone folder>/ensurecvs
- Install the needed requirements by running
pip3 install -r requirements.txt
- run
python3 setup.py build install
(possibly 'sudo' is needed)
The tool will return
[branch] commit <commit hash>:'<commit message>' is likely to contain bugfixes
e.g.
[master] commit 173dfc1c07c9fa901a91adbc9bf8fd41961b9837:'Fix compile issue with python-astor' is likely to contain bugfixes
that means that commit 173dfc1c07c9fa901a91adbc9bf8fd41961b9837 currently to be found in branch master is likely to contain a bugfix that isn't yet used in the currently selected branch
Currently only git-repositories are supported
If you have interest in one or more of the following topics, feel free to get in contact with me
- better commit classification (maybe with something like this here)
- better documentation
- changeset code analysis for better commit classification
- check on out-of-tree patches in local code
- compare the changeset diff for cherry-pick analysis
- streamline code
- svn-repository support
Feel free to add issues or pull requests