test commit

Signed-off-by: Piyush Jena <[email protected]>

Author: piyush-jena

.github/workflows/check-advisories.yaml

@@ -0,0 +1,164 @@
+name: RPM Advisory Build & Verify
+
+on:
+  push:
+    paths:
+      - 'advisories/**/BRSA-*.toml'
+  pull_request:
+    paths:
+      - 'advisories/**/BRSA-*.toml'
+
+jobs:
+  find-changes:
+    name: Find Changed Advisories
+    runs-on: ubuntu-latest
+    outputs:
+      changed_files: ${{ steps.changed-files.outputs.all_changed_files || '[]' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v47
+        with:
+          json: true
+          escape_json: false
+          files_ignore_deleted_files: true
+          files: |
+            advisories/staging/**.toml
+      - name: List all changed advisories files
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: |
+          for file in ${ALL_CHANGED_FILES}; do
+            echo "$file was changed"
+          done
+  build-and-verify:
+    name: Build & Verify
+    needs: find-changes
+    runs-on: ubuntu-latest
+
+    # Only run this job if the 'find-changes' job actually found files
+    if: needs.find-changes.outputs.changed_files != '[]'
+    strategy:
+      fail-fast: false # Don't cancel all jobs if one file fails
+      matrix:
+        advisory_file: ${{ fromJson(needs.find-changes.outputs.changed_files) }}
+    steps:
+      - name: Install yq (for parsing TOML)
+        run: |
+          echo "Installing yq..."
+          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+          sudo chmod +x /usr/bin/yq
+          yq --version
+      - run: sudo apt -y install rpm jq build-essential openssl libssl-dev pkg-config liblz4-tool
+        shell: bash
+      - run: cargo install cargo-make
+        shell: bash
+      # This installs twoliter.
+      - run: make prep
+      # This fetches any external kit dependencies.
+      - run: make fetch
+      # This fetches Rust crate and Go module dependencies.
+      - run: make twoliter fetch
+      # This builds the current packages and kits.
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Build, Find, and Verify RPMs
+        run: |
+          #!/usr/bin/env bash
+
+          version=$(yq -o tsv '.release-version' Twoliter.toml)
+          echo "Processing advisory: ${{ matrix.advisory_file }}"
+          if [[ ! -f "${{ matrix.advisory_file }}" ]]; then
+            echo "::warning::File ${{ matrix.advisory_file }} does not exist. Skipping."
+            exit 0
+          fi
+
+          errors_found=false
+          while IFS=$'\t' read -r package_name package_version package_epoch; do
+              spec_file="packages/${package_name}/${package_name}.spec"
+              if [[ -f "${spec_file}" ]]; then
+                  actual_epoch=$(grep -E "^Epoch:" "${spec_file}" | sed 's/Epoch:[[:space:]]*//' || echo "0")
+                  [[ -z "${actual_epoch}" ]] && actual_epoch="0"
+              fi
+
+              echo "Package Name:     ${package_name}"
+              echo "Package Version : ${package_version}"
+              echo "Package Epoch:    ${package_epoch}"
+
+              PACKAGE="${package_name}" make twoliter build-package
+
+              RPM_DIR="build/rpms/$pkg_name"
+              if [ ! -d "$RPM_DIR" ]; then
+                echo "::error::RPM directory $RPM_DIR not found after build."
+                exit 1
+              fi
+
+              # Check that at least one RPM was produced
+              RPM_COUNT=$(find "$RPM_DIR" -name "*.rpm" | wc -l)
+              if [ "$RPM_COUNT" -eq 0 ]; then
+                echo "::error::No RPM files found in $RPM_DIR for package $pkg_name"
+                exit 1
+              fi
+
+              echo "Found $RPM_COUNT RPM(s) in $RPM_DIR. Verifying all..."
+
+              find "$RPM_DIR" -name "*.rpm" -print0 | while IFS= read -r -d '' RPM_FILE; do
+
+                echo "--- Verifying RPM: $RPM_FILE ---"
+
+                # --- 4. Extract info from the RPM file ---
+                # Use rpm --queryformat to get the exact fields
+                # %{EPOCH} returns "(none)" if not set, so we must handle that.
+                RPM_EPOCH_RAW=$(rpm -q --queryformat '%{EPOCH}' -p "$RPM_FILE")
+                RPM_VERSION=$(rpm -q --queryformat '%{VERSION}' -p "$RPM_FILE")
+
+                # Default epoch to 0 if it's not set in the RPM
+                RPM_EPOCH=0
+                if [ "$RPM_EPOCH_RAW" != "(none)" ] && [ -n "$RPM_EPOCH_RAW" ]; then
+                  RPM_EPOCH="$RPM_EPOCH_RAW"
+                fi
+
+                echo "  Found RPM Version: $RPM_VERSION"
+                echo "  Found RPM Epoch:   $RPM_EPOCH"
+
+                # --- 5. Compare RPM info to advisory info ---
+                # Check 1: Epoch
+                if [ "$RPM_EPOCH" != "${package_epoch}" ]; then
+                  echo "::error::Epoch mismatch for $RPM_FILE!"
+                  echo "  Advisory requires epoch: ${package_epoch}"
+                  echo "  Built RPM has epoch:   $RPM_EPOCH"
+                  exit 1
+                fi
+
+                # Check 2: Version
+                if [ "$RPM_VERSION" != "${package_version}" ]; then
+                  echo "::error::Version mismatch for $RPM_FILE!"
+                  echo "  Advisory requires version: ${package_version}"
+                  echo "  Built RPM has version:   $RPM_VERSION"
+                  exit 1
+                fi
+
+                echo "  SUCCESS: RPM $RPM_FILE matches advisory."
+
+              done # End of RPMs loop
+
+              echo "All $RPM_COUNT RPM(s) for $pkg_name verified successfully."
+              echo
+
+              if [ ${package_epoch} -ne ${actual_epoch} ]; then
+                  echo "ERROR in ${file}: Package ${package_name} has epoch ${package_epoch}, should be ${actual_epoch}"
+                  errors_found=true
+              fi
+          done < <(yq -o tsv '.advisory.products[] | [ .["package-name"], .["patched-version"], .["patched-epoch"] ]' ${{ matrix.advisory_file }})
+
+          if ${errors_found}; then
+              echo "Advisory validation FAILED!"
+              exit 1
+          else
+              echo "Advisory validation PASSED!"
+          fi

.github/workflows/validate-brsa.yml

@@ -0,0 +1,21 @@
+name: Validate Epoch field in BRSA
+on:
+  pull_request:
+    branches: [develop]
+    paths:
+      # Bottlerocket Security Advisories
+      - 'advisories/**'
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # Install dependencies for twoliter and cargo-make.
+      - name: Install yq (for parsing TOML)
+        run: |
+          echo "Installing yq..."
+          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+          sudo chmod +x /usr/bin/yq
+          yq --version
+      - run: ./tools/check-advisories
+

.github/workflows/verify-signature.yml

@@ -0,0 +1,21 @@
+name: Enforce Signed Commits
+
+on:
+  pull_request:
+    branches: [develop]
+
+jobs:
+  check_signed_commits:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Verify all commits in push are signed
+        run: |
+          git log ${{ github.event.before }}..${{ github.sha }} --pretty="%H %G?" --no-merges | while read commit_hash signature_status; do
+            if [ "$signature_status" != "U" ]; then
+              echo "Error: Unsigned commit found: $commit_hash"
+              exit 1
+            fi
+          done

advisories/staging/BRSA-mavhpoajhdy8.toml

@@ -0,0 +1,28 @@
+[advisory]
+id = "BRSA-mavhpoajhdy8"
+title = "containerd CVE-2024-25621"
+cve = "CVE-2024-25621"
+severity = "moderate"
+description = """
+An overly broad default permission vulnerability was found in containerd. Directory paths /var/lib/containerd, /run/containerd/io.containerd.grpc.v1.cri and /run/containerd/io.containerd.sandbox.controller.v1.shim were all created with incorrect permissions."""
+
+[[advisory.products]]
+package-name = "containerd-1.7"
+patched-version = "1.7.29"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "containerd-2.0"
+patched-version = "2.0.7"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "containerd-2.1"
+patched-version = "2.1.5"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kssessio"
+issue-date = 2025-11-13T15:40:31Z
+arches = ["x86_64", "aarch64"]
+version = "11.0.0"

advisories/staging/BRSA-s6xothqqu5vw.toml

@@ -0,0 +1,27 @@
+[advisory]
+id = "BRSA-s6xothqqu5vw"
+title = "containerd CVE-2025-64329"
+cve = "CVE-2025-64329"
+severity = "moderate"
+description = "A bug was found in containerd's CRI Attach implementation that causes goroutine leaks. Repetitive calls to CRI Attach can exhaust memory on the host."
+
+[[advisory.products]]
+package-name = "containerd-1.7"
+patched-version = "1.7.29"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "containerd-2.0"
+patched-version = "2.0.7"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "containerd-2.1"
+patched-version = "2.1.5"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kssessio"
+issue-date = 2025-11-13T15:40:31Z
+arches = ["x86_64", "aarch64"]
+version = "11.0.0"

tools/check-advisories

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+yq --version
+version=$(yq -o tsv '.release-version' Twoliter.toml)
+readarray -t files < <(find advisories/${version} advisories/staging -name "BRSA-*.toml")
+
+errors_found=false
+for file in "${files[@]}"; do
+    while IFS=$'\t' read -r package_name package_version package_epoch; do
+        spec_file="packages/${package_name}/${package_name}.spec"
+        if [[ -f "${spec_file}" ]]; then
+            actual_epoch=$(grep -E "^Epoch:" "${spec_file}" | sed 's/Epoch:[[:space:]]*//' || echo "0")
+            [[ -z "${actual_epoch}" ]] && actual_epoch="0"
+        fi
+
+        echo "Package Name:     ${package_name}"
+        echo "Package Version : ${package_version}"
+        echo "Package Epoch:    ${package_epoch}"
+
+        if [ ${package_epoch} -ne ${actual_epoch} ]; then
+            echo "ERROR in ${file}: Package ${package_name} has epoch ${package_epoch}, should be ${actual_epoch}"
+            errors_found=true
+        fi
+    done < <(yq -o tsv '.advisory.products[] | [ .["package-name"], .["patched-version"], .["patched-epoch"] ]' ${file})
+done
+
+if ${errors_found}; then
+    echo "Advisory validation FAILED!"
+    exit 1
+else
+    echo "Advisory validation PASSED!"
+fi