setup & extract commands rework #23

Open
fgyanz opened this issue Sep 27, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@fgyanz
Collaborator

fgyanz commented Sep 27, 2024

Hi team!

The current version of klp-build is stable and reliable enough for us to start thinking of integrating it into our CI; hence automating certain parts of the livepatch creation cycle.

A most needed one is bugzilla integration, which would be a major improvement in our workflow. For every bug meant to be livepatched, klp-build would be run automatically against them and report whether we are affected or not. However, for this to work we need to slightly rework the setup commands.

setup

In order to automate the step of "finding vulnerable codestreams" I believe we need to simplify this command. Currently, the setup does:

  • Finding vulnerable codestreams
  • Downloading the vulnerable codestreams
  • Analyzing the binaries of the vulnerable codestreams

Each of these phases is quite complex, thus requiring many cmdline arguments, which have to be passed in the setup.
E.g.:

klp-build setup --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs \
    sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5' --archs x86_64 ppc64le

A possible solution could be to separate each step into its own command:

  • scan: Finding vulnerable codestreams
    klp-build scan --name bsc1197597 --cve 2022-1048
  • update: Download all/specified codestreams
    klp-build update --filter "15.5u28"
  • "Analyzing the binaries of the vulnerable codestreams" could be added to the extract command.

extract

If we decide to go this route, it might be a good time to also rename this command to something more appropriate.
Possible options are:

  • create
  • make
  • build

TL;DR Rework the commands so that they look something like this:

# Find vulnerable codestreams
$ klp-build scan --name bsc1197597 --cve 2022-1048

# Download all/specified codestreams
$ klp-build update --filter "15.5u28"

# Create the livepatch
$ klp-build create --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs \
    sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5' --archs x86_64 ppc64le \
    --type ccp --workers 16

What do you think? Any better ideas?

Thanks

@fgyanz fgyanz added the enhancement New feature or request label Sep 27, 2024
@marcosps
Collaborator

About the scan subcommand, I think that it should be doing both, checking the vulnerable branches and checking the individual codestreams, but for it to work it needs to also download the missing codestreams data.

We could maybe have only scan and create:

scan being the process that would only check the codestreams/branches, download the fixes, and create the codestreams.json file.

create would then first check if there is already a codestreams.json, and if not it will first run the scan process. After that it will do the checks that we already do as part of the setup, and then later execute the extract part.

I liked the create name, since I wasn't able to find another good verb for the subcommand other than build and do :)

@marcosps
Collaborator

I'll start by decoupling some functions from Config and Setup classes, so we can start using them in different classes as needed.

@marcosps
Collaborator

marcosps commented Oct 7, 2024

The tests code was changed, now I'm planning to start decoupling everything from Config, so it would be much better to create the scan subcommand after that!

@fgyanz
Collaborator Author

fgyanz commented Dec 3, 2024

Hi @marcosps! The scan subcommand has been successfully merged in 2adbead and works great. The next step would be to combine setup and extract, but that's less important. What do you think we should do with this issue? Do we keep it open until someone implements the create command?

@marcosps
Collaborator

marcosps commented Dec 3, 2024

I think so, this would be great after we finally deal with the more annoying issues, like the multiple LPs support.
