Add resolved-in-version override for CVE-2025-63389 on Ollama #48525
dantecatalfamo wants to merge 2 commits into
Conversation
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Walkthrough
This change adds a fallback mechanism for resolving fixed versions of CVEs where NVD only provides a
Pre-merge checks: 5 passed checks (5 passed)
Nitpick comments (1)
server/vulnerabilities/nvd/cve_test.go (1)
Lines 1126-1138 (Maintainability & Code Quality, Trivial, Quick win): Add a fixture that actually contains the versionEndIncluding-only CVE record.
These cases use the 2022 test dictionary, so CVE-2025-63389 is absent and the test only proves fallback on missing feed data. Add a small in-memory/fixture CVE entry with versionEndIncluding and no versionEndExcluding to cover the intended path. Based on PR objectives, the expected behavior is specifically for NVD's versionEndIncluding-only Ollama record.
Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@server/vulnerabilities/nvd/cve_test.go` around lines 1126 - 1138, the "versionEndIncluding-only CVE uses resolved version override" case in cve_test.go is currently relying on missing 2022 dictionary data instead of the intended NVD record. Update the test setup around the relevant CVE lookup path so the fixture/data source actually includes a CVE entry for CVE-2025-63389 with versionEndIncluding present and versionEndExcluding absent, then keep the assertion against the resolved Ollama version. Use the existing cve_test table case and the NVD test dictionary/fixture helpers in this file to make the test cover the real versionEndIncluding-only path.
Files selected for processing (4)
changes/44800-ollama-resolved-in-version
server/vulnerabilities/nvd/cpe_matching_rules.go
server/vulnerabilities/nvd/cve.go
server/vulnerabilities/nvd/cve_test.go
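The review above turns on the distinction between NVD's two upper bounds: versionEndExcluding names the first fixed version, while versionEndIncluding only names the last affected one, so a record carrying just the latter cannot yield a resolved-in version without outside help. The sketch below is an added example, not Fleet's code from this PR: the cpeMatch type, overrideKey, resolvedInOverrides and resolvedInVersion are hypothetical names, and the override value and the version strings in the sample matches are constructed placeholders rather than the real Ollama fix version. It shows the precedence a practitioner would expect (feed data first, curated override only when the feed has no versionEndExcluding) and the versionEndIncluding-only fixture the reviewer asked for.

```go
package main

import (
	"errors"
	"fmt"
)

// cpeMatch mirrors the subset of an NVD CPE match rule that matters here.
// Field names are hypothetical, not Fleet's own types.
type cpeMatch struct {
	Vulnerable          bool   // NVD "vulnerable" flag on the match
	VersionEndIncluding string // last affected version (no fix implied)
	VersionEndExcluding string // first fixed version
}

// overrideKey pairs a CVE with the product it applies to, so an override for
// one product cannot leak onto another product that shares the CVE.
type overrideKey struct {
	CVE     string
	Product string
}

// resolvedInOverrides holds manually curated fixed versions for CVEs whose NVD
// record only bounds the affected range with versionEndIncluding.
// The version below is a constructed placeholder, not the real fix version.
var resolvedInOverrides = map[overrideKey]string{
	{CVE: "CVE-2025-63389", Product: "ollama"}: "9.9.9",
}

// ErrNoResolvedVersion is returned when neither the feed nor an override
// names a fixed version; callers should leave resolved_in_version empty
// rather than guessing.
var ErrNoResolvedVersion = errors.New("no resolved-in version available")

// resolvedInVersion derives the fixed version for a CVE/product pair.
// Feed data wins: if any vulnerable match carries versionEndExcluding, that
// is authoritative and the override is never consulted, so a stale override
// cannot mask a later correction to the NVD record. Only when the feed has
// no first-fixed bound (versionEndIncluding-only, or the CVE missing from
// the dictionary entirely) does the curated override apply.
func resolvedInVersion(cve, product string, matches []cpeMatch) (string, error) {
	for _, m := range matches {
		if !m.Vulnerable {
			continue
		}
		if m.VersionEndExcluding != "" {
			return m.VersionEndExcluding, nil
		}
	}
	if v, ok := resolvedInOverrides[overrideKey{CVE: cve, Product: product}]; ok {
		return v, nil
	}
	return "", ErrNoResolvedVersion
}

func main() {
	// Constructed fixture: the versionEndIncluding-only shape the reviewer
	// wanted covered. No versionEndExcluding is present.
	includingOnly := []cpeMatch{{Vulnerable: true, VersionEndIncluding: "1.2.3"}}
	v, err := resolvedInVersion("CVE-2025-63389", "ollama", includingOnly)
	fmt.Println("including-only, override present:", v, err)

	// Constructed fixture: the feed names a fix, so the override is bypassed.
	withFix := []cpeMatch{{Vulnerable: true, VersionEndExcluding: "2.0.0"}}
	v, err = resolvedInVersion("CVE-2025-63389", "ollama", withFix)
	fmt.Println("feed has versionEndExcluding:", v, err)

	// Same CVE on a product with no override: nothing to resolve.
	_, err = resolvedInVersion("CVE-2025-63389", "other-product", includingOnly)
	fmt.Println("including-only, no override:", err)
}
```

The product key is the part most worth keeping when adapting this: a CVE can cover several CPEs, and an override written for one product must not be applied to another just because the CVE ID matches.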
CI Feedback
A test triggered by this PR failed. Here is an AI-generated analysis of the failure:
Codecov Report
Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #48525 +/- ##
==========================================
+ Coverage 67.22% 67.83% +0.61%
==========================================
Files 3394 3419 +25
Lines 228363 232080 +3717
Branches 11910 11910
==========================================
+ Hits 153516 157434 +3918
+ Misses 61013 60382 -631
- Partials 13834 14264 +430
mostlikelee
left a comment
Looks like a sensible approach to me, but also curious what this looks like to override in the feed. That fix wouldn't require a fleet release and new override pattern.
Related issue: Resolves #44800
Checklist for submitter
If some of the following don't apply, delete the relevant line.
changes/, orbit/changes/ or ee/fleetd-chrome/changes. See Changes files for more information.
Testing
Summary by CodeRabbit
Bug Fixes
Tests