
Fixed false positive CVE on emacs-common on Ubuntu. #39895

Draft
getvictor wants to merge 1 commit into main from victor/39370-emacs-false-positive

Conversation


@getvictor getvictor commented Feb 15, 2026

Related issue: Resolves #39370

Checklist for submitter

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.

Testing

  • Added/updated automated tests
  • QA'd all new/changed functionality manually

Summary by CodeRabbit

  • Bug Fixes

    • Fixed false positive CVE detection for emacs-common on Ubuntu.
    • Improved vulnerability version matching accuracy for Debian and RPM packages by properly handling version format variations.
  • Tests

    • Added test coverage for version format handling in vulnerability detection.

@getvictor (Member, Author)

@coderabbitai full review


coderabbitai bot commented Feb 15, 2026

✅ Actions performed

Full review triggered.


coderabbitai bot commented Feb 15, 2026

Walkthrough

This pull request addresses a false positive CVE detection for Debian packages with epoch prefixes in their version strings. Changes include adding logic to indexed_cpe_item.go to strip epoch prefixes (e.g., 1:) from package versions before CPE string generation, specifically for deb and rpm package sources. A regex pattern is introduced to identify and remove these prefixes. A corresponding test is added to indexed_cpe_item_test.go to verify epoch stripping behavior across different package sources and version formats.

🚥 Pre-merge checks: ✅ 5 passed, ❌ 1 failed

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

  • Title check ✅ Passed: The title clearly summarizes the main change: fixing a false positive CVE detection for emacs-common on Ubuntu, which directly matches the PR's primary objective.
  • Description check ✅ Passed: The description includes required items (related issue #39370, changes file added, automated tests added, manual QA performed) but lacks detail on the actual technical fix and database/configuration considerations.
  • Linked Issues check ✅ Passed: The code changes address the core issue by implementing epoch prefix stripping for deb/rpm package versions, which resolves the false positive CVE for emacs-common with version 1:29.3+1-1ubuntu2.
  • Out of Scope Changes check ✅ Passed: All changes are directly related to fixing the false positive CVE issue: adding changes file, modifying CPE parsing logic to strip epoch prefixes, and adding comprehensive test coverage.
  • Merge Conflict Detection ✅ Passed: No merge conflicts detected when merging into main


No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
server/vulnerabilities/nvd/indexed_cpe_item_test.go (1)

10-64: Good test coverage with table-driven tests.

The test cases cover the key scenarios well: deb with epoch, rpm with epoch, deb without epoch, and non-deb source.

One minor observation: test case 4 ("non-deb source does not strip epoch-like prefix") — the name says the prefix is not stripped, but the 1: in "1:2.3.4" is still transformed to 1. by sanitizeVersion. The test validates that the epoch-stripping code path isn't taken, which is correct, but the name could be slightly clearer (e.g., "non-deb source leaves version for sanitizeVersion to handle").

Consider adding a test case where the version has a multi-digit epoch (e.g., "10:1.2.3") to confirm the regex handles it.


Copilot AI left a comment


Pull request overview

This pull request fixes a false positive CVE detection issue for the emacs-common package on Ubuntu. The root cause was that Debian/RPM package versions include an "epoch" prefix (e.g., "1:" in "1:29.3+1-1ubuntu2") which is package manager metadata, not part of the upstream software version. When matching against the NVD CPE database, this epoch was being misinterpreted as part of the version number, causing incorrect CVE matches.

Changes:

  • Added epoch prefix stripping for deb_packages and rpm_packages sources in CPE string formatting
  • Created comprehensive unit tests covering epoch stripping scenarios
  • Added changelog entry for the fix

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • server/vulnerabilities/nvd/indexed_cpe_item.go: Added logic to strip epoch prefix (e.g., "1:") from version strings for deb_packages and rpm_packages before CPE matching, with clear documentation explaining why
  • server/vulnerabilities/nvd/indexed_cpe_item_test.go: New test file with comprehensive test cases covering epoch stripping for deb/rpm packages, packages without epochs, and non-deb/rpm sources
  • changes/39370-emacs-false-positive: Changelog entry documenting the fix for users
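The epoch stripping described in the CodeRabbit walkthrough and the Copilot overview above, as an added Go example that is not the PR's own code. It assumes a `^[0-9]+:` pattern for the epoch (the PR's actual regex is not shown on this page), uses the source names `deb_packages` and `rpm_packages` from the review summary, and introduces the hypothetical helpers `stripEpoch`, `escapeCPEComponent` and `cpeForPackage`; `gnu`/`emacs` is an assumed vendor/product pair for illustration. It also goes one step beyond the page by applying CPE 2.3 formatted-string escaping to the remaining version, so that punctuation such as the `+` in the Ubuntu version cannot be misread as CPE syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// epochPrefixRe matches a Debian/RPM epoch prefix ("1:", "10:", ...) at the
// start of a version string. Assumed pattern: the PR's own regex is not shown
// on the page.
var epochPrefixRe = regexp.MustCompile(`^[0-9]+:`)

// stripEpoch removes the epoch prefix when the version comes from a deb or
// rpm package source. Other sources are returned unchanged, because the "N:"
// convention is package-manager metadata that only those sources carry.
// Hypothetical helper, not the project's own function.
func stripEpoch(source, version string) string {
	switch source {
	case "deb_packages", "rpm_packages":
		return epochPrefixRe.ReplaceAllString(version, "")
	default:
		return version
	}
}

// escapeCPEComponent applies CPE 2.3 formatted-string escaping (NISTIR 7695):
// letters, digits, '-', '.' and '_' are unreserved; every other character is
// backslash-escaped so it cannot be interpreted as a field separator or wildcard.
func escapeCPEComponent(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '-', r == '.', r == '_':
			b.WriteRune(r)
		default:
			b.WriteRune('\\')
			b.WriteRune(r)
		}
	}
	return b.String()
}

// cpeForPackage builds a cpe:2.3 application string for a package after the
// epoch has been stripped. Vendor/product resolution is out of scope here and
// is passed in directly by the caller.
func cpeForPackage(source, vendor, product, version string) string {
	v := stripEpoch(source, version)
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*",
		escapeCPEComponent(vendor), escapeCPEComponent(product), escapeCPEComponent(v))
}

func main() {
	// Constructed sample inputs covering the cases the reviewers discuss.
	cases := []struct{ source, version string }{
		{"deb_packages", "1:29.3+1-1ubuntu2"}, // the emacs-common version from the issue
		{"rpm_packages", "10:1.2.3"},         // multi-digit epoch
		{"deb_packages", "2.40.1-1"},         // no epoch: left unchanged
		{"programs", "1:2.3.4"},              // non-deb/rpm source: not stripped here
	}
	for _, c := range cases {
		fmt.Printf("%-13s %-20s -> %s\n", c.source, c.version, stripEpoch(c.source, c.version))
	}
	// Assumed vendor/product pair; shows the epoch gone and the '+' escaped.
	fmt.Println(cpeForPackage("deb_packages", "gnu", "emacs", "1:29.3+1-1ubuntu2"))
}
```

Keeping the epoch check keyed on the package source, rather than stripping `N:` from every version, matters because other sources have no epoch convention and a leading `digits:` there could be part of a legitimate version string.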



codecov bot commented Feb 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.26%. Comparing base (de55ecf) to head (12d86e8).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #39895      +/-   ##
==========================================
- Coverage   66.27%   66.26%   -0.01%     
==========================================
  Files        2439     2439              
  Lines      195446   195449       +3     
  Branches     8615     8615              
==========================================
- Hits       129528   129511      -17     
- Misses      54189    54204      +15     
- Partials    11729    11734       +5     
Flag Coverage Δ
backend 68.06% <100.00%> (-0.02%) ⬇️



Development

Successfully merging this pull request may close these issues.

Vulnerability false positive: emacs-common

1 participant