stale action items in action needed list?
Hello,
While viewing the tracker page for package asterisk, I saw that there are open security issues for bookworm and trixie in the tracker action needed panel, but all links in the action item list lead to security-tracker.debian.org pages which do not mention either codename.
These security issues were addressed in bug #1032092 and bug #1059303, so my expectation is that these action items are removed.
When I feed the current UpdateSecurityIssuesTask.DISTRIBUTIONS_URL JSON and the UpdateSecurityIssuesTask.CVE_DATA_URL (trimmed down to asterisk only) into a modified UpdateSecurityIssuesTaskTests module, it produces a summary of all zeroes. This leads me to believe it's an ActionItem caching issue.
After some investigation, I think ActionItems can get stuck / stale.
Here's my theory for the bookworm action items:
- 2023-01-16: Package in bookworm
- 2023-02-27: #1032092 opens (3 CVEs)
- ----------: 3 ActionItems added "debian-security-issue-in-bookworm"
- 2023-03-28: Package removed from bookworm
- 2023-12-19: #1032092 is closed
- ----------: 3 ActionItems are not cleaned up
I'm not sure how the trixie action item got there, but I believe it is also stale. Bug #1059303 was open from 2023-12-22 to 2024-06-07 and had 2 CVEs. Asterisk was only in unstable for all that time as far as I can tell. The action item was created on 2023-10-22 and was last updated the same day.
Thanks,
Martin
Originally reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090074
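
The cross-check described in the report, as an added example that is not part of the original report and is not distro-tracker code: it compares stored action item types against per-release open-issue counts and flags items whose release has none, including a release the package no longer appears in. The data layout (package, CVE, "releases", codename, "status"), the item type for trixie, the placeholder CVE ids and the helper names are assumptions; only "open" is counted here.

```python
# Constructed sample shaped like the security tracker's JSON export
# (package -> CVE -> "releases" -> codename -> {"status": ...}).
# CVE ids are placeholders, not real identifiers.
CVE_DATA = {
    "asterisk": {
        "CVE-0000-0001": {"releases": {"bullseye": {"status": "open"},
                                        "sid": {"status": "resolved"}}},
        "CVE-0000-0002": {"releases": {"sid": {"status": "resolved"}}},
    }
}

# Constructed list of action item types currently stored for the package.
STORED_ITEMS = [
    "debian-security-issue-in-bullseye",
    "debian-security-issue-in-bookworm",
    "debian-security-issue-in-trixie",
    "unrelated-action-item",
]

PREFIX = "debian-security-issue-in-"


def open_issue_counts(cve_data, package):
    """Count open CVEs per release codename for one package."""
    counts = {}
    for cve in cve_data.get(package, {}).values():
        for release, info in cve.get("releases", {}).items():
            if info.get("status") == "open":
                counts[release] = counts.get(release, 0) + 1
    return counts


def stale_action_items(cve_data, package, item_types):
    """Return security action items whose release has no open issue.

    A release that is missing from the data entirely (for example after
    the package was removed from it) counts as zero open issues, so an
    item left behind for that release is reported as stale.
    """
    counts = open_issue_counts(cve_data, package)
    stale = []
    for item_type in item_types:
        if not item_type.startswith(PREFIX):
            continue  # not a per-release security item
        release = item_type[len(PREFIX):]
        if counts.get(release, 0) == 0:
            stale.append(item_type)
    return sorted(stale)
```
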