Given a Chrome Releases blog post URL (chromereleases.googleblog.com), extract every CVE/bug and find the underlying Gerrit CL that fixed it by searching the local Chromium checkout and sub-repos. Use when asked to map Chrome security release notes to fixing CLs, or to find which commits correspond to CVEs in a Chrome stable update.
Maps every security fix in a Chrome Releases blog post to the Gerrit CL(s) that fixed it.
$ARGUMENTS — a https://chromereleases.googleblog.com/... URL. If empty, ask the user for one.
The blog HTML buries bug IDs inside <a> tags, so strip tags first. Run:
curl -sL "$URL" | python3 -c '
import sys, re, html
t = re.sub(r"<[^>]+>", " ", sys.stdin.read())
t = re.sub(r"\s+", " ", html.unescape(t))
seen = set()
for m in re.finditer(r"\[\s*(\d{6,})\s*\]\s*(Critical|High|Medium|Low)\s*(CVE-\d{4}-\d+):\s*([^.]+?)\.", t):
if m.group(3) in seen: continue
seen.add(m.group(3))
print(f"{m.group(3)}|{m.group(1)}|{m.group(2)}|{m.group(4).strip()}")
' > /tmp/cve_bugs.txt
cat /tmp/cve_bugs.txt
If this yields nothing, the page may have changed format — fall back to grep -oE 'CVE-[0-9]{4}-[0-9]+' and grep -oE 'crbug\.com/[0-9]+' and pair them by order.
Search git history in the Chromium checkout and relevant sub-repos for commits whose Bug: or Fixed: footer references the bug ID, then extract the Reviewed-on: Gerrit URL.
Repo selection by component keyword:
third_party/anglethird_party/skiathird_party/pdfiumthird_party/dawnv8. (chromium/src)Always also fall back to . if the hinted repo has no match.
cd /root/src/electron/src # chromium root (parent of electron/)
lookup() {
local bug="$1" repos="$2"
for repo in $repos . v8 third_party/skia third_party/angle third_party/pdfium third_party/dawn; do
local hits
hits=$(git -C "$repo" log --all --since='6 months ago' -E \
--grep="(Bug|Fixed):.*\\b${bug}\\b" --format='%H' 2>/dev/null | sort -u)
[[ -z "$hits" ]] && continue
while read -r h; do
git -C "$repo" log -1 --format='%B' "$h" | grep '^Reviewed-on:' | sed 's/^/ /'
echo " ↳ $(git -C "$repo" log -1 --format='%s' "$h")"
done <<<"$hits"
return 0
done
echo " (not found locally)"
}
Drive it from /tmp/cve_bugs.txt. Prefer the non-[M1xx]-prefixed commit subject as the canonical main CL; the [M1xx] ones are branch cherry-picks.
For any bug with no local hit:
git -C <repo> fetch origin then re-search --remotes (fix may be newer than the checkout).curl -s "https://chromium-review.googlesource.com/changes/?q=bug:${BUG}&n=10" | tail -n +2 | python3 -m json.tool (also try skia-review, pdfium-review, dawn-review, aomedia-review).b/ bug format (Skia, Graphite, Dawn): These repos reference bugs as b/<id> in commit messages rather than Bug: <id> footers. The Gerrit bug: query will return nothing. Use message:<id> search instead:
curl -s "https://skia-review.googlesource.com/changes/?q=message:${BUG}&n=5" | tail -n +2
dawn-review.googlesource.com when the component is Dawn.[M1xx] merge CLs are found, query the CL detail for cherry_pick_of_change to find the original main CL number:
curl -s "https://chromium-review.googlesource.com/changes/${CL_NUM}?o=CURRENT_REVISION" | tail -n +2 | python3 -c "
import sys, json
d = json.load(sys.stdin)
print(d.get('cherry_pick_of_change', 'none'))
"
Roll CLs — skip and find the upstream fix: For components whose fixes land in upstream repos (PDFium, Dawn, Skia, Graphite, libaom, libvpx, ffmpeg), the chromium-review hit will be a Roll src/third_party/... commit. Do not report the roll CL as the fix. Instead, query the component's own Gerrit instance directly for the actual fixing CL:
pdfium-review.googlesource.com (use bug: or message: query)dawn-review.googlesource.com (use message: query — uses b/ format)skia-review.googlesource.com (use message: query — uses b/ format)aomedia-review.googlesource.comOnly if the upstream Gerrit instance returns no results should you fall back to reporting the roll CL — in that case, include the roll CL and note that the actual fix is upstream but the specific CL could not be identified.
Multiple Reviewed-on: lines in one commit body: cherry-picks keep the original line plus a new one. The first Reviewed-on: is the original CL.
A bug may have multiple distinct fix CLs (fix + follow-up hardening) — list all of them.
Produce a markdown table per severity level: CVE | Bug | Component | Fix CL (main). Link bugs as https://crbug.com/<id>. Save raw output (including all branch merges) to /tmp/cve_cls.txt and mention the path.