[libvirt] [security-notice PATCH 3/9] scripts: add ability to handle a fixed commit hash
Ján Tomko
jtomko at redhat.com
Fri Jun 14 11:04:38 UTC 2019
On Mon, May 13, 2019 at 12:52:00PM +0100, Daniel P. Berrangé wrote:
>Currently when given a broken commit hash we assume everything newer
>than this is broken. If we are retroactively recording info on a flaw that
>is already fixed in git though, we might know a fixed commit hash. Use
>this info to know when to stop reporting broken tags and branches.
>
>Note this only works for branches containing the original primary fixed
>commit. This does not try to identify cherry-picks to branches.
>
>Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
>---
> scripts/report-vulnerable-tags.pl | 74 +++++++++++++++++++++++++++----
> 1 file changed, 66 insertions(+), 8 deletions(-)
>
>diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
>index 8a6c2e4..431a7bf 100644
>--- a/scripts/report-vulnerable-tags.pl
>+++ b/scripts/report-vulnerable-tags.pl
>@@ -5,15 +5,18 @@ use warnings;
>
> use Sort::Versions;
>
>-if (int(@ARGV) != 1) {
>- die "syntax: $0 CHANGESET\n";
>+if (int(@ARGV) != 1 && int(@ARGV) != 2) {
>+ die "syntax: $0 BROKEN-CHANGESET [FIXED-CHANGESET]\n";
> }
>
>-my $changeset = shift @ARGV;
>+my $broken = shift @ARGV;
>+my $fixed = shift @ARGV;
>
> # branch name to hash with keys
> # - brokenchanges -> list of commit ids
> # - brokentags -> hash of tag names to '1'
>+# - fixedchanges -> list of commit ids
>+# - fixedtags -> hash of tag names to '1'
> my %branches;
>
> # tag name to '0' (fixed) or '1' (broken)
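Review bot: `$broken` and `$fixed` are taken from `@ARGV` without any check that they look like a commit, yet both are handed to `get_tags`/`get_branches` as arguments in the later hunks; if those helpers build a git command line as their names suggest (they are outside the diff), a value beginning with `-` would be parsed by git as an option rather than a revision, and a mistyped hash only shows up as an empty tag list. A one-line check after each `shift` keeps the script's output trustworthy, e.g. `die "bad changeset: $fixed\n" if defined $fixed && $fixed !~ /\A[0-9a-f]{7,40}\z/;` (same for `$broken`). As a point of style, the argument-count test reads more directly as `if (@ARGV < 1 || @ARGV > 2)` than the two `int(@ARGV)` comparisons.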
>@@ -68,11 +71,22 @@ sub add_branch {
> return if exists $branches{$name};
>
> $branches{$name} = {
>- "brokenchanges" => [$changeset],
>+ "brokenchanges" => [$broken],
> "brokentags" => {},
>+ "fixedchanges" => [],
>+ "fixedtags" => {},
> };
> }
>
>+sub delete_branch {
>+ my $name = shift @_;
>+
>+ if (int(keys %{$branches{$name}->{"brokentags"}})) {
>+ print "Branch $name shouldn't have broken tags\n";
^ TAB
>+ }
>+ delete $branches{$name};
>+}
>+
> sub add_broken_tag {
> my $branch = shift @_;
> my $tag = shift @_;
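Review bot: The diagnostic in `delete_branch` is written to STDOUT, the same stream the script uses for its XML report (see the `print " <branch>\n"` lines in the last hunk), so a branch that contains the fix but still carries older broken tags injects a bare "Branch … shouldn't have broken tags" line into the report and is then silently dropped from it. Send it to STDERR instead: `warn "Branch $name shouldn't have broken tags\n";`. Also, `keys %{$branches{$name}->{"brokentags"}}` autovivifies an entry when `$name` was never added by `add_branch` (possible from the `get_branches($fixed)` loop in the last hunk); it is deleted right after, so harmless, but `return unless exists $branches{$name};` as the first statement makes the intent explicit.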
>@@ -81,16 +95,51 @@ sub add_broken_tag {
> $branches{$branch}->{"brokentags"}->{$tag} = 1;
> }
>
>+sub add_fixed_tag {
>+ my $branch = shift @_;
>+ my $tag = shift @_;
>+
>+ $tags{$tag} = 0;
>+ $branches{$branch}->{"fixedtags"}->{$tag} = 1;
>+}
>+
>+sub add_fixed_commit {
>+ my $branch = shift @_;
>+ my $commit = shift @_;
>+
>+ push @{$branches{$branch}->{"fixedchanges"}}, $commit;
>+}
>+
> add_branch("master");
>
>+if (defined $fixed) {
>+ # Mark any tags containing the fix as known so they
>+ # get excluded when later finding vulnerable tags
>+ for my $tag (get_tags("--contains", $fixed)) {
>+ $tags{$tag} = 0;
^ indentation
>+ }
>+
>+
>+ # Record the first tag in master which has the fix, if any
>+ my @fixedtags = sort versioncmp get_tags("--contains", $fixed, "--merged", "master");
>+ if (int(@fixedtags)) {
>+ add_fixed_tag("master", $fixedtags[0]);
^ TAB
>+ }
>+
>+ add_fixed_commit("master", $fixed);
>+}
>+
> # Most tags live on master so lets get them first
>-for my $tag (get_tags("--contains", $changeset, "--merged", "master")) {
>+for my $tag (get_tags("--contains", $broken, "--merged", "master")) {
>+
>+ next if exists $tags{$tag};
>+
> add_broken_tag("master", $tag);
> }
>
> # Now we need slower work to find branches for
> # few remaining tags
>-for my $tag (get_tags("--contains", $changeset)) {
>+for my $tag (get_tags("--contains", $broken)) {
>
> next if exists $tags{$tag};
>
>@@ -117,6 +166,12 @@ for my $branch (get_branches($broken)) {
> add_branch($branch);
> }
>
>+if (defined $fixed) {
>+ for my $branch (get_branches($fixed)) {
>+ delete_branch($branch);
^ TAB
>+ }
>+}
>+
> foreach my $branch (sort versioncmp keys %branches) {
> print " <branch>\n";
> print " <name>$branch</name>\n";
Reviewed-by: Ján Tomko <jtomko at redhat.com>
Jano