[libvirt] [security-notice PATCH 5/9] scripts: allow for notices to have multiple commit hashes

Daniel P. Berrangé berrange at redhat.com
Mon May 13 11:52:02 UTC 2019


Sometimes a bug may be introduced across multiple commits, or fixed
across multiple commits. We must thus honour the full list of commits.
There might not even be a broken commit listed yet.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 scripts/report-vulnerable-tags.pl | 73 ++++++++++++++++++-------------
 1 file changed, 43 insertions(+), 30 deletions(-)

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
index 3a94721..59859b1 100644
--- a/scripts/report-vulnerable-tags.pl
+++ b/scripts/report-vulnerable-tags.pl
@@ -9,7 +9,9 @@ if (int(@ARGV) != 1) {
     die "syntax: $0 NOTICE.XML\n";
 }
 
+my @broken;
 my $broken;
+my @fixed;
 my $fixed;
 my $notice = shift @ARGV;
 my @notice;
@@ -28,15 +30,22 @@ for my $line (<NOTICE>) {
     } elsif ($master) {
 	if ($line =~ m,<change state="(vulnerable|fixed)">([a-zA-Z0-9]+)</change>,) {
 	    if ($1 eq "vulnerable") {
-		$broken = $2;
+		push @broken, $2;
 	    } else {
-		$fixed = $2;
+		push @fixed, $2;
 	    }
 	}
     }
 }
 close NOTICE;
 
+if (int(@broken)) {
+    $broken = $broken[0];
+}
+if (int(@fixed)) {
+    $fixed = $fixed[$#fixed];
+}
+
 # branch name to hash with keys
 #   - brokenchanges -> list of commit ids
 #   - brokentags -> hash of tag names to '1'
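Review bot: The reduction `$broken = $broken[0];` / `$fixed = $fixed[$#fixed];` silently assumes the `<change>` elements appear in the notice in commit order, so that the first vulnerable entry introduced the bug and the last fixed entry completes the fix; nothing checks or documents that, and a notice listing them in any other order would start the tag search from the wrong commit. A comment above the two `if (int(@broken))` / `if (int(@fixed))` blocks stating the contract would help, e.g. `# <change> elements are assumed to be in commit order: $broken is the commit that introduced the bug, $fixed the one completing the fix.` If that order cannot be guaranteed by the notice format, the representative commit would have to be derived from git ancestry instead, which is a larger change. Minor style point: `if (@broken)` is the idiomatic emptiness test; `int(@broken)` adds nothing here.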
@@ -96,7 +105,7 @@ sub add_branch {
     return if exists $branches{$name};
 
     $branches{$name} = {
-       "brokenchanges" => [$broken],
+       "brokenchanges" => [@broken],
        "brokentags" => {},
        "fixedchanges" => [],
        "fixedtags" => {},
@@ -151,44 +160,48 @@ if (defined $fixed) {
 	add_fixed_tag("master", $fixedtags[0]);
     }
 
-    add_fixed_commit("master", $fixed);
+    for my $commit (@fixed) {
+	add_fixed_commit("master", $commit);
+    }
 }
 
-# Most tags live on master so lets get them first
-for my $tag (get_tags("--contains", $broken, "--merged", "master")) {
+if (defined $broken) {
+    # Most tags live on master so lets get them first
+    for my $tag (get_tags("--contains", $broken, "--merged", "master")) {
 
-    next if exists $tags{$tag};
+	next if exists $tags{$tag};
 
-    add_broken_tag("master", $tag);
-}
+	add_broken_tag("master", $tag);
+    }
+
+    # Now we need slower work to find branches for
+    # few remaining tags
+    for my $tag (get_tags("--contains", $broken)) {
 
-# Now we need slower work to find branches for
-# few remaining tags
-for my $tag (get_tags("--contains", $broken)) {
+	next if exists $tags{$tag};
 
-    next if exists $tags{$tag};
+	my @tagbranches = get_branches($tag);
+	if (int(@tagbranches) == 0) {
+	    if ($tag eq "v2.1.0") {
+		@tagbranches = ("master")
+	    } else {
+		print "Tag $tag doesn't appear in any branch\n";
+		next;
+	    }
+	}
 
-    my @tagbranches = get_branches($tag);
-    if (int(@tagbranches) == 0) {
-	if ($tag eq "v2.1.0") {
-	    @tagbranches = ("master")
-	} else {
-	    print "Tag $tag doesn't appear in any branch\n";
-	    next;
+	if (int(@tagbranches) > 1) {
+	    print "Tag $tag appears in multiple branches\n";
 	}
-    }
+	my $branch = $tagbranches[0];
 
-    if (int(@tagbranches) > 1) {
-	print "Tag $tag appears in multiple branches\n";
+	add_branch($branch);
+	add_broken_tag($branch, $tag);
     }
-    my $branch = $tagbranches[0];
 
-    add_branch($branch);
-    add_broken_tag($branch, $tag);
-}
-
-for my $branch (get_branches($broken)) {
-    add_branch($branch);
+    for my $branch (get_branches($broken)) {
+	add_branch($branch);
+    }
 }
 
 if (defined $fixed) {
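Review bot: The tag search at `get_tags("--contains", $broken, "--merged", "master")` and `get_tags("--contains", $broken)` still keys off a single commit (`$broken[0]`), so when a bug was introduced across several commits, any tag that contains one of the later commits but not the first is never marked vulnerable — the report under-counts affected releases, which is the wrong direction to err in for a security notice. The `for my $commit (@fixed)` loop earlier in the hunk already walks every fixed commit; the broken side should do the same by wrapping the body of the `if (defined $broken)` block in `for my $commit (@broken)`, with the existing `next if exists $tags{$tag};` guards deduplicating (assuming add_broken_tag records the tag in `%tags`, as that guard suggests). The `if (defined $fixed) {` block on the hunk's last line continues outside it.
```perl
if (@broken) {
    for my $commit (@broken) {
        # Most tags live on master so lets get them first
        for my $tag (get_tags("--contains", $commit, "--merged", "master")) {
            next if exists $tags{$tag};
            add_broken_tag("master", $tag);
        }

        # Now we need slower work to find branches for
        # few remaining tags
        for my $tag (get_tags("--contains", $commit)) {
            next if exists $tags{$tag};
            # … unchanged: get_branches($tag) lookup, v2.1.0 special case, add_branch/add_broken_tag …
        }

        for my $branch (get_branches($commit)) {
            add_branch($branch);
        }
    }
}
```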
-- 
2.21.0



