[libvirt] [security-notice PATCH 8/9] scripts: fuzzy matching on subject to identify unannotated cherry picks

Daniel P. Berrangé berrange at redhat.com
Mon May 13 11:52:05 UTC 2019


Sometimes fixes are mistakenly cherry-picked into branches without the
'-x' flag, so the originating master commit is not recorded. Add fuzzy
matching based on the subject line to attempt to identify such fixes on
branches.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 scripts/report-vulnerable-tags.pl | 46 +++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
index 6a0f7dc..c37416d 100644
--- a/scripts/report-vulnerable-tags.pl
+++ b/scripts/report-vulnerable-tags.pl
@@ -121,6 +121,38 @@ sub get_cherry_picks {
     return %cherrypicks;
 }
 
+sub get_fuzzy_picks {
+    my $branch = shift @_;
+    my $tag = shift @_;
+
+    my %subjects;
+
+    for my $commit (@fixed) {
+	open GIT, "-|", "git", "show", "--no-patch", "--format=%s", $commit
+	    or die "cannot query 'git show --no-patch --format=%s $commit': $!";
+	my $subject = <GIT>;
+	chomp $subject;
+	close GIT;
+
+	$subjects{$subject} = $commit;
+    }
+
+    open GIT, "-|", "git", "log", "--format=%H %s", "$tag..origin/$branch" or
+	die "cannot query 'git log --format='%h %s' $tag..origin/$branch': $!\n";
+
+    my $commit;
+    my %fuzzypicks;
+    while (<GIT>) {
+	if (/([a-zA-Z0-9]+)\s(.*)$/) {
+	    if (exists $subjects{$2}) {
+		$fuzzypicks{$subjects{$2}} = $1;
+	    }
+	}
+    }
+
+    return %fuzzypicks;
+}
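Review bot: A subject-line hit is treated as a definitive identification in the inner `if (exists $subjects{$2})` test, yet `%subjects` silently keeps only the last entry of `@fixed` when two fixed commits share a subject, and `%fuzzypicks` likewise lets a later branch commit with the same subject overwrite an earlier match; either collision can attach a branch commit to the wrong fix, and the caller then treats that fix as present. I would at least make ambiguity visible when building the map: `warn "duplicate subject '$subject' for $subjects{$subject} and $commit\n" if exists $subjects{$subject};` before `$subjects{$subject} = $commit;`. The `die` message on the `git log` open misquotes the format actually run (`%h %s` rather than `%H %s`), both `close GIT` calls discard git's exit status, and the `my $commit;` declared before `%fuzzypicks` is never used. Both opens are list-form, so the commit hash and tag names never pass through a shell.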
+
 sub add_branch {
     my $name = shift @_;
 
@@ -226,6 +258,20 @@ if (defined $fixed) {
 	    }
 	}
 
+	if (int(@missing)) {
+	    my @unfixed = @missing;
+	    my %fuzzypicks = get_fuzzy_picks($branch, $basetag);
+	    @missing = ();
+	    for my $commit (@unfixed) {
+		if (exists $fuzzypicks{$commit}) {
+		    my $fuzzy = $fuzzypicks{$commit};
+		    add_fixed_commit($branch, $fuzzy);
+		} else {
+		    push @missing, $commit;
+		}
+	    }
+	}
+
 	# If all fixes on master exist on branch, then
 	# identify any tags holding the last cherry-pick
 	# so the branch gets marked as non-vulnerable.
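Review bot: `add_fixed_commit($branch, $fuzzy)` records a heuristic subject match exactly as if the commit carried an explicit `-x` cherry-pick annotation, with no trace in the output that it was inferred, so a wrong match feeds straight into the "mark the branch as non-vulnerable" logic described in the comment that follows. Since the matching is fuzzy by design, the inference should be logged so it can be checked, e.g. `warn "$branch: treating $fuzzy as a cherry-pick of $commit (subject match)\n";` immediately before the `add_fixed_commit` call. `if (int(@missing))` can simply be `if (@missing)`, since an array in boolean context is already false when empty. The enclosing `if (defined $fixed)` block and its per-branch loop begin and end outside this hunk.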
-- 
2.21.0



