Re: [libvirt] [security-notice PATCH 4/9] scripts: change to update notice files inplace

Instead of printing out a snippet which then has to be cut and pasted into the notice file, directly read the template notice file and update it in place with new branch/tag info. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- scripts/report-vulnerable-tags.pl | 66 ++++++++++++++++++++++++------- 1 file changed, 52 insertions(+), 14 deletions(-)

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl index 431a7bf..3a94721 100644 --- a/scripts/report-vulnerable-tags.pl +++ b/scripts/report-vulnerable-tags.pl @@ -5,12 +5,37 @@ use warnings; use Sort::Versions; -if (int(@ARGV) != 1 && int(@ARGV) != 2) { - die "syntax: $0 BROKEN-CHANGESET [FIXED-CHANGESET]\n"; +if (int(@ARGV) != 1) { + die "syntax: $0 NOTICE.XML\n"; } -my $broken = shift @ARGV; -my $fixed = shift @ARGV; +my $broken; +my $fixed; +my $notice = shift @ARGV; +my @notice; + +open NOTICE, $notice or die "cannot read $notice: $!"; +my $master; +my $discard; +for my $line (<NOTICE>) { + push @notice, $line unless $discard; + if ($line =~ m,<repository>,) { + $discard = 1; + } elsif ($line =~ m,<name>master</name>,) { + $master = 1; + } elsif ($line =~ m,</branch>,) { + $master = 0; + } elsif ($master) { + if ($line =~ m,<change state="(vulnerable|fixed)">([a-zA-Z0-9]+)</change>,) { + if ($1 eq "vulnerable") { + $broken = $2; + } else { + $fixed = $2; + } + } + } +} +close NOTICE; # branch name to hash with keys # - brokenchanges -> list of commit ids @@ -154,7 +179,7 @@ for my $tag (get_tags("--contains", $broken)) { } if (int(@tagbranches) > 1) { - print "Tag $tag appears in multiple branches\n"; + print "Tag $tag appears in multiple branches\n";

} my $branch = $tagbranches[0];