Sometimes fixes are mistakenly cherry-picked into branches without using
the '-x' flag to record the master commit they were picked from. Add fuzzy
matching based on the subject line to attempt to identify these fixes on
branches.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
scripts/report-vulnerable-tags.pl | 46 +++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
index 6a0f7dc..c37416d 100644
--- a/scripts/report-vulnerable-tags.pl
+++ b/scripts/report-vulnerable-tags.pl
@@ -121,6 +121,38 @@ sub get_cherry_picks {
return %cherrypicks;
}
+sub get_fuzzy_picks {
+ my $branch = shift @_;
+ my $tag = shift @_;
+
+ my %subjects;
+
+ for my $commit (@fixed) {
+ open GIT, "-|", "git", "show", "--no-patch",
"--format=%s", $commit
+ or die "cannot query 'git show --no-patch --format=%s $commit':
$!";
+ my $subject = <GIT>;
+ chomp $subject;
+ close GIT;
+
+ $subjects{$subject} = $commit;
+ }
+
+ open GIT, "-|", "git", "log", "--format=%H
%s", "$tag..origin/$branch" or
+ die "cannot query 'git log --format='%h %s' $tag..origin/$branch':
$!\n";
+
+ my $commit;
+ my %fuzzypicks;
+ while (<GIT>) {
+ if (/([a-zA-Z0-9]+)\s(.*)$/) {
+ if (exists $subjects{$2}) {
+ $fuzzypicks{$subjects{$2}} = $1;
+ }
+ }
+ }
+
+ return %fuzzypicks;
+}
+
sub add_branch {
my $name = shift @_;
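Review bot: The `GIT` handle opened for `git log` in get_fuzzy_picks is never closed before `return %fuzzypicks;`, so a `git log` that exits non-zero (for instance because the `$tag..origin/$branch` range does not resolve) produces an empty result that looks the same as "no fuzzy matches". Adding `close GIT or die "git log $tag..origin/$branch failed: $?\n";` after the while loop would surface that failure. In the first loop `$subject` is undef when `git show` prints nothing, so `chomp` warns and the commit is stored under the empty key; `die "no subject for $commit\n" unless defined $subject;` before the `chomp` would catch it. Two entries in `@fixed` that share a subject overwrite each other in `%subjects`, so only the last one can ever be matched. The `my $commit;` before the while loop is unused, and the die message names `%h` while the command passes `%H`.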
@@ -226,6 +258,20 @@ if (defined $fixed) {
}
}
+ if (int(@missing)) {
+ my @unfixed = @missing;
+ my %fuzzypicks = get_fuzzy_picks($branch, $basetag);
+ @missing = ();
+ for my $commit (@unfixed) {
+ if (exists $fuzzypicks{$commit}) {
+ my $fuzzy = $fuzzypicks{$commit};
+ add_fixed_commit($branch, $fuzzy);
+ } else {
+ push @missing, $commit;
+ }
+ }
+ }
+
# If all fixes on master exist on branch, then
# identify any tags holding the last cherry-pick
# so the branch gets marked as non-vulnerable.
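Review bot: A subject-line match is weaker evidence than a recorded `-x` cherry-pick, yet `add_fixed_commit($branch, $fuzzy)` records it exactly as if it were one. A branch can therefore end up marked as non-vulnerable because of a partial backport or an unrelated commit that happens to carry the same subject, which is the unsafe direction for this report to be wrong in. Consider logging each fuzzy match, for example `print STDERR "fuzzy match on $branch: $commit ~ $fuzzy\n";`, so it can be verified by hand before the result is trusted. The enclosing `if (defined $fixed)` block starts and ends outside the hunk, so how `@missing` is consumed afterwards is not visible here.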
--
2.21.0