The current logic for checking the CVE tag is not correct. It errors out if and only if the patch contains a line that begins with CVE-YYYY-XXXX and contains nothing else.
It will not error out if the patch contains no CVE information, nor will it error out if the patch contains line like below. 'Fix CVE-YYYY-XXXX' I can see that the cve tag checking logic tries to ensure the patch contains something like 'CVE: CVE-YYYY-XXXX'. So fix to implement such logic.
Signed-off-by: Chen Qi <[email protected]>
---
 tests/test_patch_cve.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tests/test_patch_cve.py b/tests/test_patch_cve.py
index 39e7267..df6fe46 100644
--- a/tests/test_patch_cve.py
+++ b/tests/test_patch_cve.py
@@ -22,7 +22,6 @@ import re
 class CVE(base.Base):
 
     re_cve_pattern = re.compile("CVE\-\d{4}\-\d+", re.IGNORECASE)
-    re_cve_payload_pattern = re.compile("\+CVE\-\d{4}\-\d+", re.IGNORECASE)
     re_cve_payload_tag = re.compile("\+CVE:(\s+CVE\-\d{4}\-\d+)+")
 
     def setUp(self):
@@ -39,10 +38,12 @@ class CVE(base.Base):
     def test_cve_tag_format(self):
         for commit in CVE.commits:
             if self.re_cve_pattern.search(commit.shortlog) or self.re_cve_pattern.search(commit.commit_message):
+                tag_found = False
                 for line in commit.payload.splitlines():
-                    # first match is lax but second strict
-                    if self.re_cve_payload_pattern.match(line):
-                        if not self.re_cve_payload_tag.match(line):
-                            self.fail('Missing or incorrectly formatted CVE tag in included patch file',
-                                      'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
-                                      commit)
+                    if self.re_cve_payload_tag.match(line):
+                        tag_found = True
+                        break
+                if not tag_found:
+                    self.fail('Missing or incorrectly formatted CVE tag in included patch file',
+                              'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
+                              commit)
-- 
2.7.4

-- 
_______________________________________________
yocto mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/yocto
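Review bot: The added `if not tag_found:` now fails every commit whose shortlog or message mentions a CVE but whose payload adds no `+CVE:` line, a case the old lax pre-check skipped; a CVE fixed by a version upgrade, or a commit that removes a no-longer-needed CVE patch (only `-CVE:` lines in the payload), would be reported as "Missing or incorrectly formatted CVE tag in included patch file" even though no patch file is included. Assuming commit.payload is the unified diff of the commit, gating the failure on the commit actually adding a patch file (a `+++ b/<path>.patch` header) keeps the stricter check without that false positive. The hunk also drops the only comment explaining the loop; the leading `\+` in re_cve_payload_tag is the diff marker, so `# the tag must sit on an added ("+") line of the diff, hence the leading \+ in the regex` belongs above the match. The hunk ends at the `self.fail(...)` call, so whether test_cve_tag_format continues past it is not visible.
```python
tag_found = False
adds_patch = False
for line in commit.payload.splitlines():
    # a newly added patch file appears as a "+++ b/<path>.patch" header
    if line.startswith('+++ ') and line.rstrip().endswith(('.patch', '.diff')):
        adds_patch = True
    # the tag must sit on an added ("+") line of the diff, hence the leading \+ in the regex
    if self.re_cve_payload_tag.match(line):
        tag_found = True
        break
if adds_patch and not tag_found:
    # … unchanged: self.fail(...) with the same two messages and commit …
```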
