[libvirt] [security-notice PATCH 4/9] scripts: change to update notice files inplace

Daniel P. Berrangé berrange at redhat.com
Mon May 13 11:52:01 UTC 2019


Instead of printing out a snippet which then has to be cut and pasted
into the notice file, directly read the template notice file and
update it in place with new branch/tag info.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 scripts/report-vulnerable-tags.pl | 66 ++++++++++++++++++++++++-------
 1 file changed, 52 insertions(+), 14 deletions(-)

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
index 431a7bf..3a94721 100644
--- a/scripts/report-vulnerable-tags.pl
+++ b/scripts/report-vulnerable-tags.pl
@@ -5,12 +5,37 @@ use warnings;
 
 use Sort::Versions;
 
-if (int(@ARGV) != 1 && int(@ARGV) != 2) {
-    die "syntax: $0 BROKEN-CHANGESET [FIXED-CHANGESET]\n";
+if (int(@ARGV) != 1) {
+    die "syntax: $0 NOTICE.XML\n";
 }
 
-my $broken = shift @ARGV;
-my $fixed = shift @ARGV;
+my $broken;
+my $fixed;
+my $notice = shift @ARGV;
+my @notice;
+
+open NOTICE, $notice or die "cannot read $notice: $!";
+my $master;
+my $discard;
+for my $line (<NOTICE>) {
+    push @notice, $line unless $discard;
+    if ($line =~ m,<repository>,) {
+	$discard = 1;
+    } elsif ($line =~ m,<name>master</name>,) {
+	$master = 1;
+    } elsif ($line =~ m,</branch>,) {
+	$master = 0;
+    } elsif ($master) {
+	if ($line =~ m,<change state="(vulnerable|fixed)">([a-zA-Z0-9]+)</change>,) {
+	    if ($1 eq "vulnerable") {
+		$broken = $2;
+	    } else {
+		$fixed = $2;
+	    }
+	}
+    }
+}
+close NOTICE;
 
 # branch name to hash with keys
 #   - brokenchanges -> list of commit ids
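Review bot: The two-argument `open NOTICE, $notice` just after `my @notice;` takes the open mode from the filename itself, so an argument that begins with `>` or ends in `|` is interpreted as a mode rather than opened for reading; the same form is used for the `.tmp` file in the last hunk of this patch. Use the three-argument form with an explicit mode, `open NOTICE, '<', $notice or die "cannot read $notice: $!";` (and `open NOTICE, '>', "$notice.tmp" or die ...` below). Separately, `$broken` stays undef when the notice has no `<name>master</name>` block or no vulnerable change inside it, and the old argument check that guaranteed a broken changeset is gone; a `die "no vulnerable change for master in $notice\n" unless defined $broken;` after `close NOTICE;` would keep the later `get_tags("--contains", $broken)` call from presumably running with an undefined argument.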
@@ -154,7 +179,7 @@ for my $tag (get_tags("--contains", $broken)) {
     }
 
     if (int(@tagbranches) > 1) {
-        print "Tag $tag appears in multiple branches\n";
+	print "Tag $tag appears in multiple branches\n";
     }
     my $branch = $tagbranches[0];
 
@@ -172,21 +197,34 @@ if (defined $fixed) {
     }
 }
 
+open NOTICE, ">$notice.tmp" or die "cannot create $notice.tmp: $!";
+foreach my $line (@notice) {
+    print NOTICE $line;
+}
+
 foreach my $branch (sort versioncmp keys %branches) {
-    print "    <branch>\n";
-    print "      <name>$branch</name>\n";
+    print NOTICE "    <branch>\n";
+    print NOTICE "      <name>$branch</name>\n";
+
     foreach my $tag (sort versioncmp keys %{$branches{$branch}->{"brokentags"}}) {
-        print "      <tag state=\"vulnerable\">$tag</tag>\n";
+        print NOTICE "      <tag state=\"vulnerable\">$tag</tag>\n";
     }
-    foreach my $commit (@{$branches{$branch}->{"brokenchanges"}}) {
-	print "      <change state=\"vulnerable\">$commit</change>\n";
+    foreach my $change (@{$branches{$branch}->{"brokenchanges"}}) {
+	print NOTICE "      <change state=\"vulnerable\">$change</change>\n";
     }
 
     foreach my $tag (sort versioncmp keys %{$branches{$branch}->{"fixedtags"}}) {
-        print "      <tag state=\"fixed\">$tag</tag>\n";
+        print NOTICE "      <tag state=\"fixed\">$tag</tag>\n";
     }
-    foreach my $commit (@{$branches{$branch}->{"fixedchanges"}}) {
-	print "      <change state=\"fixed\">$commit</change>\n";
+    foreach my $change (@{$branches{$branch}->{"fixedchanges"}}) {
+	print NOTICE "      <change state=\"fixed\">$change</change>\n";
     }
-    print "    </branch>\n";
+    print NOTICE "    </branch>\n";
 }
+
+print NOTICE "  </product>\n";
+print NOTICE "\n";
+print NOTICE "</security-notice>\n";
+close NOTICE;
+
+rename "$notice.tmp", "$notice" or die "cannot replace $notice: $!";
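Review bot: The unchecked `close NOTICE;` on the write handle drops any buffered write error, and the `rename` right after it then replaces the real notice file with whatever was actually flushed to `$notice.tmp`; check it, `close NOTICE or die "cannot write $notice.tmp: $!";`, so a failed write leaves the original notice untouched. The `print NOTICE` calls in the loop are likewise unchecked, but a checked close catches the buffered failures they would hide. A `$notice.tmp` is left behind whenever a later `die` fires after the open; that is probably fine for a maintainer script, but a comment such as `# a leftover $notice.tmp means an earlier run died; safe to delete` would save the next reader a question.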
-- 
2.21.0



