Chen Qi
2018-11-02 06:03:00 UTC
The current logic for checking cve tag is not correct. It errors
out if and only if the patch contains a line which begins with
CVE-YYYY-XXXX and contains nothing else.
It will not error out if the patch contains no CVE information, nor
will it error out if the patch contains a line like the one below.
'Fix CVE-YYYY-XXXX'
I can see that the cve tag checking logic tries to ensure the patch
contains something like 'CVE: CVE-YYYY-XXXX'. So fix to implement such
logic.
Signed-off-by: Chen Qi <***@windriver.com>
---
tests/test_patch_cve.py | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tests/test_patch_cve.py b/tests/test_patch_cve.py
index 39e7267..df6fe46 100644
--- a/tests/test_patch_cve.py
+++ b/tests/test_patch_cve.py
@@ -22,7 +22,6 @@ import re
class CVE(base.Base):
re_cve_pattern = re.compile("CVE\-\d{4}\-\d+", re.IGNORECASE)
- re_cve_payload_pattern = re.compile("\+CVE\-\d{4}\-\d+", re.IGNORECASE)
re_cve_payload_tag = re.compile("\+CVE:(\s+CVE\-\d{4}\-\d+)+")
def setUp(self):
@@ -39,10 +38,12 @@ class CVE(base.Base):
def test_cve_tag_format(self):
for commit in CVE.commits:
if self.re_cve_pattern.search(commit.shortlog) or self.re_cve_pattern.search(commit.commit_message):
+ tag_found = False
for line in commit.payload.splitlines():
- # first match is lax but second strict
- if self.re_cve_payload_pattern.match(line):
- if not self.re_cve_payload_tag.match(line):
- self.fail('Missing or incorrectly formatted CVE tag in included patch file',
- 'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
- commit)
+ if self.re_cve_payload_tag.match(line):
+ tag_found = True
+ break
+ if not tag_found:
+ self.fail('Missing or incorrectly formatted CVE tag in included patch file',
+ 'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
+ commit)
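Review bot: The new `if not tag_found:` fails every commit whose shortlog or message matches re_cve_pattern, including one that carries no patch file at all (for example a recipe upgrade that fixes the CVE by bumping the version), because nothing in the hunk checks that commit.payload actually adds a patch; whether that is acceptable depends on base.Base and the callers, which are outside the hunk. It would be worth stating the intent in a comment, e.g. `# any commit mentioning a CVE must carry a patch with a "CVE: CVE-YYYY-XXXX" tag line`. The flag-and-break scan on the new lines reads more directly as `if not any(self.re_cve_payload_tag.match(line) for line in commit.payload.splitlines()):` followed by the existing `self.fail(...)` call, which drops `tag_found` entirely. Note also that re_cve_payload_tag is case-sensitive and has no end anchor, so the strictness of the accepted tag format is looser than the failure message implies; the same remarks apply to the repeated copy of this hunk further down the page, and test_cve_tag_format may continue past the hunk.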
out if and only if the patch contains a line which begins with
CVE-YYYY-XXXX and contains nothing else.
It will not error out if the patch contains no CVE information, nor
will it error out if the patch contains line like below.
'Fix CVE-YYYY-XXXX'
I can see that the cve tag checking logic tries to ensure the patch
contains something like 'CVE: CVE-YYYY-XXXX'. So fix to implement such
logic.
Signed-off-by: Chen Qi <***@windriver.com>
---
tests/test_patch_cve.py | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tests/test_patch_cve.py b/tests/test_patch_cve.py
index 39e7267..df6fe46 100644
--- a/tests/test_patch_cve.py
+++ b/tests/test_patch_cve.py
@@ -22,7 +22,6 @@ import re
class CVE(base.Base):
re_cve_pattern = re.compile("CVE\-\d{4}\-\d+", re.IGNORECASE)
- re_cve_payload_pattern = re.compile("\+CVE\-\d{4}\-\d+", re.IGNORECASE)
re_cve_payload_tag = re.compile("\+CVE:(\s+CVE\-\d{4}\-\d+)+")
def setUp(self):
@@ -39,10 +38,12 @@ class CVE(base.Base):
def test_cve_tag_format(self):
for commit in CVE.commits:
if self.re_cve_pattern.search(commit.shortlog) or self.re_cve_pattern.search(commit.commit_message):
+ tag_found = False
for line in commit.payload.splitlines():
- # first match is lax but second strict
- if self.re_cve_payload_pattern.match(line):
- if not self.re_cve_payload_tag.match(line):
- self.fail('Missing or incorrectly formatted CVE tag in included patch file',
- 'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
- commit)
+ if self.re_cve_payload_tag.match(line):
+ tag_found = True
+ break
+ if not tag_found:
+ self.fail('Missing or incorrectly formatted CVE tag in included patch file',
+ 'Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"',
+ commit)
--
2.7.4
--
2.7.4
--