From 97364f551805210c4938faf6cd531fce1e3e0a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 18 Jan 2021 14:57:47 +0100
Subject: [PATCH] Flag missing CVE identifiers

Make Danger ensure that if a merge request fixes a security issue then that merge request includes a CHANGES entry and a release note, both of which contain a CVE identifier.
---
 dangerfile.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/dangerfile.py b/dangerfile.py
index 1c9177d7b4..9e34b33dc5 100644
--- a/dangerfile.py
+++ b/dangerfile.py
@@ -25,6 +25,9 @@ def added_lines(target_branch, paths):
         added_lines.append(line)
     return added_lines
 
+def lines_containing(lines, string):
+    return [l for l in lines if bytes(string, 'utf-8') in l]
+
 issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]')
 
 release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)')
@@ -197,3 +200,21 @@ if release_notes_changed:
     identifiers_found = filter(issue_or_mr_id_regex.search, notes_added_lines)
     if notes_added_lines and not any(identifiers_found):
         warn('No valid issue/MR identifiers found in added release notes.')
+else:
+    notes_added_lines = []
+
+###############################################################################
+# CVE IDENTIFIERS
+###############################################################################
+#
+# FAIL if the merge request adds a CHANGES entry of type [security] and a CVE
+# identifier is missing from either the added CHANGES entry or the added
+# release note.
+
+if lines_containing(changes_added_lines, '[security]'):
+    if not lines_containing(changes_added_lines, '(CVE-20'):
+        fail('This merge request fixes a security issue. '
+             'Please add a CHANGES entry which includes a CVE identifier.')
+    if not lines_containing(notes_added_lines, 'CVE-20'):
+        fail('This merge request fixes a security issue. '
+             'Please add a release note which includes a CVE identifier.')
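Review bot: In the new `lines_containing` helper, `bytes(string, 'utf-8')` is re-evaluated for every element of the comprehension, and `l` is the ambiguous single-letter name PEP 8 (E741) advises against. Encoding once outside the loop keeps the same result and reads more clearly: `needle = string.encode('utf-8')` followed by `return [line for line in lines if needle in line]`. The helper also has no docstring; a one-liner such as `"""Return the byte-string lines in *lines* that contain *string* (UTF-8 encoded)."""` would document that it expects byte lines, which the `in l` test implies but does not state.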
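Review bot: The `'(CVE-20'` and `'CVE-20'` substring checks in the new CVE IDENTIFIERS section only test that an identifier has been started, so a draft placeholder such as `CVE-20XX-XXXX` left in the CHANGES entry or the release note passes a gate whose purpose is to enforce a real identifier. A compiled pattern in the style of the existing `issue_or_mr_id_regex`, e.g. `cve_id_regex = re.compile(br'CVE-20[0-9]{2}-[0-9]{4,}')`, with the two guards changed to `if not any(map(cve_id_regex.search, changes_added_lines)):` and `if not any(map(cve_id_regex.search, notes_added_lines)):`, rejects the placeholder while keeping both `fail(...)` messages as they are; if the leading `(` is meant to be enforced in CHANGES, keep a second pattern with `\(` for that check. `changes_added_lines` is defined outside this hunk, and the note assumes it holds byte strings like `notes_added_lines`, as the `bytes(...) in l` test in `lines_containing` suggests.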