[tor-commits] [tor-browser-spec/master] Bug 40010: Use full patch diff for code audit

Fri Mar 19 21:16:19 UTC 2021

commit 49b2b716aaa4fdc186202584fefccbc1ce62c479
Author: Matthew Finkel <sysrqb at torproject.org>
Date:   Thu Jan 21 21:23:21 2021 +0000

    Bug 40010: Use full patch diff for code audit
---
 audits/java_audit.sh | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/audits/java_audit.sh b/audits/java_audit.sh
index 1417011..b1183eb 100644
--- a/audits/java_audit.sh
+++ b/audits/java_audit.sh
@@ -11,6 +11,7 @@ OLD=$2
 NEW=$3
 
 SCOPE="java" # string: this is the java audit
+EXT="java kt"
 
 declare -a KEYWORDS
 
@@ -62,21 +63,28 @@ KEYWORDS+=("::get\(")
 
 cd $REPO_DIR
 
-if [ ! -f "release-${OLD}-${NEW}.diff" ];
-then
-  echo "Diffing release-${OLD}-${NEW}.diff"
-  git diff --color=always --color-moved $OLD $NEW -U20 > release-${OLD}-${NEW}.diff
-fi
-
-echo "Done with diff"
-
+# Step 1: Generate match pattern based on in-scope keywords
 function join_by { local d=$1; shift; local f=$1; shift; printf %s "$f" "${@/#/$d}"; }
 GREP_LINE="$(join_by \| ${KEYWORDS[@]})"
 
+# Step 2: Obtain patches for all in-scope files where a keyword is present
+echo "Diffing patches-${OLD}-${NEW}-${SCOPE}.diff"
+path=
+for ext in ${EXT}; do
+    path="${path} *.${ext}"
+done
+# Exclude Deleted and Unmerged files from diff
+DIFF_FILTER=ACMRTXB
+git diff --color=always --color-moved --diff-filter="${DIFF_FILTER}" -U20 -G"${GREP_LINE}" $OLD $NEW -- ${path} > patches-${OLD}-${NEW}-${SCOPE}.diff
+
+# Step 3: Highlight the keyword with an annoying, flashing color
 export GREP_COLOR="05;37;41"
+# Capture the entire file and/or overlap with the previous match, add GREP_COLOR highlighting
+egrep -A10000 -B10000 --color=always "${GREP_LINE}" patches-${OLD}-${NEW}-${SCOPE}.diff > keywords-$OLD-$NEW-$SCOPE.diff
 
-# XXX: Arg this sometimes misses file context
-egrep -A40 -B40 --color=always "${GREP_LINE}" release-${OLD}-${NEW}.diff > keywords-${OLD}-${NEW}-$SCOPE.diff
+# Add a 'XXX MATCH XXX' at the end of each matched line, easily searchable.
+sed -i 's/\(\x1b\[05;37;41.*\)/\1    XXX MATCH XXX/' keywords-$OLD-$NEW-$SCOPE.diff
 
+# Step 4: Review the code changes
 echo "Diff generated. View it with:"
 echo "  less -R $REPO_DIR/keywords-$OLD-$NEW-$SCOPE.diff"



