Ignore 'No CVE' warning if NOCVE reason was provided in notes

2024-10-29 18:07:27 +01:00 · 2018-08-30 10:46:26 -05:00 · 2018-08-30 10:46:26 -05:00 · e753eddb6b
commit e753eddb6b
parent e5106b54db
1 changed files with 16 additions and 2 deletions
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@ -140,6 +140,7 @@ class Msftidy
  def check_ref_identifiers
    in_super     = false
    in_refs      = false
+    in_notes     = false
    cve_assigned = false

    @lines.each do |line|
@ -153,6 +154,10 @@ class Msftidy
      if in_super and line =~ /["']References["'][[:space:]]*=>/
        in_refs = true
      elsif in_super and in_refs and line =~ /^[[:space:]]+\],*/m
+        in_refs = false
+      elsif in_super and line =~ /["']Notes["'][[:space:]]*=>/
+        in_notes = true
+      elsif in_super and in_notes and line =~ /^[[:space:]]+\},*/m
        break
      elsif in_super and in_refs and line =~ /[^#]+\[[[:space:]]*['"](.+)['"][[:space:]]*,[[:space:]]*['"](.+)['"][[:space:]]*\]/
        identifier = $1.strip.upcase
@ -178,7 +183,7 @@ class Msftidy
          warn("Invalid WPVDB reference") if value !~ /^\d+$/
        when 'PACKETSTORM'
          warn("Invalid PACKETSTORM reference") if value !~ /^\d+$/
-        when 'URL' || 'AKA'
+        when 'URL'
          if value =~ /^https?:\/\/cvedetails\.com\/cve/
            warn("Please use 'CVE' for '#{value}'")
          elsif value =~ /^https?:\/\/www\.securityfocus\.com\/bid\//
@ -194,12 +199,21 @@ class Msftidy
          elsif value =~ /^https?:\/\/(?:[^\.]+\.)?packetstormsecurity\.(?:com|net|org)\//
            warn("Please use 'PACKETSTORM' for '#{value}'")
          end
+        when 'AKA'
+          warn("Please include AKA values in the 'notes' section, rather than in 'references'.")
        end
      end
+
+      # If a NOCVE reason was provided in notes, ignore the fact that the references might lack a CVE
+      if in_super and in_notes and line =~ /^[[:space:]]+["']NOCVE["'][[:space:]]+=>[[:space:]]+\[*["'](.+)["']\]*/
+        cve_assigned = true
+      end
    end

    # This helps us track when CVEs aren't assigned
-    info('No CVE references found. Please check before you land!') unless cve_assigned
+    unless cve_assigned
+      info('No CVE references found. Please check before you land!')
+    end
  end

  def check_self_class