Rules for Patches and Git Commits
Each commit must address exactly one unique vulnerability. Committing a patch that fixes several vulnerabilities at once is forbidden.
After preparing a patch, developers commit it to the repository with a commit message in the specific format described below. This format is what allows the platform to map each patch to the vulnerability reports it addresses when calculating fix-it points.
The commit message format has three parts:
- The first part is the string "patch" followed by a single white space;
- The second part is a comma-separated list of the issue IDs addressed by the patch, followed by the character ":". The list must contain every issue that reports the same unique vulnerability (i.e. the duplicate reports opened by different teams). If Team A and Team B open two issues, e.g. issue #6 and issue #9, for the same vulnerability, then the second part is the string "#6, #9:". If the patch addresses a vulnerability reported by only one team, say in issue #13, then the second part is the string "#13:";
- The third part is a free-text description of the developers' choice.
For example, if issues #6 and #9 report the same cross-site scripting vulnerability in a parameter X, the commit message is "patch #6, #9: cross-site scripting in parameter X", and the commit command is:
$ git commit -m "patch #6, #9: cross-site scripting in parameter X"
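Because the platform parses this format mechanically, it is worth validating it before the commit is made. The following validator is an added example, not part of the page or of the platform's own tooling; it implements the three-part grammar described above and can be installed as a git commit-msg hook (git passes the hook the path of the file holding the message). It assumes, beyond what the page states, that whitespace after the commas in the issue list is tolerated (the page's own example writes "#6, #9:"), that the "patch" keyword is case-sensitive, that a repeated issue ID in the list is an error, and that only the first line of the message (the subject) carries the format, so a longer commit body may follow it.

```python
import re
import sys

# Grammar of the commit subject, as described on the page:
#   "patch" <space> <issue-list> ":" <free text>
# where <issue-list> is one or more "#<number>" tokens separated by commas.
# Assumption (not on the page): optional whitespace around each comma is
# tolerated, matching the page's own "#6, #9:" example.
_ISSUE_LIST = r"#\d+(?:\s*,\s*#\d+)*"
_SUBJECT = re.compile(rf"^patch ({_ISSUE_LIST}):(.*)$")


class CommitFormatError(ValueError):
    """Raised when a commit message does not follow the patch format."""


def parse_patch_commit(message):
    """Parse a commit message and return (issue_ids, description).

    issue_ids is a sorted list of ints; description is the stripped free text
    after the colon. Only the first line (the subject) is parsed, so a commit
    body may follow it (assumption, see lead-in). Raises CommitFormatError on
    any deviation from the format.
    """
    subject = message.split("\n", 1)[0].rstrip("\r")
    match = _SUBJECT.match(subject)
    if match is None:
        raise CommitFormatError(
            "expected 'patch #<id>[, #<id>...]: <description>', got: "
            + repr(subject)
        )
    ids = [int(tok.strip()[1:]) for tok in match.group(1).split(",")]
    if len(set(ids)) != len(ids):
        # A duplicated ID is almost always a typo; reject it (assumption).
        raise CommitFormatError("issue ID listed more than once: " + repr(subject))
    return sorted(ids), match.group(2).strip()


def is_valid_patch_commit(message):
    """Boolean convenience wrapper around parse_patch_commit."""
    try:
        parse_patch_commit(message)
    except CommitFormatError:
        return False
    return True


def main(argv):
    # git invokes a commit-msg hook as: commit-msg <path-to-message-file>
    if len(argv) != 2:
        print("usage: commit-msg <message-file>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        message = fh.read()
    try:
        ids, description = parse_patch_commit(message)
    except CommitFormatError as err:
        print("commit rejected: " + str(err), file=sys.stderr)
        return 1
    print("patch for issue(s) " + ", ".join("#%d" % i for i in ids) + ": " + description)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To enable it, copy the script to .git/hooks/commit-msg and make it executable; git then refuses any commit whose subject does not match the format, so a misformatted message never reaches the platform's scoring. Note that the hook cannot enforce the one-vulnerability-per-commit rule itself, only the message format; that rule still depends on the developer listing only the duplicate reports of a single vulnerability.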