Rules for Patches and Git Commits
Developers must write and commit one patch per unique vulnerability at a time. Committing a single patch that addresses multiple vulnerabilities is forbidden.
After preparing a patch, developers commit it to the repository with a commit message in a specific format. The format below allows our platform to map patches to vulnerability reports when calculating fix-it points.
The commit string message format has three parts:
- The first part is the string "patch" followed by a white space;
- The second part is a comma-separated list of the issue IDs addressed by the patch, followed by the character ":". The issue IDs are those of the duplicated issues reporting the same unique vulnerability. If Team A and Team B open two issues, e.g., issue #6 and issue #9, then the second part is the string "#6, #9:". If the patch addresses a vulnerability reported by only one team, say issue #13, then the second part of the string is
- The third part is a text string of the developers' choice.
For example, if issues #6 and #9 report the same cross-site scripting vulnerability in a parameter X, the commit message is "patch #6, #9: cross-site scripting in parameter X". Developers could use the string as follows:
$ git commit -m "patch #6, #9: cross-site scripting in parameter X"
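The following is an added example, not the platform's own code: a small parser that extracts the issue IDs from a commit message written in the format above and rejects messages that deviate from it (missing "patch" prefix, missing comma, missing colon, repeated IDs). It can be dropped into a commit-msg hook so malformed messages are caught before they reach the platform. The sample messages are constructed for illustration.

```python
import re
import sys
from typing import Optional

# Constructed sample messages for illustration; not from any real repository.
SAMPLE_MESSAGES = [
    "patch #6, #9: cross-site scripting in parameter X",   # valid, two IDs
    "patch #13: SQL injection in login form",               # valid, one ID
    "patch #6 #9: cross-site scripting",                    # missing comma
    "fix #6: cross-site scripting",                         # wrong prefix
    "patch #6, #9 cross-site scripting",                    # missing colon
]

# "patch", one space, comma-separated "#<digits>" IDs, ":", then free text.
_PATTERN = re.compile(r"^patch (#\d+(?:, #\d+)*):(.*)$", re.DOTALL)


def parse_patch_message(message: str) -> Optional[dict]:
    """Return {'issues': [6, 9], 'text': '...'} for a well-formed message,
    or None if the message does not follow the required format."""
    match = _PATTERN.match(message)
    if match is None:
        return None
    ids = [int(token.lstrip("#")) for token in match.group(1).split(", ")]
    if len(set(ids)) != len(ids):
        return None  # the same issue ID listed twice is treated as malformed
    return {"issues": ids, "text": match.group(2).strip()}


def check_commit_message(message: str) -> bool:
    """Accept/reject predicate, e.g. for a git commit-msg hook."""
    return parse_patch_message(message) is not None


if __name__ == "__main__":
    # git passes the path of the commit message file as the first argument.
    with open(sys.argv[1], encoding="utf-8") as fh:
        msg = fh.read().strip()
    if not check_commit_message(msg):
        print('commit message must look like: patch #6, #9: description')
        sys.exit(1)
```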