Fix issue hash collision for missing-patch-file antipatterns

abadawi591 · abadawi591 · commit ebd36df0226f · 2025-10-28T10:07:44.000-07:00
CRITICAL BUG: Multiple patch files with same CVE got same issue_hash PROBLEM: Patch descriptions like: - 'CVE-2025-11111.patch' → extracted CVE-2025-11111 → hash: nginx-CVE-2025-11111-missing-patch-file - 'CVE-2025-11111-and-CVE-2025-22222.patch' → extracted CVE-2025-11111 (first match) → SAME hash! Both antipatterns got the SAME issue_hash, so challenging one marked BOTH as challenged. IMPACT: User challenged 1 antipattern out of 10, but Azure Function saw: - issue_lifecycle had 10 entries - But 2 shared same hash (hash collision) - Challenging nginx-CVE-2025-11111-missing-patch-file marked BOTH as challenged - If there were multiple collisions, could mark many as challenged - total=10, challenged=10 → unchallenged=0 → Removed 'radar-issues-detected' label ❌ ROOT CAUSE: _extract_key_identifier() prioritized CVE extraction over patch filename. For missing-patch-file, the patch FILENAME is the unique identifier, not the CVE. FIX: Check antipattern.id == 'missing-patch-file' FIRST, extract full patch filename. This ensures each patch file gets a unique hash: - 'CVE-2025-11111.patch' → nginx-CVE-2025-11111-missing-patch-file - 'CVE-2025-11111-and-CVE-2025-22222.patch' → nginx-CVE-2025-11111-and-CVE-2025-22222-missing-patch-file - 'security-fix.patch' → nginx-security-fix-missing-patch-file Now each patch file has a unique hash, preventing false positive challenges.
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py b/.pipelines/prchecks/CveSpecFilePRCheck/AntiPatternDetector.py
@@ -149,15 +149,22 @@ def _extract_key_identifier(self, antipattern: 'AntiPattern') -> str:
         Returns:
             Stable identifier string
         """
-        # Try to extract CVE number first (most common)
+        # For missing-patch-file, use patch filename as identifier (most specific)
+        # This prevents hash collisions when multiple patches reference same CVE
+        if antipattern.id == "missing-patch-file":
+            patch_match = re.search(r"(?:Patch file |')([A-Za-z0-9_.-]+\.patch)", antipattern.description)
+            if patch_match:
+                return patch_match.group(1).replace('.patch', '')  # e.g., "CVE-2085-88888" from "CVE-2085-88888.patch"
+        
+        # Try to extract CVE number (for CVE-related antipatterns)
         cve_match = re.search(r'CVE-\d{4}-\d+', antipattern.description)
         if cve_match:
             return cve_match.group(0)  # e.g., "CVE-2085-88888"
         
-        # Extract patch filename
+        # Extract patch filename (fallback for other patch-related issues)
         patch_match = re.search(r"(?:Patch file |')([A-Za-z0-9_.-]+\.patch)", antipattern.description)
         if patch_match:
-            return patch_match.group(1)  # e.g., "CVE-2085-88888.patch"
+            return patch_match.group(1).replace('.patch', '')  # e.g., "CVE-2085-88888"
         
         # For changelog entries, try to extract meaningful text
         entry_match = re.search(r"entry '([^']+)'", antipattern.description)
