Comment: Updated guidance on security fix commit messages

...

  1. Start with the JIRA issue ID for the story or bug and, if one was used, the ID of the Crucible review for the code.
  2. State in up to 50 characters how this commit changes the product. Begin with a capital letter and don’t end with a full stop. Write as if completing the sentence "If applied, this commit will...".
  3. If you really need to provide further information in the commit message (details of the fix belong in the JIRA issue, not the commit), leave a blank line below the summary before adding them.

...

AME-9876 Add new authentication module for device auth

Security fixes

Ideally the commit message for a security fix should contain only the JIRA issue ID, for example OPENAM-6053. You may optionally add a simple description of the general area of the fix, but you must not mention any details of the vulnerability.

Good examples:

OPENAM-12345

OPENAM-12345 Fix email service

OPENAM-12345 Adjust LDAP connection settings

Bad examples:

OPENAM-12345 Eliminate XSS in /json/sessions endpoint - mentions a specific vulnerability and/or endpoint

OPENAM-12345 Fix issue reported by customer - customers often report security issues, so this is a red flag

OPENAM-12345 JWT validation - NB: even something as simple as this should be avoided, as bugs in validation are almost always security issues

If in doubt, leave it out!
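The structural rules above (issue ID first, a summary of at most 50 characters that starts with a capital and has no trailing full stop, a blank line before any details) and the security-fix rule can both be enforced at commit time. The script below is an added example of a git commit-msg hook, not the project's own tooling. It assumes that issue IDs have the PROJECT-123 shape seen in the examples (and that a Crucible review ID, whose format the page does not give, looks the same and may follow the issue ID), that the 50-character limit applies to the summary text after the IDs, and that the list of red-flag terms is illustrative only.

```shell
#!/bin/sh
# Added example commit-msg hook for the guidelines on this page; it is not
# the project's own hook. Install with:
#   cp commit-msg-check.sh .git/hooks/commit-msg && chmod +x .git/hooks/commit-msg
# Assumptions (not stated on the page):
#   - issue IDs look like OPENAM-12345 / AME-9876; a Crucible review ID is
#     assumed to have the same shape and may follow the issue ID
#   - the 50-character limit applies to the summary text after the IDs
#   - RED_FLAGS is an illustrative list, not an exhaustive one

ID_RE='[[:upper:]][[:upper:][:digit:]]*-[[:digit:]]+'
# Terms that give away a security fix: vulnerability classes, endpoint paths,
# customer reports and "validation" (the bad examples above). The path pattern
# is deliberately broad and will also catch ordinary file paths.
RED_FLAGS='xss|csrf|ssrf|injection|sqli|vulnerab|exploit|cve-|overflow|bypass|customer|validat|/[a-z]+/'

# check_commit_msg MESSAGE
# Returns 0 when MESSAGE follows the guidelines, 1 otherwise; every problem
# found is written to stderr so the committer can fix all of them at once.
check_commit_msg() {
    msg=$1
    rc=0
    summary=$(printf '%s\n' "$msg" | sed -n '1p')
    second=$(printf '%s\n' "$msg" | sed -n '2p')

    # 1. The summary starts with the JIRA issue ID (plus optional review ID).
    if printf '%s\n' "$summary" | grep -Eq "^$ID_RE"; then
        rest=$(printf '%s\n' "$summary" | sed -E "s/^($ID_RE *)+//")
    else
        echo "commit-msg: summary must start with the JIRA issue ID" >&2
        rc=1
        rest=$summary
    fi

    # 2. Up to 50 chars, capital first letter, no trailing full stop.
    #    An ID-only summary is allowed: it is the preferred form for security fixes.
    if [ -n "$rest" ]; then
        if [ "${#rest}" -gt 50 ]; then
            echo "commit-msg: summary text is ${#rest} chars, limit is 50" >&2
            rc=1
        fi
        case "$rest" in
            [[:upper:]]*) ;;
            *) echo "commit-msg: summary must begin with a capital letter" >&2; rc=1 ;;
        esac
        case "$rest" in
            *.) echo "commit-msg: summary must not end with a full stop" >&2; rc=1 ;;
        esac
    fi

    # 3. Details, if any, are separated from the summary by a blank line.
    if [ -n "$second" ]; then
        echo "commit-msg: leave a blank line between the summary and the details" >&2
        rc=1
    fi

    # 4. Security red flags anywhere in the message. The hook cannot know
    #    whether this commit is a security fix, so it rejects these terms in
    #    every commit: if in doubt, leave it out.
    if printf '%s\n' "$msg" | grep -Eiq "$RED_FLAGS"; then
        echo "commit-msg: message names a vulnerability class, endpoint, customer report or validation; a security fix carries only the issue ID" >&2
        rc=1
    fi

    return $rc
}

# check_commit_msg_file PATH
# Hook entry point: git passes the path of the message file. Lines starting
# with '#' are git's own comment lines and are dropped before checking.
check_commit_msg_file() {
    check_commit_msg "$(grep -v '^#' "$1")"
}

# When installed as .git/hooks/commit-msg, git calls this script with the
# message file as the single argument; a non-zero exit aborts the commit.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    check_commit_msg_file "$1"
fi
```

The hook only catches the mechanical cases; a summary such as "JWT validation" is rejected because it matches the word list, but a reviewer still has to read the message for anything the list does not cover. A committer who genuinely needs to bypass the check can use `git commit --no-verify`, which is why the rule belongs in code review as well as in the hook.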