asf-tooling opened a new issue, #966:
URL: https://github.com/apache/tooling-trusted-releases/issues/966
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The release vote logic validator is designed to ensure that `vote_resolved`
cannot be set without `vote_started` being set first. However, a catch-all
pattern match `(_, _)` appears before the intended validation case, causing the
function to always return `True` regardless of the actual state. This
undermines the documented business rule that 'cannot have vote_resolved without
vote_started' and compromises data integrity.
### Details
**Affected Files and Lines:**
- `atr/validate.py:245-260` - Vote logic validation with incorrect pattern
order
The catch-all pattern `(_, _)` matches all cases before the specific
validation case `(None, _)` can be evaluated, making the validation ineffective.
### Recommended Remediation
Reorder pattern match cases to place `(None, _)` case before the catch-all
`(_, _)` case, and uncomment the intended validation logic:
```python
match (release.vote_started, release.vote_resolved):
case (None, None):
# No vote started, no vote resolved - valid
pass
case (datetime(), None):
# Vote started but not resolved - valid
pass
case (None, _):
# Vote resolved without being started - INVALID
return False, "Cannot have vote_resolved without vote_started"
case (datetime(), datetime()):
# Both set - valid
pass
```
Add unit tests covering all four state combinations: (None, None),
(datetime, None), (None, datetime), (datetime, datetime). Consider adding a SQL
CHECK constraint as defense-in-depth. Run `validate.everything()` against
production data to identify existing inconsistencies.
### Acceptance Criteria
- [ ] Pattern match cases reordered
- [ ] Validation logic uncommented
- [ ] Unit tests cover all state combinations
- [ ] SQL CHECK constraint considered
- [ ] Production data validated
- [ ] Unit test verifying the fix
### References
- Source reports: L2:2.1.2.md
- Related findings: None
- ASVS sections: 2.1.2
### Priority
High
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
