From 18b1332f6e6e1ef28b42d128d7777127e92f1ce1 Mon Sep 17 00:00:00 2001 From: Tabitha Sable Date: Fri, 15 Aug 2025 12:05:43 -0500 Subject: [PATCH 1/3] propagate python return code through shell to Prow --- .../cve-feed/hack/fetch-cve-feed.sh | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh index a73e193..0c28b23 100755 --- a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh +++ b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh @@ -20,6 +20,9 @@ set -o pipefail # name of the output file OUTPUT_FILE=official-cve-feed.json +# value to return at end of script +RETURN_VALUE=0 + # install python-pip3 apt-get update apt-get install -y python3-pip @@ -28,8 +31,20 @@ apt-get install -y python3-pip pip3 install requests # python script to generate official-cve-feed.json -# tee duplicates the output from the script to stdout for logs and the JSON file -python3 fetch-official-cve-feed.py | tee $OUTPUT_FILE +python3 fetch-official-cve-feed.py > "${OUTPUT_FILE}" +EXIT_CODE=$? +if [ $EXIT_CODE -ne 0 ]; then + RETURN_VALUE=$EXIT_CODE +fi + +# make the prow job logs always helpful +cat "${OUTPUT_FILE}" + +# python returns 7 to indicate recoverable errors +# Exit bash script now if unrecoverable python error +if [ $EXIT_CODE -ne 0 ] && [ $EXIT_CODE -ne 7 ]; then + exit $RETURN_VALUE +fi # function to calculate the hash value of official-cve-feed.json calculate_hash(){ @@ -75,4 +90,4 @@ else fi fi - +exit "${RETURN_VALUE}" From a070cb57aa89c78b93d49824ab850e24e0f1e36e Mon Sep 17 00:00:00 2001 From: Tabitha Sable Date: Fri, 15 Aug 2025 12:48:23 -0500 Subject: [PATCH 2/3] Add quotes around early exit argument --- sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
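Review bot: In the `@@ -28,8 +31,20 @@` hunk, an exit code of 7 from the Python step lets the script fall through to the hash-and-upload path with whatever `fetch-official-cve-feed.py` managed to write to `official-cve-feed.json`, and nothing checks that the file is non-empty, well-formed JSON before the later gsutil section publishes it to gs://k8s-cve-feed. A cheap guard right after the early-exit `fi`, `python3 -m json.tool "${OUTPUT_FILE}" >/dev/null || { echo "output is not valid JSON" >&2; exit 1; }`, would keep a truncated feed from being uploaded while still letting the 7 reach Prow via RETURN_VALUE on the good path. Capturing `EXIT_CODE=$?` after the redirect also relies on errexit being off at this point; the last hunk's context shows the script only turns on `set -e` before the gsutil section, so a comment such as `# run without -e so the python exit code can be captured and classified below` on that line would make the dependency explicit. I cannot see what the Python script covers under code 7, so whether a 7 run can leave a partial file is inferred.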
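Review bot: The final `exit "${RETURN_VALUE}"` added in the `@@ -75,4 +90,4 @@` hunk returns 7 after the gsutil branch above it has already uploaded the feed and hash, so Prow will report the job as failed even though the bucket was updated. That appears to be the intended behaviour for recoverable Python errors, but it is easy to misread from the log; a comment on the exit line such as `# 7 = python reported recoverable errors; the feed above was still published` would make it explicit. The if/else this exit follows starts outside the hunk.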
diff --git a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh index 0c28b23..9b598d5 100755 --- a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh +++ b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh @@ -43,7 +43,7 @@ cat "${OUTPUT_FILE}" # python returns 7 to indicate recoverable errors # Exit bash script now if unrecoverable python error if [ $EXIT_CODE -ne 0 ] && [ $EXIT_CODE -ne 7 ]; then - exit $RETURN_VALUE + exit "${RETURN_VALUE}" fi # function to calculate the hash value of official-cve-feed.json From dd412190936ff0349aff103af2330df3efefe57f Mon Sep 17 00:00:00 2001 From: Tabitha Sable Date: Fri, 15 Aug 2025 15:37:32 -0500 Subject: [PATCH 3/3] Many little unimportant changes for uniformity and defensive shell coding --- .../cve-feed/hack/fetch-cve-feed.sh | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh index 9b598d5..80ae29d 100755 --- a/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh +++ b/sig-security-tooling/cve-feed/hack/fetch-cve-feed.sh @@ -33,8 +33,8 @@ pip3 install requests # python script to generate official-cve-feed.json python3 fetch-official-cve-feed.py > "${OUTPUT_FILE}" EXIT_CODE=$? -if [ $EXIT_CODE -ne 0 ]; then - RETURN_VALUE=$EXIT_CODE +if [[ "${EXIT_CODE}" -ne 0 ]]; then + RETURN_VALUE=${EXIT_CODE} fi # make the prow job logs always helpful @@ -42,7 +42,7 @@ cat "${OUTPUT_FILE}" # python returns 7 to indicate recoverable errors # Exit bash script now if unrecoverable python error -if [ $EXIT_CODE -ne 0 ] && [ $EXIT_CODE -ne 7 ]; then +if [[ "${EXIT_CODE}" -ne 0 ]] && [[ "${EXIT_CODE}" -ne 7 ]]; then exit "${RETURN_VALUE}" fi 
@@ -61,31 +61,31 @@ calculate_hash(){ # check if official-cve-feed.json blob exists in the bucket set -e EXIT_CODE=0 -gsutil ls gs://k8s-cve-feed/$OUTPUT_FILE >/dev/null 2>&1 || EXIT_CODE=$? +gsutil ls "gs://k8s-cve-feed/${OUTPUT_FILE}" >/dev/null 2>&1 || EXIT_CODE=$? # fetch the hash value of existing official-cve-feed.json json, if differs then # upload the new cve feed data to the existing blob. -if [[ $EXIT_CODE -eq 1 ]]; then - gsutil cp $OUTPUT_FILE gs://k8s-cve-feed - calculate_hash $OUTPUT_FILE > cve-feed-hash +if [[ "${EXIT_CODE}" -eq 1 ]]; then + gsutil cp "${OUTPUT_FILE}" gs://k8s-cve-feed + calculate_hash "${OUTPUT_FILE}" > cve-feed-hash echo "$( cve-feed-hash + new_hash=$(calculate_hash "${OUTPUT_FILE}") + echo "new hash value : ${new_hash}" + echo "${new_hash}" > cve-feed-hash - if [[ $hash == $new_hash ]]; then - printf "Both the hashes have identical contents" + if [[ "${hash}" == "${new_hash}" ]]; then + echo "Both the hashes have identical contents" else - printf "Both the hash value differ \n" - echo "Uploading the new json feed and hash value to gcs bucket \n" - gsutil cp $OUTPUT_FILE gs://k8s-cve-feed + echo "Both the hash value differ" + echo "Uploading the new json feed and hash value to gcs bucket" + gsutil cp "${OUTPUT_FILE}" gs://k8s-cve-feed gsutil cp cve-feed-hash gs://k8s-cve-feed/cve-feed-hash fi fi
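Review bot: The existence probe `gsutil ls "gs://k8s-cve-feed/${OUTPUT_FILE}" >/dev/null 2>&1 || EXIT_CODE=$?` discards gsutil's stderr, so when the `ls` fails for a reason other than the object being absent (credentials, network) the Prow log gives no hint why the script took the fresh-upload branch; since this series is about making the job logs useful, keep only `>/dev/null` and let stderr through. The `-eq 1` test also treats every gsutil status 1 as "blob missing"; whether gsutil returns 1 for other failures too is inferred, but if it does, a transient error would silently route into the unconditional `gsutil cp` branch, which deserves either a comment or a check on the error text. The `set -e` at the top of this hunk applies to the rest of the script, so a failed `cp` aborts before the final exit.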