|SUCCESS| devtools: fix SPDX tag check

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Thu Apr 30 01:31:26 CEST 2026


Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/163393

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-04-29

I'll review this DPDK patch focusing on correctness, coding style, API compliance, and guideline violations.

---

**Commit:** (from patch file header - git sha not directly available)
**Author:** Thomas Monjalon <thomas at monjalon.net>
**Subject:** devtools: fix SPDX tag check

This patch fixes a sed command issue in the SPDX tag checking script where
file paths containing slashes would break the sed command when used as
pattern delimiters.

> diff --git a/devtools/check-spdx-tag.sh b/devtools/check-spdx-tag.sh
> index 2390941c74..f0fcddf0d3 100755
> --- a/devtools/check-spdx-tag.sh
> +++ b/devtools/check-spdx-tag.sh
> @@ -41,7 +41,7 @@ check_spdx() {
>      files_without_spdx=$(cat $tmpfile)
>      git grep -LE '(/\*|#|;|\.\.) *SPDX-License-Identifier: [A-Z(]' -- $no_license_list > $tmpfile
>      for file in $files_without_spdx ; do
> -	sed -i "/^$file$/d" $tmpfile
> +	sed -i "\|^$file$|d" $tmpfile

Does this code introduce a command injection vulnerability? If $file
contains the pipe character '|' followed by shell commands, would this
execute arbitrary code? The file variable comes from files_without_spdx
which originates from git grep output, but should this still be sanitized
or quoted differently to prevent potential shell expansion?

Also, does this code still fail if $file contains the pipe character '|'
literally as part of a valid filename? While uncommon, POSIX allows '|' in
filenames, which would break the sed pattern matching here.

>      done
>  
>      warnings=$(($warnings + $(wc -l < $tmpfile)))
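
Review bot: On the `+` line, `$file` is still interpolated into the sed address as a regular expression, so switching the delimiter to `|` only removes the conflict with `/`. A `.` in a path matches any character and can delete a different entry from `$tmpfile`, and a name containing `|` would terminate the address early. Matching the name as a fixed, whole-line string avoids both problems, for example by filtering `$tmpfile` through `grep -vxF -- "$file"` into a fresh temporary file and moving it back. The `|` sits inside a double-quoted sed script, so the shell passes it to sed as data; the remaining shell-level fragility is the unquoted `$tmpfile` here and the word splitting in `for file in $files_without_spdx`, which already mishandles names containing whitespace.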

