authorJon Szymaniak <jon.szymaniak.foss@gmail.com>2018-05-09 16:45:10 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-05-15 10:56:49 +0100
commitdd5bf3e4d2ad66d8572d622a147cea1a8fddb40d (patch)
tree267de8f712e36545e7266ef63e1e59f3d8b8c7dd
parent00cf91aacc8e11aedad967742a59d45724619c97 (diff)
downloadpoky-dd5bf3e4d2ad66d8572d622a147cea1a8fddb40d.tar.gz
cve-check.bbclass: detect CVE IDs listed on multiple lines
Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line. cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match. An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs. This is resolved by iterating over all regular expression matches, rather than just the first. (From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd) Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass10
1 files changed, 6 insertions, 4 deletions
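--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
         with open(patch_file, "r", encoding="iso8859-1") as f:
             patch_text = f.read()
 
-        # Search for the "CVE: " line
-        match = cve_match.search(patch_text)
-        if match:
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
             # Get only the CVEs without the "CVE: " tag
             cves = patch_text[match.start()+5:match.end()]
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
-        elif not fname_match:
+            text_match = True
+
+        if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
     return patched_cves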
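Review bot: With finditer() every `CVE: CVE-...` run anywhere in the patch file now marks those IDs as patched, including runs inside the diff body itself (a patched ChangeLog or NEWS file, a test fixture, a quoted advisory), whereas search() only ever took the first hit; a stray tag in quoted content would silently drop a CVE from the report rather than merely producing a false positive. If the commit-message header is the intended source, consider scanning only the text above the first hunk, e.g. `header = patch_text.split("\n---", 1)[0]` followed by `for match in cve_match.finditer(header):`. The `match.start()+5` slice also hard-codes the length of the `"CVE: "` prefix; `match.group(0)[5:]` would at least tie the offset to the matched text, and a capture group in cve_match would remove the magic number altogether. get_patches_cves starts before this hunk and cve_match is compiled outside it, so whether the pattern is anchored to a line start cannot be confirmed from here.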