From dd5bf3e4d2ad66d8572d622a147cea1a8fddb40d Mon Sep 17 00:00:00 2001 From: Jon Szymaniak Date: Wed, 9 May 2018 16:45:10 -0500 Subject: cve-check.bbclass: detect CVE IDs listed on multiple lines Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line. cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match. An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs. This is resolved by iterating over all regular expression matches, rather than just the first. (From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd) Signed-off-by: Jon Szymaniak Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- meta/classes/cve-check.bbclass | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'meta/classes/cve-check.bbclass') diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 537659df12..4d998388b4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -146,15 +146,17 @@ def get_patches_cves(d): with open(patch_file, "r", encoding="iso8859-1") as f: patch_text = f.read() - # Search for the "CVE: " line - match = cve_match.search(patch_text) - if match: + # Search for one or more "CVE: " lines + text_match = False + for match in cve_match.finditer(patch_text): # Get only the CVEs without the "CVE: " tag cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) patched_cves.add(cve) - elif not fname_match: + text_match = True + + if not fname_match and not text_match: bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) return patched_cves -- cgit v1.2.3-54-g00ecf