Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line.
cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match. An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs. This is resolved by iterating over all regular expression matches, rather than just the first. Signed-off-by: Jon Szymaniak <[email protected]> --- meta/classes/cve-check.bbclass | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index bc2f03f7dd..86e6a0ae90 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -146,15 +146,17 @@ def get_patches_cves(d): with open(patch_file, "r", encoding="iso8859-1") as f: patch_text = f.read() - # Search for the "CVE: " line - match = cve_match.search(patch_text) - if match: + # Search for one or more "CVE: " lines + text_match = False + for match in cve_match.finditer(patch_text): # Get only the CVEs without the "CVE: " tag cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) patched_cves.add(cve) - elif not fname_match: + text_match = True + + if not fname_match and not text_match: bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) return patched_cves -- 2.14.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
