Actually, the test I added was wrong: I was asserting equal to
set("CVE-2023-33460") instead of {"CVE-2023-33460"} in my test case.

Back to square one...

Colin

On Sat, Jan 11, 2025 at 9:25 AM Colin <colinmca...@gmail.com> wrote:

> Hi Peter,
>
> I'm currently looking at this. I added CVE-2023-33460.patch to
> test_parse_cve_from_patch_contents and ran oe-selftest. I see why
> these patches are no longer being marked as solved.
>
> 2025-01-11 15:17:33,396 - oe-selftest - INFO - ======================================================================
> 2025-01-11 15:17:33,396 - oe-selftest - INFO - FAIL: test_parse_cve_from_patch_contents (cve_check.CVECheck)
> 2025-01-11 15:17:33,397 - oe-selftest - INFO - ----------------------------------------------------------------------
> 2025-01-11 15:17:33,397 - oe-selftest - INFO - Traceback (most recent call last):
>   File "/home/colin/development/yocto/poky/meta/lib/oeqa/selftest/cases/cve_check.py", line 209, in test_parse_cve_from_patch_contents
>     self.assertEqual(
> AssertionError: Items in the first set but not the second:
> 'CVE-2023-33460'
> Items in the second set but not the first:
> 'E'
> '2'
> 'V'
> 'C'
> '-'
> '0'
> '4'
> '3'
> '6'
>
> 2025-01-11 15:17:33,397 - oe-selftest - INFO - ----------------------------------------------------------------------
> 2025-01-11 15:17:33,397 - oe-selftest - INFO - Ran 1 test in 0.247s
> 2025-01-11 15:17:33,398 - oe-selftest - INFO - FAILED
> 2025-01-11 15:17:33,398 - oe-selftest - INFO -  (failures=1)
> 2025-01-11 15:17:46,988 - oe-selftest - INFO - RESULTS:
> 2025-01-11 15:17:46,988 - oe-selftest - INFO - RESULTS - cve_check.CVECheck.test_parse_cve_from_patch_contents: FAILED (0.02s)
> 2025-01-11 15:17:46,996 - oe-selftest - INFO - SUMMARY:
> 2025-01-11 15:17:46,996 - oe-selftest - INFO - oe-selftest () - Ran 1 test in 0.249s
> 2025-01-11 15:17:46,996 - oe-selftest - INFO - oe-selftest - FAIL - Required tests failed (successes=0, skipped=0, failures=1, errors=0)
>
> For some reason the CVE string itself is getting put into a set, instead
> of the full string being placed into a set. I'll track down where this is
> happening and push up a fix, including adding this update to the test.
>
> Not sure why I didn't add a test case with a single CVE ID in the patch
> contents... This was my mistake and I apologize. Sorry for any
> inconvenience I caused.
>
> Best,
> Colin
>
> On Fri, Jan 10, 2025 at 3:26 AM Marko, Peter <peter.ma...@siemens.com>
> wrote:
>
>> Looking at the reopened CVEs in meta-oe, I can't understand why some are
>> reported.
>>
>> $ grep -rI CVE-2023-33460 ./
>> ./meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch:CVE: CVE-2023-33460
>> ./meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb: file://CVE-2023-33460.patch \
>> $ grep -rI CVE-2020-29074 ./
>> ./meta-oe/recipes-graphics/x11vnc/files/CVE-2020-29074.patch:CVE: CVE-2020-29074
>> ./meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb: file://CVE-2020-29074.patch \
>>
>> These look good to me, but they are not matched anymore and show as open.
>>
>> Peter
>>
>> > -----Original Message-----
>> > From: openembedded-core@lists.openembedded.org <openembedded-
>> > c...@lists.openembedded.org> On Behalf Of Peter Marko via
>> > lists.openembedded.org
>> > Sent: Friday, January 10, 2025 10:21
>> > To: colinmca...@gmail.com; openembedded-core@lists.openembedded.org
>> > Subject: Re: [OE-core] [PATCH v2 1/1] cve-check: Rework patch parsing
>> >
>> > Or should we rather rename all those patches which violate current code?
>> > What is then the meaning of the CVE: tag within the patch if it's not used
>> > but it's enforced?
>> > We should probably remove cve_payload_tag handling from
>> > test_cve_tag_format...
>> >
>> > Peter
>> >
>> > > -----Original Message-----
>> > > From: openembedded-core@lists.openembedded.org <openembedded-
>> > > c...@lists.openembedded.org> On Behalf Of Peter Marko via
>> > > lists.openembedded.org
>> > > Sent: Friday, January 10, 2025 9:34
>> > > To: colinmca...@gmail.com; openembedded-
>> > c...@lists.openembedded.org
>> > > Subject: Re: [OE-core] [PATCH v2 1/1] cve-check: Rework patch parsing
>> > >
>> > > Hello,
>> > >
>> > > This patch has caused a regression in detecting cve patches.
>> > > Master jumped by 32 CVEs after merging this commit.
>> > > These are for sure patched but it's not detected anymore.
>> > > See https://valkyrie.yocto.io/pub/non-release/patchmetrics/
>> > > (master should be identical to scarthgap/styhead except for kernel
>> CVEs)
>> > >
>> > > Reports cannot be used anymore for picking CVEs for TODO list.
>> > > So this patch should be reverted or fixed.
>> > >
>> > > Peter
>> > >
>> > > > -----Original Message-----
>> > > > From: openembedded-core@lists.openembedded.org <openembedded-
>> > > > c...@lists.openembedded.org> On Behalf Of Colin McAllister via
>> > > > lists.openembedded.org
>> > > > Sent: Monday, December 30, 2024 20:22
>> > > > To: openembedded-core@lists.openembedded.org
>> > > > Cc: Colin McAllister <colinmca...@gmail.com>
>> > > > Subject: [OE-core] [PATCH v2 1/1] cve-check: Rework patch parsing
>> > > >
>> > > > The cve_check functionality to parse CVE IDs from the patch filename and
>> > > > patch contents has been reworked to improve parsing and also utilize
>> > > > tests. This ensures that the parsing works as intended.
>> > > >
>> > > > Additionally, the new patched_cves dict has a few issues I tried to fix
>> > > > as well. If multiple patch files exist for a single CVE ID, only the
>> > > > last one will show up with the "resource" key. The value for the
>> > > > "resource" key has been updated to hold a list and return all patch
>> > > > files associated with a given CVE ID. Also, at the end of
>> > > > get_patched_cves, CVE_STATUS can overwrite an existing entry in the dict.
>> > > > This could cause an issue, for example, if a CVE has been addressed via
>> > > > a patch, but a CVE_STATUS line also exists that ignores the given CVE
>> > > > ID. A warning has been added if this ever happens.
>> > > >
>> > > > Signed-off-by: Colin McAllister <colinmca...@gmail.com>
>> > > > ---
>> > > >
>> > > > I noticed that there are some patches, especially in older versions of
>> > > > Yocto, where the "CVE: " tag was used with multiple CVE IDs in different
>> > > > formats, like "CVE-YYYY-XXXX & CVE-YYYY-XXXX" or
>> > > > "CVE-YYYY-XXXX, CVE-YYYY-XXXX". Currently, only space-delimited CVE
>> > > > IDs will be parsed, but documentation doesn't indicate that is the only
>> > > > supported format. I figured it'd be nice to update the code to be able
>> > > > to support multiple formats, that way this patch could be backported to
>> > > > fix those patches. I also wanted to add unit tests to ensure the patch
>> > > > parsing behavior is preserved.
>> > > >
>> > > > I'd also like to update the patch filename parsing to parse multiple CVE
>> > > > IDs from the filename, but based on the comments, it seems like there
>> > > > was a reason why only the last CVE ID is extracted from the filename.
>> > > > I'd be happy to submit a V2 patch or an additional patch to update the
>> > > > function if that sounds good for the maintainers.
>> > > >
>> > > > V2 Changes:
>> > > > I mistakenly created this patch without fb3f440 applied. I updated
>> > > > get_patched_cves to return a dict instead of a set.
>> > > >
>> > > > I also improved the docstrings for these new functions to be more
>> > > > descriptive and also specify the return types.
>> > > >
>> > > > I also found a few issues with the dictionary object created by
>> > > > get_patched_cves that have now been addressed in this commit.
>> > > >
>> > > >  meta/lib/oe/cve_check.py                  | 166 ++++++++++++------
>> > > >  meta/lib/oeqa/selftest/cases/cve_check.py | 205 ++++++++++++++++++++++
>> > > >  2 files changed, 317 insertions(+), 54 deletions(-)
>> > > >
>> > > > diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
>> > > > index 280f9f613d..85a899a880 100644
>> > > > --- a/meta/lib/oe/cve_check.py
>> > > > +++ b/meta/lib/oe/cve_check.py
>> > > > @@ -5,9 +5,11 @@
>> > > >  #
>> > > >
>> > > >  import collections
>> > > > -import re
>> > > > -import itertools
>> > > >  import functools
>> > > > +import itertools
>> > > > +import os.path
>> > > > +import re
>> > > > +import oe.patch
>> > > >
>> > > >  _Version = collections.namedtuple(
>> > > >      "_Version", ["release", "patch_l", "pre_l", "pre_v"]
>> > > > @@ -71,76 +73,132 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
>> > > >      return _release, _patch, _pre
>> > > >
>> > > >
>> > > > -def get_patched_cves(d):
>> > > > +def parse_cve_from_filename(patch_filename):
>> > > >      """
>> > > > -    Get patches that solve CVEs using the "CVE: " tag.
>> > > > +    Parses CVE ID from the filename
>> > > > +
>> > > > +    Matches the last "CVE-YYYY-ID" in the file name, also if
>> written
>> > > > +    in lowercase. Possible to have multiple CVE IDs in a single
>> > > > +    file name, but only the last one will be detected from the
>> file name.
>> > > > +
>> > > > +    Returns the last CVE ID foudn in the filename. If no CVE ID is
>> found
>> > > > +    an empty string is returned.
>> > > >      """
>> > > > +    cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d{4,})",
>> > > > re.IGNORECASE)
>> > > >
>> > > > -    import re
>> > > > -    import oe.patch
>> > > > +    # Check patch file name for CVE ID
>> > > > +    fname_match = cve_file_name_match.search(patch_filename)
>> > > > +    return fname_match.group(1).upper() if fname_match else ""
>> > > >
>> > > > -    cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
>> > > >
>> > > > -    # Matches the last "CVE-YYYY-ID" in the file name, also if
>> written
>> > > > -    # in lowercase. Possible to have multiple CVE IDs in a single
>> > > > -    # file name, but only the last one will be detected from the
>> file name.
>> > > > -    # However, patch files contents addressing multiple CVE IDs are
>> > > supported
>> > > > -    # (cve_match regular expression)
>> > > > -    cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)",
>> > > re.IGNORECASE)
>> > > > +def parse_cves_from_patch_contents(patch_contents):
>> > > > +    """
>> > > > +    Parses CVE IDs from patch contents
>> > > >
>> > > > +    Matches all CVE IDs contained on a line that starts with "CVE:
>> ". Any
>> > > > +    delimiter (',', '&', "and", etc.) can be used without any
>> issues. Multiple
>> > > > +    "CVE:" lines can also exist.
>> > > > +
>> > > > +    Returns a set of all CVE IDs found in the patch contents.
>> > > > +    """
>> > > > +    cve_ids = set()
>> > > > +    cve_match = re.compile(r"CVE-\d{4}-\d{4,}")
>> > > > +    # Search for one or more "CVE: " lines
>> > > > +    for line in patch_contents.split("\n"):
>> > > > +        if not line.startswith("CVE:"):
>> > > > +            continue
>> > > > +        cve_ids.update(cve_match.findall(line))
>> > > > +    return cve_ids
>> > > > +
>> > > > +
>> > > > +def parse_cves_from_patch_file(patch_file):
>> > > > +    """
>> > > > +    Parses CVE IDs associated with a particular patch file, using
>> both the
>> > > > filename
>> > > > +    and patch contents.
>> > > > +
>> > > > +    Returns a set of all CVE IDs found in the patch filename and
>> contents.
>> > > > +    """
>> > > > +    cve_ids = set()
>> > > > +    filename_cve = parse_cve_from_filename(patch_file)
>> > > > +    if filename_cve:
>> > > > +        bb.debug(2, "Found %s from patch file name %s" %
>> (filename_cve,
>> > > > patch_file))
>> > > > +        cve_ids.add(parse_cve_from_filename(patch_file))
>> > > > +
>> > > > +    # Remote patches won't be present and compressed patches won't
>> be
>> > > > +    # unpacked, so say we're not scanning them
>> > > > +    if not os.path.isfile(patch_file):
>> > > > +        bb.note("%s is remote or compressed, not scanning content"
>> %
>> > > > patch_file)
>> > > > +        return cve_ids
>> > > > +
>> > > > +    with open(patch_file, "r", encoding="utf-8") as f:
>> > > > +        try:
>> > > > +            patch_text = f.read()
>> > > > +        except UnicodeDecodeError:
>> > > > +            bb.debug(
>> > > > +                1,
>> > > > +                "Failed to read patch %s using UTF-8 encoding"
>> > > > +                " trying with iso8859-1" % patch_file,
>> > > > +            )
>> > > > +            f.close()
>> > > > +            with open(patch_file, "r", encoding="iso8859-1") as f:
>> > > > +                patch_text = f.read()
>> > > > +
>> > > > +    cve_ids.update(parse_cves_from_patch_contents(patch_text))
>> > > > +
>> > > > +    if not cve_ids:
>> > > > +        bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>> > > > +    else:
>> > > > +        bb.debug(2, "Patch %s solves %s" % (patch_file, ",
>> > > > ".join(sorted(cve_ids))))
>> > > > +
>> > > > +    return cve_ids
>> > > > +
>> > > > +
>> > > > +def get_patched_cves(d):
>> > > > +    """
>> > > > +    Determines the CVE IDs that have been solved by either patches
>> > incuded
>> > > > within
>> > > > +    SRC_URI or by setting CVE_STATUS.
>> > > > +
>> > > > +    Returns a dictionary with the CVE IDs as keys and an associated
>> > dictonary
>> > > > of
>> > > > +    relevant metadata as the value.
>> > > > +    """
>> > > >      patched_cves = {}
>> > > >      patches = oe.patch.src_patches(d)
>> > > >      bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
>> > > > +
>> > > > +    # Check each patch file
>> > > >      for url in patches:
>> > > >          patch_file = bb.fetch.decodeurl(url)[2]
>> > > > -
>> > > > -        # Check patch file name for CVE ID
>> > > > -        fname_match = cve_file_name_match.search(patch_file)
>> > > > -        if fname_match:
>> > > > -            cve = fname_match.group(1).upper()
>> > > > -            patched_cves[cve] = {"abbrev-status": "Patched",
>> "status": "fix-file-
>> > > > included", "resource": patch_file}
>> > > > -            bb.debug(2, "Found %s from patch file name %s" % (cve,
>> > patch_file))
>> > > > -
>> > > > -        # Remote patches won't be present and compressed patches
>> won't be
>> > > > -        # unpacked, so say we're not scanning them
>> > > > -        if not os.path.isfile(patch_file):
>> > > > -            bb.note("%s is remote or compressed, not scanning
>> content" %
>> > > > patch_file)
>> > > > -            continue
>> > > > -
>> > > > -        with open(patch_file, "r", encoding="utf-8") as f:
>> > > > -            try:
>> > > > -                patch_text = f.read()
>> > > > -            except UnicodeDecodeError:
>> > > > -                bb.debug(1, "Failed to read patch %s using UTF-8
>> encoding"
>> > > > -                        " trying with iso8859-1" %  patch_file)
>> > > > -                f.close()
>> > > > -                with open(patch_file, "r", encoding="iso8859-1")
>> as f:
>> > > > -                    patch_text = f.read()
>> > > > -
>> > > > -        # Search for one or more "CVE: " lines
>> > > > -        text_match = False
>> > > > -        for match in cve_match.finditer(patch_text):
>> > > > -            # Get only the CVEs without the "CVE: " tag
>> > > > -            cves = patch_text[match.start()+5:match.end()]
>> > > > -            for cve in cves.split():
>> > > > -                bb.debug(2, "Patch %s solves %s" % (patch_file,
>> cve))
>> > > > -                patched_cves[cve] = {"abbrev-status": "Patched",
>> "status": "fix-
>> > file-
>> > > > included", "resource": patch_file}
>> > > > -                text_match = True
>> > > > -
>> > > > -        if not fname_match and not text_match:
>> > > > -            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>> > > > +        for cve_id in parse_cves_from_patch_file(patch_file):
>> > > > +            if cve_id not in patched_cves:
>> > > > +                {
>> > > > +                    "abbrev-status": "Patched",
>> > > > +                    "status": "fix-file-included",
>> > > > +                    "resource": [patch_file],
>> > > > +                }
>> > > > +            else:
>> > > > +                patched_cves[cve_id]["resource"].append(patch_file)
>> > > >
>> > > >      # Search for additional patched CVEs
>> > > > -    for cve in (d.getVarFlags("CVE_STATUS") or {}):
>> > > > -        decoded_status = decode_cve_status(d, cve)
>> > > > +    for cve_id in d.getVarFlags("CVE_STATUS") or {}:
>> > > > +        decoded_status = decode_cve_status(d, cve_id)
>> > > >          products = d.getVar("CVE_PRODUCT")
>> > > > -        if has_cve_product_match(decoded_status, products) == True:
>> > > > -            patched_cves[cve] = {
>> > > > +        if has_cve_product_match(decoded_status, products):
>> > > > +            if cve_id in patched_cves:
>> > > > +                bb.warn(
>> > > > +                    'CVE_STATUS[%s] = "%s" is overwriting previous
>> status of "%s:
>> > > %s"'
>> > > > +                    % (
>> > > > +                        cve_id,
>> > > > +                        d.getVarFlag("CVE_STATUS", cve_id),
>> > > > +                        patched_cves[cve_id]["abbrev-status"],
>> > > > +                        patched_cves[cve_id]["status"],
>> > > > +                    )
>> > > > +                )
>> > > > +            patched_cves[cve_id] = {
>> > > >                  "abbrev-status": decoded_status["mapping"],
>> > > >                  "status": decoded_status["detail"],
>> > > >                  "justification": decoded_status["description"],
>> > > >                  "affected-vendor": decoded_status["vendor"],
>> > > > -                "affected-product": decoded_status["product"]
>> > > > +                "affected-product": decoded_status["product"],
>> > > >              }
>> > > >
>> > > >      return patched_cves
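Review bot: in the new `for cve_id in parse_cves_from_patch_file(patch_file):` loop of get_patched_cves, the `if cve_id not in patched_cves:` branch builds the dict literal `{"abbrev-status": "Patched", "status": "fix-file-included", "resource": [patch_file]}` but never assigns it, so `patched_cves[cve_id] = {...}` is missing and no CVE taken from a patch filename or "CVE:" line ever reaches the returned dict (which also makes the `else` branch with `.append(patch_file)` unreachable); this alone accounts for patches such as CVE-2023-33460.patch no longer being reported as patched. Two smaller points in the same hunk: parse_cves_from_patch_file calls parse_cve_from_filename twice where `cve_ids.add(filename_cve)` would reuse the value already computed; and `line.startswith("CVE:")` in parse_cves_from_patch_contents is stricter than the `CVE:( CVE-\d{4}-\d+)+` regex it replaces, which matched the tag anywhere in the text, so a tag with leading whitespace (an indented, quoted commit message, for instance) is now silently dropped and deserves either `line.lstrip()` or a test documenting that the new behaviour is intended. The docstrings also carry typos ("foudn", "incuded", "dictonary").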
>> > > > diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py
>> > > > b/meta/lib/oeqa/selftest/cases/cve_check.py
>> > > > index 3dd3e89d3e..511e4b81b4 100644
>> > > > --- a/meta/lib/oeqa/selftest/cases/cve_check.py
>> > > > +++ b/meta/lib/oeqa/selftest/cases/cve_check.py
>> > > > @@ -120,6 +120,211 @@ class CVECheck(OESelftestTestCase):
>> > > >          self.assertEqual(has_cve_product_match(status, "test
>> glibca:glibc"),
>> > > True)
>> > > >          self.assertEqual(has_cve_product_match(status,
>> "glibca:glibc test"),
>> > > True)
>> > > >
>> > > > +    def test_parse_cve_from_patch_filename(self):
>> > > > +        from oe.cve_check import parse_cve_from_filename
>> > > > +
>> > > > +        # Patch filename without CVE ID
>> > > > +
>> self.assertEqual(parse_cve_from_filename("0001-test.patch"), "")
>> > > > +
>> > > > +        # Patch with single CVE ID
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2022-12345.patch"),
>> "CVE-2022-
>> > > > 12345"
>> > > > +        )
>> > > > +
>> > > > +        # Patch with multiple CVE IDs
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2022-41741-CVE-2022-
>> > > > 41742.patch"),
>> > > > +            "CVE-2022-41742",
>> > > > +        )
>> > > > +
>> > > > +        # Patches with CVE ID and appended text
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2023-3019-0001.patch"),
>> "CVE-
>> > > > 2023-3019"
>> > > > +        )
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2024-21886-1.patch"),
>> "CVE-
>> > 2024-
>> > > > 21886"
>> > > > +        )
>> > > > +
>> > > > +        # Patch with CVE ID and prepended text
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("grep-CVE-2012-5667.patch"),
>> "CVE-
>> > > 2012-
>> > > > 5667"
>> > > > +        )
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("0001-CVE-2012-5667.patch"),
>> "CVE-
>> > > > 2012-5667"
>> > > > +        )
>> > > > +
>> > > > +        # Patch with CVE ID and both prepended and appended text
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename(
>> > > > +                "0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565-
>> > > 0001.patch"
>> > > > +            ),
>> > > > +            "CVE-2021-3565",
>> > > > +        )
>> > > > +
>> > > > +        # Only grab the last CVE ID in the filename
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2012-5667-CVE-2012-
>> > > 5668.patch"),
>> > > > +            "CVE-2012-5668",
>> > > > +        )
>> > > > +
>> > > > +        # Test invalid CVE ID with incorrect length (must be at
>> least 4 digits)
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2024-001.patch"),
>> > > > +            "",
>> > > > +        )
>> > > > +
>> > > > +        # Test valid CVE ID with very long length
>> > > > +        self.assertEqual(
>> > > > +            parse_cve_from_filename("CVE-2024-
>> > > > 0000000000000000000000001.patch"),
>> > > > +            "CVE-2024-0000000000000000000000001",
>> > > > +        )
>> > > > +
>> > > > +    def test_parse_cve_from_patch_contents(self):
>> > > > +        import textwrap
>> > > > +        from oe.cve_check import parse_cves_from_patch_contents
>> > > > +
>> > > > +        # Standard patch file excerpt without any patches
>> > > > +        self.assertEqual(
>> > > > +            parse_cves_from_patch_contents(
>> > > > +                textwrap.dedent("""\
>> > > > +            remove "*" for root since we don't have a /etc/shadow
>> so far.
>> > > > +
>> > > > +            Upstream-Status: Inappropriate [configuration]
>> > > > +
>> > > > +            Signed-off-by: Scott Garman <scott.a.gar...@intel.com>
>> > > > +
>> > > > +            --- base-passwd/passwd.master~nobash
>> > > > +            +++ base-passwd/passwd.master
>> > > > +            @@ -1,4 +1,4 @@
>> > > > +            -root:*:0:0:root:/root:/bin/sh
>> > > > +            +root::0:0:root:/root:/bin/sh
>> > > > +            daemon:*:1:1:daemon:/usr/sbin:/bin/sh
>> > > > +            bin:*:2:2:bin:/bin:/bin/sh
>> > > > +            sys:*:3:3:sys:/dev:/bin/sh
>> > > > +            """)
>> > > > +            ),
>> > > > +            set(),
>> > > > +        )
>> > > > +
>> > > > +        # Patch file with multiple CVE IDs (space-separated)
>> > > > +        self.assertEqual(
>> > > > +            parse_cves_from_patch_contents(
>> > > > +                textwrap.dedent("""\
>> > > > +                There is an assertion in function
>> _cairo_arc_in_direction().
>> > > > +
>> > > > +                CVE: CVE-2019-6461 CVE-2019-6462
>> > > > +                Upstream-Status: Pending
>> > > > +                Signed-off-by: Ross Burton <ross.bur...@intel.com>
>> > > > +
>> > > > +                diff --git a/src/cairo-arc.c b/src/cairo-arc.c
>> > > > +                index 390397bae..1bde774a4 100644
>> > > > +                --- a/src/cairo-arc.c
>> > > > +                +++ b/src/cairo-arc.c
>> > > > +                @@ -186,7 +186,8 @@ _cairo_arc_in_direction
>> (cairo_t          *cr,
>> > > > +                    if (cairo_status (cr))
>> > > > +                        return;
>> > > > +
>> > > > +                -    assert (angle_max >= angle_min);
>> > > > +                +    if (angle_max < angle_min)
>> > > > +                +       return;
>> > > > +
>> > > > +                    if (angle_max - angle_min > 2 * M_PI *
>> MAX_FULL_CIRCLES) {
>> > > > +                    angle_max = fmod (angle_max - angle_min, 2 *
>> M_PI);
>> > > > +            """),
>> > > > +            ),
>> > > > +            {"CVE-2019-6461", "CVE-2019-6462"},
>> > > > +        )
>> > > > +
>> > > > +        # Patch file with multiple CVE IDs (comma-separated w/
>> both space
>> > and
>> > > > no space)
>> > > > +        self.assertEqual(
>> > > > +            parse_cves_from_patch_contents(
>> > > > +                textwrap.dedent("""\
>> > > > +                There is an assertion in function
>> _cairo_arc_in_direction().
>> > > > +
>> > > > +                CVE: CVE-2019-6461,CVE-2019-6462, CVE-2019-6463
>> > > > +                Upstream-Status: Pending
>> > > > +                Signed-off-by: Ross Burton <ross.bur...@intel.com>
>> > > > +
>> > > > +                diff --git a/src/cairo-arc.c b/src/cairo-arc.c
>> > > > +                index 390397bae..1bde774a4 100644
>> > > > +                --- a/src/cairo-arc.c
>> > > > +                +++ b/src/cairo-arc.c
>> > > > +                @@ -186,7 +186,8 @@ _cairo_arc_in_direction
>> (cairo_t          *cr,
>> > > > +                    if (cairo_status (cr))
>> > > > +                        return;
>> > > > +
>> > > > +                -    assert (angle_max >= angle_min);
>> > > > +                +    if (angle_max < angle_min)
>> > > > +                +       return;
>> > > > +
>> > > > +                    if (angle_max - angle_min > 2 * M_PI *
>> MAX_FULL_CIRCLES) {
>> > > > +                    angle_max = fmod (angle_max - angle_min, 2 *
>> M_PI);
>> > > > +
>> > > > +            """),
>> > > > +            ),
>> > > > +            {"CVE-2019-6461", "CVE-2019-6462", "CVE-2019-6463"},
>> > > > +        )
>> > > > +
>> > > > +        # Patch file with multiple CVE IDs (&-separated)
>> > > > +        self.assertEqual(
>> > > > +            parse_cves_from_patch_contents(
>> > > > +                textwrap.dedent("""\
>> > > > +                There is an assertion in function
>> _cairo_arc_in_direction().
>> > > > +
>> > > > +                CVE: CVE-2019-6461 & CVE-2019-6462
>> > > > +                Upstream-Status: Pending
>> > > > +                Signed-off-by: Ross Burton <ross.bur...@intel.com>
>> > > > +
>> > > > +                diff --git a/src/cairo-arc.c b/src/cairo-arc.c
>> > > > +                index 390397bae..1bde774a4 100644
>> > > > +                --- a/src/cairo-arc.c
>> > > > +                +++ b/src/cairo-arc.c
>> > > > +                @@ -186,7 +186,8 @@ _cairo_arc_in_direction
>> (cairo_t          *cr,
>> > > > +                    if (cairo_status (cr))
>> > > > +                        return;
>> > > > +
>> > > > +                -    assert (angle_max >= angle_min);
>> > > > +                +    if (angle_max < angle_min)
>> > > > +                +       return;
>> > > > +
>> > > > +                    if (angle_max - angle_min > 2 * M_PI *
>> MAX_FULL_CIRCLES) {
>> > > > +                    angle_max = fmod (angle_max - angle_min, 2 *
>> M_PI);
>> > > > +            """),
>> > > > +            ),
>> > > > +            {"CVE-2019-6461", "CVE-2019-6462"},
>> > > > +        )
>> > > > +
>> > > > +        # Patch file with multiple lines with CVE IDs
>> > > > +        self.assertEqual(
>> > > > +            parse_cves_from_patch_contents(
>> > > > +                textwrap.dedent("""\
>> > > > +                There is an assertion in function
>> _cairo_arc_in_direction().
>> > > > +
>> > > > +                CVE: CVE-2019-6461 & CVE-2019-6462
>> > > > +
>> > > > +                CVE: CVE-2019-6463 & CVE-2019-6464
>> > > > +                Upstream-Status: Pending
>> > > > +                Signed-off-by: Ross Burton <ross.bur...@intel.com>
>> > > > +
>> > > > +                diff --git a/src/cairo-arc.c b/src/cairo-arc.c
>> > > > +                index 390397bae..1bde774a4 100644
>> > > > +                --- a/src/cairo-arc.c
>> > > > +                +++ b/src/cairo-arc.c
>> > > > +                @@ -186,7 +186,8 @@ _cairo_arc_in_direction
>> (cairo_t          *cr,
>> > > > +                    if (cairo_status (cr))
>> > > > +                        return;
>> > > > +
>> > > > +                -    assert (angle_max >= angle_min);
>> > > > +                +    if (angle_max < angle_min)
>> > > > +                +       return;
>> > > > +
>> > > > +                    if (angle_max - angle_min > 2 * M_PI *
>> MAX_FULL_CIRCLES) {
>> > > > +                    angle_max = fmod (angle_max - angle_min, 2 *
>> M_PI);
>> > > > +
>> > > > +            """),
>> > > > +            ),
>> > > > +            {"CVE-2019-6461", "CVE-2019-6462", "CVE-2019-6463",
>> "CVE-
>> > > > 2019-6464"},
>> > > > +        )
>> > > >
>> > > >      def test_recipe_report_json(self):
>> > > >          config = """
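Review bot: every new test_parse_cve_from_patch_contents case puts two or more IDs on the `CVE:` line, so the most common form in the layers, a single `CVE: CVE-YYYY-NNNN` tag, is never asserted, and nothing exercises parse_cves_from_patch_file or get_patched_cves, so a regression in how the parsed set is stored into patched_cves passes this suite unnoticed. Suggest adding a single-ID case asserting against the set literal `{"CVE-2023-33460"}` (not `set("CVE-2023-33460")`, which splits the string into characters), a case with the `CVE:` line indented, and a temporary-file test through parse_cves_from_patch_file that checks `"resource"` for a CVE covered by two patch files. test_parse_cve_from_patch_filename should also include a lowercase name such as `cve-2012-5667.patch`, since the parse_cve_from_filename docstring promises case-insensitive matching but no case verifies it.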
>> > > > --
>> > > > 2.34.1
>>
>>
View/Reply Online (#209669): 
https://lists.openembedded.org/g/openembedded-core/message/209669
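A stand-alone version of the scan this thread is about, added here as an example; it is neither OE-core's code nor the patch under review. It assumes a simplified input of (filename, text) pairs and a `{cve: (status, detail)}` stand-in for decoded CVE_STATUS flags, and uses names of its own (`cve_from_filename`, `cves_from_patch_text`, `collect_patched_cves`). It handles the single-ID tag that reopened CVE-2023-33460 in Peter's grep, accumulates several patch files under one CVE, tolerates an indented tag, and warns when CVE_STATUS overrides a patch, i.e. the behaviour the commit message describes with the assignment into the dict actually performed.

```python
# Added example, not code from OE-core or from the patch under review.
# It re-implements the CVE-tag scan the thread discusses as plain Python so the
# behaviour can be checked outside a bitbake environment. All function names,
# the (filename, text) input shape and the simplified CVE_STATUS mapping are
# this example's own assumptions, not oe.cve_check's API.
import re

# A CVE ID is CVE-<4-digit year>-<4 or more digits>; filenames match case-insensitively.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_FILENAME_RE = re.compile(r".*(CVE-\d{4}-\d{4,})", re.IGNORECASE)


def cve_from_filename(patch_filename):
    """Return the last CVE ID in the filename, uppercased, or "" if none."""
    match = CVE_FILENAME_RE.search(patch_filename)
    return match.group(1).upper() if match else ""


def cves_from_patch_text(patch_text):
    """Return the set of CVE IDs on every line whose first token is "CVE:".

    Any delimiter between IDs (space, comma, '&', 'and') works because only
    the IDs themselves are matched. Leading whitespace is stripped first so
    an indented tag is still seen; a bare startswith("CVE:") would drop it.
    """
    found = set()
    for line in patch_text.splitlines():
        if line.lstrip().startswith("CVE:"):
            found.update(CVE_ID_RE.findall(line))
    return found


def collect_patched_cves(patches, cve_status=None):
    """Build {cve_id: metadata} from patches, then apply CVE_STATUS on top.

    patches:    iterable of (patch_filename, patch_text); text is None when the
                patch is remote or compressed and its contents were not read.
    cve_status: {cve_id: (abbrev_status, detail)} standing in for the decoded
                CVE_STATUS flags (assumption: the real decode carries more fields).
    Returns (patched, warnings). Each CVE found in a patch is assigned into the
    dict, and a CVE fixed by several patches lists all of them under "resource".
    """
    patched = {}
    warnings = []
    for fname, text in patches:
        ids = set()
        from_name = cve_from_filename(fname)
        if from_name:
            ids.add(from_name)
        if text is not None:
            ids.update(cves_from_patch_text(text))
        for cve_id in ids:
            if cve_id not in patched:
                patched[cve_id] = {
                    "abbrev-status": "Patched",
                    "status": "fix-file-included",
                    "resource": [fname],
                }
            else:
                patched[cve_id]["resource"].append(fname)

    # CVE_STATUS wins over a patch, but say so when it overwrites one.
    for cve_id, (abbrev, detail) in (cve_status or {}).items():
        if cve_id in patched:
            warnings.append(
                'CVE_STATUS[%s] overwrites previous status "%s: %s"'
                % (cve_id, patched[cve_id]["abbrev-status"], patched[cve_id]["status"])
            )
        patched[cve_id] = {"abbrev-status": abbrev, "status": detail}
    return patched, warnings


# Constructed sample input (headers only, not the real patches): a single-ID tag
# as in the yajl case from the thread, an indented '&'-delimited tag, and a
# filename-only patch whose contents are unavailable.
SAMPLE_PATCHES = [
    ("CVE-2023-33460.patch",
     "Constructed header\n\nCVE: CVE-2023-33460\nUpstream-Status: Backport\n"),
    ("cairo-arc-assert.patch",
     "Constructed header\n\n    CVE: CVE-2019-6461 & CVE-2019-6462\nUpstream-Status: Pending\n"),
    ("CVE-2019-6461-followup.patch", None),
]
SAMPLE_CVE_STATUS = {"CVE-2019-6462": ("Ignored", "not-applicable-config")}


def demo():
    """Run the scan over the constructed sample and return its results."""
    return collect_patched_cves(SAMPLE_PATCHES, SAMPLE_CVE_STATUS)


if __name__ == "__main__":
    result, warns = demo()
    for cve_id in sorted(result):
        print(cve_id, result[cve_id])
    for w in warns:
        print("WARNING:", w)
```

Running it lists CVE-2023-33460 as patched by its single file, CVE-2019-6461 with both patch files under "resource", and CVE-2019-6462 as Ignored together with one overwrite warning; the same scan with the assignment into the dict left out, as in the reviewed hunk, returns only the CVE_STATUS entry.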