[oe-commits] [openembedded-core] 21/46: cve-check.bbclass: detect CVE IDs listed on multiple lines

git at git.openembedded.org git at git.openembedded.org
Tue May 15 09:57:50 UTC 2018


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

commit 8fb70ce2df66fc8404395ecbe66a75d0038f22dd
Author: Jon Szymaniak <jon.szymaniak.foss at gmail.com>
AuthorDate: Wed May 9 16:45:10 2018 -0500

    cve-check.bbclass: detect CVE IDs listed on multiple lines
    
    Some backported patches fix multiple CVEs and list the corresponding
    identifiers on multiple lines, rather than on a single line.
    
    cve-check.bbclass yields false positive warnings when CVE IDs are
    presented on multiple lines because re.search() returns only
    the first match.
    
    An example of this behavior may be found when running do_cve_check() on
    the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
    is reported to be patched by commit de57fd8, despite the patch including
    fixes for a total of 9 CVEs.
    
    This is resolved by iterating over all regular expression matches,
    rather than just the first.
    
    Signed-off-by: Jon Szymaniak <jon.szymaniak.foss at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
---
 meta/classes/cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 537659d..4d99838 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
                 with open(patch_file, "r", encoding="iso8859-1") as f:
                     patch_text = f.read()
 
-        # Search for the "CVE: " line
-        match = cve_match.search(patch_text)
-        if match:
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
             # Get only the CVEs without the "CVE: " tag
             cves = patch_text[match.start()+5:match.end()]
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
-        elif not fname_match:
+                text_match = True
+
+        if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
     return patched_cves
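Review bot: `text_match = True` is set inside the inner `for cve in cves.split():` loop rather than directly under `for match in cve_match.finditer(patch_text):`; it only needs to be set once per regex match, so moving it up one indentation level (right after the `cves = ...` slice) makes the intent clearer and avoids re-assigning it for every CVE ID on the line. The retained slice `patch_text[match.start()+5:match.end()]` also keeps the hard-coded assumption that the matched prefix is exactly the five characters `"CVE: "`; if `cve_match` ever changes, a capture group would be safer than the fixed offset, and that assumption deserves a comment alongside the "Search for one or more" one.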

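To make the difference described in the commit message concrete, here is an added stand-alone example (not code from the openembedded-core class) that runs the old `re.search()`-based extraction and the new `finditer()`-based one over a constructed patch body. The regular expression `CVE_LINE` is an assumption that approximates the class's `cve_match`, which the mail does not show; the sample patch text and the `CVE-2099-*` identifiers are constructed for illustration.

```python
import re

# Assumed pattern approximating the class's cve_match (not taken from the page):
# a "CVE:" tag followed by one or more space-separated CVE identifiers.
CVE_LINE = re.compile(r"CVE:( CVE-\d{4}-\d+)+")

# Constructed sample: a backport that lists its CVEs on two separate lines.
SAMPLE_PATCH = """\
From: someone <someone@example.invalid>
Subject: [PATCH] fix several key-reinstallation issues

CVE: CVE-2017-13077 CVE-2099-0001
CVE: CVE-2099-0002
Upstream-Status: Backport

--- a/src/foo.c
+++ b/src/foo.c
"""


def _ids_from_match(match):
    """Strip the leading 'CVE:' tag and return the identifiers on that line."""
    return set(match.group(0)[len("CVE:"):].split())


def cves_first_match_only(patch_text):
    """Pre-fix behaviour: re.search() stops at the first 'CVE:' line,
    so identifiers on later lines are silently missed."""
    match = CVE_LINE.search(patch_text)
    if not match:
        return set()
    return _ids_from_match(match)


def cves_all_matches(patch_text):
    """Post-fix behaviour: finditer() visits every 'CVE:' line."""
    found = set()
    for match in CVE_LINE.finditer(patch_text):
        found.update(_ids_from_match(match))
    return found


def missed_by_search(patch_text):
    """CVEs that the old single-match logic would have reported as unpatched."""
    return cves_all_matches(patch_text) - cves_first_match_only(patch_text)


if __name__ == "__main__":
    print("search():   ", sorted(cves_first_match_only(SAMPLE_PATCH)))
    print("finditer(): ", sorted(cves_all_matches(SAMPLE_PATCH)))
    print("missed:     ", sorted(missed_by_search(SAMPLE_PATCH)))
```

On the constructed input the single-match version returns only the two IDs from the first `CVE:` line, while the iterating version returns all three; the difference is exactly the set of CVEs that would have produced a false-positive "unpatched" warning before this commit.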
-- 