[oe-commits] [openembedded-core] 24/29: cve-check.bbclass: detect CVE IDs listed on multiple lines

git at git.openembedded.org git at git.openembedded.org
Thu Sep 27 11:18:29 UTC 2018


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch sumo
in repository openembedded-core.

commit 1c6ae927ca8acc1e5f362b1424b2c6a5da1e8be9
Author: Jon Szymaniak <jon.szymaniak.foss at gmail.com>
AuthorDate: Wed May 9 16:45:10 2018 -0500

    cve-check.bbclass: detect CVE IDs listed on multiple lines
    
    Some backported patches fix multiple CVEs and list the corresponding
    identifiers on multiple lines, rather than on a single line.
    
    cve-check.bbclass yields false positive warnings when CVE IDs are
    presented on multiple lines because re.search() returns only
    the first match.
    
    An example of this behavior may be found when running do_cve_check() on
    the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
    is reported to be patched by commit de57fd8, despite the patch including
    fixes for a total of 9 CVEs.
    
    This is resolved by iterating over all regular expression matches,
    rather than just the first.
    
    (From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd)
    
    Signed-off-by: Jon Szymaniak <jon.szymaniak.foss at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/classes/cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 537659d..4d99838 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
                 with open(patch_file, "r", encoding="iso8859-1") as f:
                     patch_text = f.read()
 
-        # Search for the "CVE: " line
-        match = cve_match.search(patch_text)
-        if match:
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
             # Get only the CVEs without the "CVE: " tag
             cves = patch_text[match.start()+5:match.end()]
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
-        elif not fname_match:
+                text_match = True
+
+        if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
     return patched_cves
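Review bot: the hard-coded slice `patch_text[match.start()+5:match.end()]` ties the extraction to the exact length of the "CVE: " tag; if the regex is ever loosened (extra whitespace, lowercase tag), the first identifier is silently truncated. Capturing the ID list in a group of `cve_match` and reading `match.group(1)` would be safer. Also, `text_match = True` is set inside the inner `for cve in cves.split()` loop, once per identifier; hoisting it to the outer `finditer` loop body (e.g. right after `cves = ...`) makes the intent clearer and still handles a "CVE:" line that carries no IDs, which then correctly falls through to the "doesn't solve CVEs" debug message.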
