author: Jon Szymaniak <jon.szymaniak.foss@gmail.com> 2018-05-09 16:45:10 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-05-15 10:00:29 +0100
commit: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd (patch)
tree: dddc041f4b10c00e62744f3c4d03d60baedd4403 /meta/classes/cve-check.bbclass
parent: d669fbd183e03952e1900535328f16185248fc1f (diff)
download: openembedded-core-8fb70ce2df66fc8404395ecbe66a75d0038f22dd.tar.gz
cve-check.bbclass: detect CVE IDs listed on multiple lines
Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line. cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match.

An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs.

This is resolved by iterating over all regular expression matches, rather than just the first.

Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- meta/classes/cve-check.bbclass | 10
1 files changed, 6 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 537659df12..4d998388b4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -146,15 +146,17 @@ def get_patches_cves(d):
with open(patch_file, "r", encoding="iso8859-1") as f:
patch_text = f.read()
- # Search for the "CVE: " line
- match = cve_match.search(patch_text)
- if match:
+ # Search for one or more "CVE: " lines
+ text_match = False
+ for match in cve_match.finditer(patch_text):
# Get only the CVEs without the "CVE: " tag
cves = patch_text[match.start()+5:match.end()]
for cve in cves.split():
bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
patched_cves.add(cve)
- elif not fname_match:
+ text_match = True
+
+ if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
return patched_cves
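Review bot: the slice `cves = patch_text[match.start()+5:match.end()]` still hardcodes the length of the "CVE: " tag as a magic offset, and now that it runs once per `finditer()` match it is worth making the extraction self-describing rather than relying on the regex (not visible in this hunk) always beginning with exactly those five characters; a capturing group around the identifier list and `match.group(1).split()` would remove the offset entirely. The `text_match` flag is set inside the loop body on every iteration, which is correct but slightly misleading to read; setting it once is fine, though a comment noting that `finditer()` yields nothing when no "CVE: " line exists (so the flag stays False and the "doesn't solve CVEs" debug message is still reached) would make the `if not fname_match and not text_match:` condition easier to follow. One edge worth a sanity check in testing is a patch whose "CVE: " line is present but empty: `cves.split()` yields nothing, no identifier is added to `patched_cves`, yet `text_match` becomes True and the patch is silently treated as CVE-relevant.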