code.ossystems Code Review - openembedded-core.git/commit
cve-check.bbclass: detect CVE IDs listed on multiple lines
author	Jon Szymaniak <jon.szymaniak.foss@gmail.com>
	Wed, 9 May 2018 21:45:10 +0000 (16:45 -0500)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Thu, 27 Sep 2018 11:16:47 +0000 (12:16 +0100)
commit	1c6ae927ca8acc1e5f362b1424b2c6a5da1e8be9
tree	7b168b7b254d3d6a2ecb0a0ec3e9e25585c00f02
parent	a8cb9b68e91db42a17bfb54591e3ea91565f9241
cve-check.bbclass: detect CVE IDs listed on multiple lines

Some backported patches fix multiple CVEs and list the corresponding
identifiers on multiple lines, rather than on a single line.

cve-check.bbclass yields false positive warnings when CVE IDs are
presented on multiple lines because re.search() returns only
the first match.

An example of this behavior may be found when running do_cve_check() on
the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
is reported to be patched by commit de57fd8, despite the patch including
fixes for a total of 9 CVEs.

This is resolved by iterating over all regular expression matches,
rather than just the first.

(From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd)

Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/classes/cve-check.bbclass
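To make the failure mode described in the commit message concrete, the following is an added Python example; it is not code from cve-check.bbclass or from the OpenEmbedded project. A constructed backport patch header lists its fixed CVEs on three separate "CVE:" trailer lines. One function reproduces the pre-fix behaviour, where re.search() yields only the first matching line, and the other walks every match with re.finditer(). The regular expressions, the patch text, the recipe CVE set and the CVE identifiers are all the example's own assumptions.

```python
import re

# The example's own pattern for one "CVE:" trailer line carrying one or more IDs.
# It is written to match the layout the commit message describes; it is an
# assumption, not the pattern used by cve-check.bbclass.
CVE_LINE = re.compile(r"^CVE:((?: CVE-\d{4}-\d{4,})+)\s*$", re.MULTILINE)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed patch header. The CVE identifiers are placeholders chosen for
# the example and do not refer to real advisories.
PATCH_TEXT = """\
From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Example Maintainer <maintainer@example.com>
Subject: [PATCH] example: backport fixes for several advisories

CVE: CVE-2018-0001 CVE-2018-0002 CVE-2018-0003
CVE: CVE-2018-0004 CVE-2018-0005
CVE: CVE-2018-0006

Upstream-Status: Backport
Signed-off-by: Example Maintainer <maintainer@example.com>
"""

# Constructed: the CVEs a checker would consider open for this recipe version
# before it credits any patches.
RECIPE_CVES = frozenset(
    "CVE-2018-%04d" % n for n in range(1, 7)
)


def cves_first_match_only(patch_text):
    """Pre-fix behaviour: re.search() returns the first 'CVE:' line only,
    so IDs on later lines are never credited."""
    match = CVE_LINE.search(patch_text)
    if match is None:
        return set()
    return set(CVE_ID.findall(match.group(1)))


def cves_all_matches(patch_text):
    """Post-fix behaviour: iterate over every 'CVE:' line with re.finditer()
    and collect the IDs from each of them."""
    patched = set()
    for match in CVE_LINE.finditer(patch_text):
        patched.update(CVE_ID.findall(match.group(1)))
    return patched


def still_reported(recipe_cves, patch_text, extractor):
    """IDs the checker would still flag as unpatched after crediting the patch
    with `extractor`. With the first-match extractor these are the false
    positives the commit message describes."""
    return set(recipe_cves) - extractor(patch_text)


if __name__ == "__main__":
    for name, extractor in (("re.search", cves_first_match_only),
                            ("re.finditer", cves_all_matches)):
        credited = extractor(PATCH_TEXT)
        leftover = still_reported(RECIPE_CVES, PATCH_TEXT, extractor)
        print("%-11s credits %d CVE(s); still reported: %s"
              % (name, len(credited), sorted(leftover) or "none"))
```

Running the block shows the first extractor crediting only the three IDs on the first "CVE:" line and leaving the other three flagged, while the finditer-based extractor credits all six. The same iteration is what makes a patch name or a single long "CVE:" line behave identically, since every match is visited rather than only the first.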