update: print warnings for all KnownVulns found
authorHans-Christoph Steiner <hans@eds.org>
Mon, 11 Dec 2017 16:56:04 +0000 (17:56 +0100)
committerHans-Christoph Steiner <hans@eds.org>
Thu, 14 Dec 2017 15:57:22 +0000 (16:57 +0100)
Some baby steps towards making the KnownVuln stuff more visible.

fdroidserver/update.py

index 02382d2b941933de287f9dd4ae86a28f22e27b6b..e548df43d845540d5d61de3fff9814cb361fd8a8 100644 (file)
@@ -500,6 +500,8 @@ def has_known_vulnerability(filename):
     http://www.saurik.com/id/17
     """
 
+    found_vuln = False
+
     # statically load this pattern
     if not hasattr(has_known_vulnerability, "pattern"):
         has_known_vulnerability.pattern = re.compile(b'.*OpenSSL ([01][0-9a-z.-]+)')
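Review bot: The docstring that closes just above the new `found_vuln = False` line is not updated to reflect the changed contract: the function no longer stops at the first finding but logs a warning for every one and returns the aggregate. Add a sentence before the closing quotes, e.g. `Logs a warning for each finding and returns True if any known vulnerability was detected, False otherwise.`. The surrounding function, has_known_vulnerability, starts before this hunk and its body continues in the next one.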
@@ -524,14 +526,15 @@ def has_known_vulnerability(filename):
                         else:
                             logging.warning(_('"{path}" contains outdated {name} ({version})')
                                             .format(path=filename, name=name, version=version))
-                            return True
+                            found_vuln = True
                         break
             elif name == 'AndroidManifest.xml' or name == 'classes.dex' or name.endswith('.so'):
                 if name in files_in_apk:
-                    return True
+                    logging.warning(_('{apkfilename} has multiple {name} files, looks like Master Key exploit!')
+                                    .format(apkfilename=filename, name=name))
+                    found_vuln = True
                 files_in_apk.add(name)
-
-    return False
+    return found_vuln
 
 
 def insert_obbs(repodir, apps, apks):
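Review bot: The duplicate-entry warning added in the `elif` branch only sees entries that reach that branch, so if the preceding `if` condition (outside this hunk) claims some of the same names — for instance a `.so` that also matches the OpenSSL pattern — a second copy of that entry is presumably never compared against `files_in_apk` and the duplicate goes unreported; please confirm against the condition above the hunk. Moving the `if name in files_in_apk:` check and the `files_in_apk.add(name)` bookkeeping ahead of the `if`/`elif` chain, so every entry name is counted before any other classification, would make the aggregate result independent of which branch handles the entry. The two warning strings also use different placeholder names for the same value (`{path}` at line 23, `{apkfilename}` in the new message); using one name keeps the translatable strings consistent. The enclosing function starts before this hunk.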