From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Matsunaga-Shinji <shin.matsunaga@fujitsu.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] About the judgment result of the CVE check tool
Date: Fri, 2 Dec 2022 12:06:32 +0200
Message-ID: <Y4nOKM0flT4HTGsR@nuoska>
In-Reply-To: <TY2PR01MB328952DEF46146B2AF44F25292179@TY2PR01MB3289.jpnprd01.prod.outlook.com>
Hi,
On Fri, Dec 02, 2022 at 09:55:37AM +0000, Matsunaga-Shinji wrote:
> Hi, I'm Shinji.
>
> I have a question about the judgment result of the CVE check tool.
>
> If the version of the package ("PV") cannot be compared to the version retrieved from NVD ("version_start" or "version_end"),
> there is a vulnerability for which the judgment result is "Patched" (e.g. CVE-2020-15117).
>
> If you can't compare versions, I think it should be judged as "Unpatched".
> Why does the CVE check tool judge "Patched"?
"git" is just as valid for a version number as "1.1.12". Both can
contain both numbers and letters. There are some rules for how to compare
them to get "greater than", "equal" and "less than" results, so I assume
that "git" is considered greater than "1.1.12".
For example, Debian dpkg says that "git" is greater than "1.0.2a":
$ dpkg --compare-versions "git" gt "1.0.2a"
dpkg: warning: version 'git' has bad syntax: version number does not start with digit
$ echo $?
0
So the tool does work correctly, though the version "git" is wrong and
the recipe maintainer should fix this to be based on the upstream release
version numbers, and if that is not possible, set an upstream- and CVE-database-
compatible version number via the CVE_VERSION variable.
Setting PV to "git" is not wrong, but just bad, really bad practice
which breaks, among other things, the Yocto cve-check.bbclass.
Cheers,
-Mikko
> Examples of judgment results:
>
> LAYER: meta-qti-base-prop
> PACKAGE NAME: synergy
> PACKAGE VERSION: git
> CVE: CVE-2020-15117
> CVE STATUS: Patched
>
> Examples of logs:
>
> "WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
>
> log output location:
>
> https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
>
>
> Fujitsu Ltd., ISS Business Headquarters
> Linux Software Division, Appliance Technology Department
> Shinji Matsunaga
> e-mail: shin.matsunaga@fujitsu.com
>
>