* [Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion
@ 2025-09-11 12:12 Anton Bengtsson via buildroot
2025-09-11 19:13 ` Arnout Vandecappelle via buildroot
2025-09-12 8:34 ` [Buildroot] [PATCH v2 1/2] " Anton Bengtsson via buildroot
0 siblings, 2 replies; 7+ messages in thread
From: Anton Bengtsson via buildroot @ 2025-09-11 12:12 UTC (permalink / raw)
To: buildroot; +Cc: Anton Bengtsson
The package 'distutils' was removed in Python 3.12 (https://docs.python.org/3/library/distutils.html)
and looseversion appears to be a good drop-in replacement for distutils.version.LooseVersion,
see https://pypi.org/project/looseversion/.
Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
---
support/scripts/cve.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index ba41762fa0..63372c3273 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -19,11 +19,11 @@
import datetime
import os
-import distutils.version
import json
import subprocess
import sys
import operator
+from looseversion import LooseVersion
sys.path.append('utils/')
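Review bot: The added `from looseversion import LooseVersion` line is an unconditional import of a module outside the standard library, and nothing in this patch declares or installs it, so on a host without the package the script stops with ImportError before doing any work. Declare the dependency where the project's tooling can pick it up, or catch the ImportError and print which package is missing. The import also sits directly under `import operator` in the standard-library group; a blank line before it would keep the third-party import visibly separate.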
@@ -190,7 +190,7 @@ class CVE:
by this CVE.
"""
- pkg_version = distutils.version.LooseVersion(version)
+ pkg_version = LooseVersion(version)
if not hasattr(pkg_version, "version"):
print("Cannot parse package '%s' version '%s'" % (name, version))
pkg_version = None
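Review bot: The context line `if not hasattr(pkg_version, "version")` directly below the changed constructor call only detects an unparsable version if the replacement class leaves the `version` attribute unset in that case. The commit message calls looseversion a drop-in replacement but does not say this was checked. Please confirm it, or test the `version` string explicitly before constructing the object so the check no longer depends on an internal detail of the class.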
@@ -202,7 +202,7 @@ class CVE:
# version, as they might be different due to
# <pkg>_CPE_ID_VERSION
else:
- pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
+ pkg_version = LooseVersion(cpe_version(cpeid))
for cpe in self.each_cpe():
if not cpe_matches(cpe['id'], cpeid):
@@ -214,7 +214,7 @@ class CVE:
if cpe['v_start']:
try:
- cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
+ cve_affected_version = LooseVersion(cpe['v_start'])
inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
except TypeError:
return self.CVE_UNKNOWN
@@ -226,7 +226,7 @@ class CVE:
if cpe['v_end']:
try:
- cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
+ cve_affected_version = LooseVersion(cpe['v_end'])
inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
except TypeError:
return self.CVE_UNKNOWN
--
2.51.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion
2025-09-11 12:12 [Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion Anton Bengtsson via buildroot
@ 2025-09-11 19:13 ` Arnout Vandecappelle via buildroot
2025-09-12 8:34 ` [Buildroot] [PATCH v2 1/2] " Anton Bengtsson via buildroot
1 sibling, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2025-09-11 19:13 UTC (permalink / raw)
To: Anton Bengtsson, buildroot
Hi Anton,
On 11/09/2025 14:12, Anton Bengtsson via buildroot wrote:
> The package 'distutils' was removed in Python 3.12 (https://docs.python.org/3/library/distutils.html)
> and looseversion appears to be a good drop-in replacement for distutils.version.LooseVersion,
> see https://pypi.org/project/looseversion/.
The problem is that looseversion is not in the standard lib. We try as much as
possible to depend only on the standard lib. Obviously that is not possible any
more since distutils is _also_ no longer in the standard lib.
We have a few scripts that have some external dependencies. Mostly in the
tests. Otherwise it's (I think) only check-package that depends on flake8 and
python-magic.
So, probably OK to move to looseversion, but then we need two additional changes:
- support/docker/Dockerfile must be updated to include it;
- cve.py should get a header like check-package has so that dependencies can be
handled by uv. Cfr. commit message of commit
6ffcdb52e80b63e68c890aed52ff7f4d00e079b8.
Regards,
Arnout
>
> Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
> ---
> support/scripts/cve.py | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/support/scripts/cve.py b/support/scripts/cve.py
> index ba41762fa0..63372c3273 100755
> --- a/support/scripts/cve.py
> +++ b/support/scripts/cve.py
> @@ -19,11 +19,11 @@
>
> import datetime
> import os
> -import distutils.version
> import json
> import subprocess
> import sys
> import operator
> +from looseversion import LooseVersion
>
> sys.path.append('utils/')
>
> @@ -190,7 +190,7 @@ class CVE:
> by this CVE.
> """
>
> - pkg_version = distutils.version.LooseVersion(version)
> + pkg_version = LooseVersion(version)
> if not hasattr(pkg_version, "version"):
> print("Cannot parse package '%s' version '%s'" % (name, version))
> pkg_version = None
> @@ -202,7 +202,7 @@ class CVE:
> # version, as they might be different due to
> # <pkg>_CPE_ID_VERSION
> else:
> - pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
> + pkg_version = LooseVersion(cpe_version(cpeid))
>
> for cpe in self.each_cpe():
> if not cpe_matches(cpe['id'], cpeid):
> @@ -214,7 +214,7 @@ class CVE:
>
> if cpe['v_start']:
> try:
> - cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
> + cve_affected_version = LooseVersion(cpe['v_start'])
> inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
> except TypeError:
> return self.CVE_UNKNOWN
> @@ -226,7 +226,7 @@ class CVE:
>
> if cpe['v_end']:
> try:
> - cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
> + cve_affected_version = LooseVersion(cpe['v_end'])
> inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
> except TypeError:
> return self.CVE_UNKNOWN
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion
2025-09-11 12:12 [Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion Anton Bengtsson via buildroot
2025-09-11 19:13 ` Arnout Vandecappelle via buildroot
@ 2025-09-12 8:34 ` Anton Bengtsson via buildroot
2025-09-12 8:34 ` [Buildroot] [PATCH v2 2/2] support/docker/Dockerfile: add python3-looseversion Anton Bengtsson via buildroot
2026-01-06 22:15 ` [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion Thomas Perale via buildroot
1 sibling, 2 replies; 7+ messages in thread
From: Anton Bengtsson via buildroot @ 2025-09-12 8:34 UTC (permalink / raw)
To: buildroot; +Cc: Anton Bengtsson
The package 'distutils' was removed in Python 3.12[1] and looseversion[2]
appears to be a good drop-in replacement for distutils.version.LooseVersion.
Also added inline script requirements suitable for uv, similar to the one
added for utils/check-package in 6ffcdb52e80b63e68c890aed52ff7f4d00e079b8.
[1] https://docs.python.org/3/library/distutils.html
[2] https://pypi.org/project/looseversion
Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
---
Changes v1 -> v2:
- Added inline scripts requirements for uv (suggested by Arnout)
- Added python3-looseversion to support/docker/Dockerfile (suggested by Arnout)
Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
---
support/scripts/cve.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index ba41762fa0..524f08f48f 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -16,14 +16,20 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# /// script
+# dependencies = [
+# "looseversion==1.3.0",
+# ]
+# ///
import datetime
import os
-import distutils.version
import json
import subprocess
import sys
import operator
+from looseversion import LooseVersion
sys.path.append('utils/')
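Review bot: The exact pin `looseversion==1.3.0` in the added `# /// script` block only takes effect when the script is launched through a tool that reads that header; a plain `python3 support/scripts/cve.py` imports whatever release happens to be installed, or fails on the new import line if none is. Say in the commit message which invocation is the supported one, and consider a `requires-python` entry in the same block so the interpreter constraint is recorded next to the dependency.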
@@ -190,7 +196,7 @@ class CVE:
by this CVE.
"""
- pkg_version = distutils.version.LooseVersion(version)
+ pkg_version = LooseVersion(version)
if not hasattr(pkg_version, "version"):
print("Cannot parse package '%s' version '%s'" % (name, version))
pkg_version = None
@@ -202,7 +208,7 @@ class CVE:
# version, as they might be different due to
# <pkg>_CPE_ID_VERSION
else:
- pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
+ pkg_version = LooseVersion(cpe_version(cpeid))
for cpe in self.each_cpe():
if not cpe_matches(cpe['id'], cpeid):
@@ -214,7 +220,7 @@ class CVE:
if cpe['v_start']:
try:
- cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
+ cve_affected_version = LooseVersion(cpe['v_start'])
inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
except TypeError:
return self.CVE_UNKNOWN
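Review bot: The `except TypeError` around the changed `LooseVersion(cpe['v_start'])` line is what maps an incomparable version pair to `CVE_UNKNOWN`, so the swap preserves behavior only if the new class raises TypeError in the same cases as the old one. If it returned a result instead, the CVE would be reported as affecting or not affecting the package rather than unknown. A short test with a few mixed version strings, mentioned in the commit message, would settle this for this hunk and the `v_end` one.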
@@ -226,7 +232,7 @@ class CVE:
if cpe['v_end']:
try:
- cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
+ cve_affected_version = LooseVersion(cpe['v_end'])
inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
except TypeError:
return self.CVE_UNKNOWN
--
2.51.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH v2 2/2] support/docker/Dockerfile: add python3-looseversion
2025-09-12 8:34 ` [Buildroot] [PATCH v2 1/2] " Anton Bengtsson via buildroot
@ 2025-09-12 8:34 ` Anton Bengtsson via buildroot
2026-01-06 22:15 ` [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion Thomas Perale via buildroot
1 sibling, 0 replies; 7+ messages in thread
From: Anton Bengtsson via buildroot @ 2025-09-12 8:34 UTC (permalink / raw)
To: buildroot; +Cc: Anton Bengtsson
Required by support/scripts/cve.py after the migration from 'distutils'
to 'looseversion', since the former was removed in Python 3.12.
Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
---
support/docker/Dockerfile | 1 +
1 file changed, 1 insertion(+)
diff --git a/support/docker/Dockerfile b/support/docker/Dockerfile
index e7677ac6a9..82e1942505 100644
--- a/support/docker/Dockerfile
+++ b/support/docker/Dockerfile
@@ -59,6 +59,7 @@ RUN apt-get -o APT::Retries=3 install -y --no-install-recommends \
openssh-server \
python3 \
python3-flake8 \
+ python3-looseversion \
python3-magic \
python3-nose2 \
python3-pexpect \
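Review bot: `python3-looseversion` is added to the apt list without a version, so the image gets whatever release the base distribution ships, while patch 1/2 of this series pins `looseversion==1.3.0` in the script header. Please confirm the package exists in the distribution release this Dockerfile builds from and state the version it provides in the commit message, so any difference from the pin is visible to reviewers.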
--
2.51.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion
2025-09-12 8:34 ` [Buildroot] [PATCH v2 1/2] " Anton Bengtsson via buildroot
2025-09-12 8:34 ` [Buildroot] [PATCH v2 2/2] support/docker/Dockerfile: add python3-looseversion Anton Bengtsson via buildroot
@ 2026-01-06 22:15 ` Thomas Perale via buildroot
2026-02-04 14:57 ` Thomas Petazzoni via buildroot
2026-02-04 15:29 ` Vincent Fazio
1 sibling, 2 replies; 7+ messages in thread
From: Thomas Perale via buildroot @ 2026-01-06 22:15 UTC (permalink / raw)
To: Anton Bengtsson; +Cc: Thomas Perale, buildroot
Hi Anton,
In reply to:
> The package 'distutils' was removed in Python 3.12[1] and looseversion[2]
> appears to be a good drop-in replacement for distutils.version.LooseVersion.
>
> Also added inline script requirements suitable for uv, similar to the one
> added for utils/check-package in 6ffcdb52e80b63e68c890aed52ff7f4d00e079b8.
>
> [1] https://docs.python.org/3/library/distutils.html
> [2] https://pypi.org/project/looseversion
>
> Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
>
On my system I'm running Python 3.13, which deprecated `distutils`. I didn't run
into any error running `cve.py` until now. The reason for this looks to be
that the `distutils` library is provided by setuptools on my system.
```
>>> import distutils
>>> print(distutils.__file__)
/usr/lib/python3.13/site-packages/setuptools/_distutils/__init__.py
```
Is there any reason to not use setuptools, because I think there is a higher
chance that a user has setuptools installed rather than `looseversion` (I
didn't have it installed, for instance)?
Other than that I tested your changes by comparing the output of two SBOMs
(before and after applying your changes) that were passed to `cve-check`
analysis.
Both had the same vulnerability set so to me this indeed shows that
looseversion is a proper replacement.
Reviewed-By: Thomas Perale <thomas.perale@mind.be>
Best Regards,
PERALE Thomas
> ---
> Changes v1 -> v2:
> - Added inline scripts requirements for uv (suggested by Arnout)
> - Added python3-looseversion to support/docker/Dockerfile (suggested by Arnout)
>
> Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
> ---
> support/scripts/cve.py | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/support/scripts/cve.py b/support/scripts/cve.py
> index ba41762fa0..524f08f48f 100755
> --- a/support/scripts/cve.py
> +++ b/support/scripts/cve.py
> @@ -16,14 +16,20 @@
> # You should have received a copy of the GNU General Public License
> # along with this program; if not, write to the Free Software
> # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +#
> +# /// script
> +# dependencies = [
> +# "looseversion==1.3.0",
> +# ]
> +# ///
>
> import datetime
> import os
> -import distutils.version
> import json
> import subprocess
> import sys
> import operator
> +from looseversion import LooseVersion
>
> sys.path.append('utils/')
>
> @@ -190,7 +196,7 @@ class CVE:
> by this CVE.
> """
>
> - pkg_version = distutils.version.LooseVersion(version)
> + pkg_version = LooseVersion(version)
> if not hasattr(pkg_version, "version"):
> print("Cannot parse package '%s' version '%s'" % (name, version))
> pkg_version = None
> @@ -202,7 +208,7 @@ class CVE:
> # version, as they might be different due to
> # <pkg>_CPE_ID_VERSION
> else:
> - pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
> + pkg_version = LooseVersion(cpe_version(cpeid))
>
> for cpe in self.each_cpe():
> if not cpe_matches(cpe['id'], cpeid):
> @@ -214,7 +220,7 @@ class CVE:
>
> if cpe['v_start']:
> try:
> - cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
> + cve_affected_version = LooseVersion(cpe['v_start'])
> inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
> except TypeError:
> return self.CVE_UNKNOWN
> @@ -226,7 +232,7 @@ class CVE:
>
> if cpe['v_end']:
> try:
> - cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
> + cve_affected_version = LooseVersion(cpe['v_end'])
> inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
> except TypeError:
> return self.CVE_UNKNOWN
> --
> 2.51.0
>
^ permalink raw reply [flat|nested] 7+ messages in thread
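The before/after comparison described in this message, reduced to a unit-level check on the version comparator itself (an added example, not part of the thread or of cve.py). `Loose`, `Strict`, `verdict`, `verdict_drift`, the verdict labels and the operator table are names assumed for the illustration; `Loose` is a stand-in that splits versions into digit runs and letter runs, and `Strict` is a hypothetical narrower comparator.

```python
"""Added example: does swapping the version comparator change any CVE verdict?"""
import functools
import operator
import re

# Verdict labels and operator table are assumptions made for this example.
AFFECTED, NOT_AFFECTED, UNKNOWN = "affected", "not-affected", "unknown"
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}


@functools.total_ordering
class _Base:
    """Compare parsed component lists; mixed int/str components raise TypeError."""

    def __eq__(self, other):
        return self.version == other.version

    def __lt__(self, other):
        return self.version < other.version


def _component(text):
    try:
        return int(text)
    except ValueError:
        return text


class Loose(_Base):
    """Stand-in for a loose comparator: digit runs become ints, letter runs
    stay strings, dots only separate."""

    _split = re.compile(r"(\d+|[a-z]+|\.)")

    def __init__(self, vstring):
        parts = [p for p in self._split.split(vstring) if p and p != "."]
        self.version = [_component(p) for p in parts]


class Strict(_Base):
    """Hypothetical narrower comparator: accepts dotted integers only."""

    def __init__(self, vstring):
        if not re.fullmatch(r"\d+(\.\d+)*", vstring):
            raise ValueError("not a dotted-integer version: %r" % vstring)
        self.version = [int(p) for p in vstring.split(".")]


def verdict(version_cls, pkg, rng):
    """Simplified range check: any parse or comparison failure is UNKNOWN,
    never a silent NOT_AFFECTED."""
    try:
        pkg_version = version_cls(pkg)
        for bound in ("start", "end"):
            limit = rng.get("v_" + bound)
            if limit and not OPS[rng["op_" + bound]](pkg_version, version_cls(limit)):
                return NOT_AFFECTED
    except (TypeError, ValueError):
        return UNKNOWN
    return AFFECTED


def verdict_drift(old_cls, new_cls, corpus):
    """List every case whose verdict differs between two comparators."""
    results = ((pkg, verdict(old_cls, pkg, rng), verdict(new_cls, pkg, rng))
               for pkg, rng in corpus)
    return [r for r in results if r[1] != r[2]]


# Constructed sample ranges, not taken from any CVE feed.
CORPUS = [
    ("1.2.3", {"v_start": "1.0", "op_start": ">=", "v_end": "1.2.4", "op_end": "<"}),
    ("1.0.2k", {"v_end": "1.0.2n", "op_end": "<"}),
    ("1.0.2k", {"v_end": "1.0.2.1", "op_end": "<"}),
    ("2.0", {"v_end": "1.9", "op_end": "<="}),
]

if __name__ == "__main__":
    for pkg, old, new in verdict_drift(Loose, Strict, CORPUS):
        print("%s: %s -> %s" % (pkg, old, new))
```

An empty drift list between the old and new comparator over a corpus of real version strings is the unit-level equivalent of the identical vulnerability sets reported above.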
* Re: [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion
2026-01-06 22:15 ` [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion Thomas Perale via buildroot
@ 2026-02-04 14:57 ` Thomas Petazzoni via buildroot
2026-02-04 15:29 ` Vincent Fazio
1 sibling, 0 replies; 7+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-02-04 14:57 UTC (permalink / raw)
To: Thomas Perale; +Cc: Anton Bengtsson, buildroot
Hello Thomas, Hello Anton,
On Tue, Jan 06, 2026 at 11:15:06PM +0100, Thomas Perale via buildroot wrote:
> On my system I'm running Python 3.13, which deprecated `distutils`. I didn't run
> into any error running `cve.py` until now. The reason for this looks to be
> that the `distutils` library is provided by setuptools on my system.
On my system with Python 3.14, pkg-stats also works fine.
> Is there any reason to not use setuptools, because I think there is a higher
> chance that a user has setuptools installed rather than `looseversion` (I
> didn't have it installed, for instance)?
I agree, but then, why did you provide your:
> Reviewed-By: Thomas Perale <thomas.perale@mind.be>
?
Since your question is important, and as far as I can see, has not
received feedback from Anton.
For the time being, I've marked the series as Changes
Requested. Anton, let us know if you have some feedback.
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion
2026-01-06 22:15 ` [Buildroot] [PATCH v2 1/2] support/scripts/cve: replace distutils with looseversion Thomas Perale via buildroot
2026-02-04 14:57 ` Thomas Petazzoni via buildroot
@ 2026-02-04 15:29 ` Vincent Fazio
1 sibling, 0 replies; 7+ messages in thread
From: Vincent Fazio @ 2026-02-04 15:29 UTC (permalink / raw)
To: Thomas Perale, Anton Bengtsson; +Cc: buildroot@buildroot.org
> -----Original Message-----
> From: buildroot <buildroot-bounces@buildroot.org> On Behalf Of Thomas
> Perale via buildroot
> Sent: Tuesday, January 6, 2026 4:15 PM
> To: Anton Bengtsson <anton.bengtsson@plejd.com>
> Cc: Thomas Perale <thomas.perale@mind.be>; buildroot@buildroot.org
> Subject: [External] - Re: [Buildroot] [PATCH v2 1/2] support/scripts/cve:
> replace distutils with looseversion
>
> Hi Anton,
>
> In reply to:
> > The package 'distutils' was removed in Python 3.12[1] and looseversion[2]
> > appears to be a good drop-in replacement for distutils.version.LooseVersion.
> >
> > Also added inline script requirements suitable for uv, similar to the one
> > added for utils/check-package in 6ffcdb52e80b63e68c890aed52ff7f4d00e079b8.
> >
> > [1] https://docs.python.org/3/library/distutils.html
> > [2] https://pypi.org/project/looseversion
> >
> > Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
> >
>
> On my system I'm running Python 3.13, which deprecated `distutils`. I didn't run
> into any error running `cve.py` until now. The reason for this looks to be
> that the `distutils` library is provided by setuptools on my system.
>
> ```
> >>> import distutils
> >>> print(distutils.__file__)
> /usr/lib/python3.13/site-packages/setuptools/_distutils/__init__.py
> ```
>
> Is there any reason to not use setuptools, because I think there is a higher
> chance that a user has setuptools installed rather than `looseversion` (I
> didn't have it installed, for instance)?
I don't think it's safe to assume `setuptools` is available since it is not
present in virtual environments made by `python3 -m venv` though maybe we're
expecting this script to be run within some container that does provide
setuptools?
Even if we used setuptools, it's supposed to emit a deprecation warning when
constructing a LooseVersion object.
python3 -c "import distutils.version; distutils.version.LooseVersion('1.2.3.4')"
<string>:1: DeprecationWarning: distutils Version classes are deprecated. Use packaging.version instead.
If we don't move to a non-deprecated package, like looseversion, then we could
use the `suppress_known_deprecation` context manager to suppress the messages.
I'm a little surprised if these have not been seen already.
The chances that setuptools removes LooseVersion are probably very slim as it's
basically intercepting all old distutils functions for old packages, but either
way, the script technically has a dependency on a library that's not in the
stdlib so requires either a system level package to be installed or a venv with
dependencies.
AFAICT, `packaging.version` is not a suitable replacement for the CVE script
because `packaging` is reserved for Python packaging semantics.
>
> Other than that I tested your changes by comparing the output of two SBOMs
> (before and after applying your changes) that were passed to `cve-check`
> analysis.
>
> Both had the same vulnerability set so to me this indeed shows that
> looseversion is a proper replacement.
>
> Reviewed-By: Thomas Perale <thomas.perale@mind.be>
>
> Best Regards,
> PERALE Thomas
>
> > ---
> > Changes v1 -> v2:
> > - Added inline scripts requirements for uv (suggested by Arnout)
> > - Added python3-looseversion to support/docker/Dockerfile (suggested by
> Arnout)
> >
> > Signed-off-by: Anton Bengtsson <anton.bengtsson@plejd.com>
> > ---
> > support/scripts/cve.py | 16 +++++++++++-----
> > 1 file changed, 11 insertions(+), 5 deletions(-)
> >
> > diff --git a/support/scripts/cve.py b/support/scripts/cve.py
> > index ba41762fa0..524f08f48f 100755
> > --- a/support/scripts/cve.py
> > +++ b/support/scripts/cve.py
> > @@ -16,14 +16,20 @@
> > # You should have received a copy of the GNU General Public License
> > # along with this program; if not, write to the Free Software
> > # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
> USA
> > +#
> > +# /// script
> > +# dependencies = [
> > +# "looseversion==1.3.0",
> > +# ]
> > +# ///
> >
> > import datetime
> > import os
> > -import distutils.version
> > import json
> > import subprocess
> > import sys
> > import operator
> > +from looseversion import LooseVersion
> >
> > sys.path.append('utils/')
> >
> > @@ -190,7 +196,7 @@ class CVE:
> > by this CVE.
> > """
> >
> > - pkg_version = distutils.version.LooseVersion(version)
> > + pkg_version = LooseVersion(version)
> > if not hasattr(pkg_version, "version"):
> > print("Cannot parse package '%s' version '%s'" % (name, version))
> > pkg_version = None
> > @@ -202,7 +208,7 @@ class CVE:
> > # version, as they might be different due to
> > # <pkg>_CPE_ID_VERSION
> > else:
> > - pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
> > + pkg_version = LooseVersion(cpe_version(cpeid))
> >
> > for cpe in self.each_cpe():
> > if not cpe_matches(cpe['id'], cpeid):
> > @@ -214,7 +220,7 @@ class CVE:
> >
> > if cpe['v_start']:
> > try:
> > - cve_affected_version =
> distutils.version.LooseVersion(cpe['v_start'])
> > + cve_affected_version = LooseVersion(cpe['v_start'])
> > inrange = ops.get(cpe['op_start'])(pkg_version,
> cve_affected_version)
> > except TypeError:
> > return self.CVE_UNKNOWN
> > @@ -226,7 +232,7 @@ class CVE:
> >
> > if cpe['v_end']:
> > try:
> > - cve_affected_version =
> distutils.version.LooseVersion(cpe['v_end'])
> > + cve_affected_version = LooseVersion(cpe['v_end'])
> > inrange = ops.get(cpe['op_end'])(pkg_version,
> cve_affected_version)
> > except TypeError:
> > return self.CVE_UNKNOWN
> > --
> > 2.51.0
> >
^ permalink raw reply [flat|nested] 7+ messages in thread