From: Gregory CLEMENT <gregory.clement@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v3 8/8] package/pkg-utils/cve.py: Manage case when package version doesn't exist
Date: Fri, 24 Jul 2020 17:43:56 +0200 [thread overview]
Message-ID: <20200724154356.2607639-9-gregory.clement@bootlin.com> (raw)
In-Reply-To: <20200724154356.2607639-1-gregory.clement@bootlin.com>
Until now, when a package didn't report a version, then the CVE
comparison was just skipped. It leads most of the time to declare the
package not affected by the CVE.
Instead of it, report the CVE_UNKNOWN status in order to be aware that
the CVE related to this package has to be checked.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
---
support/scripts/cve.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 4e83ac8961..83daf6b089 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -193,6 +193,7 @@ class CVE:
if (self.identifier in cve_ignore_list):
return self.CVE_DOESNT_AFFECT
+ unknown_pkg_version = False
for cpe in self.each_cpe():
affected = True
if cpe['product'] != name:
@@ -205,6 +206,7 @@ class CVE:
pkg_version = distutils.version.LooseVersion(version)
if not hasattr(pkg_version, "version"):
print("Cannot parse package '%s' version '%s'" % (name, version))
+ unknown_pkg_version = True
continue
if cpe['v_start']:
@@ -224,4 +226,8 @@ class CVE:
return self.CVE_UNKNOWN
if (affected):
return self.CVE_AFFECTS
- return self.CVE_DOESNT_AFFECT
+
+ if unknown_pkg_version:
+ return self.CVE_UNKNOWN
+ else:
+ return self.CVE_DOESNT_AFFECT
--
2.27.0
next prev parent reply other threads:[~2020-07-24 15:43 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 15:43 [Buildroot] [PATCH v3 0/8] Improving CVE reporting Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 1/8] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-08-28 7:18 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 2/8] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-08-28 7:34 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 3/8] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-08-28 8:51 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 4/8] support/script: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-08-28 9:03 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 5/8] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-29 18:03 ` Matthew Weber
2020-08-28 9:45 ` Thomas Petazzoni
2020-07-24 15:43 ` [Buildroot] [PATCH v3 6/8] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-24 15:43 ` [Buildroot] [PATCH v3 7/8] support/script/cve-checker: " Gregory CLEMENT
2020-07-24 15:43 ` Gregory CLEMENT [this message]
2020-07-28 7:52 ` [Buildroot] [PATCH v3 0/8] Improving CVE reporting Thomas Petazzoni
2020-07-28 22:07 ` Titouan Christophe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200724154356.2607639-9-gregory.clement@bootlin.com \
--to=gregory.clement@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox