Buildroot Archive on lore.kernel.org
From: Gregory CLEMENT <gregory.clement@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching
Date: Thu, 05 Nov 2020 15:55:56 +0100	[thread overview]
Message-ID: <87d00r97k3.fsf@BL-laptop> (raw)
In-Reply-To: <20201104145145.1316167-10-thomas.petazzoni@bootlin.com>

Hello Thomas,

> -    def affects(self, name, version, cve_ignore_list):
> +    def affects(self, name, version, cve_ignore_list, cpeid=None):
>          """
>          True if the Buildroot Package object passed as argument is affected
>          by this CVE.
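Review bot: the docstring under the new signature `def affects(self, name, version, cve_ignore_list, cpeid=None):` still describes only the name/version case; the added `cpeid` parameter should be documented here, including that passing `None` makes the method derive an ID from `name` and `version` itself.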
> @@ -199,8 +220,12 @@ class CVE:
>              print("Cannot parse package '%s' version '%s'" % (name, version))
>              pkg_version = None
>  
> +        # if we don't have a cpeid, build one based on name and version
> +        if not cpeid:
> +            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
> +
>          for cpe in self.each_cpe():
> -            if cpe['product'] != name:
> +            if not cpe_matches(cpe['id'], cpeid):
>                  continue

Here you compare the full cpeid, including the version, to the cpeid
associated with the CVE. But if the CVE is about a range of versions (using
versionStartIncluding for instance), then this test may fail whereas
actually the package would be affected because the version is inside the
range of affected versions.

Or maybe I missed something; in this case, could you point me to where I am
wrong?

Gregory

>              if not cpe['v_start'] and not cpe['v_end']:
>                  return self.CVE_AFFECTS
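Review bot: the fallback `cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)` interpolates the raw package name and version into a CPE 2.3 formatted string, where `:` is the field separator and `*`, `?` and `\` carry special meaning; a value containing any of those characters yields a malformed ID that `cpe_matches` then compares field by field. Suggest escaping the interpolated values (or rejecting values containing those characters) before building the string. The comment `# if we don't have a cpeid, build one based on name and version` should also state that the generated ID carries a concrete version, so a CVE entry that expresses a range through `v_start`/`v_end` (tested right after the match) is only reached if `cpe_matches` treats the entry's own version field as a wildcard.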
> diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
> index 0a48cf9581..f357cbe1b6 100755

-- 
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com

Thread overview: 43+ messages
2020-11-04 14:51 [Buildroot] [PATCH 00/10] Introduce CPE ID matching for CVEs Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 01/10] support/scripts/cve.py: properly match CPEs with version '*' Thomas Petazzoni
2020-11-04 16:45   ` Matthew Weber
2020-11-04 16:54     ` Thomas Petazzoni
2020-11-26 15:32   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 02/10] support/scripts/cve-checker: parse arguments earlier Thomas Petazzoni
2020-11-26 15:32   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 03/10] package/pkg-generic.mk: add CPE ID related package variables Thomas Petazzoni
2020-11-04 17:03   ` Matthew Weber
2020-11-05 17:02     ` Thomas Petazzoni
2020-11-12  7:40   ` Heiko Thiery
2020-11-26 15:34   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 04/10] docs/manual: document <pkg>_CPE_ID variables Thomas Petazzoni
2020-11-04 17:06   ` Matthew Weber
2020-11-12  7:36   ` Heiko Thiery
2020-11-26 15:36   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 05/10] package/pkg-utils.mk: expose CPE ID in show-info when available Thomas Petazzoni
2020-11-04 17:09   ` Matthew Weber
2020-11-12  7:44   ` Heiko Thiery
2020-11-26 15:37   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 06/10] support/testing/tests/core/test_cpeid: new test Thomas Petazzoni
2020-11-04 17:12   ` Matthew Weber
2020-11-26 15:37   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 07/10] support/scripts/cve-checker: show CPE ID in results Thomas Petazzoni
2020-11-04 17:20   ` Matthew Weber
2020-11-26 15:38   ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 08/10] support/script/pkg-stats: " Thomas Petazzoni
2020-11-04 17:18   ` Matthew Weber
2020-11-05 17:01     ` Thomas Petazzoni
2020-11-05 17:20       ` Matthew Weber
2020-11-12  7:59   ` Heiko Thiery
2021-01-11 22:37   ` Arnout Vandecappelle
2021-01-12 15:23     ` Thomas Petazzoni
2020-11-04 14:51 ` [Buildroot] [PATCH 09/10] support/scripts/{pkg-stats, cve.py, cve-checker}: support CPE ID based matching Thomas Petazzoni
2020-11-04 18:33   ` Matthew Weber
2020-11-05  8:46     ` Peter Korsgaard
2020-11-05  8:55       ` Thomas Petazzoni
2020-11-05 14:55   ` Gregory CLEMENT [this message]
2020-11-05 16:59     ` Thomas Petazzoni
2020-11-06 14:48       ` Gregory CLEMENT
2020-11-04 14:51 ` [Buildroot] [PATCH 10/10] package: provide CPE ID details for numerous packages Thomas Petazzoni
2020-11-04 15:42   ` Alexander Dahl
2020-11-04 15:49     ` Thomas Petazzoni
