From: Gregory CLEMENT <gregory.clement@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2 3/9] support/scripts/cve.py: Switch to JSON 1.1
Date: Thu, 23 Jul 2020 14:23:43 +0200 [thread overview]
Message-ID: <87wo2u1kts.fsf@FE-laptop> (raw)
In-Reply-To: <ca9bdc90-8572-1d6a-19d7-48f7fd6db65e@railnova.eu>
> Hello Gregory,
>
Hello Titouan,
>
> On 10/07/20 13:22, Gregory CLEMENT wrote:
>> In 2019, the JSON vulnerability feeds switched from version 1.0 to
>> 1.1.
>
> [--SNIP--]
>
>> + def parse_node(self, node):
>> + """
>> + Parse the node inside the configurations section to extract the
>> + cpe information usefull to know if a product is affected by
>> + the CVE. Actually only the product name and the version
>> + descriptor are needed, but we also provide the vendor name.
>> + """
>> +
>> + # The node containing the cpe entries matching the CVE can also
>> + # contain sub-nodes, so we need to manage it.
>> + for child in node.get('children', ()):
>> + self.parse_node(child)
>
>
> This doesn't do anything, because the values yielded in the recursive
> call to self.parse_node() are not used. The generator should be consumed
> like this (Python 2 and 3)
>
> for child in node.get('children', ()):
> for parsed_node in self.parse_node(child):
> yield parsed_node
>
> or with a more recent syntax (Python >=3.4)
>
> for child in node.get('children', ()):
> yield from self.parse_node(child)
>
>
> Also, if I understand correctly, this does not check if the CPE nodes
> have to be ORed or ANDed.
>
> Some time ago, I looked into the switch to the v1.1 of the NVD files,
> but somehow lamely forgot about it afterwards. This is the function I
> came up with to determine if a package at a given version would match a
> certain tree of CPE rules: http://paste.awesom.eu/Dxcv , maybe that
> could help.
Thanks for the feedback, I will fix this according your remarks.
Gregory
>
> Best regards,
>
> Titouan
--
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com
next prev parent reply other threads:[~2020-07-23 12:23 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-10 11:22 [Buildroot] [PATCH 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 1/9] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 2/9] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 3/9] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 4/9] package/pkg-utils: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 5/9] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 6/9] package/pkg-utils: cve.py: Handle exception when version comparison fails Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 8/9] support/script/cve-checker: " Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH 9/9] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 0/9] Improving CVE reporting Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 1/9] support/script/pkg-stat: Handle exception when version comparison fails Gregory CLEMENT
2020-07-12 19:32 ` Thomas Petazzoni
2020-07-10 11:22 ` [Buildroot] [PATCH v2 2/9] support/scripts: Turn CVE check into a module Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 3/9] support/scripts/cve.py: Switch to JSON 1.1 Gregory CLEMENT
2020-07-12 19:44 ` Titouan Christophe
2020-07-23 12:23 ` Gregory CLEMENT [this message]
2020-07-10 11:22 ` [Buildroot] [PATCH v2 4/9] package/pkg-utils: show-info: report the list of the CVEs ignored Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 5/9] support/script: Make CVE class independent of the Pacakage class Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 6/9] support/scripts: Add a per configuration CVE checker Gregory CLEMENT
2020-07-10 12:41 ` Matthew Weber
2020-07-10 11:22 ` [Buildroot] [PATCH v2 7/9] support/script/pkg-stats: Manage the CVEs that need to be check Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 8/9] support/script/cve-checker: " Gregory CLEMENT
2020-07-10 11:22 ` [Buildroot] [PATCH v2 9/9] package/pkg-utils/cve.py: Manage case when package version doesn't exist Gregory CLEMENT
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wo2u1kts.fsf@FE-laptop \
--to=gregory.clement@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox