* About the judgment result of the CVE check tool
@ 2022-12-02  9:55 Shinji Matsunaga (Fujitsu)
  2022-12-02 10:06 ` [OE-core] " Mikko Rapeli
  2022-12-02 10:09 ` Mikko Rapeli
  0 siblings, 2 replies; 3+ messages in thread
From: Shinji Matsunaga (Fujitsu) @ 2022-12-02  9:55 UTC (permalink / raw)
  To: 'openembedded-core@lists.openembedded.org'


Hi, I'm Shinji.

I have a question about the judgment result of the CVE check tool.

If the version of the package ("pv") cannot be compared to the version retrieved from NVD ("version_start" or "version_end"),
there is a vulnerability for which the judgment result is "Patched" (e.g. CVE-2020-15117).

If you can't compare versions, I think it should be judged as "Unpatched".
Why does the CVE check tool judge "Patched"?

Examples of judgment results:

 LAYER: meta-qti-base-prop
 PACKAGE NAME: synergy
 PACKAGE VERSION: git
 CVE: CVE-2020-15117
 CVE STATUS: Patched

Examples of logs:

"WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"

log output location:

 https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346


Fujitsu Ltd., ISS Business Group
Linux Software Division, Appliance Technology Department
Matsunaga Shinji
e-mail: shin.matsunaga@fujitsu.com



* Re: [OE-core] About the judgment result of the CVE check tool
From: Mikko Rapeli @ 2022-12-02 10:06 UTC (permalink / raw)
  To: Matsunaga-Shinji; +Cc: 'openembedded-core@lists.openembedded.org'

Hi,

On Fri, Dec 02, 2022 at 09:55:37AM +0000, Matsunaga-Shinji wrote:
> Hi, I'm Shinji.
> 
> I have a question about the judgment result of the CVE check tool.
> 
> If the version of the package ("pv") cannot be compared to the version retrieved from NVD ("version_start" or "version_end"),
> there is a vulnerability for which the judgment result is "Patched" (e.g. CVE-2020-15117).
> 
> If you can't compare versions, I think it should be judged as "Unpatched".
> Why does the CVE check tool judge "Patched"?

"git" is just as valid for a version number as "1.1.12". Both can
contain both numbers and letters. There are some rules how to compare
them to get "greater than", "equal" and "less than" results so I assume
that "git" is considered greater than "1.1.12".

For example Debian dpkg says that "git" is greater than "1.1.12":

$ dpkg --compare-versions "git" gt "1.0.2a"
dpkg: warning: version 'git' has bad syntax: version number does not start with digit
$ echo $?
0

So the tool does work correctly, though the version "git" is wrong and
the recipe maintainer should fix this to be based on the upstream release
version numbers, and if not possible, set the upstream and CVE database
compatible version number via the CVE_VERSION variable.

Setting PV to "git" is not wrong, but just bad, really bad practice
which breaks, among other things, Yocto's cve-check.bbclass.

Cheers,

-Mikko

> Examples of judgment results:
> 
>  LAYER: meta-qti-base-prop
>  PACKAGE NAME: synergy
>  PACKAGE VERSION: git
>  CVE: CVE-2020-15117
>  CVE STATUS: Patched
> 
> Examples of logs:
> 
> "WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
> 
> log output location:
> 
>  https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
> 
> 
> Fujitsu Ltd., ISS Business Group
> Linux Software Division, Appliance Technology Department
> Matsunaga Shinji
> e-mail: shin.matsunaga@fujitsu.com
> 





* Re: [OE-core] About the judgment result of the CVE check tool
From: Mikko Rapeli @ 2022-12-02 10:09 UTC (permalink / raw)
  To: Matsunaga-Shinji; +Cc: 'openembedded-core@lists.openembedded.org'

Hi,

On Fri, Dec 02, 2022 at 09:55:37AM +0000, Matsunaga-Shinji wrote:
> Hi, I'm Shinji.
> 
> I have a question about the judgment result of the CVE check tool.
> 
> If the version of the package ("pv") cannot be compared to the version retrieved from NVD ("version_start" or "version_end"),
> there is a vulnerability for which the judgment result is "Patched" (e.g. CVE-2020-15117).
> 
> If you can't compare versions, I think it should be judged as "Unpatched".
> Why does the CVE check tool judge "Patched"?
> 
> Examples of judgment results:
> 
>  LAYER: meta-qti-base-prop
>  PACKAGE NAME: synergy
>  PACKAGE VERSION: git
>  CVE: CVE-2020-15117
>  CVE STATUS: Patched

And, status "Patched" should mean that a .patch file to fix the issue is
applied, or that CVE_CHECK_REPORT_PATCHED is set. If that is not the case,
then something is indeed wrong.

Cheers,

-Mikko
> 
> Examples of logs:
> 
> "WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
> 
> log output location:
> 
>  https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
> 
> 
> Fujitsu Ltd., ISS Business Group
> Linux Software Division, Appliance Technology Department
> Matsunaga Shinji
> e-mail: shin.matsunaga@fujitsu.com
> 


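An added illustration of the point made across both replies (constructed example, not code from cve-check.bbclass or from either poster): a PV such as "git" has no defined position in an NVD version range, so a checker that treats a failed comparison as "not vulnerable" reports Patched, whereas one that returns an explicit Unknown reserves Patched for a comparison that actually ran (or an applied fix) and pushes the maintainer to fix PV or set CVE_VERSION. The range semantics (version_start inclusive, version_end exclusive, as the "git < 1.12.0" in the quoted warning suggests), the Unknown status and the report field names are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed example, not code from cve-check.bbclass. Only dotted
# numeric versions are accepted; anything else (such as PV = "git") is
# rejected instead of being silently ordered against release numbers.
_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")

def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple, or None if text is not a plain version."""
    if text is None or not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def cve_status(pv: str, version_start: Optional[str], version_end: Optional[str]) -> str:
    """Classify PV against an NVD affected range.

    Assumed semantics: version_start is inclusive, version_end is
    exclusive (the quoted warning compares "git < 1.12.0"); a None bound
    leaves the range open on that side. If any value cannot be parsed,
    the comparison never happened, so neither "Patched" nor "Unpatched"
    is justified and "Unknown" is returned instead.
    """
    pv_v = parse_version(pv)
    if pv_v is None:
        return "Unknown"
    start_v = parse_version(version_start)
    end_v = parse_version(version_end)
    if (version_start is not None and start_v is None) or (version_end is not None and end_v is None):
        return "Unknown"
    affected = (start_v is None or pv_v >= start_v) and (end_v is None or pv_v < end_v)
    return "Unpatched" if affected else "Patched"

def report(package: str, pv: str, cve: str, version_start: Optional[str], version_end: Optional[str]) -> dict:
    """Build a record shaped like the thread's CVE report, with a reason for Unknown."""
    status = cve_status(pv, version_start, version_end)
    reason = ""
    if status == "Unknown":
        reason = f"Failed to compare {pv} against {version_start}..{version_end}; fix PV or set CVE_VERSION"
    return {"PACKAGE NAME": package, "PACKAGE VERSION": pv, "CVE": cve,
            "CVE STATUS": status, "REASON": reason}

if __name__ == "__main__":
    # The case from the thread: PV "git" against the range below 1.12.0.
    print(report("synergy", "git", "CVE-2020-15117", None, "1.12.0"))
```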

