On Thu, Mar 4, 2021 at 4:44 AM Lee Chee Yang <[email protected]> wrote:
> > From: Lee Chee Yang <[email protected]> > > The version string from NVD might not be constant all the time; cast them to > Version whenever possible when comparing with the equals operator. > > CVE-2010-0426 > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*" > > CVE-2010-1646 > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*" > > Signed-off-by: Lee Chee Yang <[email protected]> > --- > meta/classes/cve-check.bbclass | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > >
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 112ee3379d..e0c8321e99 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -269,8 +269,15 @@ def check_cves(d, patched_cves): > (_, _, _, version_start, operator_start, version_end, > operator_end) = row > #bb.debug(2, "Evaluating row " + str(row)) > > - if (operator_start == '=' and pv == version_start) or > version_start == '-': > + if version_start == '-': > + # '-' can be any version
I had an extended email exchange with the database maintainers about the use/meaning of '-'. Here is their final word (which left me quite unsatisfied in its ambiguity): "In general, the '-' is used when affected versions of a product are unknown. If affected versions are stated, and there is no fix available, the configuration would be up to (including) the latest stated affected version. I would also like to add that '-' also means N/A, so not necessarily only when affected versions are unknown, which may help to clear your confusion." Using '-' to signify either "we don't know" or "not applicable" seems quite wrong to me :-( But that's the way it is.
> vulnerable = True > + elif operator_start == '=': > + # it could be unexpected version string which cannot be > parse, compare them string to string only in such case > + try: > + vulnerable = (Version(pv,suffix) == > Version(version_start,suffix)) > + except: > + vulnerable = (pv == version_start) > else: > if operator_start: > try: > -- > 2.17.1 > > > >
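Review bot: the bare `except:` in the new `elif operator_start == '='` branch catches everything, including KeyboardInterrupt and SystemExit, and silently turns any failure other than the parse error the comment describes into a plain string compare; narrow it to the exception `Version()` raises for a string it cannot parse (at minimum `except Exception:`) and emit a `bb.debug`/`bb.warn` when falling back to `pv == version_start`, so a degraded comparison is visible in the build log. Also: the comment should read "cannot be parsed", and `Version(pv,suffix)` / `Version(version_start,suffix)` want a space after the comma. The commit message would be stronger if it said which of `1.6.3_p1` and `1.6.3p1` `Version()` currently fails on, since the string fall-back only runs when parsing raises.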
View/Reply Online (#148939): https://lists.openembedded.org/g/openembedded-core/message/148939
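To make the comparison the patch is after concrete, here is an added, stand-alone Python sketch. It is my own example, not code from cve-check.bbclass or from the oe.cve_check Version class: a hypothetical parse_version() that normalises the two NVD spellings quoted in the commit message ("1.6.3_p1" and "1.6.3p1"), the '=' branch with the except clause narrowed to the parser's own error, and a small row evaluator in the (version_start, operator_start, version_end, operator_end) shape that check_cves() unpacks. The suffix grammar, the range handling and the sample rows are assumptions made for the example, not the class's behaviour.

```python
import re

# Added example, not code from cve-check.bbclass or oe.cve_check.
# parse_version() is a stand-in for the project's Version class (assumption):
# it accepts "1.6.3", "1.6.3_p1", "1.6.3p1", "1.6.3-rc2" and similar, and
# raises ValueError on anything it does not understand.
_VERSION_RE = re.compile(r"""
    ^(?P<release>[0-9]+(?:\.[0-9]+)*)                          # 1.6.3
    (?:[._-]?(?P<suffix>alpha|beta|pre|rc|p)(?P<num>[0-9]*))?  # _p1, p1, -rc2, .beta2
    $""", re.VERBOSE | re.IGNORECASE)

# Rank of a suffix relative to the bare release (0): pre-releases sort
# below it, a patch level ("p") above it. Ordering is an assumption.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}


def parse_version(text):
    """Return a comparable tuple, or raise ValueError if the string is not understood."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("cannot parse version %r" % text)
    release = [int(x) for x in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:   # 1.6.3.0 == 1.6.3
        release.pop()
    suffix = m.group("suffix").lower() if m.group("suffix") else None
    return (tuple(release), _SUFFIX_RANK[suffix], int(m.group("num") or 0))


def versions_equal(pv, nvd_version):
    """The '=' case from the patch: structured compare first, plain string
    compare only when parsing fails. The except is narrowed to the parser's
    own error instead of a bare 'except:'."""
    try:
        return parse_version(pv) == parse_version(nvd_version)
    except ValueError:
        return pv == nvd_version


def is_vulnerable(pv, version_start, start_op, version_end, end_op):
    """Evaluate one NVD configuration row for package version pv.
    The range handling below is the example's own (assumption)."""
    if version_start == "-":
        return True            # NVD '-': unknown or N/A, treated as any version
    if start_op == "=":
        return versions_equal(pv, version_start)
    try:
        v = parse_version(pv)
        lower_ok = upper_ok = True
        if start_op:
            lo = parse_version(version_start)
            lower_ok = v >= lo if start_op == ">=" else v > lo
        if end_op:
            hi = parse_version(version_end)
            upper_ok = v <= hi if end_op == "<=" else v < hi
        return bool(start_op or end_op) and lower_ok and upper_ok
    except ValueError:
        return False           # a range cannot be evaluated on an unparsable string


# Constructed rows modelled on the two sudo CPE entries quoted in the commit
# message, plus a range row and a '-' row; not pulled from the NVD feed.
SAMPLE_ROWS = [
    ("CVE-2010-0426", "1.6.3_p1", "=", "", ""),
    ("CVE-2010-1646", "1.6.3p1", "=", "", ""),
    ("RANGE-EXAMPLE", "1.6.0", ">=", "1.7.0", "<"),
    ("DASH-EXAMPLE", "-", "", "", ""),
]


def check_package(pv, rows=SAMPLE_ROWS):
    """Return the ids of rows that flag the given package version."""
    return [cve for cve, vs, so, ve, eo in rows if is_vulnerable(pv, vs, so, ve, eo)]


if __name__ == "__main__":
    for pv in ("1.6.3p1", "1.6.3_p1", "1.7.0"):
        print(pv, "->", check_package(pv))
```

With this shape both sudo rows match a package whose PV is spelled either way, the '-' row matches everything (which is exactly the ambiguity discussed above), and an NVD string the parser does not understand only ever degrades to an exact string compare rather than being swallowed by a catch-all.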
