Right, as Steve said the semantics here are somewhat vague, and we should err on the side of caution.
Changes like this make me think that we *really* need to expand the test suite with every change. Add in some CVEs to the suite that demonstrate the problem, with comments explaining what should happen, so that we don't regress as the logic gets more convoluted. The other patches in the series are fine, but this one I think does need some test cases.

Ross

On Thu, 4 Mar 2021 at 15:07, Steve Sakoman <[email protected]> wrote:
>
> On Thu, Mar 4, 2021 at 4:44 AM Lee Chee Yang <[email protected]> wrote:
> >
> > From: Lee Chee Yang <[email protected]>
> >
> > Version strings from NVD might not be constant all the time; cast them to
> > Version whenever possible while comparing for the equal operator.
> >
> > CVE-2010-0426
> > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*"
> >
> > CVE-2010-1646
> > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*"
> >
> > Signed-off-by: Lee Chee Yang <[email protected]>
> > ---
> >  meta/classes/cve-check.bbclass | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> > index 112ee3379d..e0c8321e99 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -269,8 +269,15 @@ def check_cves(d, patched_cves): > > (_, _, _, version_start, operator_start, version_end, > > operator_end) = row > > #bb.debug(2, "Evaluating row " + str(row)) > > > > - if (operator_start == '=' and pv == version_start) or > > version_start == '-': > > + if version_start == '-': > > + # '-' can be any version > > I had an extended email exchange with the database maintainers about > the use/meaning of '-' > > Here is their final word (which left me quite unsatisfied in its ambiguity) > > "In general, the '-' is used when affected versions of a product are > unknown. If affected versions are stated, and there is no fix > available, the configuration would be up to (including) the latest > stated affected version. I would also like to add that '-' also means > N/A, so not necessarily only when affected versions are unknown, which > may help to clear your confusion." > > Using '-' to signify either "we don't know" or "not applicable" seems > quite wrong to me :-( But that's the way it is. > > > vulnerable = True > > + elif operator_start == '=': > > + # it could be unexpected version string which cannot > > be parse, compare them string to string only in such case > > + try: > > + vulnerable = (Version(pv,suffix) == > > Version(version_start,suffix)) > > + except: > > + vulnerable = (pv == version_start) > > else: > > if operator_start: > > try: > > -- > > 2.17.1 > > > > > > > >
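Review bot: the bare `except:` in the new `elif operator_start == '=':` branch catches every exception, not just a failed version parse, and silently falls back to `vulnerable = (pv == version_start)`; catch only the exception `Version()` raises for a string it cannot parse, and extend the comment to name the NVD strings that trigger the fallback. The comment `# '-' can be any version` also reads as if '-' were a wildcard, whereas the maintainers' answer quoted above says it means "unknown" or "N/A"; phrasing it as "NVD uses '-' for unknown/N-A versions, so treat it as matching every version" keeps that rationale next to the code. The two CPE strings in the commit message (`1.6.3_p1` and `1.6.3p1`) are a ready-made pair for the regression test requested above: both must compare equal to the same package version, which is exactly what the old string comparison got wrong.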
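To make the matching rule under discussion concrete, here is an added, self-contained example (not code from the patch or from cve-check.bbclass) that extracts the version field from the two cpe23Uri strings in the commit message and applies the '-' / '=' / string-fallback logic of the patched `check_cves()`. `parse_version` is a hypothetical stand-in for the class's `Version` helper, and the CPE strings are the two quoted above.

```python
import re
from typing import Tuple

# Constructed sample input: the two NVD cpe23Uri values quoted in the commit message.
CPE_2010_0426 = "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*"
CPE_2010_1646 = "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*"


def cpe_version(cpe23uri: str) -> str:
    """Return the version field (index 5) of a cpe:2.3 URI."""
    fields = cpe23uri.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a cpe:2.3 URI: %r" % cpe23uri)
    return fields[5]


def parse_version(v: str) -> Tuple:
    """Hypothetical stand-in for the class's Version helper.

    Splits the string into numeric and alphabetic runs and ignores separators
    such as '.', '_' and '-', so '1.6.3_p1' and '1.6.3p1' parse identically.
    Numeric runs compare as integers (1.10 > 1.9). Raises ValueError for
    strings without any numeric component, e.g. '-' or '*'.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", v)
    if not any(t.isdigit() for t in tokens):
        raise ValueError("unparseable version: %r" % v)
    # Tag each token so ints and strings never get compared directly.
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def is_vulnerable(pv: str, version_start: str, operator_start: str) -> bool:
    """Mirror the '-' and '=' branches of the patched check_cves().

    '-' matches every version (NVD uses it for unknown/N-A versions); '='
    compares parsed versions and falls back to plain string equality only
    when parsing fails. Range operators are outside this example.
    """
    if version_start == "-":
        return True
    if operator_start == "=":
        try:
            return parse_version(pv) == parse_version(version_start)
        except ValueError:  # narrow except, instead of the patch's bare 'except:'
            return pv == version_start
    return False


def cpe_matches(pv: str, cpe23uri: str) -> bool:
    """True when package version pv equals the version in an NVD cpe23Uri."""
    return is_vulnerable(pv, cpe_version(cpe23uri), "=")
```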
