[Buildroot] [PATCH v2 3/9] support/scripts/cve.py: Switch to JSON 1.1
Titouan Christophe
titouan.christophe at railnova.eu
Sun Jul 12 19:44:16 UTC 2020
Hello Gregory,
On 10/07/20 13:22, Gregory CLEMENT wrote:
> In 2019, the JSON vulnerability feeds switched from version 1.0 to
> 1.1.
[--SNIP--]
> + def parse_node(self, node):
> + """
> + Parse the node inside the configurations section to extract the
> + cpe information usefull to know if a product is affected by
> + the CVE. Actually only the product name and the version
> + descriptor are needed, but we also provide the vendor name.
> + """
> +
> + # The node containing the cpe entries matching the CVE can also
> + # contain sub-nodes, so we need to manage it.
> + for child in node.get('children', ()):
> + self.parse_node(child)
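Review bot: the recursive call in the last line of this hunk, `self.parse_node(child)`, only creates a generator object and throws it away, so nothing from the sub-nodes is ever yielded to the caller; the loop body should be `for parsed in self.parse_node(child): yield parsed` (or `yield from self.parse_node(child)` on Python 3). Two docstring nits while touching it: "usefull" should be "useful", and "Actually only the product name ..." reads as "Currently only ...", which is what seems to be meant.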
This doesn't do anything, because the values yielded in the recursive
call to self.parse_node() are not used. The generator should be consumed
like this (Python 2 and 3):

    for child in node.get('children', ()):
        for parsed_node in self.parse_node(child):
            yield parsed_node

or with a more recent syntax (Python >=3.4):

    for child in node.get('children', ()):
        yield from self.parse_node(child)
Also, if I understand correctly, this does not check if the CPE nodes
have to be ORed or ANDed.
Some time ago, I looked into the switch to the v1.1 of the NVD files,
but somehow lamely forgot about it afterwards. This is the function I
came up with to determine if a package at a given version would match a
certain tree of CPE rules: http://paste.awesom.eu/Dxcv , maybe that
could help.
Best regards,
Titouan
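As an added illustration of the two points raised above (not code from the patch, from Buildroot's cve.py, or from the paste linked in the message), here is a self-contained Python rendering of a JSON 1.1 "configurations" walk: a recursive generator that actually consumes its children with `yield from`, and a matcher that honours each node's AND/OR `operator` (and `negate`) instead of flattening everything. The sample CVE document is constructed, and the version ordering is a simplified dotted-integer comparison, not the comparator cve.py uses.

```python
# Added example, not code from Buildroot's cve.py nor from the patch under
# review. Version ordering is a simplified dotted-integer comparison
# (assumption), and the AND handling below is this example's reading of the
# JSON 1.1 "operator" field, not what cve.py does.
import json

# Constructed sample CVE: an OR node whose child holds the cpe_match entries.
SAMPLE_CVE = json.loads("""{"configurations": {"nodes": [{
  "operator": "OR", "children": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true,
     "cpe23Uri": "cpe:2.3:a:example:foo:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.3"},
    {"vulnerable": true,
     "cpe23Uri": "cpe:2.3:a:example:bar:2.0.1:*:*:*:*:*:*:*"}]}]}]}}""")

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def iter_cpe_matches(node):
    """Yield every cpe_match of a node and, recursively, of its children."""
    yield from node.get("cpe_match", ())
    for child in node.get("children", ()):
        yield from iter_cpe_matches(child)  # consume the recursive generator

def cpe_match_applies(match, product, version):
    """True if one cpe_match entry covers product at version."""
    f = match["cpe23Uri"].split(":")  # cpe:2.3:part:vendor:product:version:...
    if not match.get("vulnerable", True) or f[4] != product:
        return False
    vk = version_key(version)
    if f[5] not in ("*", "-") and version_key(f[5]) != vk:
        return False
    bounds = (("versionStartIncluding", lambda b: vk >= b),
              ("versionStartExcluding", lambda b: vk > b),
              ("versionEndIncluding", lambda b: vk <= b),
              ("versionEndExcluding", lambda b: vk < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)

def node_matches(node, product, version):
    """OR node: any entry or child matches; AND node: all do; negate flips."""
    results = [cpe_match_applies(m, product, version) for m in node.get("cpe_match", ())]
    results += [node_matches(c, product, version) for c in node.get("children", ())]
    combine = all if node.get("operator", "OR") == "AND" else any
    return (bool(results) and combine(results)) != bool(node.get("negate", False))

def affected(cve, product, version):
    return any(node_matches(n, product, version) for n in cve["configurations"]["nodes"])
```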