[Buildroot] [PATCH v3 8/8] package/pkg-utils/cve.py: Manage case when package version doesn't exist

Gregory CLEMENT gregory.clement at bootlin.com
Fri Jul 24 15:43:56 UTC 2020


Until now, when a package didn't report a version, then the CVE
comparison was just skipped. It leads most of the time to declare the
package not affected by the CVE.

Instead of it, report the CVE_UNKNOWN status in order to be aware that
the CVE related to this package has to be checked.

Signed-off-by: Gregory CLEMENT <gregory.clement at bootlin.com>
---
 support/scripts/cve.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 4e83ac8961..83daf6b089 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -193,6 +193,7 @@ class CVE:
         if (self.identifier in cve_ignore_list):
             return self.CVE_DOESNT_AFFECT
 
+        unknown_pkg_version = False
         for cpe in self.each_cpe():
             affected = True
             if cpe['product'] != name:
@@ -205,6 +206,7 @@ class CVE:
             pkg_version = distutils.version.LooseVersion(version)
             if not hasattr(pkg_version, "version"):
                 print("Cannot parse package '%s' version '%s'" % (name, version))
+                unknown_pkg_version = True
                 continue
 
             if cpe['v_start']:
@@ -224,4 +226,8 @@ class CVE:
                         return self.CVE_UNKNOWN
             if (affected):
                 return self.CVE_AFFECTS
-        return self.CVE_DOESNT_AFFECT
+
+        if unknown_pkg_version:
+            return self.CVE_UNKNOWN
+        else:
+            return self.CVE_DOESNT_AFFECT
-- 
2.27.0



More information about the buildroot mailing list