[Buildroot] [PATCH v3 0/8] Improving CVE reporting

Thomas Petazzoni thomas.petazzoni at bootlin.com
Tue Jul 28 07:52:27 UTC 2020

Hello Grégory,

On Fri, 24 Jul 2020 17:43:48 +0200
Gregory CLEMENT <gregory.clement at bootlin.com> wrote:

> Titouan also mentioned that CPE nodes can be ORed or ANDed and I
> confirm it. So I had a closer look on it. First found there are
> children node only with the AND operator. Then most of the time the
> AND associate a version of product than could be affected with a
> version of another product which usually provide service to the first
> one such as an operating system. Or we could have the association of a
> software and an hardware. Having an application in the second part of
> the AND can happen but is very rare.
> Supporting these features will make the code more complex. By just
> parsing the node recursively without applying the AND condition, we
> could have some false positive CVE. But at least we won't miss CVE and
> the case were it would be useful for buildroot should be very scarce.

Could you give some specific example of where those AND operators with
child nodes are used ? This would help understand what are the
situations that make use of this.


Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering

More information about the buildroot mailing list