[Buildroot] [PATCH] package/plg-utils: escape \ in generated legal-info
Peter Korsgaard
peter at korsgaard.com
Sun Feb 7 09:35:44 UTC 2021
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> In the output of legal-info, which is JSON-formatted, we include the
> CPI_ID (when it is valid).
> For xerces, the CPE_IS contains two sequences aof \+ (which is exactly
> what is present in the NIST DB, [0]).
> However, in JSON, like in C, \ escapes the following character; only a
> very limited set of characters are valid to escape: " \ / b f n r t u.
> Escaping any other character is invalid. Conformant JSON parser will
> choke on invalid sequences, and so does not the json python module:
> File "/usr/lib/python2.7/json/decoder.py", line 380, in raw_decode
> obj, end = self.scan_once(s, idx)
> ValueError: Invalid \escape: line 1 column 608554 (char 608553)
> We fix that be globally escaping \ in our json output, in the generic
> sanitsing macro.
> [0] https://nvd.nist.gov/products/cpe/detail/645?namingFormat=2.3&orderBy=CPEURI&keyword=xerces&status=FINAL
I still wonder if it wouldn't be better to not have the backslashes in
the variable and do whatever escaping is needed inside the CVE logic,
but OK - We need a quick fix and this solves it.
Perhaps we should add a gitlab test to verify that we generate valid
json, E.G. by piping it to jq (or similar).
Committed, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list