Re: [Buildroot] [git commit] support/scripts/pkg-stats: account for unsure CVEs

From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [git commit] support/scripts/pkg-stats: account for unsure CVEs
Date: Thu, 27 Jan 2022 17:47:11 +0100	[thread overview]
Message-ID: <87o83xazxs.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20220109162602.909E582A93@busybox.osuosl.org> (Thomas Petazzoni's message of "Sun, 9 Jan 2022 17:31:55 +0100")

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > commit: https://git.buildroot.net/buildroot/commit/?id=a206bbc5fe3453f8763268261c4a7aa6ba2c275d
 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

 > The .affects() method of the CVE class in support/scripts/cve.py can
 > return 3 values: CVE_AFFECTS, CVE_DOESNT_AFFECT and CVE_UNKNOWN.

 > We of course properly account for CVEs where .affects() return
 > CVE_AFFECTS, but the ones for which CVE_UNKNOWN is returned are
 > currently ignored, and therefore treated as if they did not affect the
 > package.

 > However CVE_UNKNOWN in fact indicates that the v_start/v_end fields of
 > the CPE entry could not be parsed by
 > distutils.version.LooseVersion(). Instead of ignoring such cases, this
 > commit adds support for the concept of "unsure CVEs", which will be
 > listed next to CVEs known to affect the package, so that we are aware
 > of them and can investigate the version issue.

 > Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2021.02.x and 2021.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot