* [Buildroot] [Bug 13366] New: make pkg-stats: unrelated CVEs linked to linux package
@ 2020-12-08 12:57 bugzilla at busybox.net
  2020-12-08 13:40 ` [Buildroot] [Bug 13366] " bugzilla at busybox.net
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: bugzilla at busybox.net @ 2020-12-08 12:57 UTC (permalink / raw)
  To: buildroot

https://bugs.busybox.net/show_bug.cgi?id=13366

            Bug ID: 13366
           Summary: make pkg-stats: unrelated CVEs linked to linux package
           Product: buildroot
           Version: 2020.11
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at buildroot.uclibc.org
          Reporter: seems.deviant at gmail.com
                CC: buildroot at uclibc.org
  Target Milestone: ---

Created attachment 8701
  --> https://bugs.busybox.net/attachment.cgi?id=8701&action=edit
hypertext

Steps to reproduce:

$ cat <<EOF > .config
> BR2_LINUX_KERNEL=y
> BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
> EOF

$ make pkg-stats

In my case, there are 110 CVEs linked to the linux package, while most of them or
none at all are related.

The last three entries in CVEs column:

https://security-tracker.debian.org/tracker/CVE-2013-2032 - mediawiki
https://security-tracker.debian.org/tracker/CVE-2014-3250 - puppet
https://security-tracker.debian.org/tracker/CVE-2014-4909 - transmission

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Buildroot] [Bug 13366] make pkg-stats: unrelated CVEs linked to linux package
From: bugzilla at busybox.net @ 2020-12-08 13:40 UTC (permalink / raw)
  To: buildroot

https://bugs.busybox.net/show_bug.cgi?id=13366

--- Comment #1 from Thomas Petazzoni <thomas.petazzoni@bootlin.com> ---
Thanks a lot for your bug report! Could you try with the patch series at
https://patchwork.ozlabs.org/project/buildroot/list/?series=218648 applied, and
see if it improves things?


* [Buildroot] [Bug 13366] make pkg-stats: unrelated CVEs linked to linux package
From: bugzilla at busybox.net @ 2020-12-08 14:47 UTC (permalink / raw)
  To: buildroot

https://bugs.busybox.net/show_bug.cgi?id=13366

--- Comment #2 from Aleksandr Makarov <seems.deviant@gmail.com> ---
The mentioned patch series seems to help with the CVEs flood for the linux package.

However, I find it odd to see in which order the CVEs column gets sorted now: 

- In ascending order: "yellow - orange - green", but I'd expect "orange -
yellow - green"
- In descending order: "green - orange - yellow" instead of "green - yellow -
orange"

(See attached image for illustration)


* [Buildroot] [Bug 13366] make pkg-stats: unrelated CVEs linked to linux package
From: bugzilla at busybox.net @ 2020-12-08 14:53 UTC (permalink / raw)
  To: buildroot

https://bugs.busybox.net/show_bug.cgi?id=13366

--- Comment #3 from Aleksandr Makarov <seems.deviant@gmail.com> ---
(The screenshot is 0.5M, attaching the link to external storage)
https://imgur.com/a/LNEyaHR


* [Buildroot] [Bug 13366] make pkg-stats: unrelated CVEs linked to linux package
From: bugzilla at busybox.net @ 2020-12-09  9:33 UTC (permalink / raw)
  To: buildroot

https://bugs.busybox.net/show_bug.cgi?id=13366

--- Comment #4 from Thomas Petazzoni <thomas.petazzoni@bootlin.com> ---
Thanks for your feedback. This sorting is just doing alphabetic sorting I
believe, so it doesn't make much sense for CVEs. It's a bit like sorting the
"Current version" or "Latest version" columns: it doesn't do anything useful.
We should perhaps disable the sorting on some columns.
