Hi, I'm Shinji.
I have a question about the judgment result of the CVE check tool.
If the version of the package "pv" cannot be compared to the version retrieved
from NVD("version_start" or "version_end"),
there is a vulnerability for which the judgment result is "Patched".(e.g.
CVE-2020-15117)
If you can't compare versions, I think it should be judged as "Unpatched"
Why does the CVE check tool judge "Patched"?
Examples of judgment results:
LAYER: meta-qti-base-prop
PACKAGE NAME: synergy
PACKAGE VERSION: git
CVE: CVE-2020-15117
CVE STATUS: Patched
Examples of logs:
"WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
log output location:
https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
富士通(株) ISS事本
Linuxソフトウェア事業部 アプライアンス技術部
松永 慎司 / Matsunaga Shinji
e-mail:[email protected]<mailto:[email protected]>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#174231):
https://lists.openembedded.org/g/openembedded-core/message/174231
Mute This Topic: https://lists.openembedded.org/mt/95403021/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
