Hi,
On Fri, Dec 02, 2022 at 09:55:37AM +0000, Matsunaga-Shinji wrote:
> Hi, I'm Shinji.
>
> I have a question about the judgment result of the CVE check tool.
>
> If the version of the package "pv" cannot be compared to the version
> retrieved from NVD ("version_start" or "version_end"),
> there is a vulnerability for which the judgment result is "Patched" (e.g.
> CVE-2020-15117).
>
> If you can't compare versions, I think it should be judged as "Unpatched".
> Why does the CVE check tool judge "Patched"?
"git" is just as valid for a version number as "1.1.12". Both can
contain both numbers and letters. There are some rules for how to compare
them to get "greater than", "equal" and "less than" results, so I assume
that "git" is considered greater than "1.1.12".
For example Debian dpkg says that "git" is greater than "1.1.12":
$ dpkg --compare-versions "git" gt "1.0.2a"
dpkg: warning: version 'git' has bad syntax: version number does not start with digit
$ echo $?
0
So the tool does work correctly, though the version "git" is wrong and
the recipe maintainer should fix this to be based on the upstream release
version numbers, and if that is not possible, set an upstream- and
CVE-database-compatible version number via the CVE_VERSION variable.
Setting PV to "git" is not wrong, but it is bad, really bad, practice
which breaks, among other things, the Yocto cve-check.bbclass.
Cheers,
-Mikko
> Examples of judgment results:
>
> LAYER: meta-qti-base-prop
> PACKAGE NAME: synergy
> PACKAGE VERSION: git
> CVE: CVE-2020-15117
> CVE STATUS: Patched
>
> Examples of logs:
>
> "WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
>
> log output location:
>
> https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
>
> Fujitsu Limited, ISS Business Unit
> Linux Software Division, Appliance Technology Department
> 松永 慎司 / Matsunaga Shinji
> e-mail: [email protected]
>
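An added illustration of the behaviour discussed in this thread (this is example code written for this reply, not the code of cve-check.bbclass or of the synergy recipe): a small version parser that, like the real tool, rejects a PV of "git", plus an NVD-style range test that shows why an uncomparable PV ends up reported as "Patched" and what changes if the failure is instead treated as "Unpatched". The parse rule (digits separated by dots, optional letter suffix), the fail-open/fail-closed switch and the sample record are assumptions made here for illustration; only the warning text and the CVE data come from the mail above.

```python
import re

# Constructed sample input taken from the report in this thread.
SAMPLE = {
    "package": "synergy",
    "pv": "git",                       # PV of the recipe, not a release version
    "cve": "CVE-2020-15117",
    "ranges": [("", "", "1.12.0", "<")],  # (version_start, op_start, version_end, op_end)
}

def parse_version(s: str):
    """Parse 'N(.N)*[letters]' such as 1.12.0 or 1.0.2a (assumed rule).
    Anything that does not start with a digit, e.g. 'git', is rejected."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", s)
    if m is None:
        raise ValueError(f"cannot parse version {s!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)

def vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b. Missing trailing
    components count as 0, so 1.1 == 1.1.0; a letter suffix sorts after none."""
    an, asuf = parse_version(a)
    bn, bsuf = parse_version(b)
    width = max(len(an), len(bn))
    an += (0,) * (width - len(an))
    bn += (0,) * (width - len(bn))
    ka, kb = (an, asuf), (bn, bsuf)
    return (ka > kb) - (ka < kb)

_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
}

def affected(pv: str, start: str, start_op: str, end: str, end_op: str) -> bool:
    """True if pv lies inside the NVD range; an empty bound is unbounded.
    Raises ValueError when pv (or a bound) is not a comparable version."""
    lower = True if not start else _OPS[start_op](vercmp(pv, start))
    upper = True if not end else _OPS[end_op](vercmp(pv, end))
    return lower and upper

def cve_status(package: str, pv: str, cve: str, ranges, fail_open: bool = True):
    """Return (status, warnings) for one CVE.

    fail_open=True models the behaviour reported in the thread: a version
    that cannot be compared is logged and counted as not affected, so the
    CVE is reported "Patched".  fail_open=False is the alternative the
    question asks for: an uncomparable version counts as affected."""
    warnings = []
    vulnerable = False
    for start, start_op, end, end_op in ranges:
        try:
            if affected(pv, start, start_op, end, end_op):
                vulnerable = True
        except ValueError:
            bound = f"{end_op} {end}" if end else f"{start_op} {start}"
            warnings.append(f"WARNING: {package}: Failed to compare {pv} {bound} for {cve}")
            if not fail_open:
                vulnerable = True
    return ("Unpatched" if vulnerable else "Patched"), warnings

def effective_version(pv: str, cve_version: str = "") -> str:
    """Version the check should use: an explicit CVE_VERSION wins over PV."""
    return cve_version or pv

if __name__ == "__main__":
    for cve_version in ("", "1.11.1", "1.12.0"):
        pv = effective_version(SAMPLE["pv"], cve_version)
        status, warns = cve_status(SAMPLE["package"], pv, SAMPLE["cve"], SAMPLE["ranges"])
        print(f"PV={pv:<8} -> {status}", *warns, sep="\n  ")
```

Run as a script it walks through the three cases: PV "git" logs the "Failed to compare git < 1.12.0" warning and comes out "Patched", a CVE_VERSION of "1.11.1" comes out "Unpatched", and "1.12.0" comes out "Patched" because it is not below the range end. The fail-open choice is what makes the recipe's PV matter: the check can only be as good as the version it is given.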
View/Reply Online (#174233):
https://lists.openembedded.org/g/openembedded-core/message/174233