Hi,
On Fri, Dec 02, 2022 at 09:55:37AM +0000, Matsunaga-Shinji wrote:
> Hi, I'm Shinji.
>
> I have a question about the judgment result of the CVE check tool.
>
> If the version of the package "pv" cannot be compared to the version
> retrieved from NVD("version_start" or "version_end"),
> there is a vulnerability for which the judgment result is "Patched".(e.g.
> CVE-2020-15117)
>
> If you can't compare versions, I think it should be judged as "Unpatched"
> Why does the CVE check tool judge "Patched"?
>
> Examples of judgment results:
>
> LAYER: meta-qti-base-prop
> PACKAGE NAME: synergy
> PACKAGE VERSION: git
> CVE: CVE-2020-15117
> CVE STATUS: Patched
And, status "Pached" should mean that a .patch file to fix the issue is
applied, or if CVE_CHECK_REPORT_PATCHED is set. If that is not the case,
then something is indeed wrong.
Cheers,
-Mikko
>
> Examples of logs:
>
> "WARNING: synergy: Failed to compare git < 1.12.0 for CVE-2020-15117"
>
> log output location:
>
>
> https://github.com/openembedded/openembedded-core/blob/master/meta/classes/cve-check.bbclass#L346
>
>
> 富士通(株) ISS事本
> Linuxソフトウェア事業部 アプライアンス技術部
> 松永 慎司 / Matsunaga Shinji
> e-mail:[email protected]<mailto:[email protected]>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#174234):
https://lists.openembedded.org/g/openembedded-core/message/174234
Mute This Topic: https://lists.openembedded.org/mt/95403021/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
