Hi, Ross,

What does "too common an issue" mean? Is it okay to ignore the misjudgment by the following cases?

e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2"

Regards,
Shinji

-----Original Message-----
From: Matsunaga, Shinji/松永 慎司
Sent: Tuesday, January 16, 2024 10:47 AM
To: '[email protected]' <[email protected]>
Cc: '[email protected]' <[email protected]>
Subject: RE: [PATCH] Revert "cve-check: Modify judgment processing using "=" in version comparison"

Hi, Ross,

What do you think about the following?

Regards,
Shinji

-----Original Message-----
From: Matsunaga, Shinji/松永 慎司
Sent: Thursday, December 28, 2023 10:59 AM
To: '[email protected]' <[email protected]>
Cc: [email protected]
Subject: RE: [PATCH] Revert "cve-check: Modify judgment processing using "=" in version comparison"

Hi, Ross,

What does "too common an issue" mean? Is it okay to ignore the misjudgment by the following cases?

e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2"

Regards,
Shinji

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Wednesday, December 6, 2023 2:19 AM
To: [email protected]
Cc: Matsunaga, Shinji/松永 慎司 <[email protected]>
Subject: [PATCH] Revert "cve-check: Modify judgment processing using "=" in version comparison"
From: Ross Burton <[email protected]>

This change introduced a warning if version comparisons failed, but this is far too common an issue in data that we don't control, so this shouldn't cause a warning:

WARNING: automake-native-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 = branch_1-9 for CVE-2009-4029
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4/m5 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4/m5 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4/m5 for CVE-2011-0715
WARNING: automake-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 = branch_1-9 for CVE-2009-4029
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2003-0577
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2004-0982
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2004-1284
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2006-3355
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2007-0578
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2007-0578
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2009-1301
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2009-1301

This reverts commit a1989e4197178c2431ceca499e0b4876b233b131.

Signed-off-by: Ross Burton <[email protected]>
---
 meta/classes/cve-check.bbclass | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 086d87687f4..5191d043030 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -375,7 +375,6 @@ def check_cves(d, patched_cves): try: vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) - vulnerable_start |= (operator_start == '=' and Version(pv,suffix) == Version(version_start,suffix)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) -- 2.34.1
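Review bot: removing the `vulnerable_start |= (operator_start == '=' and Version(pv,suffix) == Version(version_start,suffix))` line does more than silence the warning: an NVD entry whose affected range is a single exact version (operator `=`) can now never evaluate as vulnerable, and nothing is logged about it, so the noisy false positives are traded for silent false negatives. If the aim is only to stop the noise from unparseable strings such as `branch_1-9`, `m4/m5` or `pre0.59s`, keep the `=` comparison and lower the logging in the `except` branch from `bb.warn` to `bb.note` or `bb.debug`; while there, narrow the bare `except:` to the exception the version parser raises so that genuine programming errors are not swallowed along with bad NVD data. The commit message should also state that exact-version matches are no longer detected, since that is a behaviour change beyond the warning it describes.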
View/Reply Online (#194204): https://lists.openembedded.org/g/openembedded-core/message/194204
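A constructed Python model of the comparison the thread argues about, added here as an example and not taken from oe-core's cve-check code: `version_key`, `vulnerable_start`, `classify` and the `SAMPLE` entries are stand-ins of my own, and the real `Version(pv, suffix)` parser is assumed, not reproduced. It shows that with the `=` line removed, Shinji's 1.2.0-versus-1.2 exact match becomes a silent "not vulnerable", while the unparseable strings from the quoted warnings no longer raise at all.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Version() class the hunk calls; it is NOT
# oe.cve_check's parser. It accepts only dotted numeric releases and, like
# packaging-style comparison, ignores trailing zeros so "1.2.0" == "1.2".
_RELEASE_RE = re.compile(r"^\s*(?P<release>\d+(?:\.\d+)*)\s*$")

def version_key(text: str) -> Tuple[int, ...]:
    """Comparison key for a version string; raises ValueError for anything
    that is not plain dotted digits (e.g. 'branch_1-9', 'm1', 'pre0.59s')."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"Invalid version: {text!r}")
    release = [int(p) for p in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    return tuple(release)

def vulnerable_start(pv: str, op: str, start: str, keep_eq: bool) -> Optional[bool]:
    """Mirror the try/except around 'vulnerable_start' in the hunk.

    keep_eq=True  keeps the line the revert removes ('=' is evaluated);
    keep_eq=False is the tree after the revert ('=' can never be True).
    Returns None when a comparison raised, i.e. when the except branch that
    logs 'Failed to compare ...' would have run.
    """
    v = version_key
    try:
        result = (op == ">=" and v(pv) >= v(start))
        result |= (op == ">" and v(pv) > v(start))
        if keep_eq:
            result |= (op == "=" and v(pv) == v(start))
        return result
    except ValueError:
        return None

def classify(pv: str, affected: List[Tuple[str, str, str]], keep_eq: bool) -> Dict[str, str]:
    """Label each constructed (operator, version_start, cve) entry."""
    labels = {True: "vulnerable", False: "not vulnerable", None: "unparseable"}
    return {cve: labels[vulnerable_start(pv, op, start, keep_eq)]
            for op, start, cve in affected}

# Constructed sample entries, not real NVD data: Shinji's exact-match case
# (placeholder CVE id) plus the 'branch_1-9' string from the automake warning.
SAMPLE = [("=", "1.2", "CVE-0000-EXAMPLE"), ("=", "branch_1-9", "CVE-2009-4029")]
```

Running `classify("1.2.0", SAMPLE, keep_eq=False)` labels both entries "not vulnerable" with no signal that one was an exact match and the other was never parsed; that is the gap a downgraded log level instead of a revert would keep visible.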
