> From: Marta Rybczynska <[email protected]>
> Sent: Friday, August 9, 2024 12:45
> To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>
> Cc: [email protected]; Marta Rybczynska <[email protected]>
> Subject: Re: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected product/vendor in CVE_STATUS
>
> On Fri, Aug 9, 2024 at 9:07 AM Marko, Peter <[email protected]> wrote:
> > > -----Original Message-----
> > > From: [email protected] <[email protected]> On Behalf Of Marta Rybczynska via lists.openembedded.org
> > > Sent: Friday, August 9, 2024 8:24
> > > To: [email protected]
> > > Cc: Marta Rybczynska <[email protected]>
> > > Subject: [OE-core] [RFC][PATCH 1/2] cve-check: encode affected product/vendor in CVE_STATUS
> > > <snip>
> > > -        status_split = status.split(':', 1)
> > > -        detail = status_split[0]
> > > -        description = status_split[1].strip() if (len(status_split) > 1) else ""
> > > +        status_split = status.split(':', 3)
> >
> > This effectively forbids usage of ":" in CVE_STATUS.
> > Since "grep -RI 'CVE_STATUS.*:.*:'" already yields 8 results for oe-core + meta-oe, this is not a good idea.
> > I'd propose to keep the original split and check the first word of the second part; something like:
> >
> >     if status_split[1].strip().startswith('cpe:'):
> >         # first word of the second part is the cpe, the rest stays the description
> >         extracted_cpe, status_split[1] = status_split[1].strip().split(' ', 1)
> >         # fourth part is important here to not keep possible trailing ":" in product
> >         extracted_cpe_split = extracted_cpe.split(':', 4)
> >         status_out['vendor'] = "*" if len(extracted_cpe_split) == 2 or len(extracted_cpe_split[2]) == 0 else extracted_cpe_split[1]
> >         status_out['product'] = extracted_cpe_split[2] if len(extracted_cpe_split) >= 3 and len(extracted_cpe_split[2]) > 0 else extracted_cpe_split[1]
> >     else:
> >         status_out['vendor'] = "*"
> >         status_out['product'] = "*"
>
> A valid point indeed.
> The "cpe:" prefix is a good idea. However, I think that splitting on ' ' isn't a very good idea either.
> What about assuming that: if you give the "cpe:" part, then you always give both vendor and product. What will be valid:
> ignored:cpe:*:*:some description
> ignored:cpe:*:*:some description::
> ignored:cpe:vendor:product:some description::
>
> but not
> ignored:cpe:product:some description::
>
> Kind regards,
> Marta
Sure, why not, it's your patch. I just wanted to point out a problem.

Kind Regards,
Peter
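The layout Marta proposes above, written out as a parser, is added here as an example for this page; it is neither the oe-core patch nor Peter's snippet. The function name `parse_cve_status`, the mandatory vendor/product fields after `cpe:`, and the rule that a CPE vendor or product component never contains whitespace (which is what rejects the "not valid" form) are assumptions of this example.

```python
# Added example (not oe-core code): parse one CVE_STATUS value of the form
# "<status>:cpe:<vendor>:<product>:<description>" or "<status>:<description>",
# keeping ':' usable inside the free-text description (Peter's concern).
from typing import Dict


def parse_cve_status(status: str) -> Dict[str, str]:
    """Return status, vendor, product and description for a CVE_STATUS entry.

    Assumed rules: the first ':' separates the status keyword from the rest;
    if the rest starts with "cpe:", the next two ':'-separated fields are the
    vendor and product ("*" means any) and everything after them is the
    description; otherwise vendor and product are "*" and the rest is the
    description. Colons inside the description are preserved in both forms.
    """
    detail, _, rest = status.partition(":")
    out = {"status": detail.strip(), "vendor": "*", "product": "*",
           "description": ""}
    rest = rest.strip()
    if not rest.startswith("cpe:"):
        out["description"] = rest
        return out
    # ['cpe', vendor, product, description]; maxsplit=3 leaves any further
    # ':' (e.g. a trailing "::") untouched inside the description.
    parts = rest.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"CVE_STATUS {status!r}: cpe form needs vendor and product")
    vendor, product = parts[1], parts[2]
    # Assumption: CPE vendor/product components never contain whitespace, so
    # free text in the product slot means one of the two fields was omitted.
    for name, value in (("vendor", vendor), ("product", product)):
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"CVE_STATUS {status!r}: invalid {name} {value!r}")
    out["vendor"] = vendor
    out["product"] = product
    out["description"] = parts[3].strip() if len(parts) > 3 else ""
    return out
```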
