Judgment processing of vulnerable using "=" compares characters as strings rather than numbers, and misjudges "cases that do not match in strings but do match in numbers" as "Patched". (e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2")
Therefore, if the comparison operator used in the judgment processing of vulnerable is "=", add numeric comparison processing. Signed-off-by: Shinji Matsunaga <shin.matsun...@fujitsu.com> Signed-off-by: Shunsuke Tokumoto <s-tokum...@fujitsu.com> --- meta/classes/cve-check.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5191d04303..086d87687f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -375,6 +375,7 @@ def check_cves(d, patched_cves): try: vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) + vulnerable_start |= (operator_start == '=' and Version(pv,suffix) == Version(version_start,suffix)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) -- 2.42.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#195902): https://lists.openembedded.org/g/openembedded-core/message/195902 Mute This Topic: https://lists.openembedded.org/mt/104462613/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-