The vulnerability judgment processing using "=" compares the versions as strings rather than as numbers, and misjudges "cases that do not match as strings but do match as numbers" as "Patched".
(e.g. PV = "1.2.0" and the vulnerability's Affected Versions (registered with NVD) = "1.2")

Therefore, if the comparison operator used in the vulnerability judgment processing is "=", add numeric comparison processing.

Signed-off-by: Shinji Matsunaga <shin.matsun...@fujitsu.com>
Signed-off-by: Shunsuke Tokumoto <s-tokum...@fujitsu.com>
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 5191d04303..086d87687f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -375,6 +375,7 @@ def check_cves(d, patched_cves):
                         try:
                             vulnerable_start =  (operator_start == '>=' and 
Version(pv,suffix) >= Version(version_start,suffix))
                             vulnerable_start |= (operator_start == '>' and 
Version(pv,suffix) > Version(version_start,suffix))
+                            vulnerable_start |= (operator_start == '=' and 
Version(pv,suffix) == Version(version_start,suffix))
                         except:
                             bb.warn("%s: Failed to compare %s %s %s for %s" %
                                     (product, pv, operator_start, 
version_start, cve))
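Review bot: the added `'='` branch relies on `Version(pv,suffix) == Version(version_start,suffix)` treating "1.2.0" and "1.2" as equal, which is the whole point of the commit message, but nothing in the hunk or the patch demonstrates that `Version()` normalises a trailing ".0"; please add a test case (or cite the `Version` class behaviour in the commit message) so the "1.2.0" vs "1.2" case is actually verified. The placement itself is consistent with the surrounding logic: the first visible line assigns `vulnerable_start` for `'>='` and the following `|=` lines accumulate the `'>'` and now `'='` cases, so an unrecognised operator still yields False. One caveat worth noting for the same block: the existing bare `except:` only emits `bb.warn` on a failed comparison, so a `Version()` parse error for an unusual `version_start` is logged but the visible lines do not show what `vulnerable_start` holds afterwards; a reviewer should confirm the fall-through path still errs on the side of reporting the CVE.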
-- 
2.42.0
