Hi, Le 20/02/2024 à 06:03, Matsunaga-Shinji via lists.openembedded.org a écrit : > Judgment processing of vulnerable using "=" compares characters as strings > rather than numbers, > and misjudges "cases that do not match in strings but do match in numbers" as > "Patched". > (e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with > NVD) = "1.2") > > Therefore, if the comparison operator used in the judgment processing of > vulnerable is "=", > add numeric comparison processing. > > Signed-off-by: Shinji Matsunaga <shin.matsun...@fujitsu.com> > Signed-off-by: Shunsuke Tokumoto <s-tokum...@fujitsu.com> > --- > meta/classes/cve-check.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 5191d04303..086d87687f 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -375,6 +375,7 @@ def check_cves(d, patched_cves): > try: > vulnerable_start = (operator_start == '>=' and > Version(pv,suffix) >= Version(version_start,suffix)) > vulnerable_start |= (operator_start == '>' and > Version(pv,suffix) > Version(version_start,suffix)) > + vulnerable_start |= (operator_start == '=' and > Version(pv,suffix) == Version(version_start,suffix)) > except: > bb.warn("%s: Failed to compare %s %s %s for %s" % > (product, pv, operator_start, > version_start, cve))
As far as I can tell, this patch is the same that was: * merged in commit 291bc9e96a1f ("cve-check: Modify judgment processing using "=" in version comparison") * and reverted in commit 028b6f62263c ("Revert "cve-check: Modify judgment processing using "=" in version comparison"") (poky.git SHA1s) I am not a maintainer but I whould say that you need to adress the warnings in the revert commit message: > This change introduced a warning if version comparisons failed, but this is > far too common an issue in data that we don't control, so this shouldn't > cause a warning: > > WARNING: automake-native-1.16.5-r0 do_cve_check: automake: Failed to compare > 1.16.5 = branch_1-9 for CVE-2009-4029 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m1 for CVE-2010-4539 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m2 for CVE-2010-4539 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m3 for CVE-2010-4539 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m4\/m5 for CVE-2010-4539 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m1 for CVE-2010-4644 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m2 for CVE-2010-4644 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m3 for CVE-2010-4644 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m4\/m5 for CVE-2010-4644 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m1 for CVE-2011-0715 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m2 for CVE-2011-0715 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m3 for CVE-2011-0715 > WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare > 1.14.2 = m4\/m5 for CVE-2011-0715 > WARNING: automake-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 > = branch_1-9 for CVE-2009-4029 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s for CVE-2003-0577 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s for CVE-2004-0982 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s for CVE-2004-1284 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s_r11 for CVE-2006-3355 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s for CVE-2007-0578 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s_r11 for CVE-2007-0578 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s for CVE-2009-1301 > WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = > pre0.59s_r11 for CVE-2009-1301 Regards, -- Yoann Congal Smile ECS - Tech Expert
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#195956): https://lists.openembedded.org/g/openembedded-core/message/195956 Mute This Topic: https://lists.openembedded.org/mt/104462613/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-