Hi,

On 20/02/2024 at 06:03, Matsunaga-Shinji via lists.openembedded.org wrote:
> Judgment processing of vulnerable using "=" compares characters as strings 
> rather than numbers,
> and misjudges "cases that do not match in strings but do match in numbers" as 
> "Patched".
> (e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with 
> NVD) = "1.2")
> 
> Therefore, if the comparison operator used in the judgment processing of 
> vulnerable is "=",
> add numeric comparison processing.
> 
> Signed-off-by: Shinji Matsunaga <shin.matsun...@fujitsu.com>
> Signed-off-by: Shunsuke Tokumoto <s-tokum...@fujitsu.com>
> ---
>  meta/classes/cve-check.bbclass | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 5191d04303..086d87687f 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -375,6 +375,7 @@ def check_cves(d, patched_cves):
>                          try:
>                              vulnerable_start =  (operator_start == '>=' and 
> Version(pv,suffix) >= Version(version_start,suffix))
>                              vulnerable_start |= (operator_start == '>' and 
> Version(pv,suffix) > Version(version_start,suffix))
> +                            vulnerable_start |= (operator_start == '=' and 
> Version(pv,suffix) == Version(version_start,suffix))
>                          except:
>                              bb.warn("%s: Failed to compare %s %s %s for %s" %
>                                      (product, pv, operator_start, 
> version_start, cve))
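Review bot: the new `operator_start == '='` term sends every NVD "=" entry through `Version()`, and the bare `except:` below then turns each value that does not parse as a version into a `bb.warn`; NVD uses strings such as `branch_1-9`, `m1` and `pre0.59s` as "=" versions, which is exactly the warning storm quoted in the revert of the earlier identical change. For the "=" case, try an exact string match (`pv == version_start`) first and only fall back to `Version(pv,suffix) == Version(version_start,suffix)` when both sides parse, or at least route that failure to `bb.debug` instead of `bb.warn`; while touching this block, narrow the bare `except:` to the exception `Version` actually raises so unrelated errors are not swallowed with the same message.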

As far as I can tell, this patch is the same that was:
* merged in commit 291bc9e96a1f ("cve-check: Modify judgment processing using 
"=" in version comparison")
* and reverted in commit 028b6f62263c ("Revert "cve-check: Modify judgment 
processing using "=" in version comparison"")
(poky.git SHA1s)

I am not a maintainer but I would say that you need to address the warnings in 
the revert commit message:
>  This change introduced a warning if version comparisons failed, but this is 
> far too common an issue in data that we don't control, so this shouldn't 
> cause a warning:
> 
> WARNING: automake-native-1.16.5-r0 do_cve_check: automake: Failed to compare 
> 1.16.5 = branch_1-9 for CVE-2009-4029
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m1 for CVE-2010-4539
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m2 for CVE-2010-4539
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m3 for CVE-2010-4539
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m4\/m5 for CVE-2010-4539
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m1 for CVE-2010-4644
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m2 for CVE-2010-4644
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m3 for CVE-2010-4644
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m4\/m5 for CVE-2010-4644
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m1 for CVE-2011-0715
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m2 for CVE-2011-0715
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m3 for CVE-2011-0715
> WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 
> 1.14.2 = m4\/m5 for CVE-2011-0715
> WARNING: automake-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 
> = branch_1-9 for CVE-2009-4029
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s for CVE-2003-0577
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s for CVE-2004-0982
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s for CVE-2004-1284
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s_r11 for CVE-2006-3355
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s for CVE-2007-0578
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s_r11 for CVE-2007-0578
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s for CVE-2009-1301
> WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = 
> pre0.59s_r11 for CVE-2009-1301

Regards,
-- 
Yoann Congal
Smile ECS - Tech Expert
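As an added illustration (not code from cve-check.bbclass or from the oe.cve_check module, which it does not import), the following Python shows the distinction this thread turns on: an "=" check that is numeric when both sides are dotted-numeric versions, so "1.2.0" matches "1.2", but degrades to an exact string match instead of raising when the NVD side is a value such as branch_1-9 or pre0.59s. The names parse_version, compare_version and run_samples, the (vulnerable, comparable) return pair and the sample rows are assumptions made for this example; the rows reuse the version strings from the revert's warnings.

```python
import re

# Constructed sample data for the demonstration: (PV from the recipe, operator,
# version string as registered in NVD). The non-numeric strings are the kind
# of values the reverted change tripped over (branch names, milestone tags).
SAMPLE_CHECKS = [
    ("1.2.0", "=", "1.2"),            # differs as a string, equal as a version
    ("1.16.5", "=", "branch_1-9"),    # automake, CVE-2009-4029 style data
    ("1.14.2", "=", "m4\\/m5"),       # subversion milestone with escaped slash
    ("1.32.3", "=", "pre0.59s_r11"),  # mpg123 pre-release tag
    ("pre0.59s", "=", "pre0.59s"),    # exact string match still counts
    ("1.14.2", ">=", "1.14"),
    ("1.14.2", ">", "m1"),
]

_NUMERIC = re.compile(r"\d+(\.\d+)*")


def parse_version(text):
    """Turn a purely dotted-numeric version into a tuple of ints with trailing
    zeros dropped, so '1.2.0' and '1.2' compare equal. Anything else (e.g.
    'branch_1-9', 'pre0.59s') yields None instead of raising."""
    if not _NUMERIC.fullmatch(text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def compare_version(pv, operator, nvd_version):
    """Evaluate PV <operator> nvd_version for '=', '>' and '>='.

    Returns (vulnerable, comparable). comparable is False when either side is
    not a numeric version; in that case '=' degrades to an exact string match
    and the ordering operators return False, so a caller can log that at debug
    level rather than emitting a warning per CVE. (Hypothetical helper, not
    the cve-check.bbclass implementation.)"""
    a, b = parse_version(pv), parse_version(nvd_version)
    if a is None or b is None:
        return (operator == "=" and pv == nvd_version, False)
    if operator == "=":
        return (a == b, True)
    if operator == ">=":
        return (a >= b, True)
    if operator == ">":
        return (a > b, True)
    raise ValueError("unsupported operator: %r" % operator)


def run_samples(checks=SAMPLE_CHECKS):
    """Apply compare_version to every sample row and return the results in order."""
    return [compare_version(pv, op, v) for pv, op, v in checks]


if __name__ == "__main__":
    for (pv, op, v), (vuln, cmp_ok) in zip(SAMPLE_CHECKS, run_samples()):
        status = "vulnerable" if vuln else "not matched"
        note = "" if cmp_ok else " (non-numeric NVD value, string match only)"
        print("%s %s %s -> %s%s" % (pv, op, v, status, note))
```

The second element of the returned pair is what lets a caller separate "the data was not comparable" (expected, common, debug-level) from "the comparison ran and the range matched" (the actual finding), which is the distinction the revert message asks for.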
View/Reply Online (#195956): https://lists.openembedded.org/g/openembedded-core/message/195956