mirror of
https://git.busybox.net/buildroot.git
synced 2024-11-23 21:43:30 +08:00
support/scripts/cve.py: properly match CPEs with version '*'
Currently, when the version encoded in a CPE is '-', we assume all versions are affected, but when it's '*' with no further range information, we assume no version is affected. This doesn't make sense, so instead, we handle '*' and '-' in the same way. If there's no version information available in the CVE CPE ID, we assume all versions are affected.

This increases quite a bit the number of CVEs and packages affected:

  - "total-cves": 302,
  - "pkg-cves": 100,
  + "total-cves": 597,
  + "pkg-cves": 135,

For example, CVE-2007-4476 has a CPE ID of:

  cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*

So it should be taken into account. In this specific case, it is combined with an AND with CPE ID

  cpe:2.3:o:suse:suse_linux:10:*:enterprise_server:*:*:*:*:*

but since we don't support this kind of matching, we'd better be on the safe side, and report this CVE as affecting tar, do an analysis of the CVE impact, and document it in TAR_IGNORE_CVES.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
parent 3f2ccb4682
commit 1ff7f003e1
@ -144,10 +144,6 @@ class CVE:
|
||||
# Version is defined, this is a '=' match
|
||||
op_start = '='
|
||||
v_start = version
|
||||
elif version == '-':
|
||||
# no version information is available
|
||||
op_start = '='
|
||||
v_start = version
|
||||
else:
|
||||
# Parse start version, end version and operators
|
||||
if 'versionStartIncluding' in cpe:
|
||||
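Review bot: The comment on the else branch, "# Parse start version, end version and operators", no longer describes everything that branch handles. The hunk header (10 lines down to 6) shows the four-line elif version == '-': branch going away, so a '-' version now lands here together with '*'. Please extend the comment to say that both '-' and '*' reach this branch and that, when the CPE carries no versionStartIncluding or similar range keys, v_start and v_end stay empty and the caller treats that as "all versions affected". Without that note, a later reader could reintroduce the '-' special case or assume empty bounds mean "not affected", which is the behaviour this commit is moving away from.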
@ -206,11 +202,8 @@ class CVE:
|
||||
for cpe in self.each_cpe():
|
||||
if cpe['product'] != name:
|
||||
continue
|
||||
if cpe['v_start'] == '-':
|
||||
return self.CVE_AFFECTS
|
||||
if not cpe['v_start'] and not cpe['v_end']:
|
||||
print("No CVE affected version")
|
||||
continue
|
||||
return self.CVE_AFFECTS
|
||||
if not pkg_version:
|
||||
continue
|
||||
|
||||
|
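Review bot: The only filter in front of the new unconditional return self.CVE_AFFECTS under if not cpe['v_start'] and not cpe['v_end']: is the product comparison, if cpe['product'] != name:, so any CPE with a matching product name and no version range now marks the package as affected, whatever its vendor and even when pkg_version is unset (the if not pkg_version: check comes after). Given that the commit message reports total-cves going from 302 to 597 and says AND-combined CPEs such as the suse_linux one on CVE-2007-4476 are not evaluated, a share of the new hits will need manual triage. I would add a comment at this return stating that a missing range is deliberately treated as "all versions affected" and that such entries are expected to be analysed and recorded in the package's IGNORE_CVES list (TAR_IGNORE_CVES in the message). I would also consider comparing the CPE vendor where it is known, so that a same-named product from another vendor does not report here. The removed print("No CVE affected version") has no replacement, so a short debug message naming the CVE would help whoever reviews the larger report.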