mirror of
https://git.busybox.net/buildroot.git
synced 2024-12-26 13:53:43 +08:00
e3ef352ef6
This commit modifies cve.py, as well as its users cve-checker and pkg-stats to support CPE ID based matching, for packages that have CPE ID information. One of the non-trivial thing is that we can't simply iterate over all CVEs, and then iterate over all our packages to see which packages have CPE ID information that match the CPEs affected by the CVE. Indeed, this is an O(n^2) operation. So instead, we do a pre-filtering of packages potentially affected. In check_package_cves(), we build a cpe_product_pkgs dict that associates a CPE product name to the packages that have this CPE product name. The CPE product name is either derived from the CPE information provided by the package if available, and otherwise we use the package name, which is what was used prior to this patch. And then, when we look at CVEs, we only consider the packages that have a CPE product name matching the CPE products affected by the CVEs. This is done in check_package_cve_affects(). Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> |
||
---|---|---|
.. | ||
config-fragments | ||
dependencies | ||
docker | ||
download | ||
gnuconfig | ||
kconfig | ||
legal-info | ||
libtool | ||
misc | ||
scripts | ||
testing |