authorLee Chee Yang <chee.yang.lee@intel.com>2021-01-22 18:07:19 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-23 17:08:54 +0000
commit3807c6d9a78ac8ade24c9c69cfe2b9624c49a20d (patch)
tree28f45b7c903d0477dd2bda97a361548903cb62dd /meta/classes/cve-check.bbclass
parent2485beac6806bca183054e1497f0f79456e4d9c2 (diff)
cve-check: replace Looseversion with custom version class
The way distutils.version.LooseVersion compares versions is tricky: it treats all of "1.0-beta2", "1.0-rc1", "1.0A", "1.0p2" and "1.0pre1" as greater than "1.0". This might be right for "1.0A" and "1.0p1" but not for the rest, and these versions can be ambiguous; the "p" in "1.0p1" can mean "pre" or "patched" or something else entirely. Replace LooseVersion with a custom class that uses a regex to capture common version formats like "1.1.1", or date-based tag formats like "2020-12-12", as the release section, and checks for the following known strings/tags (beta, rc, pre, dev, alpha, preview) as the pre-release section; any other trailing characters are hard to define, so they are ignored. The release section and the pre-release section are compared separately. A selftest for the version class is included. [YOCTO#14127] (From OE-Core rev: 6ced85e9ddd3569240f1e8b82130d1ac0fffbc40) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r--meta/classes/cve-check.bbclass10
1 files changed, 5 insertions, 5 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d843e7c4ac..646cc879dd 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -206,7 +206,7 @@ def check_cves(d, patched_cves):
206 """ 206 """
207 Connect to the NVD database and find unpatched cves. 207 Connect to the NVD database and find unpatched cves.
208 """ 208 """
209 from distutils.version import LooseVersion 209 from oe.cve_check import Version
210 210
211 pn = d.getVar("PN") 211 pn = d.getVar("PN")
212 real_pv = d.getVar("PV") 212 real_pv = d.getVar("PV")
@@ -263,8 +263,8 @@ def check_cves(d, patched_cves):
263 else: 263 else:
264 if operator_start: 264 if operator_start:
265 try: 265 try:
266 vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) 266 vulnerable_start = (operator_start == '>=' and Version(pv) >= Version(version_start))
267 vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) 267 vulnerable_start |= (operator_start == '>' and Version(pv) > Version(version_start))
268 except: 268 except:
269 bb.warn("%s: Failed to compare %s %s %s for %s" % 269 bb.warn("%s: Failed to compare %s %s %s for %s" %
270 (product, pv, operator_start, version_start, cve)) 270 (product, pv, operator_start, version_start, cve))
@@ -274,8 +274,8 @@ def check_cves(d, patched_cves):
274 274
275 if operator_end: 275 if operator_end:
276 try: 276 try:
277 vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) 277 vulnerable_end = (operator_end == '<=' and Version(pv) <= Version(version_end) )
278 vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) 278 vulnerable_end |= (operator_end == '<' and Version(pv) < Version(version_end) )
279 except: 279 except:
280 bb.warn("%s: Failed to compare %s %s %s for %s" % 280 bb.warn("%s: Failed to compare %s %s %s for %s" %
281 (product, pv, operator_end, version_end, cve)) 281 (product, pv, operator_end, version_end, cve))
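Review bot: The comparisons at 266–267 and 277–278 are still wrapped in a bare `except:` (lines 268 and 279), so a version string the new `Version` class cannot parse only produces a `bb.warn`, and `vulnerable_start`/`vulnerable_end` keep whatever value the code outside the hunk initialised them to — presumably a non-vulnerable default, which makes a failed parse fail-open for a security scanner, and the swap of comparator does not change that. Narrow the handler and surface the cause, e.g. `except Exception as e:` followed by `bb.warn("%s: Failed to compare %s %s %s for %s: %s" % (product, pv, operator_start, version_start, cve, e))` (and the mirror for the end bound), and consider reporting an unparseable `pv` separately rather than silently letting the CVE drop out of the unpatched list. Per the commit description `Version` also discards unrecognised trailing characters, so a distro suffix such as `1.0p2` would compare equal to `1.0`; if that is the intended conservative behaviour for the `<=`/`>=` bounds it deserves a one-line comment next to the import at 209, since a reader of this loop would not expect it. `check_cves` starts before the first hunk and continues past the last.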