diff options
author | Geoffrey GIRY <geoffrey.giry@smile.fr> | 2023-03-28 12:23:49 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-30 12:30:38 +0100 |
commit | 81740facf458a5a3326c0cfca20ebf75d8fe91d0 (patch) | |
tree | 7fd393837325a5d81c8fc38eeb5911c45c751ab2 /meta/classes/cve-check.bbclass | |
parent | e8693364c59e627bf667c5ecc790beb2a59b6dd8 (diff) | |
download | poky-81740facf458a5a3326c0cfca20ebf75d8fe91d0.tar.gz |
cve-check: Fix false negative version issue
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
[YOCTO #14127]
Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
(From OE-Core rev: 7d00f6ec578084a0a0e5caf36241d53036d996c4)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 41fdf8363f..5e2da56046 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -260,7 +260,7 @@ def check_cves(d, patched_cves): | |||
260 | """ | 260 | """ |
261 | Connect to the NVD database and find unpatched cves. | 261 | Connect to the NVD database and find unpatched cves. |
262 | """ | 262 | """ |
263 | from oe.cve_check import Version | 263 | from oe.cve_check import Version, convert_cve_version |
264 | 264 | ||
265 | pn = d.getVar("PN") | 265 | pn = d.getVar("PN") |
266 | real_pv = d.getVar("PV") | 266 | real_pv = d.getVar("PV") |
@@ -324,6 +324,9 @@ def check_cves(d, patched_cves): | |||
324 | if cve in cve_ignore: | 324 | if cve in cve_ignore: |
325 | ignored = True | 325 | ignored = True |
326 | 326 | ||
327 | version_start = convert_cve_version(version_start) | ||
328 | version_end = convert_cve_version(version_end) | ||
329 | |||
327 | if (operator_start == '=' and pv == version_start) or version_start == '-': | 330 | if (operator_start == '=' and pv == version_start) or version_start == '-': |
328 | vulnerable = True | 331 | vulnerable = True |
329 | else: | 332 | else: |