diff options
| author |   Geoffrey GIRY <geoffrey.giry@smile.fr> | 2023-03-28 12:23:49 +0200 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2023-04-03 07:16:26 -1000 |
| commit | eb439b1283b60e6665694ff28c89fbd633eda6b0 (patch) | |
| tree | 284041ee4341ec44aeb6523e05615900c1717357 /meta/classes/cve-check.bbclass | |
| parent | d17f4c741c66268ce54ff89be2be9b0402c98df2 (diff) | |
| download | openembedded-core-contrib-eb439b1283b60e6665694ff28c89fbd633eda6b0.tar.gz | |
cve-check: Fix false negative version issue
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
[YOCTO #14127]
Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7d00f6ec578084a0a0e5caf36241d53036d996c4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 87a59d5c6d..05b9cb47dc 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -253,7 +253,7 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - from oe.cve_check import Version + from oe.cve_check import Version, convert_cve_version pn = d.getVar("PN") real_pv = d.getVar("PV") @@ -317,6 +317,9 @@ def check_cves(d, patched_cves): if cve in cve_whitelist: ignored = True + version_start = convert_cve_version(version_start) + version_end = convert_cve_version(version_end) + if (operator_start == '=' and pv == version_start) or version_start == '-': vulnerable = True else: |