
Revert "cve-check: Modify judgment processing using "=" in version comparison"

Message ID 20231205171839.1693642-1-ross.burton@arm.com
State Accepted, archived
Commit c7c7dbdd5474002cfd9ec24864e77a0df2b790ea

Commit Message

Ross Burton Dec. 5, 2023, 5:18 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

This change introduced a warning if version comparisons failed, but
this is far too common an issue in data that we don't control, so this
shouldn't cause a warning:

WARNING: automake-native-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 = branch_1-9 for CVE-2009-4029
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4\/m5 for CVE-2010-4539
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4\/m5 for CVE-2010-4644
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m1 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m2 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m3 for CVE-2011-0715
WARNING: subversion-1.14.2-r0 do_cve_check: subversion: Failed to compare 1.14.2 = m4\/m5 for CVE-2011-0715
WARNING: automake-1.16.5-r0 do_cve_check: automake: Failed to compare 1.16.5 = branch_1-9 for CVE-2009-4029
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2003-0577
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2004-0982
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2004-1284
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2006-3355
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2007-0578
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2007-0578
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s for CVE-2009-1301
WARNING: mpg123-1.32.3-r0 do_cve_check: mpg123: Failed to compare 1.32.3 = pre0.59s_r11 for CVE-2009-1301

This reverts commit a1989e4197178c2431ceca499e0b4876b233b131.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/cve-check.bbclass | 1 -
 1 file changed, 1 deletion(-)

Comments

Shinji Matsunaga Dec. 28, 2023, 1:58 a.m. UTC | #1
Hi, Ross,

What does "too common an issue" mean?
Is it okay to ignore the misjudgment by the following cases?

e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2"

Regards,
Shinji

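The two concerns in this thread, that NVD start bounds such as branch_1-9, m1 or pre0.59s are not comparable versions at all, and Shinji's question whether a "=" record for 1.2 should match PV 1.2.0, can be shown side by side with a small matcher. The code below is an added example for this page, not code from oe-core or the cve-check class: parse_version is a deliberately simple hypothetical parser (it is not oe.cve_check.Version), vulnerable_start mirrors only the three operators visible in the hunk and returns None instead of raising when a bound cannot be parsed, and check_product plus SAMPLE_RECORDS are constructed for the demonstration (the version strings come from the warnings in the commit message; the CVE-0000-* ids are placeholders).

```python
import re
from typing import List, Optional, Tuple

# Hypothetical parser written for this example; it is not oe.cve_check.Version.
# Accepts a dotted integer release ("1.14.2") with an optional pre-release tag
# ("2.0rc1", "1.0-beta2"). Anything else, including NVD strings such as
# "branch_1-9", "m1" or "pre0.59s", is rejected with ValueError.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)(?:[-_.]?(?P<pre>(?:alpha|beta|rc|pre)\d*))?$",
    re.IGNORECASE,
)

VersionKey = Tuple[Tuple[int, ...], Tuple[int, str, int]]


def parse_version(text: str) -> VersionKey:
    """Return a sortable key; raises ValueError on strings that are not versions."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unparseable version: %r" % text)
    release = [int(part) for part in m.group("release").split(".")]
    # Trailing zeros carry no information, so "1.2.0" compares equal to "1.2".
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = m.group("pre")
    if pre:
        tag, num = re.match(r"([a-z]+)(\d*)", pre.lower()).groups()
        pre_key = (0, tag, int(num or 0))  # a pre-release sorts before the final release
    else:
        pre_key = (1, "", 0)
    return (tuple(release), pre_key)


def vulnerable_start(pv: str, operator_start: str, version_start: str) -> Optional[bool]:
    """Lower-bound test with the three operators used in the hunk.

    Returns True/False for a successful comparison and None when either side
    cannot be parsed, so the caller can record the NVD entry as unresolved
    instead of silently treating it as "not vulnerable".
    """
    try:
        left, right = parse_version(pv), parse_version(version_start)
    except ValueError:
        return None
    if operator_start == ">=":
        return left >= right
    if operator_start == ">":
        return left > right
    if operator_start == "=":
        return left == right
    raise ValueError("unsupported operator: %r" % operator_start)


def check_product(pv: str, records: List[Tuple[str, str, str]]) -> dict:
    """Split NVD start-bound records into matched CVEs and unresolved ones."""
    matched, unresolved = [], []
    for cve, operator_start, version_start in records:
        verdict = vulnerable_start(pv, operator_start, version_start)
        if verdict is None:
            unresolved.append((cve, version_start))
        elif verdict:
            matched.append(cve)
    return {"vulnerable": sorted(set(matched)), "unresolved": unresolved}


# Constructed sample input. The version strings are the ones quoted in the
# commit message's warnings; the CVE-0000-* ids are placeholders for Shinji's
# "1.2.0" versus "1.2" case and for one ordinary range bound.
SAMPLE_RECORDS = [
    ("CVE-2009-4029", "=", "branch_1-9"),
    ("CVE-2010-4539", "=", "m1"),
    ("CVE-2003-0577", "=", "pre0.59s"),
    ("CVE-0000-0000", "=", "1.2"),
    ("CVE-0000-0001", ">=", "1.3"),
]


if __name__ == "__main__":
    report = check_product("1.2.0", SAMPLE_RECORDS)
    print("vulnerable :", report["vulnerable"])
    for cve, start in report["unresolved"]:
        print("unresolved : %s (start bound %r could not be parsed)" % (cve, start))
```

With PV 1.2.0 the placeholder "=" record for 1.2 matches because trailing zeros are normalised away, while the three bounds taken from the warnings end up in the unresolved list rather than producing one warning per comparison. Keeping that list separate is the point: the build can summarise unresolved records once (or hand them to an audit step) without either flooding the log or dropping the equality match altogether.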
Shinji Matsunaga Jan. 16, 2024, 1:47 a.m. UTC | #2
Hi, Ross,

What do you think about the following?

Regards,
Shinji

-----Original Message-----
From: Matsunaga, Shinji/松永 慎司 
Sent: Thursday, December 28, 2023 10:59 AM
To: 'ross.burton@arm.com' <ross.burton@arm.com>
Cc: openembedded-core@lists.openembedded.org
Subject: RE: [PATCH] Revert "cve-check: Modify judgment processing using "=" in version comparison"

Hi, Ross,

What does "too common an issue" mean?
Is it okay to ignore the misjudgment by the following cases?

e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2"

Regards,
Shinji

Shinji Matsunaga Jan. 23, 2024, 6:27 a.m. UTC | #3
Hi, Ross,

What does "too common an issue" mean?
Is it okay to ignore the misjudgment by the following cases?

e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2"

Regards,
Shinji


Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 086d87687f4..5191d043030 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -375,7 +375,6 @@  def check_cves(d, patched_cves):
                         try:
                             vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
                             vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
-                            vulnerable_start |= (operator_start == '=' and Version(pv,suffix) == Version(version_start,suffix))
                         except:
                             bb.warn("%s: Failed to compare %s %s %s for %s" %
                                     (product, pv, operator_start, version_start, cve))
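Review bot: the commit message objects to the warning noise, but the hunk removes the `=` comparison itself rather than the warning, so after this revert a record whose start bound uses `operator_start == '='` never sets `vulnerable_start` and the match is lost without any log line (the `except:` branch still only fires when a comparison raises). If the noise is the problem, keep the `vulnerable_start |= (operator_start == '=' and ...)` line and lower the `bb.warn` to `bb.note` or `bb.debug` for unparseable NVD data; while there, narrowing the bare `except:` to `except ValueError:` would stop a real bug in `Version` from being swallowed as a "failed to compare" message.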