cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning

add CVE_VERSION_SUFFIX to indicate the version suffix type, currently works in two value, "alphabetical" if the version string uses single alphabetical character suffix as incremental release, blank to not consider the unidentified suffixes. This can be expand when more suffix pattern identified. refactor cve_check.Version class to use functools and add parameter to handle suffix condition. Also update testcases to cover new changes. (From OE-Core rev: 5dfd5ad5144708b474ef31eaa89a846c57be8ac0) (From OE-Core rev: 73f8c25a44ee33866a8fa61824437285cea96249) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 86b42289bd) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-06-02 13:29:49 +00:00 · 2021-01-29 11:51:15 +08:00
parent 76e69a2391
commit aaf7efefba
3 changed files with 39 additions and 24 deletions
@@ -53,6 +53,9 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""

+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
+
 python cve_save_summary_handler () {
    import shutil
    import datetime
@@ -210,6 +213,7 @@ def check_cves(d, patched_cves):

    pn = d.getVar("PN")
    real_pv = d.getVar("PV")
+    suffix = d.getVar("CVE_VERSION_SUFFIX")

    cves_unpatched = []
    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -263,8 +267,8 @@ def check_cves(d, patched_cves):
                else:
                    if operator_start:
                        try:
-                            vulnerable_start =  (operator_start == '>=' and Version(pv) >= Version(version_start))
-                            vulnerable_start |= (operator_start == '>' and Version(pv) > Version(version_start))
+                            vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
+                            vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_start, version_start, cve))
@@ -274,8 +278,8 @@ def check_cves(d, patched_cves):

                    if operator_end:
                        try:
-                            vulnerable_end  = (operator_end == '<=' and Version(pv) <= Version(version_end) )
-                            vulnerable_end |= (operator_end == '<' and Version(pv) < Version(version_end) )
+                            vulnerable_end  = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
+                            vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_end, version_end, cve))