From: Matsunaga-Shinji Date: Wed, 29 Nov 2023 02:19:15 +0000 (+0900) Subject: cve-check: Modify judgment processing using "=" in version comparison X-Git-Tag: yocto-5.2~4441 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1989e4197178c2431ceca499e0b4876b233b131;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git cve-check: Modify judgment processing using "=" in version comparison Judgment processing of vulnerable using "=" compares characters as strings rather than numbers, and misjudges "cases that do not match in strings but do match in numbers" as "Patched". (e.g. PV = "1.2.0" and Vulnerabilities Affected Versions (registered with NVD) = "1.2") Therefore, if the comparison operator used in the judgment processing of vulnerable is "=", add numeric comparison processing. Signed-off-by: Shinji Matsunaga Signed-off-by: Shunsuke Tokumoto Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5191d043030..086d87687f4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -375,6 +375,7 @@ def check_cves(d, patched_cves): try: vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) + vulnerable_start |= (operator_start == '=' and Version(pv,suffix) == Version(version_start,suffix)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve))
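Review bot: The new `operator_start == '='` branch relies entirely on `Version.__eq__` treating "1.2.0" and "1.2" as equal, which is the exact case the commit message cites; the message calls this "numeric comparison processing", so the commit message or a unit test should state that `Version(pv, suffix) == Version(version_start, suffix)` does normalise a trailing zero component, otherwise the string-vs-number misjudgment the message describes is not actually fixed by this line. Also, the surrounding `except:` is a bare clause that will swallow any failure inside the three comparisons (including a broken `Version` constructor) and downgrade it to a `bb.warn`, so a malformed `version_start` silently leaves `vulnerable_start` false, i.e. reported as not affected; narrowing it to `except Exception:` and making the warning name the exception would make that failure mode visible during CVE checking.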