[Buildroot] [PATCH v2 3/9] support/scripts/cve.py: Switch to JSON 1.1
Gregory CLEMENT
gregory.clement at bootlin.com
Thu Jul 23 12:23:43 UTC 2020
> Hello Gregory,
>
Hello Titouan,
>
> On 10/07/20 13:22, Gregory CLEMENT wrote:
>> In 2019, the JSON vulnerability feeds switched from version 1.0 to
>> 1.1.
>
> [--SNIP--]
>
>> + def parse_node(self, node):
>> + """
>> + Parse the node inside the configurations section to extract the
>> + cpe information usefull to know if a product is affected by
>> + the CVE. Actually only the product name and the version
>> + descriptor are needed, but we also provide the vendor name.
>> + """
>> +
>> + # The node containing the cpe entries matching the CVE can also
>> + # contain sub-nodes, so we need to manage it.
>> + for child in node.get('children', ()):
>> + self.parse_node(child)
>
>
> This doesn't do anything, because the values yielded in the recursive
> call to self.parse_node() are not used. The generator should be consumed
> like this (Python 2 and 3)
>
> for child in node.get('children', ()):
> for parsed_node in self.parse_node(child):
> yield parsed_node
>
> or with a more recent syntax (Python >=3.4)
>
> for child in node.get('children', ()):
> yield from self.parse_node(child)
>
>
> Also, if I understand correctly, this does not check if the CPE nodes
> have to be ORed or ANDed.
>
> Some time ago, I looked into the switch to the v1.1 of the NVD files,
> but somehow lamely forgot about it afterwards. This is the function I
> came up with to determine if a package at a given version would match a
> certain tree of CPE rules: http://paste.awesom.eu/Dxcv , maybe that
> could help.
Thanks for the feedback, I will fix this according your remarks.
Gregory
>
> Best regards,
>
> Titouan
--
Gregory Clement, Bootlin
Embedded Linux and Kernel engineering
http://bootlin.com
More information about the buildroot
mailing list