[Buildroot] [autobuild.buildroot.net] Your daily results for 2020-10-25

Matthew Weber matthew.weber at rockwellcollins.com
Thu Nov 5 15:24:44 UTC 2020


Peter,


On Wed, Nov 4, 2020 at 2:04 PM Peter Korsgaard <peter at korsgaard.com> wrote:
>
> >>>>> "Matthew" == Matthew Weber <matthew.weber at rockwellcollins.com> writes:
>
>  > Tudor,
>  > On Mon, Oct 26, 2020 at 4:08 AM Tudor Holton <tudor at tudorholton.com> wrote:
>  >>
>  >> Hi all,
>  >>
>  >> The CVE listed below appears only to relate to openjdk6 and openjdk7.
>  >> The current package builds openjdk11.0.8 or openjdk14.0.2.
>  >>
>
>  > The vulnerability database must not be mapping the impacted versions
>  > correctly (i.e. CVE is applicable to which CPE or range of CPE
>  > versions).  When I look at
>  > https://nvd.nist.gov/vuln/detail/CVE-2013-0169 , I see specific
>  > entries for 1.6 / 1.7 / 1.8 and an entry of
>  > cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:* .  I wonder if we are
>  > incorrectly string matching that "-" as a version?  +Gregory  any
>  > ideas?
>
> Yes, I believe we do so since:
>
> commit 008ca2c583cb9dc70cd30c5318b3b1cbef57b06a
> Author: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> Date:   Thu Aug 27 18:55:08 2020 +0200
>
>     support/scripts/pkg-stats: consider "-" as a wildcard when doing CVE version matching
>
>     Some CVE entries in the NVD database have version_value set to "-",
>     which seems to indicate that it applies to all versions of the
>     software project, or that they don't really know which versions are
>     affected, and which are not.
>
>     So, for the benefit of doubt, it seems more appropriate to consider
>     such CVEs as affecting our packages.
>
>     This makes the total number of CVEs affecting our next branch jump
>     from 141 CVEs to 658 CVEs, but that number will go back down once we
>     switch to the JSON 1.1 schema. Indeed, in the JSON 1.0 schema, there
>     are often cases where a version_value is set to "=" *and* specific
>     versions are set to.
>
>     Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
>
>
> How should a '-' be interpreted?
>

Buildroot is doing it correctly by assuming all versions.  In the CVE
dictionary entry they should be listing out all impacted versions if
there is a subset and not all.  I believe sometimes they set '-' just
to be sure someone will look at it and narrow down to the applicable
set.

Matt
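As an added illustration of the matching policy discussed above (example code, not Buildroot's pkg-stats script), the Python below parses CPE 2.3 formatted strings and checks a package name/version against NVD CPE entries, treating a version of "-" as "all versions" exactly as the quoted commit does, and reporting which CPE entry triggered the match so a maintainer can see when a hit comes only from a "-" entry. The NVD data is reduced to a constructed dict of CVE id to CPE list; CVE-2013-0169 and its "-" entry are from the thread, while the exact CPE strings for the 1.6/1.7/1.8 entries are constructed, and vendor is deliberately ignored (assumption, to keep the example small).

```python
import re

# Constructed, reduced shape of NVD "configurations" data: CVE id -> CPE 2.3
# strings. CVE-2013-0169 and its version "-" entry are the ones discussed in
# the thread; the 1.6/1.7/1.8 strings are constructed for the example.
SAMPLE_NVD_ENTRIES = {
    "CVE-2013-0169": [
        "cpe:2.3:a:oracle:openjdk:1.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:oracle:openjdk:1.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:oracle:openjdk:1.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:*",
    ],
}

# Component names of a CPE 2.3 formatted string, after the "cpe:2.3" prefix.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its 11 components."""
    # Split only on colons that are not escaped: the formatted-string syntax
    # writes a literal ':' inside a component as '\:'.
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, fields[2:]))


def version_key(version):
    """Normalise '11.0.8' -> (11, 0, 8) so '1.7' and '1.07' compare equal."""
    return tuple(int(p) if p.isdigit() else p for p in version.split("."))


def version_matches(cpe_version, pkg_version, dash_is_wildcard=True):
    """Does a CPE version component cover the package version?

    '*' is the CPE logical value ANY and always matches. '-' is the logical
    value NA; NVD uses it for "all versions / unknown", so Buildroot treats it
    as a wildcard (the benefit-of-the-doubt policy from the quoted commit).
    Any other value must match the package version exactly.
    """
    if cpe_version == "*":
        return True
    if cpe_version == "-":
        return dash_is_wildcard
    return version_key(cpe_version) == version_key(pkg_version)


def affected_cves(product, pkg_version, entries=SAMPLE_NVD_ENTRIES,
                  dash_is_wildcard=True):
    """Return {cve_id: first matching CPE string} for an application product.

    Keeping the matching CPE lets a reviewer tell a real version hit apart
    from a hit produced only by a '-' entry, which needs manual triage.
    """
    hits = {}
    for cve_id, cpes in entries.items():
        for cpe in cpes:
            c = parse_cpe23(cpe)
            # Only application CPEs ("a") for this product; vendor is ignored
            # here (assumption made to keep the example small).
            if c["part"] != "a" or c["product"] != product:
                continue
            if version_matches(c["version"], pkg_version, dash_is_wildcard):
                hits[cve_id] = cpe
                break
    return hits


if __name__ == "__main__":
    for version in ("11.0.8", "1.7"):
        for policy in (True, False):
            print(version, "dash_is_wildcard=%s" % policy,
                  affected_cves("openjdk", version, dash_is_wildcard=policy))
```

Running it shows the thread's situation: openjdk 11.0.8 is reported for CVE-2013-0169 only because of the `-` entry, and drops out when `dash_is_wildcard=False`, while 1.7 is reported under either policy through its explicit entry. Two caveats for anyone adapting this: version matching here is exact equality after normalisation, so an NVD entry of `1.6` would not cover a package at `1.6.0_xx`, and the `versionStartIncluding`-style range fields of the JSON 1.1 schema the commit mentions are not handled.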
