[Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion

Anton Bengtsson anton.bengtsson at plejd.com
Thu Sep 11 12:12:35 UTC 2025


The package 'distutils' was removed in Python 3.12 (https://docs.python.org/3/library/distutils.html)
and looseversion appears to be a good drop-in replacement for distutils.version.LooseVersion,
see https://pypi.org/project/looseversion/.

Signed-off-by: Anton Bengtsson <anton.bengtsson at plejd.com>
---
 support/scripts/cve.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index ba41762fa0..63372c3273 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -19,11 +19,11 @@
 
 import datetime
 import os
-import distutils.version
 import json
 import subprocess
 import sys
 import operator
+from looseversion import LooseVersion
 
 sys.path.append('utils/')
 
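Review bot: The added `from looseversion import LooseVersion` makes a PyPI package a hard requirement of the CVE checker, so on a host without it the script stops with ImportError before any CVE matching runs, even on Python older than 3.12 where distutils is still available. A guarded import that falls back to `distutils.version.LooseVersion` keeps the checker usable there, and moving it below the stdlib group sets the third-party import apart. Whether the new host dependency is declared or documented elsewhere in the tree is not visible in this patch; if it is not, it should be.

```python
import operator

# Third-party; fall back to the stdlib class on Python < 3.12.
try:
    from looseversion import LooseVersion
except ImportError:
    from distutils.version import LooseVersion
```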
@@ -190,7 +190,7 @@ class CVE:
         by this CVE.
         """
 
-        pkg_version = distutils.version.LooseVersion(version)
+        pkg_version = LooseVersion(version)
         if not hasattr(pkg_version, "version"):
             print("Cannot parse package '%s' version '%s'" % (name, version))
             pkg_version = None
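Review bot: The `hasattr(pkg_version, "version")` test just after the changed line detects a failed parse only through an implementation detail of the version class: the constructor skips parsing for an empty or missing string and leaves the attribute unset. This commit swaps the class that supplies that detail. looseversion is described as a drop-in replacement, so it presumably behaves the same, but that is worth confirming against the package. Alternatively make the check explicit, e.g. `pkg_version = LooseVersion(version) if version else None`, with the message printed in the `None` case. The enclosing method starts and ends outside this hunk.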
@@ -202,7 +202,7 @@ class CVE:
         # version, as they might be different due to
         # <pkg>_CPE_ID_VERSION
         else:
-            pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
+            pkg_version = LooseVersion(cpe_version(cpeid))
 
         for cpe in self.each_cpe():
             if not cpe_matches(cpe['id'], cpeid):
@@ -214,7 +214,7 @@ class CVE:
 
             if cpe['v_start']:
                 try:
-                    cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
+                    cve_affected_version = LooseVersion(cpe['v_start'])
                     inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
                 except TypeError:
                     return self.CVE_UNKNOWN
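Review bot: The `except TypeError` around the comparison is what turns an incomparable version pair into `CVE_UNKNOWN`, but nothing records that the exception is expected to come from LooseVersion's comparison, which this commit now takes from a different package; the same applies to the `v_end` hunk below. A comment above the `try` would document it, for example `# LooseVersion raises TypeError when numeric and alphabetic components are compared; report the CVE as unknown instead of guessing`. It is also worth checking once, with a constructed pair such as '1.0' against '1.a', that looseversion still raises rather than returning a result, since a silent result would turn an unknown into an affected or unaffected verdict. The method body continues outside the hunk.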
@@ -226,7 +226,7 @@ class CVE:
 
             if cpe['v_end']:
                 try:
-                    cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
+                    cve_affected_version = LooseVersion(cpe['v_end'])
                     inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
                 except TypeError:
                     return self.CVE_UNKNOWN
-- 
2.51.0


