Message ID | 20200724154356.2607639-1-gregory.clement@bootlin.com
---|---
Series | Improving CVE reporting
Hello Grégory,

On Fri, 24 Jul 2020 17:43:48 +0200
Gregory CLEMENT <gregory.clement@bootlin.com> wrote:

> Titouan also mentioned that CPE nodes can be ORed or ANDed and I
> confirm it. So I had a closer look at it. First, I found there are
> children nodes only with the AND operator. Then most of the time the
> AND associates a version of a product that could be affected with a
> version of another product which usually provides a service to the first
> one, such as an operating system. Or we could have the association of a
> software and a hardware. Having an application in the second part of
> the AND can happen but is very rare.
>
> Supporting these features will make the code more complex. By just
> parsing the nodes recursively without applying the AND condition, we
> could have some false positive CVEs. But at least we won't miss CVEs and
> the case where it would be useful for buildroot should be very scarce.

Could you give some specific examples of where those AND operators with
child nodes are used? This would help understand what the situations
are that make use of this.

Thanks!

Thomas
Hello all,

On 28/07/20 09:52, Thomas Petazzoni wrote:
>
> Could you give some specific examples of where those AND operators with
> child nodes are used? This would help understand what the situations
> are that make use of this.
>
> Thanks!
>
> Thomas
>

See for example CVE-2019-3699
(https://nvd.nist.gov/vuln/detail/CVE-2019-3699). This is about a
vulnerability of privoxy when it runs on OpenSuse. This CVE is currently
detected for the privoxy package on http://autobuild.buildroot.net/stats/

I have extracted the NVD entry from the NVD 2019 json file for
convenience: http://paste.awesom.eu/ibNy . The matching CPEs are
logically declared as follows:

AND( privoxy:privoxy <3.0.28-lp151.1.1, opensuse:leap:15.1 )

They seem to use this to indicate if a particular distribution/OS is
vulnerable to the CVE.

Titouan
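As an added illustration of the node structure Titouan describes and of the trade-off Grégory raises (example code written for this page, not Buildroot's own support/scripts code), here is a small Python matcher that evaluates NVD JSON 1.1 AND/OR nodes recursively, next to the simpler "ignore the operators" approach from Grégory's mail. The sample entry is constructed, and the `vendor:product -> version` dictionary describing what is built is an assumption.

```python
import re

# Constructed sample in the layout of the NVD JSON 1.1 "configurations.nodes"
# array, modelled on the CVE-2019-3699 entry discussed above (privoxy
# < 3.0.28-lp151.1.1 ANDed with openSUSE Leap 15.1); fields not used here,
# such as "vulnerable", are omitted.
SAMPLE_NODES = [{
    "operator": "AND",
    "children": [
        {"operator": "OR", "cpe_match": [{
            "cpe23Uri": "cpe:2.3:a:privoxy:privoxy:*:*:*:*:*:*:*:*",
            "versionEndExcluding": "3.0.28-lp151.1.1"}]},
        {"operator": "OR", "cpe_match": [{
            "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"}]},
    ],
}]

def _vkey(version):
    """Split '3.0.28-lp151.1.1' so numeric parts compare numerically."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.split(r"[.\-]", version))

def _cpe_matches(match, product, version):
    """True if one cpe_match entry covers 'vendor:product' at 'version'."""
    f = match["cpe23Uri"].split(":")
    if f[3] + ":" + f[4] != product:
        return False
    if f[5] != "*":                 # exact version given in the CPE itself
        return f[5] == version
    k = _vkey(version)              # wildcard: honour the range bounds, if any
    bounds = (("versionStartIncluding", lambda b: k >= b),
              ("versionStartExcluding", lambda b: k > b),
              ("versionEndIncluding", lambda b: k <= b),
              ("versionEndExcluding", lambda b: k < b))
    return all(key not in match or ok(_vkey(match[key])) for key, ok in bounds)

def node_affected(node, installed, strict=True):
    """Walk one node; 'installed' maps 'vendor:product' -> version string.
    strict=True applies AND/OR as NVD intends; strict=False is the simpler
    approach from the thread (any CPE hit anywhere marks the CVE as applying)."""
    hits = [any(_cpe_matches(m, p, v) for p, v in installed.items())
            for m in node.get("cpe_match", [])]
    hits += [node_affected(c, installed, strict) for c in node.get("children", [])]
    if strict and node.get("operator") == "AND":
        return all(hits)
    return any(hits)

def cve_applies(nodes, installed, strict=True):
    """Top-level nodes of an NVD entry are implicitly ORed together."""
    return any(node_affected(n, installed, strict) for n in nodes)
```

With only privoxy in the build, the non-strict walk reports the CVE (the false positive Grégory accepts), while the strict walk only reports it when the openSUSE Leap 15.1 side of the AND is also present.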