@@ -193,6 +193,7 @@ class CVE:
if (self.identifier in cve_ignore_list):
return self.CVE_DOESNT_AFFECT
+ unknown_pkg_version = False
for cpe in self.each_cpe():
affected = True
if cpe['product'] != name:
@@ -205,6 +206,7 @@ class CVE:
pkg_version = distutils.version.LooseVersion(version)
if not hasattr(pkg_version, "version"):
print("Cannot parse package '%s' version '%s'" % (name, version))
+ unknown_pkg_version = True
continue
if cpe['v_start']:
@@ -224,4 +226,8 @@ class CVE:
return self.CVE_UNKNOWN
if (affected):
return self.CVE_AFFECTS
- return self.CVE_DOESNT_AFFECT
+
+ if unknown_pkg_version:
+ return self.CVE_UNKNOWN
+ else:
+ return self.CVE_DOESNT_AFFECT
Until now, when a package didn't report a version, then the CVE comparison was just skipped. It leads most of the time to declare the package not affected by the CVE. Instead of it, report the CVE_UNKNOWN status in order to be aware that the CVE related to this package has to be checked. Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com> --- support/scripts/cve.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)