author: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-12-04 16:45:59 +0100
committer: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2021-01-04 21:38:35 +0100
commit: 78d7521f8230928d5839d1e6ec07d297440fcf02 (patch)
tree: 671bbea498d4466a76fc33d3beb5ecb09b466d34 /support
parent: e3ef352ef677b26d91aad02272468a5048589bb3 (diff)
download: buildroot-78d7521f8230928d5839d1e6ec07d297440fcf02.tar.gz, buildroot-78d7521f8230928d5839d1e6ec07d297440fcf02.tar.bz2
support/scripts/pkg-stats: ignore packages with no valid infra and no version for CVE checking
Virtual packages (which in pkg-stats speak have "no valid infrastructure") and packages that have no version specified cannot be used for CVE checking. They trigger a bunch of warnings from the CVE checking code, as it cannot parse their version: they don't have any version. So instead, we simply skip those packages. A follow-up commit will improve the reporting to be able to distinguish those packages from packages that have seen their CVEs checked and don't have any reported.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Diffstat (limited to 'support')
-rwxr-xr-x support/scripts/pkg-stats | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats
index 100c7750d3..9ec4d645e6 100755
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@@ -570,6 +570,10 @@ def check_package_cves(nvd_path, packages):
cpe_product_pkgs = defaultdict(list)
for pkg in packages:
+ if not pkg.has_valid_infra:
+ continue
+ if not pkg.current_version:
+ continue
if pkg.cpeid:
cpe_product = cvecheck.cpe_product(pkg.cpeid)
cpe_product_pkgs[cpe_product].append(pkg)
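Review bot: the two early `continue` checks at the top of the loop are silent, so a package skipped for lacking a valid infra or a `current_version` becomes indistinguishable in the report from a package that was actually matched against the NVD feed and had no CVEs; the commit message acknowledges this and defers it to a follow-up, but a short comment above the checks would document the intent for readers of the code in the meantime, e.g. `# Virtual packages (no valid infra) and packages without a version cannot be matched against CVEs; skip them`. The two conditions could also be folded into one `if not pkg.has_valid_infra or not pkg.current_version: continue`, which keeps the skip reason in a single place when the reporting is later extended.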