diff options
| author |  Thomas Petazzoni <thomas.petazzoni@bootlin.com> | 2020-12-04 16:45:59 +0100 |
|---|---|---|
| committer | Thomas Petazzoni <thomas.petazzoni@bootlin.com> | 2021-01-04 21:38:35 +0100 |
| commit | 78d7521f8230928d5839d1e6ec07d297440fcf02 (patch) | |
| tree | 671bbea498d4466a76fc33d3beb5ecb09b466d34 /support | |
| parent | e3ef352ef677b26d91aad02272468a5048589bb3 (diff) | |
| download | buildroot-78d7521f8230928d5839d1e6ec07d297440fcf02.tar.gz buildroot-78d7521f8230928d5839d1e6ec07d297440fcf02.tar.bz2 | |
support/scripts/pkg-stats: ignore packages with no valid infra and no version for CVE checking
Virtual packages (with in pkg-stats speak have "no valid
infrastructure") and packages that have no version specified cannot be
used for CVE checking. They trigger a bunch of warnings from the CVE
checking code, as it cannot parse their version: they don't have any
version. So instead, we simply skip those packages.
A follow-up commit will improve the reporting to be able to
distinguish those packages from packages that have seen their CVEs
checked and don't have any reported.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Diffstat (limited to 'support')
| -rwxr-xr-x | support/scripts/pkg-stats | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/support/scripts/pkg-stats b/support/scripts/pkg-stats index 100c7750d3..9ec4d645e6 100755 --- a/support/scripts/pkg-stats +++ b/support/scripts/pkg-stats @@ -570,6 +570,10 @@ def check_package_cves(nvd_path, packages): cpe_product_pkgs = defaultdict(list) for pkg in packages: + if not pkg.has_valid_infra: + continue + if not pkg.current_version: + continue if pkg.cpeid: cpe_product = cvecheck.cpe_product(pkg.cpeid) cpe_product_pkgs[cpe_product].append(pkg) |