From 62b647c4e5da5cfab4f20ba96de74d1a6ccc16ff Mon Sep 17 00:00:00 2001
From: Simon Diepold
Date: Fri, 6 Oct 2023 16:25:40 +0200
Subject: [PATCH 1/2] feat: improved support for unknown version matches
---
cve_bin_tool/cve_scanner.py | 72 +++++++++++++++++----------------
cve_bin_tool/version_scanner.py | 10 +++++
2 files changed, 47 insertions(+), 35 deletions(-)
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
index e2d4b22202..cfc2b942f4 100644
--- a/cve_bin_tool/cve_scanner.py
+++ b/cve_bin_tool/cve_scanner.py
@@ -104,7 +104,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
parsed_version, parsed_version_between = self.canonical_convert(product_info)
# If canonical form of version numbering not found, exit
if parsed_version == "UNKNOWN":
- return
+ pass
self.cursor.execute(query, [vendor, product_info.product, str(parsed_version)])
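Review bot: The `if parsed_version == "UNKNOWN": pass` branch is now dead code and the comment above it still says the function exits, which it no longer does; the literal string `"UNKNOWN"` now flows into the query parameters on the next line. Either drop the branch or replace the comment with one that states the new behaviour, e.g. `# Unknown versions are not filtered here; the range checks below treat "UNKNOWN" as matching every range`. Whether `query` (defined outside the hunk) behaves sensibly with `"UNKNOWN"` as the version parameter cannot be confirmed from this hunk and is worth checking. The rest of get_cves lies outside the hunk.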
@@ -147,45 +147,47 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
# check the start range
passes_start = False
- if (
- version_start_including is not self.RANGE_UNSET
- and parsed_version >= parse_version(version_start_including)
- ):
- passes_start = True
-
- if (
- version_start_excluding is not self.RANGE_UNSET
- and parsed_version > parse_version(version_start_excluding)
- ):
- passes_start = True
-
- if (
- version_start_including is self.RANGE_UNSET
- and version_start_excluding is self.RANGE_UNSET
- ):
- # then there is no start range so just say true
+ if parsed_version == "UNKNOWN":
passes_start = True
+ else:
+ if (
+ version_start_including is not self.RANGE_UNSET
+ and parsed_version >= parse_version(version_start_including)
+ ):
+ passes_start = True
+ if (
+ version_start_excluding is not self.RANGE_UNSET
+ and parsed_version > parse_version(version_start_excluding)
+ ):
+ passes_start = True
- # check the end range
- passes_end = False
- if (
- version_end_including is not self.RANGE_UNSET
- and parsed_version <= parse_version(version_end_including)
- ):
+ if (
+ version_start_including is self.RANGE_UNSET
+ and version_start_excluding is self.RANGE_UNSET
+ ):
+ # then there is no start range so just say true
+ passes_start = True
+ if parsed_version == "UNKNOWN":
passes_end = True
+ else:
+ if (
+ version_end_including is not self.RANGE_UNSET
+ and parsed_version <= parse_version(version_end_including)
+ ):
+ passes_end = True
- if (
- version_end_excluding is not self.RANGE_UNSET
- and parsed_version < parse_version(version_end_excluding)
- ):
- passes_end = True
+ if (
+ version_end_excluding is not self.RANGE_UNSET
+ and parsed_version < parse_version(version_end_excluding)
+ ):
+ passes_end = True
- if (
- version_end_including is self.RANGE_UNSET
- and version_end_excluding is self.RANGE_UNSET
- ):
- # then there is no end range so it passes
- passes_end = True
+ if (
+ version_end_including is self.RANGE_UNSET
+ and version_end_excluding is self.RANGE_UNSET
+ ):
+ # then there is no end range so it passes
+ passes_end = True
# if it fits into both ends of the range, add the cve number
if passes_start and passes_end:
cve_list.append(cve_number)
diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py
index 58bfd4891f..b5307e70ec 100644
--- a/cve_bin_tool/version_scanner.py
+++ b/cve_bin_tool/version_scanner.py
@@ -265,6 +265,16 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:
yield ScanInfo(
ProductInfo(vendor, product, version), file_path
)
+ # else for unknown versions add if identified to package
+ elif "is" in result["is_or_contains"]:
+ file_path = "".join(self.file_stack)
+ self.logger.debug(
+ f'{file_path} {result["is_or_contains"]} {dummy_checker_name} {version}'
+ )
+ for vendor, product in checker.VENDOR_PRODUCT:
+ yield ScanInfo(
+ ProductInfo(vendor, product, version), file_path
+ )
self.logger.debug(f"Done scanning file: (unknown)")
From 4d0eb1f5c72346a025e8ed0e0f86976d66828f14 Mon Sep 17 00:00:00 2001
From: Simon Diepold
Date: Fri, 6 Oct 2023 17:27:20 +0200
Subject: [PATCH 2/2] fix: added missing line
---
cve_bin_tool/cve_scanner.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
index cfc2b942f4..a302cc97b0 100644
--- a/cve_bin_tool/cve_scanner.py
+++ b/cve_bin_tool/cve_scanner.py
@@ -167,6 +167,9 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
):
# then there is no start range so just say true
passes_start = True
+
+ # check the end range
+ passes_end = False
if parsed_version == "UNKNOWN":
passes_end = True
else:
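Review bot: A product whose version could not be parsed is now appended to `cve_list` exactly like a version that was verified to fall inside the affected range, so downstream reporting cannot distinguish a confirmed match from an unverified one, and every CVE known for the product will be reported for it; record that distinction (a separate list, or a flag on the entry) or at least state the over-approximation in a comment such as `# "UNKNOWN" versions match every range: all CVEs for the product are reported and need manual triage`. The `parsed_version == "UNKNOWN"` test is repeated for the start and the end check; a single guard before both, `if parsed_version == "UNKNOWN": passes_start = passes_end = True`, with the original range logic in the `else:` branch would remove a level of nesting. The second patch's hunk at `@@ -167` edits the same block and the same remark applies there. The body of get_cves begins and ends outside the hunk.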
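Review bot: `elif "is" in result["is_or_contains"]:` is a substring test on a string that, judging by its name, holds one of two fixed values; `elif result["is_or_contains"] == "is":` states the intent directly and cannot match a future value that merely contains the letters `is`. The body is a copy of the `yield` block in the preceding branch; if the only difference between the two branches is the version guard, folding that guard into the earlier condition would avoid maintaining two copies. What `version` holds when the checker could not identify one, and the condition of the preceding `if`, are outside the hunk, as is the start of run_checkers.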