feat: improved support for unknown version matches
sw-sdiepold committed Oct 6, 2023
1 parent 2847879 commit 62b647c
Showing 2 changed files with 47 additions and 35 deletions.
72 changes: 37 additions & 35 deletions cve_bin_tool/cve_scanner.py
@@ -104,7 +104,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
parsed_version, parsed_version_between = self.canonical_convert(product_info)
# If canonical form of version numbering not found, exit
if parsed_version == "UNKNOWN":
return
pass

self.cursor.execute(query, [vendor, product_info.product, str(parsed_version)])

@@ -147,45 +147,47 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):

# check the start range
passes_start = False
if (
version_start_including is not self.RANGE_UNSET
and parsed_version >= parse_version(version_start_including)
):
passes_start = True

if (
version_start_excluding is not self.RANGE_UNSET
and parsed_version > parse_version(version_start_excluding)
):
passes_start = True

if (
version_start_including is self.RANGE_UNSET
and version_start_excluding is self.RANGE_UNSET
):
# then there is no start range so just say true
if parsed_version == "UNKNOWN":
passes_start = True
else:
if (
version_start_including is not self.RANGE_UNSET
and parsed_version >= parse_version(version_start_including)
):
passes_start = True
if (
version_start_excluding is not self.RANGE_UNSET
and parsed_version > parse_version(version_start_excluding)
):
passes_start = True

# check the end range
passes_end = False
if (
version_end_including is not self.RANGE_UNSET
and parsed_version <= parse_version(version_end_including)
):
if (
version_start_including is self.RANGE_UNSET
and version_start_excluding is self.RANGE_UNSET
):
# then there is no start range so just say true
passes_start = True
if parsed_version == "UNKNOWN":
passes_end = True
else:
if (
version_end_including is not self.RANGE_UNSET
and parsed_version <= parse_version(version_end_including)
):
passes_end = True

if (
version_end_excluding is not self.RANGE_UNSET
and parsed_version < parse_version(version_end_excluding)
):
passes_end = True
if (
version_end_excluding is not self.RANGE_UNSET
and parsed_version < parse_version(version_end_excluding)
):
passes_end = True

if (
version_end_including is self.RANGE_UNSET
and version_end_excluding is self.RANGE_UNSET
):
# then there is no end range so it passes
passes_end = True
if (
version_end_including is self.RANGE_UNSET
and version_end_excluding is self.RANGE_UNSET
):
# then there is no end range so it passes
passes_end = True
# if it fits into both ends of the range, add the cve number
if passes_start and passes_end:
cve_list.append(cve_number)
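Review bot: With an unknown version, the new `if parsed_version == "UNKNOWN":` branches in the range check set both `passes_start` and `passes_end`, so every range row for the product reaches `cve_list.append(cve_number)` with nothing visible here that marks the match as unverified. Consumers of the scan then cannot tell a confirmed version match from a blanket one, which inflates triage load; a comment at the branch such as `# version unknown: report every CVE range for this product as a potential, unverified match` would record the intent, and tagging the entry for triage would be better if `triage_data` allows it. In the first hunk the `if parsed_version == "UNKNOWN": pass` branch does nothing and its comment still says "exit"; drop the branch and reword the comment to say the lookup now proceeds with the literal `UNKNOWN`. The rendering has lost the +/- markers, so the exact new-side layout is inferred, and `get_cves` starts and ends outside both hunks.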
10 changes: 10 additions & 0 deletions cve_bin_tool/version_scanner.py
@@ -265,6 +265,16 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:
yield ScanInfo(
ProductInfo(vendor, product, version), file_path
)
# else for unknown versions add if identified to package
elif "is" in result["is_or_contains"]:
file_path = "".join(self.file_stack)
self.logger.debug(
f'{file_path} {result["is_or_contains"]} {dummy_checker_name} {version}'
)
for vendor, product in checker.VENDOR_PRODUCT:
yield ScanInfo(
ProductInfo(vendor, product, version), file_path
)

self.logger.debug(f"Done scanning file: {filename}")

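Review bot: The added `elif "is" in result["is_or_contains"]:` is a substring (or membership) test rather than a comparison, so any value that merely contains `is` would also take this branch; if the field only ever holds `is` or `contains`, which this hunk does not show, `elif result["is_or_contains"] == "is":` states the intent exactly. The branch body repeats the `yield ScanInfo(...)` loop that ends the branch just above it (the rest of that branch is outside the hunk), so folding the two conditions together would keep the copies from drifting apart. The existing comment could also say that, per the `cve_scanner.py` change in this commit, a result yielded here with an unknown version is matched against every CVE range for the product. `run_checkers` starts and ends outside the hunk.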
