Connect to the NVD database and find unpatched cves.
"""
import ast, csv, tempfile, subprocess, io
+ from distutils.version import LooseVersion
cves_unpatched = []
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
conn = sqlite3.connect(db_file)
c = conn.cursor()
- query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+ query = """SELECT * FROM PRODUCTS WHERE
+ (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+ (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
for idx in range(len(bpn)):
- for row in c.execute(query % (bpn[idx],pv)):
+ for row in c.execute(query.format(bpn[idx],pv)):
cve = row[1]
+ version = row[4]
+
+ try:
+ discardVersion = LooseVersion(version) < LooseVersion(pv)
+ except:
+ discardVersion = True
+
if pv in cve_whitelist.get(cve,[]):
bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
+ elif discardVersion:
+ bb.debug(2, "Do not consider version %s " % (version))
else:
cves_unpatched.append(cve)
bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
