support/scripts/pkg-stats: ignore packages with no valid infra and no version for CVE checking

Virtual packages (with in pkg-stats speak have "no valid infrastructure") and packages that have no version specified cannot be used for CVE checking. They trigger a bunch of warnings from the CVE checking code, as it cannot parse their version: they don't have any version. So instead, we simply skip those packages. A follow-up commit will improve the reporting to be able to distinguish those packages from packages that have seen their CVEs checked and don't have any reported. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-04 16:45:59 +01:00 · 2020-12-04 16:45:59 +01:00 · 78d7521f82
commit 78d7521f82
parent e3ef352ef6
1 changed files with 4 additions and 0 deletions
--- a/support/scripts/pkg-stats
+++ b/support/scripts/pkg-stats
@ -570,6 +570,10 @@ def check_package_cves(nvd_path, packages):

    cpe_product_pkgs = defaultdict(list)
    for pkg in packages:
+        if not pkg.has_valid_infra:
+            continue
+        if not pkg.current_version:
+            continue
        if pkg.cpeid:
            cpe_product = cvecheck.cpe_product(pkg.cpeid)
            cpe_product_pkgs[cpe_product].append(pkg)