support/scripts/cve.py: use proper CPE ID version when available

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit d06bf96097) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-12 21:41:25 +02:00 · 2021-04-12 21:41:25 +02:00 · 89297fc9ee
commit 89297fc9ee
parent 534c912f3c
1 changed files with 5 additions and 0 deletions
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@ -229,6 +229,11 @@ class CVE:
        # if we don't have a cpeid, build one based on name and version
        if not cpeid:
            cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
+        # if we have a cpeid, use its version instead of the package
+        # version, as they might be different due to
+        # <pkg>_CPE_ID_VERSION
+        else:
+            pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))

        for cpe in self.each_cpe():
            if not cpe_matches(cpe['id'], cpeid):