support/scripts/pkg-stats: consider "-" as a wildcard when doing CVE version matching
author Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thu, 27 Aug 2020 16:55:08 +0000 (18:55 +0200)
committer Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fri, 28 Aug 2020 07:14:38 +0000 (09:14 +0200)
Some CVE entries in the NVD database have version_value set to "-",
which seems to indicate that it applies to all versions of the
software project, or that they don't really know which versions are
affected, and which are not.

So, for the benefit of the doubt, it seems more appropriate to consider
such CVEs as affecting our packages.

This makes the total number of CVEs affecting our next branch jump
from 141 CVEs to 658 CVEs, but that number will go back down once we
switch to the JSON 1.1 schema. Indeed, in the JSON 1.0 schema, there
are often cases where a version_value is set to "=" *and* specific
versions are set too.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
support/scripts/pkg-stats

index e642147b9806f7cc3e4b4f6f5bd545e2a96cee25..4673c71d1a3049252a4c7bfcb8969b0595606992 100755 (executable)
@@ -370,7 +370,9 @@ class CVE:
 
             for v in product['version']['version_data']:
                 if v["version_affected"] == "=":
-                    if br_pkg.current_version == v["version_value"]:
+                    if v["version_value"] == "-":
+                        return CVE_AFFECTS
+                    elif br_pkg.current_version == v["version_value"]:
                         return CVE_AFFECTS
                 elif v["version_affected"] == "<=":
                     pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
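Review bot: the new `if` and `elif` under `version_affected == "="` both return `CVE_AFFECTS`, so they can be collapsed into a single condition, e.g. `if v["version_value"] == "-" or br_pkg.current_version == v["version_value"]:`. More importantly, the `"-"` wildcard is only recognised inside the `"="` branch; a `"-"` value that arrives with `version_affected == "<="` falls through to the `LooseVersion` comparison below instead of being treated as matching, so the wildcard check should either be hoisted above the `version_affected` test or repeated in the `"<="` branch. A short comment stating that `"-"` in NVD data means "all or unknown versions", as the commit message explains, would also help readers who do not have the commit message at hand.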