hubblestack/nova

False Positives in cve_scan_v2

Closed this issue · 3 comments

Due to inconsistency of version numbers across distros, current logic reports 4.2.10-6.el7_2 as more updated than 4.2.10-6.2.el7_2.

Ex:

    ----------
    Compliance:
        0%
    Failure:
        |_
          ----------
          libsmbclient-4.2.10-6.el7_2:
              ----------
              affected_pkg:
                  libsmbclient
              affected_version:
                  4.2.10-6.el7_2
              cve_list:
                  - CVE-2016-2114
                  - CVE-2016-2111
                  - CVE-2016-2112
                  - CVE-2016-2110
                  - CVE-2016-2118
                  - CVE-2015-5370
                  - CVE-2016-2115
                  - CVE-2016-2113
              description:
                  Critical ipa Security Update
              href:
                  http://lists.centos.org/pipermail/centos-announce/2016-April/021814.html
              local_version:
                  4.2.10-6.2.el7_2
              reporter:
                  CentOS Project
              score:
                  0.0
        |_
          ----------
          samba-common-libs-4.2.10-6.el7_2:
              ----------
              affected_pkg:
                  samba-common-libs
              affected_version:
                  4.2.10-6.el7_2
              cve_list:
                  - CVE-2016-2114
                  - CVE-2016-2111
                  - CVE-2016-2112
                  - CVE-2016-2110
                  - CVE-2016-2118
                  - CVE-2015-5370
                  - CVE-2016-2115
                  - CVE-2016-2113
              description:
                  Critical ipa Security Update
              href:
                  http://lists.centos.org/pipermail/centos-announce/2016-April/021814.html
              local_version:
                  4.2.10-6.2.el7_2
              reporter:
                  CentOS Project
              score:
                  0.0

Weren't we stripping the el7 stuff to fix these types of issues?

We discussed this in meatspace, I think we're just going to split out the el7 piece to compare separately, like we currently do with dashes, iirc.

Fixed with #175
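The split-and-compare approach proposed in the thread (compare the upstream version, then the numeric release, then the `el7_2` distro tag separately), as an added illustration that is not the hubblestack/nova code base or the fix in #175; it is a simplified comparator, not rpm's own `rpmvercmp`, and it ignores epochs:

```python
from itertools import zip_longest


def _as_key(token):
    # Numeric tokens compare as integers and sort before alphabetic ones.
    return (0, int(token)) if token.isdigit() else (1, token)


def _split_release(release):
    """Split '6.2.el7_2' into the numeric release '6.2' and the distro tag 'el7_2'.

    The tag starts at the first dot-separated token that does not begin with a digit.
    """
    tokens = release.split('.')
    for i, tok in enumerate(tokens):
        if tok and not tok[0].isdigit():
            return '.'.join(tokens[:i]), '.'.join(tokens[i:])
    return release, ''


def _cmp_dotted(a, b):
    """Compare two dotted strings token by token; a missing token counts as 0."""
    for x, y in zip_longest(a.split('.'), b.split('.'), fillvalue='0'):
        kx, ky = _as_key(x), _as_key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0


def compare_versions(local, affected):
    """Return -1, 0 or 1 for local older than / equal to / newer than affected.

    Both arguments are '<version>-<release>' strings as printed by rpm,
    e.g. '4.2.10-6.2.el7_2'.  Order of comparison: upstream version,
    numeric release, then the distro tag.
    """
    local_ver, _, local_rel = local.partition('-')
    aff_ver, _, aff_rel = affected.partition('-')
    result = _cmp_dotted(local_ver, aff_ver)
    if result:
        return result
    (local_num, local_tag), (aff_num, aff_tag) = _split_release(local_rel), _split_release(aff_rel)
    result = _cmp_dotted(local_num, aff_num)
    if result:
        return result
    return _cmp_dotted(local_tag, aff_tag)


def is_vulnerable(local_version, affected_version):
    """Flag a package only when the installed build is older than the advisory's build."""
    return compare_versions(local_version, affected_version) < 0
```

With this ordering the host in the report (local `4.2.10-6.2.el7_2`, advisory `4.2.10-6.el7_2`) is newer than the advisory build and is no longer flagged.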