Discussion: expat and libexpect conflict on checkers #1694
Comments
I think the expat checker has always been about libexpat. It's one that was written long before this was open sourced, back when we were mostly looking for compiled-in libraries. I'd say we should just change the docstrings to make it more clear but not worry about adding separate checkers for the console utilities unless someone really wants to. Do the console binaries even have separate CVEs that would be worth finding? The library is where the bulk of the work is done so I'd assume this is where the significant CVEs are most likely to occur. We could potentially change the checker name too, but that would be a breaking change for folk who might have it explicitly enabled or disabled, so I wouldn't bother with that unless this is actually causing a problem for someone. We could maybe consider doing that change at some time when we're making bigger breaking changes to the interface, but I'm not expecting any of those for the next release at this time.

Thanks @terriko, I understand.

It should be noted that the only valid CPE ID for expat is
Rename expat checker to libexpat to make it more clear that the checker extracts libexpat version Fix intel#1694 Signed-off-by: Fabrice Fontaine <[email protected]>
Rename expat checker to libexpat to make it more clear that the checker extracts libexpat version Fix #1694 Signed-off-by: Fabrice Fontaine <[email protected]>
As discussed in this issue, we decided to modify `CONTAINS_PATTERNS` for `expat`. But the checker `cve_bin_tool.checkers.expat.ExpatChecker` isn't directly related to `expat` binaries. The listed `CONTAINS_PATTERNS` (example: `"requested feature requires XML_DTD support in Expat"`) and `VENDOR_PRODUCT` (example: `("libexpat_project", "libexpat")`) are related to `libexpat`, which is included in the expat package binaries in all RPM repositories too, but not in any DEB repository (in DEB repos libexpat1 has its own package). DEB packages only provide the `xmlfw` (expat terminal utility) with a dependency on a specific version of `libexpat`. However, the CVE links listed in the docstring of the checker module are also related to libexpat.

Should we modify the `ExpatChecker` to the exact parameters of the exact package binaries and add another checker named `LibexpatChecker`? Or forget about expat and implement a checker only for `libexpat`?
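To make the distinction the issue draws concrete, here is an added example (not code from cve-bin-tool) of a simplified checker-style class built from the two values quoted above, run over a few constructed byte blobs. `CONTAINS_PATTERNS` and `VENDOR_PRODUCT` are the values from the issue; the `VERSION_PATTERNS` regex, the `get_version` return shape and the sample "binaries" are assumptions made for the illustration. It shows why those patterns identify a binary that carries libexpat itself (a shared library, or an RPM-style package with the library compiled in) and do not match a DEB-style `xmlwf` utility that only links the library by name.

```python
import re

# Simplified stand-in for a cve-bin-tool style checker (added example, not the
# project's own code). CONTAINS_PATTERNS and VENDOR_PRODUCT are the values quoted
# in the issue; VERSION_PATTERNS is an assumed placeholder regex.
class LibexpatChecker:
    CONTAINS_PATTERNS = [r"requested feature requires XML_DTD support in Expat"]
    VERSION_PATTERNS = [r"expat_(\d+\.\d+\.\d+)"]  # assumption, not the real pattern
    VENDOR_PRODUCT = [("libexpat_project", "libexpat")]

    def get_version(self, file_bytes: bytes):
        """Return a result dict if the blob looks like it contains libexpat, else None.

        A CONTAINS_PATTERNS hit is what attributes the file to this product; the
        version is only looked up after that, and reported as UNKNOWN if absent.
        """
        text = file_bytes.decode("latin-1")  # byte-for-byte view of the binary
        if not any(re.search(p, text) for p in self.CONTAINS_PATTERNS):
            return None
        version = "UNKNOWN"
        for pattern in self.VERSION_PATTERNS:
            match = re.search(pattern, text)
            if match:
                version = match.group(1)
                break
        return {"vendor_product": self.VENDOR_PRODUCT, "version": version}


# Constructed sample "binaries": NUL-separated strings, roughly what the strings
# section of an ELF looks like. These are not real files.
FAKE_LIBEXPAT_SO = b"\x00".join([
    b"\x7fELF",
    b"requested feature requires XML_DTD support in Expat",
    b"expat_2.4.1",  # constructed version marker matching the assumed regex
])

# A dynamically linked xmlwf-style utility (DEB case) names the shared library
# but does not carry libexpat's own message strings.
FAKE_XMLWF = b"\x00".join([
    b"\x7fELF",
    b"libexpat.so.1",
    b"usage: xmlwf [options] file",
])

# Library strings present but no recognisable version marker.
FAKE_NO_VERSION = b"\x00".join([
    b"\x7fELF",
    b"requested feature requires XML_DTD support in Expat",
])


def scan(file_bytes: bytes):
    """Run the stand-in checker over one blob."""
    return LibexpatChecker().get_version(file_bytes)


if __name__ == "__main__":
    samples = [
        ("libexpat.so", FAKE_LIBEXPAT_SO),
        ("xmlwf", FAKE_XMLWF),
        ("no-version", FAKE_NO_VERSION),
    ]
    for name, blob in samples:
        print(f"{name}: {scan(blob)}")
```

The `xmlwf` blob returning `None` is the point of the thread: a checker keyed on libexpat's internal strings reports the library, so on DEB systems it fires on the `libexpat1` package rather than on the `expat` utility package, and the checker name and docstring should say so.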