Python bundles pip, but does not track CVEs reported against it.
Add an explicit CPE to be able to detect CVEs affecting the pip version
bundled with Python.
Currently it is a manual process of keeping the version in sync with
the one used in Python.
The CVE-2018-20225 is essentially marked as ignored. It is not fixed
upstream, and other users like Debian are also essentially ignoring
this CVE:
https://security-tracker.debian.org/tracker/CVE-2018-20225
Pull Request: https://projects.blender.org/blender/blender/pulls/125648

The mnemonic for the remark Ignored has been split into False Positive
and Not Affected in the recent version of cve_bin_tool, preventing it
from properly parsing the CSV file and from producing a proper
report.
Use Not Affected, as it seems to be the closest to what Ignored was
used for in our case.
Pull Request: https://projects.blender.org/blender/blender/pulls/125645

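As an added example, not Blender's or cve-bin-tool's own code, the script below migrates a triage CSV from the retired Ignored remark to the Not Affected remark chosen in the commit above, and flags any remark that a recent cve-bin-tool release would not recognize (which is what breaks the report). It assumes the triage file uses cve-bin-tool's documented CSV input columns (vendor, product, version, cve_number, remarks, comments) and that remarks are matched ignoring case and spacing; the sample rows, the pip version and the pypa vendor name are constructed for illustration, and the GMP CVE id is a placeholder because the page does not name it.

```python
"""Migrate a cve-bin-tool style triage CSV away from the retired "Ignored" remark.

Added example (not Blender's or cve-bin-tool's code). Assumes cve-bin-tool's
CSV input layout: vendor,product,version,cve_number,remarks,comments.
"""
import csv
import io

# Remarks accepted by recent cve-bin-tool releases (assumption: spelling as in
# the tool's documentation; compared case- and separator-insensitively below).
VALID_REMARKS = {"NewFound", "Unexplored", "Confirmed", "Mitigated",
                 "FalsePositive", "NotAffected"}

# The retired remark and the replacement the commit settled on.
RETIRED_REMARKS = {"Ignored": "NotAffected"}


def normalize(remark: str) -> str:
    """Fold case, spaces and underscores so "Not Affected" == "NotAffected"."""
    return "".join(ch for ch in remark if ch.isalnum()).lower()


# Map every normalized spelling back to its canonical form.
_CANON = {normalize(r): r for r in VALID_REMARKS | set(RETIRED_REMARKS)}


def migrate_rows(rows):
    """Return (migrated rows, findings).

    Retired remarks are rewritten; unknown remarks are left untouched but
    reported, since cve-bin-tool would fail to parse the file as-is.
    Line numbers start at 2 because line 1 is the CSV header.
    """
    migrated, findings = [], []
    for lineno, row in enumerate(rows, start=2):
        canon = _CANON.get(normalize(row.get("remarks", "")))
        if canon is None:
            findings.append(f"line {lineno}: unknown remark {row['remarks']!r} "
                            f"for {row['cve_number']}")
            migrated.append(dict(row))
        elif canon in RETIRED_REMARKS:
            new = dict(row, remarks=RETIRED_REMARKS[canon])
            findings.append(f"line {lineno}: {canon} -> {new['remarks']} "
                            f"for {row['cve_number']}")
            migrated.append(new)
        else:
            migrated.append(dict(row, remarks=canon))
    return migrated, findings


def migrate_csv(text: str) -> tuple[str, list[str]]:
    """Parse a triage CSV, migrate it, and return (new CSV text, findings)."""
    reader = csv.DictReader(io.StringIO(text))
    rows, findings = migrate_rows(list(reader))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), findings


# Constructed sample triage file. The pip row reflects the commit messages;
# "22.0" and "pypa" are illustrative, and the GMP CVE id is a placeholder.
SAMPLE_TRIAGE = """vendor,product,version,cve_number,remarks,comments
pypa,pip,22.0,CVE-2018-20225,Ignored,Not fixed upstream; Debian also ignores it
gmp,gmp,6.2.1,CVE-0000-PLACEHOLDER,Mitigated,Patched in the library update
gmp,gmp,6.2.1,CVE-0000-PLACEHOLDER2,Ignroed,typo that would break the tool's parser
"""

if __name__ == "__main__":
    new_csv, notes = migrate_csv(SAMPLE_TRIAGE)
    for note in notes:
        print("finding:", note)
    print(new_csv)
```

Running the script rewrites the pip row to NotAffected and reports the misspelled remark on the last row instead of silently passing it through, so the file can be fixed before it is handed to cve-bin-tool.
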
After the last library update cve_check still reported some false positives.
One GMP issue was mitigated with a patch in the library update. The others
are ignored, with a description explaining why they do not affect Blender.
Ref D16269, T101403

This change adds support for Intel's cve-bin-tool [1]
in the deps builder. This adds 2 new targets to the
builder that do not build automatically but can be
built on demand when required.
`make cve_check` will output to the console.
`make cve_check_html` will output an HTML file that
can be shared with other people.
Requirements:
- A working installation of cve-bin-tool on the system
Not required but highly recommended:
- Obtaining a key from the NVD [2] to speed up the
database download. You can pass the key to cmake
using `-DCVE_CHECK_NVD_KEY=your_api_key`
[1] https://github.com/intel/cve-bin-tool
[2] https://nvd.nist.gov/developers/request-an-api-key
Reviewed By: brecht
Differential Revision: https://developer.blender.org/D16160