Add version list to affected versions, if no range is specified

merlin-sievers · merlin-sievers · commit 84fc30d620ff · 2025-04-23T13:42:38.000+02:00
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -57,6 +57,7 @@ def __init__(
         self.products_without_cve = 0
         self.all_cve_data = defaultdict(CVEData)
         self.all_cve_version_info = dict()
+        self.all_cve_version_list = dict()
         self.check_exploits = check_exploits
         self.exploits_list = exploits_list
         self.disabled_sources = disabled_sources
@@ -136,6 +137,15 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
 
         cve_list = list(map(lambda x: x[0], self.cursor.fetchall()))
 
+        for cve_number in cve_list:
+            query = """
+            SELECT version FROM cve_range
+            WHERE CVE_number=? AND versionStartIncluding='' AND versionStartExcluding='' AND versionEndIncluding='' AND versionEndExcluding=''
+            """
+            self.cursor.execute(query, [cve_number])
+            affected_versions = list(set(map(lambda x: x[0], self.cursor.fetchall())))
+            self.all_cve_version_info[cve_number] = VersionInfo('','','','', affected_versions)
+
         # Check for any ranges
         query = """
         SELECT
@@ -208,6 +218,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
                     start_excluding=version_start_excluding,
                     end_including=version_end_including,
                     end_excluding=version_end_excluding,
+                    version_list=[],
                 )
 
         product_info_data: CVEData | None = self.all_cve_data.get(product_info)
@@ -252,6 +263,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
                             self.logger.debug(
                                 f"{row['cve_number']} already reported from {c.data_source}"
                             )
+                            self.logger.debug(c)
                             duplicate_found = True
                             break
 
diff --git a/cve_bin_tool/output_engine/util.py b/cve_bin_tool/output_engine/util.py
@@ -123,7 +123,7 @@ def format_version_range(version_info: VersionInfo) -> str:
     Reference for Interval terminologies: https://en.wikipedia.org/wiki/Interval_(mathematics)
     """
 
-    (start_including, start_excluding, end_including, end_excluding) = version_info
+    (start_including, start_excluding, end_including, end_excluding, version_list) = version_info
     if start_including and end_including:
         return f"[{start_including} - {end_including}]"
     if start_including and end_excluding:
@@ -140,6 +140,8 @@ def format_version_range(version_info: VersionInfo) -> str:
         return f"<= {end_including}"
     if end_excluding:
         return f"< {end_excluding}"
+    if version_list:
+        return 'list: ' + ", ".join(version_list)
     return "-"
 
 
diff --git a/cve_bin_tool/util.py b/cve_bin_tool/util.py
@@ -246,6 +246,7 @@ class VersionInfo(NamedTuple):
     start_excluding: str
     end_including: str
     end_excluding: str
+    version_list: list[str]
 
 
 class CVEData(DefaultDict[str, Union[List[CVE], Set[str]]]):
