fix: improve openssh signature (#2684)

Update openssh signature to avoid catching OpenSSH_2.5 strings, etc. This will avoid false positives with all putty test packages While at it, add debian and OpenWRT test packages Signed-off-by: Fabrice Fontaine <[email protected]>
intel · Feb 13, 2023 · f8333d7 · f8333d7
1 parent d1a5072
commit f8333d7
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 6 deletions.
diff --git a/cve_bin_tool/checkers/openssh.py b/cve_bin_tool/checkers/openssh.py
@@ -28,5 +28,5 @@ class OpensshChecker(Checker):
         r"slogin",
         r"sshd",
     ]
-    VERSION_PATTERNS = [r"OpenSSH_([0-9]+\.[0-9]+[0-9a-z\s]*)"]
+    VERSION_PATTERNS = [r"\r?\nOpenSSH_([0-9]+\.[0-9]+(\.[0-9]+)?p[0-9]+)(?:\r?\n| )"]
     VENDOR_PRODUCT = [("openbsd", "openssh")]
diff --git a/test/condensed-downloads/openssh-client_6.7p1-5+deb8u4_amd64.deb.tar.gz b/test/condensed-downloads/openssh-client_6.7p1-5+deb8u4_amd64.deb.tar.gz
diff --git a/test/condensed-downloads/openssh-client_8.0p1-1_x86_64.ipk.tar.gz b/test/condensed-downloads/openssh-client_8.0p1-1_x86_64.ipk.tar.gz
diff --git a/test/test_data/openssh.py b/test/test_data/openssh.py
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 mapping_test_data = [
-    {"product": "openssh", "version": "6.9", "version_strings": ["OpenSSH_6.9"]}
+    {"product": "openssh", "version": "6.8p1", "version_strings": ["OpenSSH_6.8p1"]}
 ]
 package_test_data = [
     {
@@ -11,5 +11,19 @@
         "product": "openssh",
         "version": "6.8p1",
         "other_products": [],
-    }
+    },
+    {
+        "url": "http://ftp.fr.debian.org/debian/pool/main/o/openssh/",
+        "package_name": "openssh-client_6.7p1-5+deb8u4_amd64.deb",
+        "product": "openssh",
+        "version": "6.7p1",
+        "other_products": [],
+    },
+    {
+        "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/",
+        "package_name": "openssh-client_8.0p1-1_x86_64.ipk",
+        "product": "openssh",
+        "version": "8.0p1",
+        "other_products": ["putty"],
+    },
 ]
diff --git a/test/test_data/putty.py b/test/test_data/putty.py
@@ -11,20 +11,20 @@
         "package_name": "putty-0.77-1.3.aarch64.rpm",
         "product": "putty",
         "version": "0.77",
-        "other_products": ["openssh"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/opensuse/ports/armv6hl/tumbleweed/repo/oss/armv6hl/",
         "package_name": "putty-0.77-1.3.armv6hl.rpm",
         "product": "putty",
         "version": "0.77",
-        "other_products": ["openssh"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/p/putty/",
         "package_name": "putty_0.70-6_arm64.deb",
         "product": "putty",
         "version": "0.70",
-        "other_products": ["openssh"],
+        "other_products": [],
     },
 ]