@jackulau jackulau commented Dec 10, 2025

Add pattern to detect libevent version in Android libraries where the version string format differs from standard Linux binaries.

  • Add FILENAME_PATTERNS to match libevent library files
  • Add VERSION_PATTERN to match Android format where version appears before "Active events:" diagnostic string
  • Add test case for Android libevent format

Summary

Addresses #5441 - Android libevent library not detected by CVE-bin-tool.

  • Added FILENAME_PATTERNS to match libevent library files
  • Added new VERSION_PATTERN to detect version in Android binaries where the version string is standalone
  • Added test case for Android libevent format

Details

The existing patterns required the string libevent using: to be adjacent to the version, which is not the case in Android binaries. In Android's libevent.so, the version string 2.1.8-stable appears standalone between other diagnostic strings.

The new pattern:

r"([0-9]+\.[0-9]+\.[0-9]+)-stable\r?\nActive events:"

Matches:

  • Confirmed pattern detects version 2.1.8

Test plan

  • Run pytest -k libevent to validate test cases

Add pattern to detect libevent version in Android libraries where the
version string format differs from standard Linux binaries.

- Add FILENAME_PATTERNS to match libevent library files
- Add VERSION_PATTERN with word boundary to match formats like
  "libevent-2.1.8-stable" while avoiding false positives
- Add test case for Android libevent format

@jackulau jackulau force-pushed the 5441_libevent branch 2 times, most recently from 6b7696a to b8a6c8b Compare December 12, 2025 03:43

Update VERSION_PATTERN to handle null byte separators in Android
libevent binaries.

- Change pattern to match null byte (\x00) separators
- Handle optional "Inserted events:" between version and "Active events:"
- Add test cases for Android libevent formats

Tested on Android API 28, 29, 30, 34

Partial fix for ossf#5441

Signed-off-by: Jack <[email protected]>
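
The separator problem described in the commit messages above, as an added example that is not part of the pull request or of cve-bin-tool's code. Only `NEWLINE_PATTERN` comes from the description (here as a bytes pattern); `ANDROID_PATTERN`, `detect_version` and the sample byte strings are hypothetical and constructed for illustration.

```python
import re

# Pattern quoted in the PR description, compiled as bytes so it can be run
# against raw binary content. It expects newline-separated strings.
NEWLINE_PATTERN = re.compile(rb"([0-9]+\.[0-9]+\.[0-9]+)-stable\r?\nActive events:")

# Hypothetical pattern for this example: any run of NUL, CR or LF separates
# the strings, and "Inserted events:" may sit between the version and
# "Active events:". The lookbehind stops a match starting in the middle of a
# longer dotted number such as 10.2.1.8.
SEP = rb"[\x00\r\n]+"
ANDROID_PATTERN = re.compile(
    rb"(?<![0-9.])([0-9]+\.[0-9]+\.[0-9]+)-stable" + SEP
    + rb"(?:Inserted events:" + SEP + rb")?Active events:"
)


def detect_version(blob, pattern):
    """Return the captured version as text, or None when nothing matches."""
    match = pattern.search(blob)
    return match.group(1).decode("ascii") if match else None


# Constructed samples, not bytes taken from a real libevent.so.
SAMPLES = {
    "newline": b"event_base_dump_events\n2.1.8-stable\nActive events:\n",
    "nul": b"event_base_dump_events\x002.1.8-stable\x00Active events:\n\x00",
    "nul_inserted": b"\x002.1.8-stable\x00Inserted events:\n\x00Active events:\n\x00",
    "other_library": b"\x002.1.8-stable\x00libfoo build info\x00",
    "longer_number": b"\x0010.2.1.8-stable\x00Active events:\n\x00",
}


def compare():
    """Run both patterns over every sample: name -> (newline result, android result)."""
    return {
        name: (detect_version(blob, NEWLINE_PATTERN),
               detect_version(blob, ANDROID_PATTERN))
        for name, blob in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:14} newline-pattern={old!s:6} android-pattern={new}")
```

The last two samples are the negative cases a checker test would also want: a matching version string that is not followed by libevent's diagnostic text, and a version embedded in a longer dotted number.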