Message ID | 20241210114839.1579228-4-marta.rybczynska@ygreky.com |
---|---|
State | New |
Series | cve-check: use the more stable old feed |
This should probably be made configurable so we can switch to a source which is reliable/available/up-to-date at time of build. Maybe something like CVE_CHECK_DB_FETCHER ?= "cve-update-db-native2" CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('CVE_CHECK_DB_FETCHER') == 'cve-update-nvd2-native' else 'nvdcve_1-3.db'}" do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack" Peter > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of Marta Rybczynska via > lists.openembedded.org > Sent: Tuesday, December 10, 2024 12:48 > To: openembedded-core@lists.openembedded.org > Cc: Marta Rybczynska <marta.rybczynska@ygreky.com> > Subject: [OE-core] [RFC 3/3] cve-check: revert to old NVD feed > > Use the old NVD feed > > Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> > --- > meta/classes/cve-check.bbclass | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 6e10dd915a..7cc2248faf 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -31,7 +31,7 @@ > CVE_PRODUCT ??= "${BPN}" > CVE_VERSION ??= "${PV}" > > -CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" > +CVE_CHECK_DB_FILENAME ?= "nvdcve_1-3.db" > CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" > CVE_CHECK_DB_FILE ?= > "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" > CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" > @@ -182,7 +182,7 @@ python do_cve_check () { > } > > addtask cve_check before do_build > -do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" > +do_cve_check[depends] = "cve-update-db-native2:do_unpack" > do_cve_check[nostamp] = "1" > > python cve_check_cleanup () { > -- > 2.45.2
On Tue, Dec 10, 2024 at 1:33 PM Marko, Peter <Peter.Marko@siemens.com> wrote:

> This should probably be made configurable so we can switch to a source
> which is reliable/available/up-to-date at time of build.
>
> Maybe something like
> CVE_CHECK_DB_FETCHER ?= "cve-update-db-native2"
> CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if
> d.getVar('CVE_CHECK_DB_FETCHER') == 'cve-update-nvd2-native' else
> 'nvdcve_1-3.db'}"
> do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack"

You're right here. There will be an additional variable in the next version of the patch adding yet another source, so that you can choose from three of them.

Kind regards,
Marta
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 6e10dd915a..7cc2248faf 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -31,7 +31,7 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" -CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" +CVE_CHECK_DB_FILENAME ?= "nvdcve_1-3.db" CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" @@ -182,7 +182,7 @@ python do_cve_check () { } addtask cve_check before do_build -do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" +do_cve_check[depends] = "cve-update-db-native2:do_unpack" do_cve_check[nostamp] = "1" python cve_check_cleanup () {
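Review bot: In the first hunk, the new default `CVE_CHECK_DB_FILENAME ?= "nvdcve_1-3.db"` is only right while `do_cve_check[depends]` in the second hunk names the matching fetcher, and nothing in the class ties the two values together. Because this is a `?=` default, a configuration that still sets the filename to `nvdcve_2-2.db` keeps that value while the dependency changes underneath it, so the check can end up pointed at a database file the new dependency is not expected to create. Suggest deriving the filename from a single fetcher-selection variable, as proposed in the reply on this thread, or at least adding a comment next to the assignment stating which fetcher recipe each filename belongs to.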
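Review bot: In the second hunk, `do_cve_check[depends] = "cve-update-db-native2:do_unpack"` hard-wires the fetcher recipe, so choosing a different data source again means editing the class, and the commit message ("Use the old NVD feed") does not say why the switch is being made. Suggest recording the reason in the commit message, noting there that this patch relies on `cve-update-db-native2` being provided elsewhere in the series (the diffstat shows only `cve-check.bbclass` changed), and taking the recipe name from a variable so the source can be selected per build.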
Use the old NVD feed

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 meta/classes/cve-check.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)