| Message ID | 20241224102557.9300-5-marta.rybczynska@ygreky.com |
|---|---|
| State | New |
| Series | Allow choosing the NVD feed |
On 24 Dec 2024, at 10:25, Marta Rybczynska via lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org> wrote:

There’s an inconsistency:

> Set the NVD_DB_VERSION variable to choose feed:
> NVD2 (default) - the NVD feed with API version 2
> NVD1 - the NVD JSON feed (deprecated)
> FKIE - the FKIE-CAD feed reconstruction

“NVD1”

> +# Possible database sources: NVD1, NVD2, FKIE
> +NVD_DB_VERSION ?= "NVD2"

“NVD1”

> +    if nvd_database_type not in ("NVD", "NVD2", "FKIE"):

“NVD”

I’m thinking “NVD1” should be used everywhere.

If you set it as the documentation says then every recipe throws a warning, which is quite the pastebomb. Might be better to make it bb.fatal() and tell the user to fix their typo?

Ross
Hi,

Also I ran the scanner against core-image-sato for each of the feeds and interestingly nvd2 was the only one to report CVE-1999-0524. Do you have any idea why this might be?

That said, a fetch taking a minute or so instead of almost an hour is a great improvement!

Cheers,
Ross

> On 14 Jan 2025, at 17:54, Ross Burton via lists.openembedded.org <ross.burton=arm.com@lists.openembedded.org> wrote:
>
> On 24 Dec 2024, at 10:25, Marta Rybczynska via lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org> wrote:
>
> There’s an inconsistency:
>
>> Set the NVD_DB_VERSION variable to choose feed:
>> NVD2 (default) - the NVD feed with API version 2
>> NVD1 - the NVD JSON feed (deprecated)
>> FKIE - the FKIE-CAD feed reconstruction
>
> “NVD1”
>
>> +# Possible database sources: NVD1, NVD2, FKIE
>> +NVD_DB_VERSION ?= "NVD2"
>
> “NVD1”
>
>> +    if nvd_database_type not in ("NVD", "NVD2", "FKIE"):
>
> “NVD”
>
> I’m thinking “NVD1” should be used everywhere.
>
> If you set it as the documentation says then every recipe throws a warning, which is quite the pastebomb. Might be better to make it bb.fatal() and tell the user to fix their typo?
>
> Ross
Hello,

This one is simple. cve-update-db-native starts from 2002, while cve-update-nvd2-native starts from the beginning of the database, so 1999. We might unify this, but I do not consider it a priority.

Kind regards,
Marta

On Wed, Jan 15, 2025 at 1:23 PM Ross Burton <Ross.Burton@arm.com> wrote:
> Hi,
>
> Also I ran the scanner against core-image-sato for each of the feeds and
> interestingly nvd2 was the only one to report CVE-1999-0524. Do you have
> any idea why this might be?
>
> That said, a fetch taking a minute or so instead of almost an hour is a
> great improvement!
>
> Cheers,
> Ross
>
> > On 14 Jan 2025, at 17:54, Ross Burton via lists.openembedded.org
> > <ross.burton=arm.com@lists.openembedded.org> wrote:
> >
> > On 24 Dec 2024, at 10:25, Marta Rybczynska via lists.openembedded.org
> > <rybczynska=gmail.com@lists.openembedded.org> wrote:
> >
> > There’s an inconsistency:
> >
> >> Set the NVD_DB_VERSION variable to choose feed:
> >> NVD2 (default) - the NVD feed with API version 2
> >> NVD1 - the NVD JSON feed (deprecated)
> >> FKIE - the FKIE-CAD feed reconstruction
> >
> > “NVD1”
> >
> >> +# Possible database sources: NVD1, NVD2, FKIE
> >> +NVD_DB_VERSION ?= "NVD2"
> >
> > “NVD1”
> >
> >> +    if nvd_database_type not in ("NVD", "NVD2", "FKIE"):
> >
> > “NVD”
> >
> > I’m thinking “NVD1” should be used everywhere.
> >
> > If you set it as the documentation says then every recipe throws a
> > warning, which is quite the pastebomb. Might be better to make it
> > bb.fatal() and tell the user to fix their typo?
> >
> > Ross
I've submitted the v3. It fixes the typo, upgrades the warning to erroronce, but still defaults to NVD2.

One other change is the move to different database file names for each feed. There might be slight transitional differences between them depending on the synchronization time. A merge between sources that are not in sync could cause strange errors.

Kind regards,
Marta

On Tue, Jan 14, 2025 at 6:54 PM Ross Burton <Ross.Burton@arm.com> wrote:
> On 24 Dec 2024, at 10:25, Marta Rybczynska via lists.openembedded.org
> <rybczynska=gmail.com@lists.openembedded.org> wrote:
>
> There’s an inconsistency:
>
> > Set the NVD_DB_VERSION variable to choose feed:
> > NVD2 (default) - the NVD feed with API version 2
> > NVD1 - the NVD JSON feed (deprecated)
> > FKIE - the FKIE-CAD feed reconstruction
>
> “NVD1”
>
> > +# Possible database sources: NVD1, NVD2, FKIE
> > +NVD_DB_VERSION ?= "NVD2"
>
> “NVD1”
>
> > +    if nvd_database_type not in ("NVD", "NVD2", "FKIE"):
>
> “NVD”
>
> I’m thinking “NVD1” should be used everywhere.
>
> If you set it as the documentation says then every recipe throws a
> warning, which is quite the pastebomb. Might be better to make it
> bb.fatal() and tell the user to fix their typo?
>
> Ross
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 6e10dd915a..4bd9af4abf 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -31,7 +31,11 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" -CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" +# Possible database sources: NVD1, NVD2, FKIE +NVD_DB_VERSION ?= "NVD2" + +CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db'}" +CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}" CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" @@ -114,6 +118,11 @@ python () { d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) else: bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + + nvd_database_type = d.getVar("NVD_DB_VERSION") + if nvd_database_type not in ("NVD", "NVD2", "FKIE"): + d.setVar("NVD_DB_VERSION", "NVD2") + bb.warn("Malformed NVD_DB_VERSION, resetting to NVD2") } def generate_json_report(d, out_path, link_path): @@ -182,7 +191,7 @@ python do_cve_check () { } addtask cve_check before do_build -do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" +do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack" do_cve_check[nostamp] = "1" python cve_check_cleanup () {
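Review bot: in the first hunk the expressions for CVE_CHECK_DB_FILENAME and CVE_CHECK_DB_FETCHER only distinguish 'NVD2' from everything else, so NVD1 and FKIE both resolve to the same file 'nvdcve_1-3.db' and the same fetcher 'cve-update-db-native', even though the new comment lists three sources. A user who switches NVD_DB_VERSION between NVD1 and FKIE then reuses one database file populated from a different source, and an update that merges two feeds which are not at the same synchronisation point can leave inconsistent records. Give each feed its own filename (a three-way expression on NVD_DB_VERSION rather than `'nvdcve_2-2.db' if ... == 'NVD2' else 'nvdcve_1-3.db'`) so the file is tied to the source that filled it.

Review bot: the accepted set in the second hunk, `("NVD", "NVD2", "FKIE")`, does not match the comment added in the first hunk or the commit message, which both document NVD1; a user who sets NVD_DB_VERSION = "NVD1" as documented is silently reset to NVD2. Because this sits in the class's anonymous `python () {` block, the bb.warn() fires once for every recipe that inherits cve-check, as Ross's review points out. Use "NVD1" in the tuple, and since an unknown value is a configuration typo rather than a condition worth recovering from, fail with bb.fatal() naming the accepted values instead of resetting, e.g. `bb.fatal("Invalid NVD_DB_VERSION '%s', expected one of NVD1, NVD2, FKIE" % nvd_database_type)`; bb.erroronce() is the minimum if the build should continue to the report.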
Allow choice of one of three feeds and update task dependencies accordingly. All feeds contain data from NVD.

Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
meta/classes/cve-check.bbclass | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)