| Message ID | 20260129211012.623827-3-valentin.boudevin@gmail.com |
|---|---|
| State | Under Review |
| Series | generate-cve-exclusions: Add a .bbclass |
On Thu Jan 29, 2026 at 10:10 PM CET, vboudevin via lists.openembedded.org wrote:
> This recipe is in charge of cloning and setting the cvelistv5
> repository: https://github.com/CVEProject/cvelistV5
>
> The variable CVELISTV5_USE_AUTOREV can be used to use AUTOREV to use the
> latest available commit on the remote repository and stay
> up-to-date with the latest CVE information available.
>
> AUTOREV would make the build non-deterministic, turned off by default.
>
> Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
> ---

Hi Valentin,

As for the other series, you have to add a maintainer entry for the new recipe.

Thanks,
Mathieu
On Thu, 2026-01-29 at 16:10 -0500, vboudevin via lists.openembedded.org wrote: > This recipe is in charge of cloning and setting the cvelistv5 > repository: https://github.com/CVEProject/cvelistV5 > > The variable CVELISTV5_USE_AUTOREV can be used to use AUTOREV to use the > latest available commit on the remote repository and stay > up-to-date with the latest CVE information available. > > AUTOREV would make the build non-deterministic, turned off by default. > > Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com> > --- > .../cvelistv5-native/cvelistv5-native_git.bb | 24 +++++++++++++++++++ > 1 file changed, 24 insertions(+) > create mode 100644 meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb > > diff --git a/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb > new file mode 100644 > index 0000000000..f25dda9f3d > --- /dev/null > +++ b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb 
> @@ -0,0 +1,24 @@ > +SUMMARY = "CVE List V5" > +DESCRIPTION = "Official CVE List. It is a catalog of all CVE Records identified by, or reported to, the CVE Program. \ > +The cvelistV5 repository hosts downloadable files of CVE Records in the CVE Record Format." > +HOMEPAGE = "https://github.com/CVEProject/cvelistV5" > +LICENSE = "cve-tou" > +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/cve-tou;md5=4f7e96b3094e80e66b53359a8342c7f8" > + > +inherit native allarch > + > +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https" > +CVELISTV5_USE_AUTOREV ?= "0" > +CVELISTV5_DEFAULT_SRCREV ?= "644ce1758db1773336ebebb6a0da90e132da0eb7" > + > +python __anonymous () { > + if d.getVar("CVELISTV5_USE_AUTOREV") == "1": > + d.setVar("SRCREV", d.getVar("AUTOREV")) > + else: > + d.setVar("SRCREV", d.getVar("CVELISTV5_DEFAULT_SRCREV")) > +} > + > +do_install(){ > + install -d ${D}${datadir}/cvelistv5-native > + cp -r ${UNPACKDIR}/cvelistv5-git/* ${D}${datadir}/cvelistv5-native/ > +} Why add a CVELISTV5_DEFAULT_SRCREV variable when this is a standard usage of autorev? SRCREV = "644ce1758db1773336ebebb6a0da90e132da0eb7" and then users can set: SRCREV:pn-cvelistv5-native = "${AUTROREV}" if they want it, just the same as any other recipe? Cheers, Richard
I wanted to indicate that the recipe is not meant to be used with a fixed commit with a deterministic approach.
Having ${AUTOREV} by default can lead to many offline issues.
I guess the correct implementation would be to specify, in the documentation, the need for "SRCREV:pn-cvelistv5-native = "${AUTOREV}"" to stay up-to-date with CVE data, and also add this information in a comment inside the recipe.
Thank you for your feedback
Hello,

Cve-check already has variables disabling the database download. Maybe a rework of the variable set can be an option to make sure that either both download, or both don't. It requires a bit of design, however.

Kind regards
Marta

On Mon, 2 Feb 2026, 14:48 vboudevin via lists.openembedded.org, <valentin.boudevin=gmail.com@lists.openembedded.org> wrote:
> I wanted to indicate that the recipe is not meant to be used with a fixed
> commit with a deterministic approach.
>
> Having ${AUTOREV} by default can lead to many offline issues.
>
> I guess the correct implementation would be to specify, in the
> documentation, the need for "SRCREV:pn-cvelistv5-native = "${AUTOREV}"" to
> stay up-to-date with CVE data, and also add this information in a comment
> inside the recipe.
>
> Thank you for your feedback
Hello Marta,
Thanks for the feedback.
As I understand, you are referring to CVE_DB_UPDATE_INTERVAL, which can be set to a negative value to disable the download.
I have already tried using a custom "do_fetch" task with a git fetch/pull attempt, as well as with a fixed commit reference in failing scenarios.
But, it seems that I can't avoid a parsing issue if the SRCREV is set to ${AUTOREV} with the build machine not connected to any network (due to a failed attempt to resolve the latest commit hash).
A new .bbclass seems appropriate (e.g., non_deterministic_native.bbclass) to handle native recipes that require an up-to-date git database.
Adding a non-deterministic class to fetch the latest available commit seems a necessary tool for CVE, as you always want to look at the latest available information (e.g., I have a PR also open for improve_kernel_cve, which has the same issue).
This class could be used to redefine fetch and unpack mechanisms provided by the "base" class, as you did with cve-update-nvd2-native.
It would take a default commit as a reference (e.g., "644ce1758db1773336ebebb6a0da90e132da0eb7"), which won't break the build without any network. In addition, the new do_fetch task would try at the same time to pull the latest available commit if any network is available.
But I don't think I want to handle this mechanism in my current PR. It may be preferable to keep it in a future dedicated one. I would prefer to have my boilerplate merge first with a fixed SRCREV.
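A sketch of the class described in the message above, added here as an illustration; it is not code from the patch, from OE-core or from the author. The class name comes from the thread, but every `NONDET_*` variable, the bare-mirror location under `DL_DIR` and the `NONDET_SELECTED_REV` file are assumptions of this example. The idea is the one outlined above: parsing never touches the network, a pinned commit is the offline baseline, and do_fetch opportunistically moves to the branch head when the remote is reachable.

```bitbake
# non_deterministic_native.bbclass (hypothetical; added example, not part of the patch)
#
# A recipe inheriting this class sets NONDET_GIT_REPO and NONDET_PINNED_REV and
# leaves SRC_URI empty: the class owns fetch and unpack itself, so parsing never
# needs the network and an offline build falls back to the pinned commit.

NONDET_GIT_REPO ?= ""
NONDET_GIT_BRANCH ?= "main"
NONDET_PINNED_REV ?= ""
# "1": try to move to the branch head when the network is reachable.
NONDET_TRACK_LATEST ?= "1"
NONDET_GIT_DIR ?= "${DL_DIR}/git2/nondet-${BPN}"
# The revision actually used is recorded here, so a build can be reproduced
# later by copying it into NONDET_PINNED_REV with NONDET_TRACK_LATEST = "0".
NONDET_REV_FILE = "${NONDET_GIT_DIR}/NONDET_SELECTED_REV"

def nondet_git(d, args, gitdir):
    # Run git against the bare mirror; bb.process.run raises ExecutionError on failure.
    return bb.process.run(["git", "--git-dir=%s" % gitdir] + args)[0].strip()

python do_fetch() {
    import os
    repo = d.getVar("NONDET_GIT_REPO")
    branch = d.getVar("NONDET_GIT_BRANCH")
    pinned = d.getVar("NONDET_PINNED_REV")
    gitdir = d.getVar("NONDET_GIT_DIR")
    if not repo or not pinned:
        bb.fatal("NONDET_GIT_REPO and NONDET_PINNED_REV must be set")

    if not os.path.isdir(os.path.join(gitdir, "objects")):
        # First build: the mirror has to come from somewhere. This is the only
        # step that genuinely needs the network (or a pre-populated DL_DIR).
        bb.utils.mkdirhier(os.path.dirname(gitdir))
        bb.process.run(["git", "clone", "--bare", "--branch", branch, repo, gitdir])

    rev = pinned
    if d.getVar("NONDET_TRACK_LATEST") == "1":
        try:
            nondet_git(d, ["fetch", repo, "+refs/heads/%s:refs/heads/%s" % (branch, branch)], gitdir)
            rev = nondet_git(d, ["rev-parse", "refs/heads/%s" % branch], gitdir)
            bb.note("%s: tracking %s at %s" % (d.getVar("PN"), branch, rev))
        except bb.process.ExecutionError as e:
            # No network: keep the pinned baseline instead of failing the build.
            bb.warn("%s: could not reach %s, keeping pinned %s (%s)"
                    % (d.getVar("PN"), repo, pinned, e))

    # Whatever was chosen must actually exist locally; fail here with a clear
    # message rather than later in do_unpack.
    try:
        nondet_git(d, ["cat-file", "-e", "%s^{commit}" % rev], gitdir)
    except bb.process.ExecutionError:
        bb.fatal("revision %s is not present in %s" % (rev, gitdir))

    with open(d.getVar("NONDET_REV_FILE"), "w") as f:
        f.write(rev + "\n")
}
# Re-run on every build so a newly reachable network is noticed; the
# cat-file check above keeps an offline rerun harmless.
do_fetch[nostamp] = "1"
do_fetch[network] = "1"

python do_unpack() {
    import os
    gitdir = d.getVar("NONDET_GIT_DIR")
    s = d.getVar("S")
    with open(d.getVar("NONDET_REV_FILE")) as f:
        rev = f.read().strip()
    bb.utils.remove(s, recurse=True)
    bb.utils.mkdirhier(s)
    # git archive exports a clean tree (no .git directory) at exactly that commit.
    bb.process.run("git --git-dir='%s' archive '%s' | tar -x -C '%s'" % (gitdir, rev, s))
}
do_unpack[nostamp] = "1"
```

Two caveats follow from the design rather than from this sketch. First, the very first build still needs either the network or a pre-seeded mirror under `DL_DIR`, since a pinned commit cannot be checked out from nothing. Second, a tree refreshed by a `nostamp` do_unpack does not change the signature of do_install or of consumers, so a recipe using the class has to mark those tasks `nostamp` too (as cve-update-nvd2-native does for its own tasks) or the updated data will not propagate.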
diff --git a/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb new file mode 100644 index 0000000000..f25dda9f3d --- /dev/null +++ b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb @@ -0,0 +1,24 @@ +SUMMARY = "CVE List V5" +DESCRIPTION = "Official CVE List. It is a catalog of all CVE Records identified by, or reported to, the CVE Program. \ +The cvelistV5 repository hosts downloadable files of CVE Records in the CVE Record Format." +HOMEPAGE = "https://github.com/CVEProject/cvelistV5" +LICENSE = "cve-tou" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/cve-tou;md5=4f7e96b3094e80e66b53359a8342c7f8" + +inherit native allarch + +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https" +CVELISTV5_USE_AUTOREV ?= "0" +CVELISTV5_DEFAULT_SRCREV ?= "644ce1758db1773336ebebb6a0da90e132da0eb7" + +python __anonymous () { + if d.getVar("CVELISTV5_USE_AUTOREV") == "1": + d.setVar("SRCREV", d.getVar("AUTOREV")) + else: + d.setVar("SRCREV", d.getVar("CVELISTV5_DEFAULT_SRCREV")) +} + +do_install(){ + install -d ${D}${datadir}/cvelistv5-native + cp -r ${UNPACKDIR}/cvelistv5-git/* ${D}${datadir}/cvelistv5-native/ +}
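Review bot: do_install hardcodes the unpack location as `${UNPACKDIR}/cvelistv5-git`, which breaks silently if the fetcher's destination suffix ever differs from that name; `cp -r ${S}/* ${D}${datadir}/cvelistv5-native/` follows whatever S resolves to and is what other git recipes do. The recipe also sets no PV, so the version is derived from the `_git` filename suffix; an explicit `PV = "0+git"` would document that and avoid surprises if the file is renamed. Finally, the `CVELISTV5_USE_AUTOREV` / `CVELISTV5_DEFAULT_SRCREV` pair duplicates what `SRCREV` plus a per-recipe `SRCREV:pn-cvelistv5-native = "${AUTOREV}"` override already gives, as raised in the review; the anonymous python can go with it.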
This recipe is in charge of cloning and setting the cvelistv5
repository: https://github.com/CVEProject/cvelistV5

The variable CVELISTV5_USE_AUTOREV can be used to use AUTOREV to use the
latest available commit on the remote repository and stay
up-to-date with the latest CVE information available.

AUTOREV would make the build non-deterministic, turned off by default.

Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
 .../cvelistv5-native/cvelistv5-native_git.bb | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb