| Message ID | 20250824145316.1098911-1-peter.marko@siemens.com |
|---|---|
| State | Accepted |
| Series | vulnerabilities: update nvdcve file name |
Hi Peter,

On 8/24/25 4:53 PM, Peter Marko via lists.yoctoproject.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> The filename is outdated as its version was already bumped and there are
> also different files for different feed choices.
> Use glob to match any available file.
>

When did this become possible? I see a new fetcher in fb62c4c3dbca4e58f7ce6cf29d4b630a06411a97 ("cve-update-nvd2-native: new CVE database fetcher") which is already in mickledore so would be a candidate for backporting to walnascar and scarthgap.

> Also the directory changed to CVE_CHECK2 meanwhile, so Update it, too.
>

This changed in dd249921a5d6b8e472242b57415de3f210dc81f1 ("cve-update-db-native: update structure") apparently, which is part of walnascar so would be a candidate for backport to walnascar.

I think separate commits would be nice so we can backport the glob to scarthgap too and have the CVE_CHECK2 backported to walnascar only.

Cheers,
Quentin

Hello,

I just wanted to say that I'm back from vacation and will try to submit patches for LTS branches still this week.

Peter

> -----Original Message-----
> From: Quentin Schulz <quentin.schulz@cherry.de>
> Sent: Monday, September 1, 2025 11:51
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> docs@lists.yoctoproject.org
> Subject: Re: [docs] [PATCH] vulnerabilities: update nvdcve file name
>
> Hi Peter,
>
> On 8/24/25 4:53 PM, Peter Marko via lists.yoctoproject.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > The filename is outdated as its version was already bumped and there are
> > also different files for different feed choices.
> > Use glob to match any available file.
> >
>
> When did this become possible? I see a new fetcher in
> fb62c4c3dbca4e58f7ce6cf29d4b630a06411a97 ("cve-update-nvd2-native: new
> CVE database fetcher") which is already in mickledore so would be a
> candidate for backporting to walnascar and scarthgap.
>
> > Also the directory changed to CVE_CHECK2 meanwhile, so Update it, too.
> >
>
> This changed in dd249921a5d6b8e472242b57415de3f210dc81f1
> ("cve-update-db-native: update structure") apparently, which is part of
> walnascar so would be a candidate for backport to walnascar.
>
> I think separate commits would be nice so we can backport the glob to
> scarthgap too and have the CVE_CHECK2 backported to walnascar only.
>
> Cheers,
> Quentin

On Tue Sep 16, 2025 at 12:39 PM CEST, Peter Marko via lists.yoctoproject.org wrote:
> Hello,
>
> I just wanted to say that I'm back from vacation and will try to submit patches for LTS branches still this week.

I backported this patch to walnascar, as part of the pull request from Friday last week.

I think you could send a separate patch for the new fetcher on scarthgap if you have the time.

Thanks!

Regards,
Antonin

On Sun, 24 Aug 2025 16:53:16 +0200, Peter Marko wrote:
> The filename is outdated as its version was already bumped and there are
> also different files for different feed choices.
> Use glob to match any available file.
>
> Also the directory changed to CVE_CHECK2 meanwhile, so Update it, too.
>
>
> [...]

Applied, thanks!

[1/1] vulnerabilities: update nvdcve file name
      commit: a2f18cb23183401d9d8e2fd4499d164ef8d86e44

Best regards,

> -----Original Message-----
> From: Antonin Godard <antonin.godard@bootlin.com>
> Sent: Tuesday, September 16, 2025 13:07
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; Quentin
> Schulz <quentin.schulz@cherry.de>; docs@lists.yoctoproject.org
> Subject: Re: [docs] [PATCH] vulnerabilities: update nvdcve file name
>
> On Tue Sep 16, 2025 at 12:39 PM CEST, Peter Marko via lists.yoctoproject.org
> wrote:
> > Hello,
> >
> > I just wanted to say that I'm back from vacation and will try to submit patches
> > for LTS branches still this week.
>
> I backported this patch to walnascar, as part of the pull request from Friday
> last week.
>
> I think you could send a separate patch for the new fetcher on scarthgap if you
> have the time.

I have now sent patches for scarthgap and kirkstone.
Sorry for the delay.

Peter

>
> Thanks!
>
> Regards,
> Antonin
>
> --
> Antonin Godard, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

On Sat Oct 11, 2025 at 11:37 PM CEST, Peter Marko via lists.yoctoproject.org wrote:
>
>
>> -----Original Message-----
>> From: Antonin Godard <antonin.godard@bootlin.com>
>> Sent: Tuesday, September 16, 2025 13:07
>> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; Quentin
>> Schulz <quentin.schulz@cherry.de>; docs@lists.yoctoproject.org
>> Subject: Re: [docs] [PATCH] vulnerabilities: update nvdcve file name
>>
>> On Tue Sep 16, 2025 at 12:39 PM CEST, Peter Marko via lists.yoctoproject.org
>> wrote:
>> > Hello,
>> >
>> > I just wanted to say that I'm back from vacation and will try to submit patches
>> > for LTS branches still this week.
>>
>> I backported this patch to walnascar, as part of the pull request from Friday
>> last week.
>>
>> I think you could send a separate patch for the new fetcher on scarthgap if you
>> have the time.
>
> I have now sent patches for scarthgap and kirkstone.
> Sorry for the delay.
>
> Peter

Thanks, I applied these on the -next branches.

Antonin

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 5331a63991..6cc7f04944 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst @@ -318,7 +318,7 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: The CVE database is stored in :term:`DL_DIR` and can be inspected using ``sqlite3`` command as follows:: - sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 + sqlite3 downloads/CVE_CHECK2/nvd*.db .dump | grep CVE-2021-37462 When analyzing CVEs, it is recommended to:
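
Review bot: The glob in the added line `sqlite3 downloads/CVE_CHECK2/nvd*.db .dump | grep CVE-2021-37462` only behaves as documented when exactly one file matches. The commit message notes that different feed choices produce different files, so a :term:`DL_DIR` that has been used with more than one feed can contain several matching databases. The shell then expands the pattern to several paths, and ``sqlite3`` opens only the first as the database and treats every further argument as SQL or a dot-command, so the reader gets an error or a dump of just one database, and an empty ``grep`` result can be mistaken for "CVE not present". Suggest adding a sentence telling the reader to list the directory and substitute the file for the feed they selected, keeping the glob as shorthand for the single-file case.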