On 12 Oct 2022, at 08:25, Alberto Pianon via lists.openembedded.org <[email protected]> wrote:
>
> It iterates over NIST CVE db years, but if some year fails to download, it
> goes on anyway, and it still merges the successful downloads into
> nvdcve_1.1.db, without returning an error.
>
> IMHO this is a severe issue because it may silently lead to false negatives
> in the CVE check. If some downloads fail due to timeouts or other connection
> problems, cve-check should retry a number of times, and if any download still
> fails, cve-update-db-native do_fetch should fail, and in turn all
> do_cve_check tasks should fail, since doing a CVE check against a
> corrupted/incomplete CVE database is clearly useless.
Yes, that’s a bug. Please do file a bug (bugzilla.yoctoproject.org), and ideally send a patch if you can.

Ross
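The behaviour Alberto asks for (retry each yearly feed, and abort the whole update rather than merge a partial set) can be sketched as below. This is an added illustration, not the code of the Yocto cve-update-db recipe or of the cve-check class: the two-column `NVD` table, the `fetch_with_retry` / `update_nvd_db` names, the constructed sample feeds and the simulated flaky fetcher are all assumptions made here so the example runs offline.

```python
import sqlite3
import time
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical minimal schema: one row per CVE id with its summary text.
Entry = Tuple[str, str]
Fetcher = Callable[[int], List[Entry]]


class NvdFetchError(RuntimeError):
    """Raised when a yearly NVD feed could not be fetched after all retries."""


def open_db() -> sqlite3.Connection:
    """Create the (assumed) CVE table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT)")
    conn.commit()
    return conn


def fetch_with_retry(fetch: Fetcher, year: int, retries: int = 3,
                     backoff: float = 0.0) -> List[Entry]:
    """Fetch one yearly feed, retrying on transient (network/parse) errors.

    After `retries` failed attempts the error is re-raised as NvdFetchError so
    the caller cannot mistake a failed year for an empty one.
    """
    last_exc: Exception | None = None
    for attempt in range(1, retries + 1):
        try:
            return fetch(year)
        except (OSError, ValueError) as exc:  # timeout, HTTP error, bad payload
            last_exc = exc
            if attempt < retries:
                time.sleep(backoff * attempt)
    raise NvdFetchError(f"NVD feed for {year} failed after {retries} attempts: {last_exc}")


def update_nvd_db(conn: sqlite3.Connection, years: Iterable[int], fetch: Fetcher,
                  retries: int = 3) -> int:
    """All-or-nothing update: every year must download before anything is merged.

    Returns the number of rows merged. If any year still fails after retries,
    NvdFetchError propagates and the database is left untouched, which is the
    condition a do_fetch task should turn into a hard failure.
    """
    feeds: Dict[int, List[Entry]] = {}
    for year in years:                      # stage 1: download everything
        feeds[year] = fetch_with_retry(fetch, year, retries)
    with conn:                              # stage 2: single transaction
        for entries in feeds.values():
            conn.executemany("INSERT OR REPLACE INTO NVD VALUES (?, ?)", entries)
    return sum(len(entries) for entries in feeds.values())


def count_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM NVD").fetchone()[0]


# Constructed sample feeds standing in for the real per-year JSON downloads.
SAMPLE_FEEDS: Dict[int, List[Entry]] = {
    2002: [("CVE-2002-0001", "constructed sample entry")],
    2003: [("CVE-2003-0001", "constructed sample entry"),
           ("CVE-2003-0002", "constructed sample entry")],
}


def make_flaky_fetch(feeds: Dict[int, List[Entry]],
                     failures_before_success: Dict[int, int]) -> Fetcher:
    """Simulated fetcher: year N raises OSError for its first K attempts."""
    attempts: Dict[int, int] = {}

    def fetch(year: int) -> List[Entry]:
        attempts[year] = attempts.get(year, 0) + 1
        if attempts[year] <= failures_before_success.get(year, 0):
            raise OSError(f"simulated timeout fetching {year}")
        if year not in feeds:
            raise OSError(f"simulated HTTP 404 for {year}")
        return feeds[year]

    return fetch


if __name__ == "__main__":
    # Transient failure: 2002 times out twice, succeeds on the third try.
    ok = open_db()
    print(update_nvd_db(ok, [2002, 2003], make_flaky_fetch(SAMPLE_FEEDS, {2002: 2})))
    # Permanent failure: 2003 never succeeds; nothing is merged, not even 2002.
    bad = open_db()
    try:
        update_nvd_db(bad, [2002, 2003], make_flaky_fetch(SAMPLE_FEEDS, {2003: 5}))
    except NvdFetchError as exc:
        print("update aborted:", exc, "rows in db:", count_rows(bad))
```

The important design point is the two-stage structure: downloads are only staged in memory, and the merge happens in one transaction after every year has succeeded, so a half-populated `nvdcve_1.1.db` can never be produced by a timeout mid-loop.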
View/Reply Online (#171668): https://lists.openembedded.org/g/openembedded-core/message/171668
