Reported as https://bugzilla.yoctoproject.org/show_bug.cgi?id=14929

On Wed, Oct 12, 2022 at 6:29 PM Ross Burton <ross.bur...@arm.com> wrote:
>
> On 12 Oct 2022, at 08:25, Alberto Pianon via lists.openembedded.org 
> <alberto=pianon...@lists.openembedded.org> wrote:
> >
> > It iterates over NIST CVE db years, but if some year fails to download, it 
> > goes on anyway, and it still merges the successful downloads into 
> > nvdcve_1.1.db, without returning an error.
> >
> > IMHO this is a severe issue because it may silently lead to false negatives 
> > in the CVE check. If some downloads fail due to timeouts or other 
> > connection problems, cve-check should retry a number of times, and if any 
> > download still fails, cve-update-db-native do_fetch should fail, and in 
> > turn all do_cve_check tasks should fail, since doing a CVE check against a 
> > corrupted/incomplete CVE database is clearly useless
>
> Yes, that’s a bug.
>
> Please do file a bug (bugzilla.yoctoproject.org), and ideally send a patch if 
> you can.
>
> Ross
>
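The fail-closed download behaviour the thread asks for, as an added example that is not cve-update-db-native's own code: every year is fetched with a bounded number of retries, and the database is only assembled when all years succeeded, otherwise the fetch raises. The buggy silent-skip shape is kept alongside for contrast. The feed URL pattern, the year range, the retry count and the `make_flaky_fetcher` stand-in for an HTTP download are assumptions of this example so it runs offline.

```python
"""Added example, not the cve-update-db-native recipe's own code: fail-closed
download of per-year NVD feeds with bounded retries.

The downloader is injected (`fetch_year`) so the example runs offline; the
URL pattern, year range and retry count are assumptions, not the recipe's.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed feed location for the example; not taken from the recipe.
NVD_FEED_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz"


class FeedDownloadError(RuntimeError):
    """Raised when at least one yearly feed could not be fetched."""


def download_all_years(
    fetch_year: Callable[[str], bytes],
    years: range,
    retries: int = 3,
    backoff_s: float = 0.0,
) -> Dict[int, bytes]:
    """Fetch every yearly feed; raise if any year is still missing after retries.

    Fail-closed: the caller only gets a result when *every* year downloaded,
    so a partial database can never be merged silently.
    """
    results: Dict[int, bytes] = {}
    failures: List[Tuple[int, str]] = []
    for year in years:
        url = NVD_FEED_URL.format(year=year)
        last_err: Optional[BaseException] = None
        for attempt in range(1, retries + 1):
            try:
                results[year] = fetch_year(url)
                break
            except (OSError, TimeoutError) as exc:
                last_err = exc
                if attempt < retries and backoff_s:
                    time.sleep(backoff_s * attempt)  # simple linear backoff
        else:
            # for/else: no break, i.e. every attempt for this year failed
            failures.append((year, repr(last_err)))
    if failures:
        raise FeedDownloadError(
            "NVD feed download incomplete; refusing to build database: "
            + ", ".join(f"{y}: {e}" for y, e in failures)
        )
    return results


def download_all_years_silently(
    fetch_year: Callable[[str], bytes], years: range, retries: int = 3
) -> Dict[int, bytes]:
    """The buggy shape described in the thread: skip failed years and carry on.
    Shown only for contrast; a database built from this is incomplete."""
    results: Dict[int, bytes] = {}
    for year in years:
        for _ in range(retries):
            try:
                results[year] = fetch_year(NVD_FEED_URL.format(year=year))
                break
            except (OSError, TimeoutError):
                continue
    return results


def make_flaky_fetcher(
    fail_counts: Dict[int, Optional[int]]
) -> Callable[[str], bytes]:
    """Constructed offline stand-in for an HTTP fetch (not a real download).
    fail_counts maps year -> number of attempts that time out before one
    succeeds; None means the year never succeeds."""
    attempts: Dict[int, int] = {}

    def fetch(url: str) -> bytes:
        year = int(url.rsplit("-", 1)[1].split(".")[0])
        attempts[year] = attempts.get(year, 0) + 1
        limit = fail_counts.get(year, 0)
        if limit is None or attempts[year] <= limit:
            raise TimeoutError(f"timed out fetching {url}")
        return f"feed-{year}".encode()

    return fetch


def demo() -> Tuple[int, bool]:
    """Run both variants against the same constructed failures.
    Returns (years present in the silent result, whether fail-closed raised)."""
    years = range(2019, 2023)
    # 2020 times out once and then succeeds; 2021 never succeeds.
    flaky: Dict[int, Optional[int]] = {2020: 1, 2021: None}
    silent = download_all_years_silently(make_flaky_fetcher(flaky), years)
    try:
        download_all_years(make_flaky_fetcher(flaky), years)
        raised = False
    except FeedDownloadError:
        raised = True
    return len(silent), raised


if __name__ == "__main__":
    print(demo())  # (3, True): silent path quietly drops 2021, fail-closed path refuses
```

The point of the contrast is visible in `demo()`: the silent variant returns three of four years and gives no indication that 2021 is missing, which is exactly how a downstream do_cve_check would end up with false negatives; the fail-closed variant retries the transient 2020 timeout successfully and then refuses outright because 2021 never arrived.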
View/Reply Online (#171681): https://lists.openembedded.org/g/openembedded-core/message/171681