Re: [OE-core] [PATCH] cve-check: Add versioned CVSS vector strings

Mathieu Dubois-Briand via lists.openembedded.org Mon, 02 Dec 2024 03:33:56 -0800

On Sat, Nov 30, 2024 at 05:50:38PM +0000, Colin McAllister via 
lists.openembedded.org wrote:
> Currently, cve-check includes a vector string for each CVE included in
> the issue list for each package. This vector string is the lowest
> CVSS version that's available. For example, if a CVE has both a v2 and
> v3.1 vector strint, the v2 vector string is only included.
> 
> This patch adds each supported vector string (v2, v3, and v4). For v3,
> v3.1 is preferred over v3. If a vector string is not available for a
> given verison, the string will default to "UNKNOWN".
> 
> Signed-off-by: Colin McAllister <[email protected]>


Hi Colin,

Thanks for your new patch. As for last week, it seems to be triggering
some issues on the autobuilder:

ERROR: cve-update-nvd2-native-1.0-r0 do_unpack: Error executing a python 
function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
     0001:
 *** 0002:do_unpack(d)
     0003:
File: 
'/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/recipes-core/meta/cve-update-nvd2-native.bb',
 lineno: 105, function: do_unpack
     0101:do_fetch[vardeps] = ""
     0102:
     0103:python do_unpack() {
     0104:    import shutil
 *** 0105:    shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), 
d.getVar("CVE_CHECK_DB_FILE"))
     0106:}
     0107:do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} 
${CVE_CHECK_DB_FILE_LOCK}"
     0108:
     0109:def cleanup_db_download(db_file, db_tmp_file):
File: '/usr/lib/python3.9/shutil.py', lineno: 264, function: copyfile
     0260:
     0261:    if not follow_symlinks and _islink(src):
     0262:        os.symlink(os.readlink(src), dst)
     0263:    else:
 *** 0264:        with open(src, 'rb') as fsrc, open(dst, 'wb') as fdst:
     0265:            # macOS
     0266:            if _HAS_FCOPYFILE:
     0267:                try:
     0268:                    _fastcopy_fcopyfile(fsrc, fdst, 
posix._COPYFILE_DATA)
Exception: FileNotFoundError: [Errno 2] No such file or directory: 
'/srv/autobuilder/valkyrie.yocto.io/current_sources/CVE_CHECK2/nvdcve_2-3.db'

https://valkyrie.yoctoproject.org/#/builders/76/builds/524/steps/15/logs/stdio
https://valkyrie.yoctoproject.org/#/builders/35/builds/532/steps/14/logs/stdio

Is this something you can fix ?

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#208139): 
https://lists.openembedded.org/g/openembedded-core/message/208139
Mute This Topic: https://lists.openembedded.org/mt/109850435/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] cve-check: Add versioned CVSS vector strings

Reply via email to