Hi Pierre,
I found that the hash function is causing collisions in the generated database
such that some CVEs are being overwritten because of the UNIQUE constraint on
the HASH column. For example, CVE-2018-1000873 has the same hash of 623198722
as CVE-2018-18338. This results in one of the
Hi Kevin,
> I found that the hash function is causing collisions in the generated
> database such that some CVEs are being overwritten because of the UNIQUE
> constraint on the HASH column. For example, CVE-2018-1000873 has the same
> hash of 623198722 as CVE-2018-18338. This results in one of
Hi,
> It looks like CVE_CHECK_DB_DIR has no default value which resulted in:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/988/steps/7/logs/step1b
>
> We only started seeing that error after your later patch to add back
> the do_fetch task. build-appliance is trying to
On Wed, 2019-06-19 at 15:59 +0200, Pierre Le Magourou wrote:
> From: Pierre Le Magourou
>
> cve-check-tool-native do_populate_cve_db task was using deprecated NVD
> xml data feeds, cve-update-db uses NVD json data feeds.
>
> Sqlite database schema was updated to take into account CVSSv3 CVE
>
On Tue, 25 Jun 2019 at 09:49, Pierre Le Magourou wrote:
> > Also, the CVE db is updated using this custom task without link to
> > do_fetch, which means a fetchall task would not update the database for
> > off line NO_NETWORK builds.
> >
> > Could the task be added as dependency to do_fetch() or
Hi,
> Also, the CVE db is updated using this custom task without link to
> do_fetch, which means a fetchall task would not update the database for
> off line NO_NETWORK builds.
>
> Could the task be added as dependency to do_fetch() or are there some other
> side effects?
>
Yes I can do that, I
Thanks! :)
Ross
On Mon, 24 Jun 2019 at 09:33, Pierre Le Magourou wrote:
>
> Hi,
>
> > > This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> > > dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> > > documentation could be updated too, e.g.
> > >
Hi,
> > This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> > dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> > documentation could be updated too, e.g.
> >
On Fri, Jun 21, 2019 at 01:29:18PM +0100, Burton, Ross wrote:
> On Fri, 21 Jun 2019 at 12:11, wrote:
> > This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> > dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> > documentation could be updated too, e.g.
>
On Fri, 21 Jun 2019 at 12:11, wrote:
> This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> documentation could be updated too, e.g.
>
On Fri, Jun 21, 2019 at 02:03:36PM +0200, Alexander Kanavin wrote:
> On Fri, 21 Jun 2019 at 13:48, wrote:
>
> >
> > Hmm, possibly? I cherry-picked the patches to sumo and saw this missing
> > dependency in my container.
> >
> > Did poky master switch from using host python to native after sumo?
>
On Fri, 21 Jun 2019 at 13:48, wrote:
>
> Hmm, possibly? I cherry-picked the patches to sumo and saw this missing
> dependency in my container.
>
> Did poky master switch from using host python to native after sumo?
>
poky uses host python for some things and native python for other things.
On Fri, Jun 21, 2019 at 01:42:11PM +0200, Alexander Kanavin wrote:
> On Fri, 21 Jun 2019 at 13:11, wrote:
>
> > This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> > dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> > documentation could be updated
On Fri, 21 Jun 2019 at 13:11, wrote:
> This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
> dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
> documentation could be updated too, e.g.
>
>
Hi,
This adds python3 urllib3 (python3-urllib3 in Debian) to build environment
dependencies. It's the first user of urllib3 in poky, AFAIK. Maybe
documentation could be updated too, e.g.
https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#brief-build-system-packages
On my
> Not sure which of the changes is responsible, but this is new:
> WARNING: flex-native-2.6.0-r0 do_cve_check: Found unpatched CVE
> (CVE-2015-1773)
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-1773
>
> Note that the flex tool is completely unrelated to Apache Flex.
>
>
I see, the 4/4 patch is
Not sure which of the changes is responsible, but this is new:
WARNING: flex-native-2.6.0-r0 do_cve_check: Found unpatched CVE (CVE-2015-1773)
https://nvd.nist.gov/vuln/detail/CVE-2015-1773
Note that the flex tool is completely unrelated to Apache Flex.
cu
Adrian
--
"Is there not
From: Pierre Le Magourou
cve-check-tool-native do_populate_cve_db task was using deprecated NVD
xml data feeds, cve-update-db uses NVD json data feeds.
Sqlite database schema was updated to take into account CVSSv3 CVE
scores and operator in affected product versions.
A new META table was added
18 matches