summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNiko Mauno <niko.mauno@iki.fi>2019-12-06 21:53:23 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-12-09 12:05:58 +0000
commitcc20e4d8ff2f3aa52a2658404af9a0ff358cc323 (patch)
tree6b8ac7c89c06217b1e560c33714f4de60d6cecf7
parentb45c967a8324c10642f2ef445f4c8c1a82947e1f (diff)
downloadopenembedded-core-contrib-cc20e4d8ff2f3aa52a2658404af9a0ff358cc323.tar.gz
openembedded-core-contrib-cc20e4d8ff2f3aa52a2658404af9a0ff358cc323.tar.bz2
openembedded-core-contrib-cc20e4d8ff2f3aa52a2658404af9a0ff358cc323.zip
cve-check: Switch to NVD CVE JSON feed version 1.1
Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass2
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb2
2 files changed, 2 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed5548b3..01b3637469 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a28e..575254af40 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
bb.utils.export_proxies(d)
- BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+ BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
YEAR_START = 2002
db_file = d.getVar("CVE_CHECK_DB_FILE")