From: Marta Rybczynska <rybczynska@gmail.com>
To: rybczynska@gmail.com
Cc: Steve Sakoman <steve@sakoman.com>,
	Grant.Smith3@ngc.com, poky@lists.yoctoproject.org,
	 Ross Burton <ross.burton@arm.com>
Subject: Re: [poky] CVE CHECK scorev3
Date: Tue, 17 Oct 2023 11:14:24 +0200	[thread overview]
Message-ID: <CAApg2=Qf6FtjBaKynpuZ_COc_vuVOgD8+UhckDS=MoSj5NWVVQ@mail.gmail.com> (raw)
In-Reply-To: <178DEC4DABB5202F.14388@lists.yoctoproject.org>

On Sat, Oct 14, 2023 at 10:34 AM Marta Rybczynska via
lists.yoctoproject.org <rybczynska=gmail.com@lists.yoctoproject.org>
wrote:
>
> On Fri, Oct 13, 2023 at 4:23 PM Steve Sakoman <steve@sakoman.com> wrote:
> >
> > On Wed, Oct 11, 2023 at 2:19 PM <Grant.Smith3@ngc.com> wrote:
> > >
> > > All,
> > >
> > >
> > >
> > > In the poky layer (yocto-4.2.3 branch) I am using the built-in cve-checker and running into an issue where it is unable to produce the scorev3 metric. All CVEs have a scorev3 equivalent to 0.0. When looking at poky (yocto-4.0.9 branch) I noticed that the cve-checker uses the 1.1 version of the NVD database and can successfully produce scorev3 when running a test build.
> >
> > You are using an old version of kirkstone (4.0.9), the current version
> > is 4.0.13.  The current version now uses the new version of the
> > cve-checker.  I just checked and the code is identical in kirkstone
> > and mickledore, with the exception of this commit which is required
> > for some older distros which are supported by kirkstone but not
> > mickledore:
> >
> > https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=cd1d34d5106c4484372552bb3cf93198f7b25d76
> >
> > So kirkstone and mickledore should be producing identical results
> > (assuming the same recipe versions of course)
> >
> > Looking at a random sampling of json files though, I also see
> > "scorev3": "0.0" in all of them.
> >
> > So I suspect that there is a bug, and it is present in all branches
> > (master, mickledore, kirkstone, dunfell)
> >
> > Steve
>
>
> Hello,
> I've looked into the current results of master and kirkstone and
> nothing unusual.
> There are quite a few entries with cvss3 at 0.0, but that's normal.
>
> Steve, Grant, if you have situations with all cvss3 at 0.0, I will need your
> results file and the exact hash of the poky versions you use.
>
A complete re-download of the database worked for Grant, but I'm creating
an issue https://bugzilla.yoctoproject.org/show_bug.cgi?id=15239 because
it seems that more people are affected. I'll be working on this.

Regards,
Marta
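As an added example (not code from this thread or from poky), here is a small Python check that separates the normal case Marta describes (some entries with CVSSv3 at 0.0) from the symptom reported above (every scorev3 at 0.0 while scorev2 is populated), which in Grant's case went away after a full re-download of the NVD database. The report layout it assumes ("package" / "issue" lists with "scorev2" and "scorev3" stored as strings) is constructed from the `"scorev3": "0.0"` field quoted in the thread and my understanding of cve-check's JSON output; confirm it against a real report before relying on it. The sample reports are constructed inline.

```python
"""Sanity-check a cve-check JSON report for the all-zero scorev3 symptom.

Assumed report layout (constructed; verify against your own build output):
{"version": "1", "package": [{"name": ..., "version": ..., "issue": [
    {"id": "CVE-...", "status": ..., "scorev2": "...", "scorev3": "..."}]}]}
"""
import json
from typing import Any


def _as_float(value: Any) -> float:
    """cve-check writes scores as strings; treat missing/garbled values as 0.0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def score_stats(report: dict[str, Any]) -> dict[str, int]:
    """Count issues, how many have a CVSSv3 score of 0.0, and how many have a non-zero CVSSv2."""
    total = zero_v3 = nonzero_v2 = 0
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            total += 1
            if _as_float(issue.get("scorev3")) == 0.0:
                zero_v3 += 1
            if _as_float(issue.get("scorev2")) > 0.0:
                nonzero_v2 += 1
    return {"total": total, "zero_v3": zero_v3, "nonzero_v2": nonzero_v2}


def assess(report: dict[str, Any], min_issues: int = 20) -> str:
    """Classify a report.

    Individual 0.0 scores are expected (NVD carries no CVSSv3 for many older
    CVEs). A report with enough issues to judge where *every* scorev3 is 0.0
    but scorev2 values are present points at an incomplete or stale local
    NVD database rather than at the software being scored.
    """
    s = score_stats(report)
    if s["total"] == 0:
        return "no-issues"
    if s["total"] < min_issues:
        return "too-few-issues"  # not enough data to tell either way
    if s["zero_v3"] == s["total"] and s["nonzero_v2"] > 0:
        return "suspect-database"  # re-fetch the NVD database and re-run
    return "plausible"


def build_report(scores: list[tuple[str, str]]) -> dict[str, Any]:
    """Construct a one-package report from (scorev2, scorev3) string pairs.

    CVE ids are obviously fake placeholders (CVE-0000-NNNN), not real entries.
    """
    issues = [
        {"id": f"CVE-0000-{i:04d}", "status": "Unpatched", "scorev2": v2, "scorev3": v3}
        for i, (v2, v3) in enumerate(scores, start=1)
    ]
    return {"version": "1", "package": [{"name": "example-recipe", "version": "1.0", "issue": issues}]}


# Constructed samples: a healthy mix (a few v3 zeros are normal) and the reported symptom.
HEALTHY_REPORT = build_report([("5.0", "0.0")] * 5 + [("7.5", "9.8")] * 10 + [("4.3", "6.1")] * 10)
BROKEN_REPORT = build_report([("7.5", "0.0")] * 25)


def assess_file(path: str) -> str:
    """Load a cve-check JSON report from disk and classify it."""
    with open(path, encoding="utf-8") as fh:
        return assess(json.load(fh))


if __name__ == "__main__":
    for name, rep in (("healthy", HEALTHY_REPORT), ("broken", BROKEN_REPORT)):
        print(name, score_stats(rep), assess(rep))
```

Point `assess_file()` at the merged cve-check JSON of a build; `suspect-database` is the cue to refresh the local NVD database before reading anything into the scores.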