Re: [OE-core] [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Benjamin Robin <benjamin.robin@bootlin.com>
To: Marta Rybczynska <rybczynska@gmail.com>
Cc: openembedded-core@lists.openembedded.org,
	Richard Purdie <richard.purdie@linuxfoundation.org>,
	ross.burton@arm.com, peter.marko@siemens.com,
	jpewhacker@gmail.com, olivier.benjamin@bootlin.com,
	antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com,
	thomas.petazzoni@bootlin.com
Subject: Re: [OE-core] [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher
Date: Thu, 19 Mar 2026 13:03:31 +0100	[thread overview]
Message-ID: <2323982.Icojqenx9y@brobin-bootlin> (raw)
In-Reply-To: <CAApg2=SpoAyoJrwL_f6jfX5Putwj_dzeYH1FnBnqJQOsKSQbGQ@mail.gmail.com>

On Thursday, March 19, 2026 at 1:00 PM, Marta Rybczynska wrote:
> On Thu, Mar 19, 2026 at 10:48 AM Benjamin Robin <benjamin.robin@bootlin.com>
> wrote:
> 
> > Hello Marta,
> >
> > On Thursday, March 19, 2026 at 9:58 AM, Marta Rybczynska wrote:
> > > On Thu, Mar 19, 2026 at 9:45 AM Benjamin Robin via
> > lists.openembedded.org
> > > <benjamin.robin=bootlin.com@lists.openembedded.org> wrote:
> >
> > > > I have just a slight implementation "detail" if we are using BitBake
> > > > fetcher. What is the license that we should use for the sources?
> > > > How to declare that in the recipes?
> > > >
> > > > Because the license of the repositories:
> > > >  - https://github.com/CVEProject/cvelistV5 : Their is none
> > > >  - https://github.com/fkie-cad/nvd-json-data-feeds/tree/main/LICENSES
> > > >    It looks like custom license.
> >
> > > The CVE project repo does not have a licence included, but it is covered
> > by
> > > https://www.cve.org/legal/termsofuse (the usage part). It is basically
> > MIT.
> > >
> > > NVD has the specific,  licence, the one that is in the repo. A warning on
> > > the
> > > needed disclosure sentence in all documentation.
> >
> > So for you, it is fine to declare that the CVE databases are MIT?
> >
> 
> CVE database is MIT
> NVD (so also FKIE) is custom

NVD license is apparently "cve-tou" which is available in Yocto.

> >
> > > AUTOREV isn't great here because it will re-fetch for each build. So if
> > > you're
> > > building multiple images or platforms (in CI or so), you will get
> > > potentially different
> > > results. cve-check has a set of variable to handle such use cases. You
> > pin
> > > to one specific release and do the whole checking with one single common
> > > version.
> >
> > Yes, that is why I initially pushed to use my custom fetcher that is
> > doing a git pull / shallow clone. With this fetcher I have a full control
> > on the update period.
> >
> > But if we want to use BitBake fetcher, an user could pin to a specific
> > version instead of using AUTOREV. But the user needs to to that manually.
> >
> >
> I agree with Richard that using a git fetcher (or other existing fetcher)
> is a better
> idea than developing a custom fetcher.

I am preparing a v5 of the patch series based on this RFC series, which is
going to use the BitBake fetcher.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

     prev parent reply	other threads:[~2026-03-19 12:03 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09 11:57 [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher Benjamin Robin
2026-03-09 11:57 ` [PATCH RFC 1/2] " Benjamin Robin
2026-03-09 11:57 ` [PATCH RFC 2/2] sbom-cve-check: VEX class is no longer mandatory Benjamin Robin
2026-03-18 17:45 ` [OE-core] [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher Richard Purdie
2026-03-19  7:29   ` Marta Rybczynska
2026-03-19  7:52     ` Richard Purdie
2026-03-19  9:07       ` Benjamin Robin
2026-03-19  9:57     ` Benjamin Robin
2026-03-19  8:45   ` Benjamin Robin
2026-03-19  8:58     ` Marta Rybczynska
2026-03-19  9:48       ` Benjamin Robin
2026-03-19 12:00         ` Marta Rybczynska
2026-03-19 12:03           ` Benjamin Robin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2323982.Icojqenx9y@brobin-bootlin \
    --to=benjamin.robin@bootlin.com \
    --cc=antonin.godard@bootlin.com \
    --cc=jpewhacker@gmail.com \
    --cc=mathieu.dubois-briand@bootlin.com \
    --cc=olivier.benjamin@bootlin.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=peter.marko@siemens.com \
    --cc=richard.purdie@linuxfoundation.org \
    --cc=ross.burton@arm.com \
    --cc=rybczynska@gmail.com \
    --cc=thomas.petazzoni@bootlin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.