From: Benjamin Robin <benjamin.robin@bootlin.com>
To: Marta Rybczynska <rybczynska@gmail.com>
Cc: openembedded-core@lists.openembedded.org,
	Richard Purdie <richard.purdie@linuxfoundation.org>,
	ross.burton@arm.com, peter.marko@siemens.com,
	jpewhacker@gmail.com, olivier.benjamin@bootlin.com,
	antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com,
	thomas.petazzoni@bootlin.com
Subject: Re: [OE-core] [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher
Date: Thu, 19 Mar 2026 10:48:21 +0100
Message-ID: <2750263.Lt9SDvczpP@brobin-bootlin>
In-Reply-To: <CAApg2=SHFU13o9EwuAe+NepU1CqEy2zO-xnBYoSmn2YaktXfxQ@mail.gmail.com>

Hello Marta,

On Thursday, March 19, 2026 at 9:58 AM, Marta Rybczynska wrote:
> On Thu, Mar 19, 2026 at 9:45 AM Benjamin Robin via lists.openembedded.org
> <benjamin.robin=bootlin.com@lists.openembedded.org> wrote:

> > I have just a slight implementation "detail" if we are using BitBake
> > fetcher. What is the license that we should use for the sources?
> > How to declare that in the recipes?
> >
> > Because the license of the repositories:
> >  - https://github.com/CVEProject/cvelistV5 : There is none
> >  - https://github.com/fkie-cad/nvd-json-data-feeds/tree/main/LICENSES
> >    It looks like custom license.

> The CVE project repo does not have a licence included, but it is covered by
> https://www.cve.org/legal/termsofuse (the usage part). It is basically MIT.
> 
> NVD has the specific licence, the one that is in the repo. A warning on
> the needed disclosure sentence in all documentation.

So for you, it is fine to declare that the CVE databases are MIT?

> > cve-update-db-native.bb is specifying MIT but this is kind of a lie.
> > I have done the same on my recipes for now...
> >
> > > The existing approach was only done as it was a sqlite database and we
> > > didn't have fetcher support for such a thing.
> >
> > The recipes used to download the CVE databases for the cve-check class
> > are downloading tarballs. Yes, these recipes are going to create a sqlite
> > database from that. But these recipes implement their own fetcher to
> > simply download a tarball.
> > That is why I thought I could implement my own fetcher, which is way
> > simpler than the update_db_file() in cve-update-db-native.bb which is
> > quite complex.
> >
> 
> They implement the fetcher to feed into sqlite. Which was an error to use,
> in my opinion.

Well, I understand why they did that. It makes a lot of sense. But it has
a lot of limitations, that is why we developed sbom-cve-check.


> AUTOREV isn't great here because it will re-fetch for each build. So if
> you're building multiple images or platforms (in CI or so), you will get
> potentially different results. cve-check has a set of variables to handle
> such use cases. You pin to one specific release and do the whole checking
> with one single common version.

Yes, that is why I initially pushed to use my custom fetcher that is
doing a git pull / shallow clone. With this fetcher I have a full control
on the update period.

But if we want to use the BitBake fetcher, a user could pin to a specific
version instead of using AUTOREV. But the user needs to do that manually.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
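Added illustration of the pinning point discussed above (example recipe text written for this page, not code from the sbom-cve-check series or from any OE-core recipe): the same git-fetcher SRC_URI with `SRCREV = "${AUTOREV}"` resolves a fresh branch tip at every fetch, while an explicit SRCREV makes every image in a CI run check against one database snapshot. The recipe name, the `branch=main` parameter, the all-zero placeholder SRCREV and the LICENSE / LIC_FILES_CHKSUM lines are assumptions, not values taken from the thread.

```bitbake
# Example only (not part of the patch series): a native recipe that fetches
# the CVE list repository with the BitBake git fetcher.
SUMMARY = "CVE database snapshot fetched with the BitBake git fetcher"

# Assumed declaration: the thread notes the cve.org terms of use are
# "basically MIT" but the repository itself ships no license file, so the
# checksum points at the MIT text shipped with OE-core.
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# branch=main is an assumption about the upstream repository layout.
SRC_URI = "git://github.com/CVEProject/cvelistV5.git;protocol=https;branch=main"

# Weak setting (kept commented out): AUTOREV re-resolves the branch tip on
# every fetch, so two images built hours apart can be checked against
# different databases and produce different results.
#SRCREV = "${AUTOREV}"

# Pinned setting: one explicit commit gives every image in the build one
# common database version. The value below is a placeholder; replace it with
# the commit you want the whole build to use.
SRCREV = "0000000000000000000000000000000000000000"
PV = "1.0+git"

# Shallow clone: only the pinned commit is needed, which keeps the download
# and the generated source tarball small for a repository of this size.
BB_GIT_SHALLOW = "1"
BB_GIT_SHALLOW_DEPTH = "1"
BB_GENERATE_SHALLOW_TARBALLS = "1"

inherit native
```

The manual pinning step the reply mentions then reduces to overriding one variable from the build configuration, for example `SRCREV:pn-<recipe-name>-native = "<commit>"` in local.conf (recipe name and commit are placeholders), and bumping it deliberately when a newer database is wanted; with AUTOREV there is no such single point of control.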
Thread overview:
2026-03-09 11:57 [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher Benjamin Robin
2026-03-09 11:57 ` [PATCH RFC 1/2] " Benjamin Robin
2026-03-09 11:57 ` [PATCH RFC 2/2] sbom-cve-check: VEX class is no longer mandatory Benjamin Robin
2026-03-18 17:45 ` [OE-core] [PATCH RFC 0/2] sbom-cve-check: Download CVE DB using BitBake fetcher Richard Purdie
2026-03-19  7:29   ` Marta Rybczynska
2026-03-19  7:52     ` Richard Purdie
2026-03-19  9:07       ` Benjamin Robin
2026-03-19  9:57     ` Benjamin Robin
2026-03-19  8:45   ` Benjamin Robin
2026-03-19  8:58     ` Marta Rybczynska
2026-03-19  9:48       ` Benjamin Robin [this message]
2026-03-19 12:00         ` Marta Rybczynska
2026-03-19 12:03           ` Benjamin Robin