From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Daniel Lang <dalang@gmx.at>
Cc: buildroot@buildroot.org, clement.ramirez@bootlin.com
Subject: Re: [Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0
Date: Thu, 10 Aug 2023 09:07:21 +0200 [thread overview]
Message-ID: <20230810090721.1e052f35@windsurf> (raw)
In-Reply-To: <b1d7fd7a-4959-419b-b7ff-0778b1e99722@gmx.at>
Hello Daniel,

On Thu, 10 Aug 2023 07:50:34 +0200
Daniel Lang <dalang@gmx.at> wrote:

> The problem here is that the new API (even the one for CPEs) constrains us
> to a 6 second timeout between requests [0]. We currently have ~700 packages
> with CPEs. This would come out to 4200 seconds or about 70 minutes, each time
> we run pkg-stats for all packages.
> The only way around this is requesting an API key [1] which allows "50 requests
> in a rolling 30 seconds window". NVD still recommends sleeping in between
> requests...

Agreed, but what you do in the patch series you posted is just fine
IMO: you download the full CPE database, and then we locally check
against it. Your last patch implements exactly what Arnout suggested:
to not check the full CPE including version number, but only the
vendor/product.

> On that "latest release" note, we have a second, probably rarely used,
> use case for CPEs which is support/scripts/gen-missing-cpe.

I'm not sure why you call that "second use-case".

> This script tries to generate an XML structure for each version that
> isn't registered in the database. For this script a lot of
> information about the CPE needs to be stored.

The idea of this script was to be able to contribute new entries to the
official CPE database, by generating the XML file that they require as
input to contribute such new entries. I've never used it myself, and we
would need to submit gazillions of new entries all the time to keep
their CPE database up-to-date.

It could still be useful to have something to contribute new entries,
for those packages that have no entry at all (regardless of their
version number) in the CPE database.

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
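As an added illustration of the locally-checked approach discussed in this thread (example code, not from cve.py or Daniel's series), the snippet below indexes a CPE dictionary in the NVD CPE API 2.0 JSON shape (assumed; the entries are constructed) and reports, per package, whether the exact CPE exists, whether only the vendor/product pair exists, or whether nothing matches at all.

```python
import json
import re

# Constructed sample in the shape of an NVD CPE API 2.0 response; the real
# input would be the full, locally downloaded dictionary.
SAMPLE_CPE_DICT = json.dumps({
    "products": [
        {"cpe": {"cpeName": "cpe:2.3:a:openssl:openssl:3.1.1:*:*:*:*:*:*:*", "deprecated": False}},
        {"cpe": {"cpeName": "cpe:2.3:a:openssl:openssl:3.1.2:*:*:*:*:*:*:*", "deprecated": False}},
        {"cpe": {"cpeName": "cpe:2.3:a:busybox:busybox:1.36.0:*:*:*:*:*:*:*", "deprecated": False}},
    ]
})

# Constructed package -> CPE ID mapping (not taken from the Buildroot tree).
PACKAGES = {
    "openssl": "cpe:2.3:a:openssl:openssl:3.1.2:*:*:*:*:*:*:*",
    "busybox": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
    "foo":     "cpe:2.3:a:example:foo:1.0:*:*:*:*:*:*:*",
}

def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields, honouring '\\:' escapes."""
    fields = re.split(r'(?<!\\):', cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields

def load_cpe_dict(text):
    """Index the dictionary twice: exact names, and (vendor, product) pairs."""
    full, vendor_product = set(), set()
    for entry in json.loads(text)["products"]:
        cpe = entry["cpe"]
        if cpe.get("deprecated"):
            continue  # deprecated names should not count as a match
        f = split_cpe(cpe["cpeName"])
        full.add(cpe["cpeName"])
        vendor_product.add((f[3], f[4]))
    return full, vendor_product

def classify(packages, full, vendor_product):
    """Map each package to 'ok', 'version-missing' or 'unknown'."""
    result = {}
    for pkg, cpe in packages.items():
        f = split_cpe(cpe)
        if cpe in full:
            result[pkg] = "ok"               # full CPE incl. version is registered
        elif (f[3], f[4]) in vendor_product:
            result[pkg] = "version-missing"  # vendor/product known, this version is not
        else:
            result[pkg] = "unknown"          # no entry at all for this vendor/product
    return result
```

The "version-missing" bucket is the one that the vendor/product-only check treats as a match, while "unknown" is the set that gen-missing-cpe would still have to cover.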