Re: [Buildroot] [PATCH v4 3/6] support/scripts/nvd_api_v2.py: new helper class

[Thomas Petazzoni via buildroot <buildroot@buildroot.org>]

Hello Daniel,

On Fri,  1 Sep 2023 21:27:11 +0200
Daniel Lang <dalang@gmx.at> wrote:

> The current NVD data feeds used for CVE and CPE checking will be retired
> by 2023-12-05 [0]. Both have to be switched to the new v2 API. Since
> fetching data from both sources workes the same, a common base class is
> used to handle the API interaction.
> With the new API JSON pages are downloaded, meaning that we have to come
> up with a storage solution ourselves. Therefore nvd_api_v2.py manages a
> generic set of methods to initialize and update a sqlite database.
> 
> [0]: https://nvd.nist.gov/General/News/change-timeline
> 
> Signed-off-by: Daniel Lang <dalang@gmx.at>

Thanks for working into this. I wanted to merge this, but taking a
fresh look at this, I don't quite understand the SW design choices
you've made when it comes to splitting between the NVD_API class and
the CVE_API class.

The NVD_API class implements
 - An actual init_db_meta() method
 - A dummy init_db() method
 - A dummy save_to_db() method
 - An actual download() method
 - An actual check_for_updates() method

Then the CVE_API class inherits from NVD_API, which provides the actual
implementation of init_db(), save_to_db() among others.

What is the reasoning behind this? One could think that the NVD_API
class was only related to calling the NVD HTTP API, but it does have
knowledge of the local sqlite database.

So I'm really not clear on this design. Could you provide some details?

Now I see that the CPE_API class also inherits from NVD_API, but I'm
still confused.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot