From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 19/34] cve-update-db-native: add the fkie source
Date: Thu, 19 Feb 2026 21:34:28 -0800 [thread overview]
Message-ID: <20260220053443.3006180-19-hetpat@cisco.com> (raw)
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
From: Marta Rybczynska <rybczynska@gmail.com>
Add support for FKIE-CAD reconstruction of NVD feed from
https://github.com/fkie-cad/nvd-json-data-feeds
We download this feed directly from github releases.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6253ac8189db09fbe87141aca1733cb37a4d78f)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
.../recipes-core/meta/cve-update-db-native.bb | 126 ++++++++++++++++--
1 file changed, 113 insertions(+), 13 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 3a9d43943c..792252f510 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -12,6 +12,8 @@ deltask do_install
deltask do_populate_sysroot
NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+FKIE_URL ?= "https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-"
+
# CVE database update interval, in seconds. By default: once a day (24*60*60).
# Use 0 to force the update
# Use a negative value to skip the update
@@ -109,6 +111,30 @@ def cleanup_db_download(db_file, db_tmp_file):
if os.path.exists(db_tmp_file):
os.remove(db_tmp_file)
+def db_file_names(d, year, is_nvd):
+ if is_nvd:
+ year_url = d.getVar('NVDCVE_URL') + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.gz"
+ return json_url, meta_url
+ year_url = d.getVar('FKIE_URL') + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.xz"
+ return json_url, meta_url
+
+def host_db_name(d, is_nvd):
+ if is_nvd:
+ return "nvd.nist.gov"
+ return "github.com"
+
+def db_decompress(d, data, is_nvd):
+ import gzip, lzma
+
+ if is_nvd:
+ return gzip.decompress(data).decode('utf-8')
+ # otherwise
+ return lzma.decompress(data)
+
def update_db_file(db_tmp_file, d):
"""
Update the given database file
@@ -119,6 +145,7 @@ def update_db_file(db_tmp_file, d):
YEAR_START = 2002
cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+ is_nvd = d.getVar("NVD_DB_VERSION") == "NVD1"
# Connect to database
conn = sqlite3.connect(db_tmp_file)
@@ -129,9 +156,7 @@ def update_db_file(db_tmp_file, d):
for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
bb.debug(2, "Updating %d" % year)
ph.update((float(i + 1) / total_years) * 100)
- year_url = (d.getVar('NVDCVE_URL')) + str(year)
- meta_url = year_url + ".meta"
- json_url = year_url + ".json.gz"
+ json_url, meta_url = db_file_names(d, year, is_nvd)
# Retrieve meta last modified date
try:
@@ -140,7 +165,7 @@ def update_db_file(db_tmp_file, d):
cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
bb.warn("Failed to fetch CVE data (%s)" % e)
import socket
- result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+ result = socket.getaddrinfo(host_db_name(d, is_nvd), 443, proto=socket.IPPROTO_TCP)
bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
return False
@@ -168,7 +193,7 @@ def update_db_file(db_tmp_file, d):
try:
response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
if response:
- update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+ update_db(d, conn, db_decompress(d, response.read(), is_nvd))
conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
except urllib.error.URLError as e:
cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
@@ -200,16 +225,22 @@ def initialize_db(conn):
c.close()
-def parse_node_and_insert(conn, node, cveId):
+def parse_node_and_insert(conn, node, cveId, is_nvd):
# Parse children node if needed
for child in node.get('children', ()):
- parse_node_and_insert(conn, child, cveId)
+ parse_node_and_insert(conn, child, cveId, is_nvd)
+
+ def cpe_generator(is_nvd):
+ match_string = "cpeMatch"
+ cpe_string = 'criteria'
+ if is_nvd:
+ match_string = "cpe_match"
+ cpe_string = 'cpe23Uri'
- def cpe_generator():
- for cpe in node.get('cpe_match', ()):
+ for cpe in node.get(match_string, ()):
if not cpe['vulnerable']:
return
- cpe23 = cpe.get('cpe23Uri')
+ cpe23 = cpe.get(cpe_string)
if not cpe23:
return
cpe23 = cpe23.split(':')
@@ -260,9 +291,9 @@ def parse_node_and_insert(conn, node, cveId):
# Save processing by representing as -.
yield [cveId, vendor, product, '-', '', '', '']
- conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+ conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator(is_nvd)).close()
-def update_db(conn, jsondata):
+def update_db_nvdjson(conn, jsondata):
import json
root = json.loads(jsondata)
@@ -297,8 +328,77 @@ def update_db(conn, jsondata):
configurations = elt['configurations']['nodes']
for config in configurations:
- parse_node_and_insert(conn, config, cveId)
+ parse_node_and_insert(conn, config, cveId, True)
+
+def update_db_fkie(conn, jsondata):
+ import json
+ root = json.loads(jsondata)
+
+ for elt in root['cve_items']:
+ if not 'vulnStatus' in elt or elt['vulnStatus'] == 'Rejected':
+ continue
+
+ if not 'configurations' in elt:
+ continue
+
+ accessVector = None
+ vectorString = None
+ cvssv2 = 0.0
+ cvssv3 = 0.0
+ cvssv4 = 0.0
+ cveId = elt['id']
+ cveDesc = elt['descriptions'][0]['value']
+ date = elt['lastModified']
+ try:
+ for m in elt['metrics']['cvssMetricV2']:
+ if m['type'] == 'Primary':
+ accessVector = m['cvssData']['accessVector']
+ vectorString = m['cvssData']['vectorString']
+ cvssv2 = m['cvssData']['baseScore']
+ except KeyError:
+ cvssv2 = 0.0
+ try:
+ for m in elt['metrics']['cvssMetricV30']:
+ if m['type'] == 'Primary':
+ accessVector = m['cvssData']['accessVector']
+ vectorString = m['cvssData']['vectorString']
+ cvssv3 = m['cvssData']['baseScore']
+ except KeyError:
+ accessVector = accessVector or "UNKNOWN"
+ cvssv3 = 0.0
+ try:
+ for m in elt['metrics']['cvssMetricV31']:
+ if m['type'] == 'Primary':
+ accessVector = m['cvssData']['accessVector']
+ vectorString = m['cvssData']['vectorString']
+ cvssv3 = m['cvssData']['baseScore']
+ except KeyError:
+ accessVector = accessVector or "UNKNOWN"
+ cvssv3 = 0.0
+ try:
+ for m in elt['metrics']['cvssMetricV40']:
+ if m['type'] == 'Primary':
+ accessVector = m['cvssData']['accessVector']
+ vectorString = m['cvssData']['vectorString']
+ cvssv4 = m['cvssData']['baseScore']
+ except KeyError:
+ accessVector = accessVector or "UNKNOWN"
+ cvssv4 = 0.0
+ conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
+
+ for config in elt['configurations']:
+ # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+ for node in config["nodes"]:
+ parse_node_and_insert(conn, node, cveId, False)
+
+
+def update_db(d, conn, jsondata):
+ if (d.getVar("NVD_DB_VERSION") == "FKIE"):
+ return update_db_fkie(conn, jsondata)
+ else:
+ return update_db_nvdjson(conn, jsondata)
do_fetch[nostamp] = "1"
next prev parent reply other threads:[~2026-02-20 5:34 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 5:34 [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 02/34] cve_check: Update selftest with new status detail Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 03/34] cve-check: annotate CVEs during analysis Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 04/34] cve-check-map: add new statuses Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 05/34] selftest: add test_product_match Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 06/34] cve-check: remove the TEXT format support Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 07/34] cve-check-update-nvd2-native: Incremement DL_DIR database location Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 08/34] cve-check: add field "modified" to JSON report Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 09/34] cve-check: do not skip cve status description after : Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 10/34] cve-check: fix malformed cve status description with : characters Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 11/34] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 12/34] cve-check: fix cvesInRecord Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 13/34] cve-check: Fix errors in log lines Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 14/34] cve-check: Rework patch parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 15/34] meta/lib/oe/cve_check.py: fix patched_cves not updated Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 16/34] cve-check: allow feed choice Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 17/34] cve-update-db-native: restore Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 18/34] cve-update-db-native: update structure Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 20/34] cve-check: change the default feed Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 21/34] cve-check: fix debug message Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 22/34] spdx30: Allow VEX Justification to be configurable Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 23/34] cve-update-db-native: fix fetcher for CVEs missing nodes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 24/34] cve-update-db-native: Use a local copy of the database during builds Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 25/34] cve-update-db-native: Handle BB_NO_NETWORK and missing db Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 26/34] cve-update-db-native: log a little more Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 27/34] cve-update: decrease update interval to 23 hours Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 28/34] cve-update: remove cleanup of db_file in downloads Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 29/34] cve-update-db-native: Fix FKIE CVE accessVector parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 30/34] cve-update-db-native: FKIE CVE parsing: Use Secondary metric Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 31/34] cve-update: log timestamps and add force update for future time Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 32/34] cve-update-db-native: pycodestyle fixes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 33/34] cve-update-nvd2-native: " Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 34/34] cve-update: Avoid NFS caching issues Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-23 9:46 ` [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS Paul Barker
2026-02-23 12:31 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-03 9:09 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-05 13:13 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260220053443.3006180-19-hetpat@cisco.com \
--to=hetpat@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=vchavda@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox