Re: [OE-core] [PATCH] db: correct CVE_PRODUCT

["Chen Qi" <Qi.Chen@windriver.com>]

I think they are two different projects.
https://www.ibm.com/products/db2-database
https://www.oracle.com/database/technologies/related/berkeleydb.html

You can also use the original json file to check.

e.g.
$ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
$ grep -l 'cpe:.*:ibm:db2:' 
~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
/home/qichen/.cvedb/nvdcve-1.1-2010.json
/home/qichen/.cvedb/nvdcve-1.1-2012.json
/home/qichen/.cvedb/nvdcve-1.1-2013.json
/home/qichen/.cvedb/nvdcve-1.1-2014.json
/home/qichen/.cvedb/nvdcve-1.1-2015.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
/home/qichen/.cvedb/nvdcve-1.1-2018.json
/home/qichen/.cvedb/nvdcve-1.1-2019.json
/home/qichen/.cvedb/nvdcve-1.1-2020.json
/home/qichen/.cvedb/nvdcve-1.1-Modified.json

Best Regards,
Chen Qi

On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
> Hi, Mikko, Chen
>
> Now, cve_check can't checkout any cve issues of db. I read new nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that the old name of db is "oracle_berkeley_db".
>
> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
> $
> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
> CVE-2010-0462|ibm|db2|9.1|=||
> CVE-2010-0462|ibm|db2|9.1_fp1|=||
> CVE-2010-0462|ibm|db2|9.1_fp2|=||
> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
> CVE-2010-0462|ibm|db2|9.1_fp3|=||
> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
> CVE-2010-0462|ibm|db2|9.1_fp4|=||
> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
> CVE-2010-0462|ibm|db2|9.1_fp5|=||
> CVE-2010-0462|ibm|db2|9.1_fp6|=||
> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
> CVE-2010-0462|ibm|db2|9.1_fp7|=||
> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
> CVE-2010-0462|ibm|db2|9.1_fp8|=||
> CVE-2010-0462|ibm|db2|9.5|=||
> CVE-2010-0462|ibm|db2|9.5_fp1|=||
> CVE-2010-0462|ibm|db2|9.5_fp2|=||
> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3|=||
> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
> ......
>
> Best regards
> Zheng
>
>
>> -----Original Message-----
>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>> Sent: Monday, April 19, 2021 2:59 PM
>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>> Cc: openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>
>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
>> I wonder if both would need to be there, or if using the new value is sufficient
>> from now on.
>>
>> -Mikko
>>
>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>> ---
>>>   meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>> b/meta/recipes-support/db/db_5.3.28.bb
>>> index 9cb57e6a53..05720053f4 100644
>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>>   LICENSE = "Sleepycat"
>>>   RCONFLICTS_${PN} = "db3"
>>>
>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>> +CVE_PRODUCT = "db2"
>>>   CVE_VERSION = "11.2.${PV}"
>>>
>>>   PR = "r1"
>>> --
>>> 2.25.1
>>>
>>> 
>>>