[OE-core] [PATCH] db: correct CVE

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [OE-core] [PATCH] db: correct CVE_PRODUCT
@ 2021-04-19 13:45 zhengruoqin
  2021-04-19  6:01 ` Chen Qi
  2021-04-19  6:59 ` Mikko Rapeli
  0 siblings, 2 replies; 6+ messages in thread
From: zhengruoqin @ 2021-04-19 13:45 UTC (permalink / raw)
  To: openembedded-core

In the CVE database, now it use db2 instead of oracle_berkeley_db.
So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
---
 meta/recipes-support/db/db_5.3.28.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6a53..05720053f4 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
 LICENSE = "Sleepycat"
 RCONFLICTS_${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "db2"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
  2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
@ 2021-04-19  6:01 ` Chen Qi
  2021-04-19  6:59 ` Mikko Rapeli
  1 sibling, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-19  6:01 UTC (permalink / raw)
  To: zhengruoqin, openembedded-core

[-- Attachment #1: Type: text/plain, Size: 915 bytes --]

Which ones?

Regards,
Chen Qi

On 04/19/2021 09:45 PM, zhengruoqin wrote:
> In the CVE database, now it use db2 instead of oracle_berkeley_db.
> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>
> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> ---
>   meta/recipes-support/db/db_5.3.28.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..05720053f4 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
>   LICENSE = "Sleepycat"
>   RCONFLICTS_${PN} = "db3"
>   
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "db2"
>   CVE_VERSION = "11.2.${PV}"
>   
>   PR = "r1"
>
>
> 
>


[-- Attachment #2: Type: text/html, Size: 1661 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
  2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
  2021-04-19  6:01 ` Chen Qi
@ 2021-04-19  6:59 ` Mikko Rapeli
  2021-04-20  1:55   ` zhengruoqin
  1 sibling, 1 reply; 6+ messages in thread
From: Mikko Rapeli @ 2021-04-19  6:59 UTC (permalink / raw)
  To: zhengrq.fnst; +Cc: openembedded-core

On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
> In the CVE database, now it use db2 instead of oracle_berkeley_db.
> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.

Which CVEs, please add an example? In the past oracle_berkeley_db was used.
I wonder if both would need to be there, or if using the new value is
sufficient from now on.

-Mikko

> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..05720053f4 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
>  LICENSE = "Sleepycat"
>  RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "db2"
>  CVE_VERSION = "11.2.${PV}"
>
>  PR = "r1"
> -- 
> 2.25.1
> 

> 
> 
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
  2021-04-19  6:59 ` Mikko Rapeli
@ 2021-04-20  1:55   ` zhengruoqin
  2021-04-20  2:27     ` Chen Qi
       [not found]     ` <16776F7A4F5368B1.4443@lists.openembedded.org>
  0 siblings, 2 replies; 6+ messages in thread
From: zhengruoqin @ 2021-04-20  1:55 UTC (permalink / raw)
  To: Mikko.Rapeli@bmw.de, ChenQi; +Cc: openembedded-core@lists.openembedded.org

Hi, Mikko, Chen

Now, cve_check can't checkout any cve issues of db. I read new nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that the old name of db is "oracle_berkeley_db".

$ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log 
$ 
$ grep "|db2|" SELECT_FROM_PRODUCTS.log
CVE-2010-0462|ibm|db2|9.1|=||
CVE-2010-0462|ibm|db2|9.1_fp1|=||
CVE-2010-0462|ibm|db2|9.1_fp2|=||
CVE-2010-0462|ibm|db2|9.1_fp2a|=||
CVE-2010-0462|ibm|db2|9.1_fp3|=||
CVE-2010-0462|ibm|db2|9.1_fp3a|=||
CVE-2010-0462|ibm|db2|9.1_fp4|=||
CVE-2010-0462|ibm|db2|9.1_fp4a|=||
CVE-2010-0462|ibm|db2|9.1_fp5|=||
CVE-2010-0462|ibm|db2|9.1_fp6|=||
CVE-2010-0462|ibm|db2|9.1_fp6a|=||
CVE-2010-0462|ibm|db2|9.1_fp7|=||
CVE-2010-0462|ibm|db2|9.1_fp7a|=||
CVE-2010-0462|ibm|db2|9.1_fp8|=||
CVE-2010-0462|ibm|db2|9.5|=||
CVE-2010-0462|ibm|db2|9.5_fp1|=||
CVE-2010-0462|ibm|db2|9.5_fp2|=||
CVE-2010-0462|ibm|db2|9.5_fp2a|=||
CVE-2010-0462|ibm|db2|9.5_fp3|=||
CVE-2010-0462|ibm|db2|9.5_fp3a|=||
CVE-2010-0462|ibm|db2|9.5_fp3b|=||
......

Best regards
Zheng


> -----Original Message-----
> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
> Sent: Monday, April 19, 2021 2:59 PM
> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
> 
> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
> > In the CVE database, now it use db2 instead of oracle_berkeley_db.
> > So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
> 
> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
> I wonder if both would need to be there, or if using the new value is sufficient
> from now on.
> 
> -Mikko
> 
> > Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb
> > b/meta/recipes-support/db/db_5.3.28.bb
> > index 9cb57e6a53..05720053f4 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE =
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS_${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db"
> > +CVE_PRODUCT = "db2"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
> > --
> > 2.25.1
> >
> 
> >
> > 
> >

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
  2021-04-20  1:55   ` zhengruoqin
@ 2021-04-20  2:27     ` Chen Qi
       [not found]     ` <16776F7A4F5368B1.4443@lists.openembedded.org>
  1 sibling, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-20  2:27 UTC (permalink / raw)
  To: zhengrq.fnst@fujitsu.com, Mikko.Rapeli@bmw.de
  Cc: openembedded-core@lists.openembedded.org

I think they are two different projects.
https://www.ibm.com/products/db2-database
https://www.oracle.com/database/technologies/related/berkeleydb.html

You can also use the original json file to check.

e.g.
$ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
$ grep -l 'cpe:.*:ibm:db2:' 
~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
/home/qichen/.cvedb/nvdcve-1.1-2010.json
/home/qichen/.cvedb/nvdcve-1.1-2012.json
/home/qichen/.cvedb/nvdcve-1.1-2013.json
/home/qichen/.cvedb/nvdcve-1.1-2014.json
/home/qichen/.cvedb/nvdcve-1.1-2015.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
/home/qichen/.cvedb/nvdcve-1.1-2018.json
/home/qichen/.cvedb/nvdcve-1.1-2019.json
/home/qichen/.cvedb/nvdcve-1.1-2020.json
/home/qichen/.cvedb/nvdcve-1.1-Modified.json

Best Regards,
Chen Qi

On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
> Hi, Mikko, Chen
>
> Now, cve_check can't checkout any cve issues of db. I read new nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that the old name of db is "oracle_berkeley_db".
>
> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
> $
> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
> CVE-2010-0462|ibm|db2|9.1|=||
> CVE-2010-0462|ibm|db2|9.1_fp1|=||
> CVE-2010-0462|ibm|db2|9.1_fp2|=||
> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
> CVE-2010-0462|ibm|db2|9.1_fp3|=||
> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
> CVE-2010-0462|ibm|db2|9.1_fp4|=||
> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
> CVE-2010-0462|ibm|db2|9.1_fp5|=||
> CVE-2010-0462|ibm|db2|9.1_fp6|=||
> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
> CVE-2010-0462|ibm|db2|9.1_fp7|=||
> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
> CVE-2010-0462|ibm|db2|9.1_fp8|=||
> CVE-2010-0462|ibm|db2|9.5|=||
> CVE-2010-0462|ibm|db2|9.5_fp1|=||
> CVE-2010-0462|ibm|db2|9.5_fp2|=||
> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3|=||
> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
> ......
>
> Best regards
> Zheng
>
>
>> -----Original Message-----
>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>> Sent: Monday, April 19, 2021 2:59 PM
>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>> Cc: openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>
>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
>> I wonder if both would need to be there, or if using the new value is sufficient
>> from now on.
>>
>> -Mikko
>>
>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>> ---
>>>   meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>> b/meta/recipes-support/db/db_5.3.28.bb
>>> index 9cb57e6a53..05720053f4 100644
>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>>   LICENSE = "Sleepycat"
>>>   RCONFLICTS_${PN} = "db3"
>>>
>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>> +CVE_PRODUCT = "db2"
>>>   CVE_VERSION = "11.2.${PV}"
>>>
>>>   PR = "r1"
>>> --
>>> 2.25.1
>>>
>>> 
>>>


^ permalink raw reply	[flat|nested] 6+ messages in thread

[parent not found: <16776F7A4F5368B1.4443@lists.openembedded.org>]

* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
       [not found]     ` <16776F7A4F5368B1.4443@lists.openembedded.org>
@ 2021-04-20  2:40       ` Chen Qi
  0 siblings, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-20  2:40 UTC (permalink / raw)
  To: zhengrq.fnst@fujitsu.com, Mikko.Rapeli@bmw.de
  Cc: openembedded-core@lists.openembedded.org

[-- Attachment #1: Type: text/plain, Size: 4148 bytes --]

Hi Zheng,

Looking at it further. I have to say that your observation is correct. 
The CVE_PRODUCT for 'db' recipe is not complete.
Both 'oracle_berkeley_db' and 'berkeley_db' are used.
I've sent out a patch to fix it.

Best Regards,
Chen Qi

On 04/20/2021 10:27 AM, Chen Qi wrote:
> I think they are two different projects.
> https://www.ibm.com/products/db2-database
> https://www.oracle.com/database/technologies/related/berkeleydb.html
>
> You can also use the original json file to check.
>
> e.g.
> $ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> $ grep -l 'cpe:.*:ibm:db2:' 
> ~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
> /home/qichen/.cvedb/nvdcve-1.1-2010.json
> /home/qichen/.cvedb/nvdcve-1.1-2012.json
> /home/qichen/.cvedb/nvdcve-1.1-2013.json
> /home/qichen/.cvedb/nvdcve-1.1-2014.json
> /home/qichen/.cvedb/nvdcve-1.1-2015.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> /home/qichen/.cvedb/nvdcve-1.1-2018.json
> /home/qichen/.cvedb/nvdcve-1.1-2019.json
> /home/qichen/.cvedb/nvdcve-1.1-2020.json
> /home/qichen/.cvedb/nvdcve-1.1-Modified.json
>
> Best Regards,
> Chen Qi
>
> On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
>> Hi, Mikko, Chen
>>
>> Now, cve_check can't checkout any cve issues of db. I read new 
>> nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
>> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that 
>> the old name of db is "oracle_berkeley_db".
>>
>> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
>> $
>> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
>> CVE-2010-0462|ibm|db2|9.1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp5|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp8|=||
>> CVE-2010-0462|ibm|db2|9.5|=||
>> CVE-2010-0462|ibm|db2|9.5_fp1|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
>> ......
>>
>> Best regards
>> Zheng
>>
>>
>>> -----Original Message-----
>>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>>> Sent: Monday, April 19, 2021 2:59 PM
>>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>>> Cc: openembedded-core@lists.openembedded.org
>>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>>
>>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>>> So, in order to be handled correctly by CVE check, modify CVE_ 
>>>> PRODUCT.
>>> Which CVEs, please add an example? In the past oracle_berkeley_db 
>>> was used.
>>> I wonder if both would need to be there, or if using the new value 
>>> is sufficient
>>> from now on.
>>>
>>> -Mikko
>>>
>>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>>> ---
>>>>   meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>>> b/meta/recipes-support/db/db_5.3.28.bb
>>>> index 9cb57e6a53..05720053f4 100644
>>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>>>   LICENSE = "Sleepycat"
>>>>   RCONFLICTS_${PN} = "db3"
>>>>
>>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>>> +CVE_PRODUCT = "db2"
>>>>   CVE_VERSION = "11.2.${PV}"
>>>>
>>>>   PR = "r1"
>>>> -- 
>>>> 2.25.1
>>>>
>>>>
>>>>
>
>
>
> 
>


[-- Attachment #2: Type: text/html, Size: 7722 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-04-20  2:32 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
2021-04-19  6:01 ` Chen Qi
2021-04-19  6:59 ` Mikko Rapeli
2021-04-20  1:55   ` zhengruoqin
2021-04-20  2:27     ` Chen Qi
     [not found]     ` <16776F7A4F5368B1.4443@lists.openembedded.org>
2021-04-20  2:40       ` Chen Qi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox