From: "Chen Qi" <Qi.Chen@windriver.com>
To: "zhengrq.fnst@fujitsu.com" <zhengrq.fnst@fujitsu.com>,
"Mikko.Rapeli@bmw.de" <Mikko.Rapeli@bmw.de>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
Date: Tue, 20 Apr 2021 10:40:50 +0800 [thread overview]
Message-ID: <a7ddce56-bf9e-0c35-e4a7-86c1b07e19e6@windriver.com> (raw)
In-Reply-To: <16776F7A4F5368B1.4443@lists.openembedded.org>
[-- Attachment #1: Type: text/plain, Size: 4148 bytes --]
Hi Zheng,
Looking at it further. I have to say that your observation is correct.
The CVE_PRODUCT for 'db' recipe is not complete.
Both 'oracle_berkeley_db' and 'berkeley_db' are used.
I've sent out a patch to fix it.
Best Regards,
Chen Qi
On 04/20/2021 10:27 AM, Chen Qi wrote:
> I think they are two different projects.
> https://www.ibm.com/products/db2-database
> https://www.oracle.com/database/technologies/related/berkeleydb.html
>
> You can also use the original json file to check.
>
> e.g.
> $ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> $ grep -l 'cpe:.*:ibm:db2:'
> ~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
> /home/qichen/.cvedb/nvdcve-1.1-2010.json
> /home/qichen/.cvedb/nvdcve-1.1-2012.json
> /home/qichen/.cvedb/nvdcve-1.1-2013.json
> /home/qichen/.cvedb/nvdcve-1.1-2014.json
> /home/qichen/.cvedb/nvdcve-1.1-2015.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> /home/qichen/.cvedb/nvdcve-1.1-2018.json
> /home/qichen/.cvedb/nvdcve-1.1-2019.json
> /home/qichen/.cvedb/nvdcve-1.1-2020.json
> /home/qichen/.cvedb/nvdcve-1.1-Modified.json
>
> Best Regards,
> Chen Qi
>
> On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
>> Hi, Mikko, Chen
>>
>> Now, cve_check can't checkout any cve issues of db. I read new
>> nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
>> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that
>> the old name of db is "oracle_berkeley_db".
>>
>> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
>> $
>> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
>> CVE-2010-0462|ibm|db2|9.1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp5|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp8|=||
>> CVE-2010-0462|ibm|db2|9.5|=||
>> CVE-2010-0462|ibm|db2|9.5_fp1|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
>> ......
>>
>> Best regards
>> Zheng
>>
>>
>>> -----Original Message-----
>>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>>> Sent: Monday, April 19, 2021 2:59 PM
>>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>>> Cc: openembedded-core@lists.openembedded.org
>>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>>
>>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>>> So, in order to be handled correctly by CVE check, modify CVE_
>>>> PRODUCT.
>>> Which CVEs, please add an example? In the past oracle_berkeley_db
>>> was used.
>>> I wonder if both would need to be there, or if using the new value
>>> is sufficient
>>> from now on.
>>>
>>> -Mikko
>>>
>>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>>> ---
>>>> meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>>> b/meta/recipes-support/db/db_5.3.28.bb
>>>> index 9cb57e6a53..05720053f4 100644
>>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>>> LICENSE = "Sleepycat"
>>>> RCONFLICTS_${PN} = "db3"
>>>>
>>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>>> +CVE_PRODUCT = "db2"
>>>> CVE_VERSION = "11.2.${PV}"
>>>>
>>>> PR = "r1"
>>>> --
>>>> 2.25.1
>>>>
>>>>
>>>>
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 7722 bytes --]
prev parent reply other threads:[~2021-04-20 2:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
2021-04-19 6:01 ` Chen Qi
2021-04-19 6:59 ` Mikko Rapeli
2021-04-20 1:55 ` zhengruoqin
2021-04-20 2:27 ` Chen Qi
[not found] ` <16776F7A4F5368B1.4443@lists.openembedded.org>
2021-04-20 2:40 ` Chen Qi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a7ddce56-bf9e-0c35-e4a7-86c1b07e19e6@windriver.com \
--to=qi.chen@windriver.com \
--cc=Mikko.Rapeli@bmw.de \
--cc=openembedded-core@lists.openembedded.org \
--cc=zhengrq.fnst@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox