* [PATCH] cve-check: fetch CVE data once at a time instead of in a single call
@ 2019-11-13 15:35 Ross Burton
2019-11-13 16:02 ` ✗ patchtest: failure for " Patchwork
0 siblings, 1 reply; 2+ messages in thread
From: Ross Burton @ 2019-11-13 15:35 UTC (permalink / raw)
To: openembedded-core
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested. For recipes such as the kernel where there are over 2000
CVEs to report this can hit limits in older sqlite releases and the query fails
with "sqlite3.OperationalError: too many SQL variables".
As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time
different is insignificant: 0.05s verses 0.01s on my machine.
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
meta/classes/cve-check.bbclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d9ded..f23f683ae80 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves):
cve_data = {}
conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
- placeholders = ",".join("?" * len(cves))
- query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
- for row in conn.execute(query, tuple(cves)):
+
+ for cve in cves:
+ row = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)).fetchone()
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
cve_data[row[0]]["scorev2"] = row[2]
cve_data[row[0]]["scorev3"] = row[3]
cve_data[row[0]]["modified"] = row[4]
cve_data[row[0]]["vector"] = row[5]
- conn.close()
+ conn.close()
return cve_data
def cve_write_data(d, patched, unpatched, cve_data):
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* ✗ patchtest: failure for cve-check: fetch CVE data once at a time instead of in a single call
2019-11-13 15:35 [PATCH] cve-check: fetch CVE data once at a time instead of in a single call Ross Burton
@ 2019-11-13 16:02 ` Patchwork
0 siblings, 0 replies; 2+ messages in thread
From: Patchwork @ 2019-11-13 16:02 UTC (permalink / raw)
To: Ross Burton; +Cc: openembedded-core
== Series Details ==
Series: cve-check: fetch CVE data once at a time instead of in a single call
Revision: 1
URL : https://patchwork.openembedded.org/series/21124/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Series does not apply on top of target branch [test_series_merge_on_head]
Suggested fix Rebase your series on top of targeted branch
Targeted branch master (currently at 4dc804b2de)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-13 16:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-13 15:35 [PATCH] cve-check: fetch CVE data once at a time instead of in a single call Ross Burton
2019-11-13 16:02 ` ✗ patchtest: failure for " Patchwork
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.