[Buildroot] [autobuild.buildroot.net] Your daily results for 2020-09-06

[Buildroot] [autobuild.buildroot.net] Your daily results for 2020-09-06

[Thomas Petazzoni]

Hello Aleksander,

On Mon, 07 Sep 2020 18:51:48 +0200
Alexander Egorenkov <egorenar-dev@posteo.net> wrote:

> >     arch     |             reason             |                                       url                                      
> > -------------+--------------------------------+---------------------------------------------------------------------------------
> >    mipsel    |       makedumpfile-1.6.7       | http://autobuild.buildroot.net/results/a8dacb1cc74e181c6b19b7fb4731899805bc47aa
> >     sh4      |       makedumpfile-1.6.7       | http://autobuild.buildroot.net/results/0e20c17bd604ee1168cc379061c120a2d8263e5f
> >   nds32le    |       makedumpfile-1.6.7       | http://autobuild.buildroot.net/results/000f622085b5b54c1b7f59d0c41ce1480c28b68e
>
> wasn't it fixed by commit
> 
> commit 34b3a071a0b038870379244a2c2264d8802e41a3
> Author: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> Date:   Sun Sep 6 10:00:28 2020 +0200
> 
>     package/makedumpfile: add BR2_PACKAGE_MAKEDUMPFILE_ARCH_SUPPORTS

All those build results were generated *before* the commit you mention.
If you take the build result URL, for example:

  http://autobuild.buildroot.net/results/a8dacb1cc74e181c6b19b7fb4731899805bc47aa

Then you can see a file called "gitid" which shows at which Buildroot
commit this build was done. In this case:
3d0c31633d170406ffd1678d56b7ca34aac0ee68, which predates when the
makedumpfile fix was committed.

The builds of our autobuilders are done 24/7, and each morning
(European time) we send an e-mail which notifies developers of the
builds that occurred during the past day (i.e between midnight and
midnight, European time). Therefore, it is possible to be notified of
build failures that have already been fixed in the mean time.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [autobuild.buildroot.net] Your daily results for 2020-09-06

[Ryan Barnett]

Hello,

It appears that there may be an issue with how the CVE scanning script
is working with buildroot as it is detecting that there is a CVE
vulnerability with resiprocate package when the version which is in
buildroot 1.12.0 includes this CVE fix as described in the debian
security tracker and in the nvd.nist.gov website:

https://nvd.nist.gov/vuln/detail/CVE-2017-9454

Does the automated script not handle the minor version such as "beta"
or "alpha" which is present in some of the versions listed in the
nvd.nist.gov website?

I'm not familiar with the scripts and don't have time to dig into it
but I feel like there is something missing here as I don't believe the
right fix to is put the IGNORE_CVE for this one in the package.

Thanks,
-Ryan

On Mon, Sep 7, 2020 at 2:10 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting
> them, which means a security vulnerability exists for
> those packages.
>
>              name              |       CVE        |                             link
> -------------------------------+------------------+--------------------------------------------------------------
>                    resiprocate | CVE-2017-9454    | https://security-tracker.debian.org/tracker/CVE-2017-9454
>
> --
> http://autobuild.buildroot.net