* do_populate_cve_db: Error in executing cve-check-update
@ 2017-02-06 14:43 Sona Sarmadi
  2017-02-06 14:56 ` Burton, Ross
  0 siblings, 1 reply; 5+ messages in thread
From: Sona Sarmadi @ 2017-02-06 14:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: 'mariano.lopez@intel.com'

Hi all,


Does anyone know if there is an issue with the cve-check tool on the master branch?

It seems that "cve-check-update -d" fails; does anyone know why?
poky/build-cve-check$ bitbake -k -c cve_check universe


WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Error in executing cve-check-update
WARNING: cve-check-tool-native-5.6.4-r0 do_populate_cve_db: Failed to update cve-check-tool database, CVEs won't be checked



do_populate_cve_db() {
    if [ "${BB_NO_NETWORK}" = "1" ] ; then
        bberror "BB_NO_NETWORK is set; Can't update cve-check-tool database, CVEs won't be checked"
        return
    fi

    # In case we don't inherit cve-check class, use default values defined in the class.
    cve_dir="${CVE_CHECK_DB_DIR}"
    cve_file="${CVE_CHECK_TMP_FILE}"

    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"

    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
    if cve-check-update -d "$cve_dir" ; then
        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
    else
        bbwarn "Error in executing cve-check-update"  # <<<<<<<<<<<<<<<<<<<<<<<<<
        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"    # <<<<<<<<<<<<<<<<<<<<<<
        fi
    fi
}

Thanks
//Sona



* Re: do_populate_cve_db: Error in executing cve-check-update
  2017-02-06 14:43 do_populate_cve_db: Error in executing cve-check-update Sona Sarmadi
@ 2017-02-06 14:56 ` Burton, Ross
  2017-02-06 15:17   ` Jussi Kukkonen
  0 siblings, 1 reply; 5+ messages in thread
From: Burton, Ross @ 2017-02-06 14:56 UTC (permalink / raw)
  To: Sona Sarmadi; +Cc: mariano.lopez, openembedded-core


On 6 February 2017 at 14:43, Sona Sarmadi <sona.sarmadi@enea.com> wrote:

>     bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
>     if cve-check-update -d "$cve_dir" ; then
>         printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
>     else
>         bbwarn "Error in executing cve-check-update"  <<<<<<<<<<<<<<<<<<<<<<<<<
>

This definitely needs to be rewritten so you can see the output if it
fails.  Just run cve-check-update -d <dir> yourself and see what it says.
Last time I had this failing it was because the mitre servers were offline.

Ross


* Re: do_populate_cve_db: Error in executing cve-check-update
  2017-02-06 14:56 ` Burton, Ross
@ 2017-02-06 15:17   ` Jussi Kukkonen
  2017-02-07 15:07     ` Mariano Lopez
  0 siblings, 1 reply; 5+ messages in thread
From: Jussi Kukkonen @ 2017-02-06 15:17 UTC (permalink / raw)
  To: Burton, Ross; +Cc: openembedded-core, mariano.lopez


On 6 February 2017 at 16:56, Burton, Ross <ross.burton@intel.com> wrote:

>
> On 6 February 2017 at 14:43, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>
>>     bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
>>     if cve-check-update -d "$cve_dir" ; then
>>         printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
>>     else
>>         bbwarn "Error in executing cve-check-update"  <<<<<<<<<<<<<<<<<<<<<<<<<
>>
>
> This definitely needs to be rewritten so you can see the output if it
> fails.  Just run cve-check-update -d <dir> yourself and see what it says.
> Last time I had this failing it was because the mitre servers were offline.
>

Agreed about the error output.

I think recipe specific sysroots broke the setup somehow (so the tools are
not actually in sysroot when they're needed). I'm taking a look at this
tomorrow.

Jussi


* Re: do_populate_cve_db: Error in executing cve-check-update
  2017-02-06 15:17   ` Jussi Kukkonen
@ 2017-02-07 15:07     ` Mariano Lopez
  2017-02-07 16:49       ` Jussi Kukkonen
  0 siblings, 1 reply; 5+ messages in thread
From: Mariano Lopez @ 2017-02-07 15:07 UTC (permalink / raw)
  To: Jussi Kukkonen, Burton, Ross; +Cc: mariano.lopez, openembedded-core




On 06/02/17 09:17, Jussi Kukkonen wrote:
>
>
> On 6 February 2017 at 16:56, Burton, Ross <ross.burton@intel.com> wrote:
>
>
>     On 6 February 2017 at 14:43, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>
>             bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
>             if cve-check-update -d "$cve_dir" ; then
>                 printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
>             else
>                 bbwarn "Error in executing cve-check-update"  <<<<<<<<<<<<<<<<<<<<<<<<<
>
>
>     This definitely needs to be rewritten so you can see the output if
>     it fails.  Just run cve-check-update -d <dir> yourself and see
>     what it says.  Last time I had this failing it was because the
>     mitre servers were offline.
>
>
> Agreed about the error output.

Also you need to patch the tool, most of the time there is no output
from it; I think Ikey would integrate those patches without hesitation.

>
> I think recipe specific sysroots broke the setup somehow (so the tools
> are not actually in sysroot when they're needed). I'm taking a look at
> this tomorrow.

I tried today, but I'm having a hard time with the proxies (like always)
so I can't really verify this. Were you able to check?

Mariano


* Re: do_populate_cve_db: Error in executing cve-check-update
  2017-02-07 15:07     ` Mariano Lopez
@ 2017-02-07 16:49       ` Jussi Kukkonen
  0 siblings, 0 replies; 5+ messages in thread
From: Jussi Kukkonen @ 2017-02-07 16:49 UTC (permalink / raw)
  To: Mariano Lopez; +Cc: mariano.lopez, openembedded-core


On 7 February 2017 at 17:07, Mariano Lopez <mariano.lopez@linux.intel.com>
wrote:

> On 06/02/17 09:17, Jussi Kukkonen wrote:
>
>
>
> On 6 February 2017 at 16:56, Burton, Ross <ross.burton@intel.com> wrote:
>
>>
>> On 6 February 2017 at 14:43, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
>>
>>>     bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
>>>     if cve-check-update -d "$cve_dir" ; then
>>>         printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
>>>     else
>>>         bbwarn "Error in executing cve-check-update"  <<<<<<<<<<<<<<<<<<<<<<<<<
>>>
>>
>> This definitely needs to be rewritten so you can see the output if it
>> fails.  Just run cve-check-update -d <dir> yourself and see what it says.
>> Last time I had this failing it was because the mitre servers were offline.
>>
>
> Agreed about the error output.
>
>
> Also you need to patch the tool, most of the time there is no output from
> it; I think Ikey would integrate those patches without hesitation.
>

I don't know... the branch we're using is called 'legacy-tool' and is quite
different from master (which isn't usable).


> I think recipe specific sysroots broke the setup somehow (so the tools are
> not actually in sysroot when they're needed). I'm taking a look at this
> tomorrow.
>
>
> I tried today, but I'm having a hard time with the proxies (like always)
> so I can't really verify this. Were you able to check?
>

Yes, the problem is indeed that cve-check-update is not found when
do_populate_cve_db() is run. In addition to that curl-native is currently
broken by recipe-specific sysroots as well (CA certificates are looked for
in the wrong place) and this makes all downloads in cve-check-tool fail.

TL;DR: working on it.

Jussi
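
Added example, not part of the thread and not OE-Core code: a plain-sh sketch of the update step that reports why it failed, covering the request above to show the tool's output and the case diagnosed above where cve-check-update is not found when the task runs. `run_cve_update`, `CVE_UPDATE_ERR` and the `bbwarn` stand-in are hypothetical names; only the `cve-check-update -d <dir>` invocation and the timestamp line come from the thread.

```shell
#!/bin/sh
# Stand-in for BitBake's bbwarn so the sketch runs outside a build (assumption).
bbwarn() { printf 'WARNING: %s\n' "$*" >&2; }

# run_cve_update TOOL DB_DIR STAMP_FILE   (hypothetical helper, not OE-Core code)
# Returns 0 on success, 127 if TOOL is not on PATH, otherwise TOOL's exit status.
# The diagnostic is sent to bbwarn and left in CVE_UPDATE_ERR for the caller.
run_cve_update() {
    tool=$1; cve_dir=$2; cve_file=$3
    CVE_UPDATE_ERR=

    # Case diagnosed in the thread: the binary is not reachable when the task runs.
    if ! command -v "$tool" >/dev/null 2>&1; then
        CVE_UPDATE_ERR="$tool not found in PATH=$PATH"
        bbwarn "$CVE_UPDATE_ERR"
        return 127
    fi

    # Keep stdout and stderr; the && / || form stays safe under 'set -e'.
    output=$("$tool" -d "$cve_dir" 2>&1) && status=0 || status=$?

    if [ "$status" -eq 0 ]; then
        printf 'CVE database was updated on %s UTC\n\n' \
            "$(LANG=C date -u +'%F %T')" > "$cve_file"
        return 0
    fi

    # The tool may fail without printing anything, so always report the status.
    CVE_UPDATE_ERR="$tool -d $cve_dir failed (exit $status): ${output:-<no output>}"
    bbwarn "$CVE_UPDATE_ERR"
    return "$status"
}
```

A caller would invoke it as `run_cve_update cve-check-update "$cve_dir" "$cve_file"` and decide from the return value whether the CVE scan can be trusted.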
