Hi Zheng,

Looking at it further. I have to say that your observation is correct.
The CVE_PRODUCT for 'db' recipe is not complete. Both 'oracle_berkeley_db' and 'berkeley_db' are used.

I've sent out a patch to fix it.

Best Regards,
Chen Qi

On 04/20/2021 10:27 AM, Chen Qi wrote:
> I think they are two different projects.
> https://www.ibm.com/products/db2-database
> https://www.oracle.com/database/technologies/related/berkeleydb.html
>
> You can also use the original json file to check.
>
> e.g.
> $ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> $ grep -l 'cpe:.*:ibm:db2:' ~/.cvedb/nvdcve-1.1-*.json
> /home/qichen/.cvedb/nvdcve-1.1-2005.json
> /home/qichen/.cvedb/nvdcve-1.1-2010.json
> /home/qichen/.cvedb/nvdcve-1.1-2012.json
> /home/qichen/.cvedb/nvdcve-1.1-2013.json
> /home/qichen/.cvedb/nvdcve-1.1-2014.json
> /home/qichen/.cvedb/nvdcve-1.1-2015.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> /home/qichen/.cvedb/nvdcve-1.1-2018.json
> /home/qichen/.cvedb/nvdcve-1.1-2019.json
> /home/qichen/.cvedb/nvdcve-1.1-2020.json
> /home/qichen/.cvedb/nvdcve-1.1-Modified.json
>
> Best Regards,
> Chen Qi
>
> On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
>> Hi, Mikko, Chen
>>
>> Now, cve_check can't checkout any cve issues of db. I read new
>> nvdcve_1.1.db and guess the name of CVE_PRODUCT should be corrected.
>> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that
>> the old name of db is "oracle_berkeley_db".
>>
>> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
>> $
>> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
>> CVE-2010-0462|ibm|db2|9.1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp5|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp8|=||
>> CVE-2010-0462|ibm|db2|9.5|=||
>> CVE-2010-0462|ibm|db2|9.5_fp1|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
>> ......
>>
>> Best regards
>> Zheng
>>
>>
>>> -----Original Message-----
>>> From: Mikko.Rapeli@bmw.de
>>> Sent: Monday, April 19, 2021 2:59 PM
>>> To: Zheng, Ruoqin/郑 若钦
>>> Cc: openembedded-core@lists.openembedded.org
>>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>>
>>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>>> So, in order to be handled correctly by CVE check, modify CVE_PRODUCT.
>>> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
>>> I wonder if both would need to be there, or if using the new value is sufficient from now on.
>>>
>>> -Mikko
>>>
>>>> Signed-off-by: Zheng Ruoqin
>>>> --- >>>> meta/recipes-support/db/db_5.3.28.bb | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb >>>> b/meta/recipes-support/db/db_5.3.28.bb >>>> index 9cb57e6a53..05720053f4 100644 >>>> --- a/meta/recipes-support/db/db_5.3.28.bb >>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>>> @@ -15,7 +15,7 @@ HOMEPAGE = >>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html >>>> LICENSE = "Sleepycat" >>>> RCONFLICTS_${PN} = "db3" >>>> >>>> -CVE_PRODUCT = "oracle_berkeley_db" >>>> +CVE_PRODUCT = "db2" >>>> CVE_VERSION = "11.2.${PV}" >>>> >>>> PR = "r1" >>>> -- >>>> 2.25.1 >>>> >>>> >>>> > > > > >
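
Review bot: the changed line (+CVE_PRODUCT = "db2") substitutes the product name instead of extending it, and the only "db2" rows shown in this thread's SELECT_FROM_PRODUCTS.log output carry vendor "ibm", while the HOMEPAGE context line of this same hunk points at Oracle's Berkeley DB page. With this value the recipe would be matched against IBM Db2 entries and against no Berkeley DB entry at all. Suggest keeping "oracle_berkeley_db" and, where a second product name is in use for the same package, listing it alongside in the same space-separated CVE_PRODUCT value rather than replacing the first. The commit message should also name at least one CVE ID the new value is expected to match, as requested in review.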
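
The feed check Chen Qi describes above with grep -l, taken one step further so that it reports which vendor each matching product name is filed under and how many CPE entries use it. This is an added example, not part of the original thread or of OE-core; the helper names cpe_products and make_sample_feed are hypothetical, and the sample feed (including its placeholder CVE IDs and version strings) is constructed.

```shell
#!/bin/sh
# Added example: helper names and the sample feed are constructed.

# Write a small constructed feed that uses the NVD 1.1 "cpe23Uri" key.
# The CVE IDs are placeholders, not real entries.
make_sample_feed() {
    cat > "$1" <<'EOF'
{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
  "configurations": {"nodes": [{"cpe_match": [
   {"cpe23Uri": "cpe:2.3:a:oracle:berkeley_db:11.2.5.3.28:*:*:*:*:*:*:*"},
   {"cpe23Uri": "cpe:2.3:a:oracle:oracle_berkeley_db:11.2.5.3.28:*:*:*:*:*:*:*"}]}]}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
  "configurations": {"nodes": [{"cpe_match": [
   {"cpe23Uri": "cpe:2.3:a:oracle:berkeley_db:11.2.5.1.29:*:*:*:*:*:*:*"},
   {"cpe23Uri": "cpe:2.3:a:ibm:db2:9.1:*:*:*:*:*:*:*"}]}]}}
]}
EOF
}

# usage: cpe_products PRODUCT_REGEX FILE...
# Prints "vendor:product count" for every CPE whose product field matches
# PRODUCT_REGEX, so a candidate CVE_PRODUCT value can be checked against
# the vendor it actually belongs to before it goes into a recipe.
cpe_products() {
    pattern=$1; shift
    # Pull "vendor:product" out of each cpe23Uri, one per line.
    grep -ho '"cpe23Uri" *: *"cpe:2\.3:[aho]:[^:]*:[^:]*' "$@" |
        sed 's/.*cpe:2\.3:[aho]://' |
        awk -F: -v p="$pattern" '$2 ~ p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Demo on the constructed feed.
feed=$(mktemp)
make_sample_feed "$feed"
cpe_products 'berkeley_db' "$feed"   # both Berkeley DB product names
cpe_products '^db2$' "$feed"         # db2 is filed under vendor ibm
rm -f "$feed"
```

Against real feeds, pass ~/.cvedb/nvdcve-1.1-*.json as the file arguments, as in the grep commands quoted above.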