* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
@ 2021-04-19 6:01 ` Chen Qi
2021-04-19 6:59 ` Mikko Rapeli
1 sibling, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-19 6:01 UTC (permalink / raw)
To: zhengruoqin, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 915 bytes --]
Which ones?
Regards,
Chen Qi
On 04/19/2021 09:45 PM, zhengruoqin wrote:
> In the CVE database, now it use db2 instead of oracle_berkeley_db.
> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>
> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..05720053f4 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
> LICENSE = "Sleepycat"
> RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "db2"
> CVE_VERSION = "11.2.${PV}"
>
> PR = "r1"
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 1661 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
2021-04-19 6:01 ` Chen Qi
@ 2021-04-19 6:59 ` Mikko Rapeli
2021-04-20 1:55 ` zhengruoqin
1 sibling, 1 reply; 6+ messages in thread
From: Mikko Rapeli @ 2021-04-19 6:59 UTC (permalink / raw)
To: zhengrq.fnst; +Cc: openembedded-core
On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
> In the CVE database, now it use db2 instead of oracle_berkeley_db.
> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
Which CVEs, please add an example? In the past oracle_berkeley_db was used.
I wonder if both would need to be there, or if using the new value is
sufficient from now on.
-Mikko
> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> ---
> meta/recipes-support/db/db_5.3.28.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
> index 9cb57e6a53..05720053f4 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
> LICENSE = "Sleepycat"
> RCONFLICTS_${PN} = "db3"
>
> -CVE_PRODUCT = "oracle_berkeley_db"
> +CVE_PRODUCT = "db2"
> CVE_VERSION = "11.2.${PV}"
>
> PR = "r1"
> --
> 2.25.1
>
>
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [OE-core] [PATCH] db: correct CVE_PRODUCT
@ 2021-04-19 13:45 zhengruoqin
2021-04-19 6:01 ` Chen Qi
2021-04-19 6:59 ` Mikko Rapeli
0 siblings, 2 replies; 6+ messages in thread
From: zhengruoqin @ 2021-04-19 13:45 UTC (permalink / raw)
To: openembedded-core
In the CVE database, now it use db2 instead of oracle_berkeley_db.
So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
---
meta/recipes-support/db/db_5.3.28.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6a53..05720053f4 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
LICENSE = "Sleepycat"
RCONFLICTS_${PN} = "db3"
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "db2"
CVE_VERSION = "11.2.${PV}"
PR = "r1"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
2021-04-19 6:59 ` Mikko Rapeli
@ 2021-04-20 1:55 ` zhengruoqin
2021-04-20 2:27 ` Chen Qi
[not found] ` <16776F7A4F5368B1.4443@lists.openembedded.org>
0 siblings, 2 replies; 6+ messages in thread
From: zhengruoqin @ 2021-04-20 1:55 UTC (permalink / raw)
To: Mikko.Rapeli, ChenQi; +Cc: openembedded-core
Hi, Mikko, Chen
Now, cve_check can't checkout any cve issues of db. I read new nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that the old name of db is "oracle_berkeley_db".
$ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
$
$ grep "|db2|" SELECT_FROM_PRODUCTS.log
CVE-2010-0462|ibm|db2|9.1|=||
CVE-2010-0462|ibm|db2|9.1_fp1|=||
CVE-2010-0462|ibm|db2|9.1_fp2|=||
CVE-2010-0462|ibm|db2|9.1_fp2a|=||
CVE-2010-0462|ibm|db2|9.1_fp3|=||
CVE-2010-0462|ibm|db2|9.1_fp3a|=||
CVE-2010-0462|ibm|db2|9.1_fp4|=||
CVE-2010-0462|ibm|db2|9.1_fp4a|=||
CVE-2010-0462|ibm|db2|9.1_fp5|=||
CVE-2010-0462|ibm|db2|9.1_fp6|=||
CVE-2010-0462|ibm|db2|9.1_fp6a|=||
CVE-2010-0462|ibm|db2|9.1_fp7|=||
CVE-2010-0462|ibm|db2|9.1_fp7a|=||
CVE-2010-0462|ibm|db2|9.1_fp8|=||
CVE-2010-0462|ibm|db2|9.5|=||
CVE-2010-0462|ibm|db2|9.5_fp1|=||
CVE-2010-0462|ibm|db2|9.5_fp2|=||
CVE-2010-0462|ibm|db2|9.5_fp2a|=||
CVE-2010-0462|ibm|db2|9.5_fp3|=||
CVE-2010-0462|ibm|db2|9.5_fp3a|=||
CVE-2010-0462|ibm|db2|9.5_fp3b|=||
......
Best regards
Zheng
> -----Original Message-----
> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
> Sent: Monday, April 19, 2021 2:59 PM
> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>
> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
> > In the CVE database, now it use db2 instead of oracle_berkeley_db.
> > So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>
> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
> I wonder if both would need to be there, or if using the new value is sufficient
> from now on.
>
> -Mikko
>
> > Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
> > ---
> > meta/recipes-support/db/db_5.3.28.bb | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb
> > b/meta/recipes-support/db/db_5.3.28.bb
> > index 9cb57e6a53..05720053f4 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE =
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> > LICENSE = "Sleepycat"
> > RCONFLICTS_${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db"
> > +CVE_PRODUCT = "db2"
> > CVE_VERSION = "11.2.${PV}"
> >
> > PR = "r1"
> > --
> > 2.25.1
> >
>
> >
> >
> >
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
2021-04-20 1:55 ` zhengruoqin
@ 2021-04-20 2:27 ` Chen Qi
[not found] ` <16776F7A4F5368B1.4443@lists.openembedded.org>
1 sibling, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-20 2:27 UTC (permalink / raw)
To: zhengrq.fnst, Mikko.Rapeli; +Cc: openembedded-core
I think they are two different projects.
https://www.ibm.com/products/db2-database
https://www.oracle.com/database/technologies/related/berkeleydb.html
You can also use the original json file to check.
e.g.
$ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
$ grep -l 'cpe:.*:ibm:db2:'
~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
/home/qichen/.cvedb/nvdcve-1.1-2010.json
/home/qichen/.cvedb/nvdcve-1.1-2012.json
/home/qichen/.cvedb/nvdcve-1.1-2013.json
/home/qichen/.cvedb/nvdcve-1.1-2014.json
/home/qichen/.cvedb/nvdcve-1.1-2015.json
/home/qichen/.cvedb/nvdcve-1.1-2016.json
/home/qichen/.cvedb/nvdcve-1.1-2017.json
/home/qichen/.cvedb/nvdcve-1.1-2018.json
/home/qichen/.cvedb/nvdcve-1.1-2019.json
/home/qichen/.cvedb/nvdcve-1.1-2020.json
/home/qichen/.cvedb/nvdcve-1.1-Modified.json
Best Regards,
Chen Qi
On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
> Hi, Mikko, Chen
>
> Now, cve_check can't checkout any cve issues of db. I read new nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that the old name of db is "oracle_berkeley_db".
>
> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
> $
> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
> CVE-2010-0462|ibm|db2|9.1|=||
> CVE-2010-0462|ibm|db2|9.1_fp1|=||
> CVE-2010-0462|ibm|db2|9.1_fp2|=||
> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
> CVE-2010-0462|ibm|db2|9.1_fp3|=||
> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
> CVE-2010-0462|ibm|db2|9.1_fp4|=||
> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
> CVE-2010-0462|ibm|db2|9.1_fp5|=||
> CVE-2010-0462|ibm|db2|9.1_fp6|=||
> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
> CVE-2010-0462|ibm|db2|9.1_fp7|=||
> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
> CVE-2010-0462|ibm|db2|9.1_fp8|=||
> CVE-2010-0462|ibm|db2|9.5|=||
> CVE-2010-0462|ibm|db2|9.5_fp1|=||
> CVE-2010-0462|ibm|db2|9.5_fp2|=||
> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3|=||
> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
> ......
>
> Best regards
> Zheng
>
>
>> -----Original Message-----
>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>> Sent: Monday, April 19, 2021 2:59 PM
>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>> Cc: openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>
>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>> So, in order to be handled correctly by CVE check, modify CVE_ PRODUCT.
>> Which CVEs, please add an example? In the past oracle_berkeley_db was used.
>> I wonder if both would need to be there, or if using the new value is sufficient
>> from now on.
>>
>> -Mikko
>>
>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>> ---
>>> meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>> b/meta/recipes-support/db/db_5.3.28.bb
>>> index 9cb57e6a53..05720053f4 100644
>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>> LICENSE = "Sleepycat"
>>> RCONFLICTS_${PN} = "db3"
>>>
>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>> +CVE_PRODUCT = "db2"
>>> CVE_VERSION = "11.2.${PV}"
>>>
>>> PR = "r1"
>>> --
>>> 2.25.1
>>>
>>>
>>>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
[not found] ` <16776F7A4F5368B1.4443@lists.openembedded.org>
@ 2021-04-20 2:40 ` Chen Qi
0 siblings, 0 replies; 6+ messages in thread
From: Chen Qi @ 2021-04-20 2:40 UTC (permalink / raw)
To: zhengrq.fnst, Mikko.Rapeli; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4148 bytes --]
Hi Zheng,
Looking at it further. I have to say that your observation is correct.
The CVE_PRODUCT for 'db' recipe is not complete.
Both 'oracle_berkeley_db' and 'berkeley_db' are used.
I've sent out a patch to fix it.
Best Regards,
Chen Qi
On 04/20/2021 10:27 AM, Chen Qi wrote:
> I think they are two different projects.
> https://www.ibm.com/products/db2-database
> https://www.oracle.com/database/technologies/related/berkeleydb.html
>
> You can also use the original json file to check.
>
> e.g.
> $ grep -l 'cpe:.*:oracle:oracle_berkeley_db:' ~/.cvedb/nvdcve-1.1-*.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> $ grep -l 'cpe:.*:ibm:db2:'
> ~/.cvedb/nvdcve-1.1-*.json/home/qichen/.cvedb/nvdcve-1.1-2005.json
> /home/qichen/.cvedb/nvdcve-1.1-2010.json
> /home/qichen/.cvedb/nvdcve-1.1-2012.json
> /home/qichen/.cvedb/nvdcve-1.1-2013.json
> /home/qichen/.cvedb/nvdcve-1.1-2014.json
> /home/qichen/.cvedb/nvdcve-1.1-2015.json
> /home/qichen/.cvedb/nvdcve-1.1-2016.json
> /home/qichen/.cvedb/nvdcve-1.1-2017.json
> /home/qichen/.cvedb/nvdcve-1.1-2018.json
> /home/qichen/.cvedb/nvdcve-1.1-2019.json
> /home/qichen/.cvedb/nvdcve-1.1-2020.json
> /home/qichen/.cvedb/nvdcve-1.1-Modified.json
>
> Best Regards,
> Chen Qi
>
> On 04/20/2021 09:55 AM, zhengrq.fnst@fujitsu.com wrote:
>> Hi, Mikko, Chen
>>
>> Now, cve_check can't checkout any cve issues of db. I read new
>> nvdcve_1.1.db and guess the name of CVE_ PRODUCT should be corrected.
>> ps: I don't have the old nvdcve_1.1.db, so, I can't make sure that
>> the old name of db is "oracle_berkeley_db".
>>
>> $ grep oracle_berkeley_db SELECT_FROM_PRODUCTS.log
>> $
>> $ grep "|db2|" SELECT_FROM_PRODUCTS.log
>> CVE-2010-0462|ibm|db2|9.1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp1|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2|=||
>> CVE-2010-0462|ibm|db2|9.1_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3|=||
>> CVE-2010-0462|ibm|db2|9.1_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4|=||
>> CVE-2010-0462|ibm|db2|9.1_fp4a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp5|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6|=||
>> CVE-2010-0462|ibm|db2|9.1_fp6a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7|=||
>> CVE-2010-0462|ibm|db2|9.1_fp7a|=||
>> CVE-2010-0462|ibm|db2|9.1_fp8|=||
>> CVE-2010-0462|ibm|db2|9.5|=||
>> CVE-2010-0462|ibm|db2|9.5_fp1|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2|=||
>> CVE-2010-0462|ibm|db2|9.5_fp2a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3a|=||
>> CVE-2010-0462|ibm|db2|9.5_fp3b|=||
>> ......
>>
>> Best regards
>> Zheng
>>
>>
>>> -----Original Message-----
>>> From: Mikko.Rapeli@bmw.de <Mikko.Rapeli@bmw.de>
>>> Sent: Monday, April 19, 2021 2:59 PM
>>> To: Zheng, Ruoqin/郑 若钦 <zhengrq.fnst@fujitsu.com>
>>> Cc: openembedded-core@lists.openembedded.org
>>> Subject: Re: [OE-core] [PATCH] db: correct CVE_PRODUCT
>>>
>>> On Mon, Apr 19, 2021 at 09:45:01PM +0800, zhengruoqin wrote:
>>>> In the CVE database, now it use db2 instead of oracle_berkeley_db.
>>>> So, in order to be handled correctly by CVE check, modify CVE_
>>>> PRODUCT.
>>> Which CVEs, please add an example? In the past oracle_berkeley_db
>>> was used.
>>> I wonder if both would need to be there, or if using the new value
>>> is sufficient
>>> from now on.
>>>
>>> -Mikko
>>>
>>>> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
>>>> ---
>>>> meta/recipes-support/db/db_5.3.28.bb | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta/recipes-support/db/db_5.3.28.bb
>>>> b/meta/recipes-support/db/db_5.3.28.bb
>>>> index 9cb57e6a53..05720053f4 100644
>>>> --- a/meta/recipes-support/db/db_5.3.28.bb
>>>> +++ b/meta/recipes-support/db/db_5.3.28.bb
>>>> @@ -15,7 +15,7 @@ HOMEPAGE =
>>>> "https://www.oracle.com/database/technologies/related/berkeleydb.html
>>>> LICENSE = "Sleepycat"
>>>> RCONFLICTS_${PN} = "db3"
>>>>
>>>> -CVE_PRODUCT = "oracle_berkeley_db"
>>>> +CVE_PRODUCT = "db2"
>>>> CVE_VERSION = "11.2.${PV}"
>>>>
>>>> PR = "r1"
>>>> --
>>>> 2.25.1
>>>>
>>>>
>>>>
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 7722 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-04-20 2:32 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-19 13:45 [OE-core] [PATCH] db: correct CVE_PRODUCT zhengruoqin
2021-04-19 6:01 ` Chen Qi
2021-04-19 6:59 ` Mikko Rapeli
2021-04-20 1:55 ` zhengruoqin
2021-04-20 2:27 ` Chen Qi
[not found] ` <16776F7A4F5368B1.4443@lists.openembedded.org>
2021-04-20 2:40 ` Chen Qi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.