[oe-commits] [openembedded-core] branch master updated: cve-check: Switch to NVD CVE JSON feed version 1.1

git at git.openembedded.org git at git.openembedded.org
Mon Dec 9 12:06:26 UTC 2019


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

The following commit(s) were added to refs/heads/master by this push:
     new cc20e4d  cve-check: Switch to NVD CVE JSON feed version 1.1
cc20e4d is described below

commit cc20e4d8ff2f3aa52a2658404af9a0ff358cc323
Author: Niko Mauno <niko.mauno at iki.fi>
AuthorDate: Fri Dec 6 21:53:23 2019 +0200

    cve-check: Switch to NVD CVE JSON feed version 1.1
    
    Switch to recently released version 1.1 of NVD CVE JSON feed, as in
    https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
    it is mentioned that
    
      Due to changes required to support CVSS v3.1 scoring, the JSON
      vulnerability feeds must be modified. This will require the consumers
      of this data to update their internal processes. We will be providing
      the JSON 1.1 schema on the data feeds page and the information below
      to prepare for this transition.
      ...
      The JSON 1.1 data feeds will be available on September 9th, 2019. At
      that time the current JSON 1.0 data feeds will no longer available.
    
    This change was tested briefly by issuing 'bitbake core-image-minimal'
    with 'cve-check.bbclass' inherited via local.conf, and then comparing
    the content between the resulting two
    'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not
    seem to contain any other change, except total of 167 entries like
    
      CVSS v3 BASE SCORE: 0.0
    
    were replaced with similar 'CVSS v3 BASE SCORE:' entries which had
    scores that were greater than '0.0' (up to '9.8').
    
    Signed-off-by: Niko Mauno <niko.mauno at iki.fi>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/classes/cve-check.bbclass                 | 2 +-
 meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed554..01b3637 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a..575254a 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
 
     bb.utils.export_proxies(d)
 
-    BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+    BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
     YEAR_START = 2002
 
     db_file = d.getVar("CVE_CHECK_DB_FILE")

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the Openembedded-commits mailing list