On Mon, Sep 13, 2021 at 7:01 AM Richard Purdie <richard.pur...@linuxfoundation.org> wrote: > > On Mon, 2021-09-13 at 05:19 -1000, Steve Sakoman wrote: > > On Sun, Sep 12, 2021 at 6:05 AM Steve Sakoman via > > lists.openembedded.org <steve=sakoman....@lists.openembedded.org> > > wrote: > > > > > > > > > > > > On Sun, Sep 12, 2021, 5:57 AM Richard Purdie > > > <richard.pur...@linuxfoundation.org> wrote: > > > > > > > > On Sun, 2021-09-12 at 05:01 -1000, Steve Sakoman wrote: > > > > > Branch: hardknott > > > > > > > > > > New this week: 0 CVEs > > > > > > > > > > Removed this week: 2 CVEs > > > > > CVE-2020-27748: xdg-utils > > > > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 * > > > > > CVE-2021-38185: cpio > > > > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38185 * > > > > > > > > I'm not sure I believe these numbers as tar CVEs which showed up for > > > > dunfell and > > > > master don't show up here. Why? :/ > > > > > > > > > Don't know! Will investigate tomorrow. > > > > I re-ran the hardknott report this morning and it now includes the > > missing tar cve's (as well as the libsolv, vim, and inetutils cve's we > > saw in master/dunfell) > > > > No idea why these weren't in yesterday's report since they were > > obviously in the upstream database and appeared in the master and > > dunfell runs (and hardknott runs last) > > > > I've seen this kind of thing once or twice in the past and have never > > been able to figure out what is going on since it is so intermittent. > > I'm not sure how we pull the database but is it possible that there are > multiple > upstream servers of that data and we pull from different instances which may > not > have all updated to the same data? Would there be any way to investigate/prove > that?
Taking a quick look at the code in cve-update-db-native.bb I see that database updates can fail with a warning message printed. So it could well be that the update failed for some reason, printed the warning, and then used the old database for the scan. That would explain what we are seeing. Perhaps someone who knows the code better can comment (Ross? I see you've mucked about in this section of the code!) Unfortunately I didn't enable cron logging on the machine that does the reports, but I will enable that now so that I can examine the cron output if this happens in the future. > I'm a little worried about the inconsistencies. I'm guessing your builds don't > share a DL_DIR so they'd fetch different CVE databases? Correct -- I use a separate DL_DIR for each branch. Steve
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#155986): https://lists.openembedded.org/g/openembedded-core/message/155986 Mute This Topic: https://lists.openembedded.org/mt/85554291/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
