[Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Aug 10 07:07:21 UTC 2023


Hello Daniel,

On Thu, 10 Aug 2023 07:50:34 +0200
Daniel Lang <dalang at gmx.at> wrote:

> The problem here is that the new API (even the one for CPEs) constrains us
> to a 6 second timeout between requests [0]. We currently have ~700 packages
> with CPEs. This would come out to 4200 seconds or about 70 minutes, each time
> we run pkg-stats for all packages.
> The only way around this is requesting an API key [1] which allows "50 requests
> in a rolling 30 seconds window". NVD still recommends sleeping between
> requests...

Agreed, but what you do in the patch series you posted is just fine
IMO: you download the full CPE database, and then we locally check
against it. Your last patch implements exactly what Arnout suggested:
to not check the full CPE including version number, but only the
vendor/product.

> On that "latest release" note, we have a second, probably rarely used,
> use case for CPEs which is support/scripts/gen-missing-cpe.

I'm not sure why you call that "second use-case". 

> This script tries to generate an XML structure for each version that
> isn't registered in the database. For this script a lot of
> information about the CPE needs to be stored.

The idea of this script was to be able to contribute new entries to the
official CPE database, by generating the XML file that they require as
input to contribute such new entries. I've never used it myself, and we
would need to submit gazillions of new entries all the time to keep
their CPE database up-to-date.

It could still be useful to have something to contribute new entries,
for those packages that have no entry at all (regardless of their
version number) in the CPE database.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
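The local vendor/product check discussed in the reply above, as an added example (not Buildroot's cve.py and not Daniel's patch series): it splits CPE 2.3 strings into their fields, indexes a locally held CPE dictionary by vendor/product, and classifies a package's CPE as an exact match, a vendor/product-only match, or missing. The dictionary entries are constructed sample data, not real NVD records.

```python
import re

# Constructed sample standing in for a locally downloaded CPE dictionary;
# these are made-up entries, not real NVD data.
CPE_DICTIONARY = [
    "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:3.0.9:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:escaped\\:name:1.0:*:*:*:*:*:*:*",
]

def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields, keeping a
    backslash-escaped colon ('\\:') inside a field instead of splitting on it."""
    parts = re.split(r'(?<!\\):', cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts

def vendor_product(cpe):
    """Return the (vendor, product) pair of a CPE 2.3 string."""
    parts = split_cpe23(cpe)
    return (parts[3], parts[4])

def build_index(dictionary):
    """Index the local dictionary as (vendor, product) -> set of versions,
    so that checks need no network request at all."""
    index = {}
    for name in dictionary:
        parts = split_cpe23(name)
        index.setdefault((parts[3], parts[4]), set()).add(parts[5])
    return index

def check_package_cpe(cpe, index):
    """Classify a package CPE against the local index: 'exact' if
    vendor/product/version is listed, 'product-only' if the vendor/product
    pair exists but this version does not, 'missing' otherwise."""
    parts = split_cpe23(cpe)
    versions = index.get((parts[3], parts[4]))
    if versions is None:
        return "missing"
    return "exact" if parts[5] in versions else "product-only"

if __name__ == "__main__":
    idx = build_index(CPE_DICTIONARY)
    for pkg in ["cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:busybox:busybox:1.37.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:zlib:zlib:1.3:*:*:*:*:*:*:*"]:
        print(pkg, "->", check_package_cpe(pkg, idx))
```

A "product-only" result is the case the reply calls fine to accept (the vendor/product exists, only the version is newer than the dictionary), while "missing" marks a package that has no entry at all.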