
add support for cve metadata coming from yocto cve-check

Alberto Pianon requested to merge ap/cve into master

To add such support, we need to take into consideration two issues:

  • https://lists.openembedded.org/g/openembedded-core/message/171653 (CVE check may be incomplete for some builds depending on random connection problems to NIST db, so we need to aggregate data from different builds based on this assumption)
  • CVE metadata gets updated frequently in NIST db (including old CVEs' metadata), so it may happen (it actually did, in our tests) that metadata gets updated between one build and another, and generated cve data may therefore differ; in such a case, we should detect this change and keep only the latest version

fix #20 (closed)

Edited by Alberto Pianon
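
One way to do the aggregation described in the two points above, as an added example that is not code from this merge request. The record layout, the name `merge_cve_builds`, the use of a build timestamp to decide which version is latest, and all sample values are assumptions made for illustration.

```python
from datetime import datetime


def merge_cve_builds(builds):
    """Aggregate per-build CVE results into one view.

    builds: iterable of (build_time, {package: [issue, ...]}), where each
    issue is a dict with at least an "id" key. This layout is an assumption
    made for the example, not the cve-check output format.
    Returns (merged, changed): merged maps (package, cve_id) -> issue dict,
    changed lists the keys whose metadata differed between builds.
    """
    merged = {}      # (package, cve_id) -> (build_time, issue)
    changed = set()
    # Process oldest first, so metadata from a later build replaces older data.
    for build_time, packages in sorted(builds, key=lambda b: b[0]):
        for package, issues in packages.items():
            for issue in issues:
                key = (package, issue["id"])
                previous = merged.get(key)
                if previous is not None and previous[1] != issue:
                    changed.add(key)  # same CVE, different metadata: detected
                merged[key] = (build_time, issue)
    # Entries missing from a later build are kept on purpose: a build's CVE
    # check may be incomplete, so absence is not treated as removal.
    return {k: v[1] for k, v in merged.items()}, sorted(changed)


# Constructed sample data: placeholder package names, CVE ids and scores.
SAMPLE_BUILDS = [
    (datetime(2022, 10, 2), {   # newer build, incomplete: pkg-b is missing
        "pkg-a": [{"id": "CVE-0000-0001", "status": "Unpatched", "scorev3": "9.8"}],
    }),
    (datetime(2022, 10, 1), {   # older build, complete
        "pkg-a": [{"id": "CVE-0000-0001", "status": "Unpatched", "scorev3": "7.5"},
                  {"id": "CVE-0000-0002", "status": "Patched", "scorev3": "5.3"}],
        "pkg-b": [{"id": "CVE-0000-0003", "status": "Unpatched", "scorev3": "6.1"}],
    }),
]

if __name__ == "__main__":
    merged, changed = merge_cve_builds(SAMPLE_BUILDS)
    for key in sorted(merged):
        print(key, merged[key], "(metadata changed)" if key in changed else "")
```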
