Next

[serhepopovych]

Hi. With this patch series I would like to introduce/extend following functionality of the cve-check-tool:

Most of the effort applied to improve database and check results consistency in multi user/instance environments. One of good example of such environment is Image Security Framework (ISAFW) used with meta-security-isafw custom layer in YOCTO project.

All patches tested before submission and seems to compile & work correctly in my test cases addressing all issues I found while working for ISAFW improvements.

• Support for specifying database location in filesystem via command line option (commits f432f9d and 652ae0a)
• Changes to the output plugin logic: now all plugins (currently HTML, CSV and CLI) use stdout to generate reports. This eases report processing. Error messages now sent to the stderr to not interfere with report data. (commits 9cfb9be, a7a5b59, eefa193, cea2b64)
• Small code clean up in prepare for the upcoming changes (commit cea2b64)
• Database locking extended to serialize all access to the database. Before this patch only parallel updates protected from each other, while readers still could access data in the middle of update process. Patch introduces full shared vs exclusive POSIX advisory locking, where exclusive locking used only for database update process, and shared locking used by multiple instances for database checks (commit 568ac0f).
• Introduce marker file in the database directory to correctly handling database partial updates (commits 567126f, 0f4bb46).
• Fixes to ensure database directory exists before working with locks (commit fcbef7f).
• Small series of changes to consolidate out-of-memory (oom) error handling in update_db(). While it uses goto statement it is pretty clean to read and I think makes code readable a bit. Statement is used in the similar way as with Linux kernel error path handling, so I think it is ok here (commit 705a2be).
• Check NVD XML files integrity before processing. Among with XML DATA files NVD provides META files. These files are colon separated list of key:value. One of the key provides sha256 digest of the uncompressed XML data file, so we can compute sha256 digest on fetched/unpacked data and compare it to the reference value from the "sha256" key in META file. These checksumming does not ensure source authenticity (e.g. like digital signatures), but it is used to catch partial downloads. Also fetch/unpack/update mechanism was changed to be more robust and retry at least once (commits 1b1bee3, 5c6cf61, b6ccdd8).

[ikeydoherty]

Sorry, going to have to merge Fixes into 5.5, its a bad bug we're seeing

[serhepopovych]

Now I perform heavy rebase to the upstream master and prefer to close this pool request in favour to the new one found in next2.