Hello Marta and Richard,

On Thursday, March 19, 2026 at 8:52 AM, Richard Purdie wrote:
> On Thu, 2026-03-19 at 08:29 +0100, Marta Rybczynska wrote:
> > Fetching the complete git repos has a number of problems. Why not use
> > release tarballs like those in https://github.com/CVEProject/cvelistV5/releases ?
> > FKIE feeds also have them
> > https://github.com/fkie-cad/nvd-json-data-feeds/releases

Here are the reasons:

- Fetching the tarballs is quite complex to implement. This was done in cve-update-db-native.bb. To do that we must use a custom fetcher, because we cannot expect the user to manually update the URL each time a new CVE analysis needs to be done.
- Also, sbom-cve-check is expecting a git repository. It does not support a simple extraction of the CVE database.
- sbom-cve-check also expects one JSON file per CVE, which is not the case with the release tarball for FKIE. This is a single compressed JSON file.

> FWIW we can shallow clone git repos, it just isn't optimal in how
> updates are handled, which was Benjamin's concern as the shallow clones
> end up more like tarballs.
>
> If we use the bitbake fetcher, it also makes it much easier to actually
> use tarballs directly too, since the fetcher also supports those and it
> just becomes a simple SRC_URI change.

If we are using the BitBake fetcher with tarballs, the download directory is going to be filled with a lot of versions of the CVE databases. This is really inefficient. For cvelistV5 the release zip file is roughly the same size as the git shallow clone.

For https://github.com/fkie-cad/nvd-json-data-feeds/releases it is not even an option to use a tarball, since sbom-cve-check is not compatible with this format.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
