Hello Marta,

On Thursday, March 19, 2026 at 8:29 AM, Marta Rybczynska wrote:
> Fetching the complete git repos has a number of problems. Why not use release
> tarballs like those in https://github.com/CVEProject/cvelistV5/releases ?
> Fkie feeds also have them
> https://github.com/fkie-cad/nvd-json-data-feeds/releases
sbom-cve-check is not compatible with the tarball release of FKIE. The CVE
database is not in the same format.

For cvelistV5, the shallow git clone is globally the same speed and the same
size as the release zip file.

Why does fetching the git repo have problems? I only see advantages. The update
is quick. We can easily know with which version the analysis was done: this is
the git version.

> CVE versions of those repositories are good for manual analysis, but a simple
> check does not need all of that.

I don't understand your point.

> Also, I'm worried about the size explosion with additional databases that
> will be needed in the 1-2 years time period. I also wouldn't assume all of
> them will have git mirrors.

The git shallow clone of the git repository is the same size as the tarball,
which is logical. I don't understand your point.

> For an analysis I think it would be better to integrate sources in a
> database, but not a relational one (like it was done with sqlite). An object
> database corresponds better to what the data contains.

sbom-cve-check was not designed like that. We did not want to take this
approach, which generates a lot of limitations.

--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
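As an added example, not code from this thread and not part of sbom-cve-check: a POSIX shell sketch of the shallow-clone workflow the reply describes, fetching only the latest commit of a CVE feed and pinning the exact revision the scan ran against so a result can be reproduced later. The function names, the `.cve-db-provenance` file, and the constructed stand-in repository (which mimics the cvelistV5 `cves/<year>/<bucket>/` layout with a placeholder ID) are assumptions; it needs only `git` and runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from sbom-cve-check.
# Shallow-clone a CVE feed and record which revision the analysis used.
set -eu

# cve_fetch_shallow <repo-url> <dest-dir> [branch]
# Fetches a one-commit snapshot (tarball-sized, as the reply notes) and
# writes a provenance file next to the data. Re-running only fetches the delta.
cve_fetch_shallow() {
    url=$1; dest=$2; branch=${3:-main}
    if [ -d "$dest/.git" ]; then
        git -C "$dest" fetch -q --depth 1 origin "$branch"
        git -C "$dest" reset -q --hard FETCH_HEAD
    else
        git clone -q --depth 1 --branch "$branch" "$url" "$dest"
    fi
    # Pin source, commit and commit date so a scan report can cite them.
    {
        echo "source=$url"
        echo "commit=$(git -C "$dest" rev-parse HEAD)"
        echo "date=$(git -C "$dest" log -1 --format=%cI)"
    } > "$dest/.cve-db-provenance"
}

# cve_db_commit <dest-dir>: read back the pinned commit for a scan report.
cve_db_commit() {
    sed -n 's/^commit=//p' "$1/.cve-db-provenance"
}

# cve_db_is_shallow <dest-dir>: true when the clone holds exactly one commit,
# i.e. no history was transferred beyond the snapshot.
cve_db_is_shallow() {
    [ -f "$1/.git/shallow" ] && [ "$(git -C "$1" rev-list --count HEAD)" -eq 1 ]
}

# --- Constructed stand-in for a cvelistV5-style feed so this runs offline ---
# make_fake_cve_repo <dir>: two commits, so a shallow clone provably drops one.
make_fake_cve_repo() {
    repo=$1
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/main
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial"
    mkdir -p "$repo/cves/0000/0xxx"
    # CVE-0000-0001 is a placeholder ID, not a real CVE record.
    echo '{"cveMetadata":{"cveId":"CVE-0000-0001"}}' \
        > "$repo/cves/0000/0xxx/CVE-0000-0001.json"
    git -C "$repo" add -A
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "add placeholder record"
}
```

Usage: `cve_fetch_shallow https://github.com/CVEProject/cvelistV5 ./cvelistV5 main`, then embed `cve_db_commit ./cvelistV5` in the scan output. Use a `file://` URL for local mirrors, since git silently ignores `--depth` for plain-path clones.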
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#233474): https://lists.openembedded.org/g/openembedded-core/message/233474
Mute This Topic: https://lists.openembedded.org/mt/118219723/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
