
Add Debian CVE check plugin #596

Open
masami256 wants to merge 7 commits into miraclelinux:emlinux3 from masami256:debian-cve-check-plugin

Conversation

@masami256
Contributor

@masami256 masami256 commented Feb 3, 2026

This PR adds a new plugin that runs a CVE check based on the Debian security tracker, a bug fix, and some feature improvements.

This PR contains the following commits.

  • f2115ab Check vulnerability info based on EMLINUX_SOURCE_FROM

If a package is built from a recipe that is based on a Debian source package, we get the codename from the EMLINUX_SOURCE_FROM variable so the CVE check runs against the correct Debian version.

  • c44995f Determine debian codename from DISTRO variable

Remove the default value from the debian-codename option, then determine the Debian codename from the DISTRO value to set the correct value. Therefore the user doesn't need to use this option by default.

  • 13d8cf2 classes/source-info: Set unknown if EMLINUX_SOURCE_FROM is not set

This commit sets "unknown" in EMLINUX_SOURCE_FROM when the EMLINUX_SOURCE_FROM variable is not defined in a recipe file, instead of setting the codename from the DISTRO variable.
This protects the check from a wrong data source.

  • a993283 update cpe and ignore CVEs

This commit updates the cve_products.yml and cve_check_ignore.yml files to reduce false-positive results.

This is the main commit in the PR. This commit adds the Debian CVE check plugin.

  • c559ea3 scripts: Add plugin disable feature

This commit adds a new feature to disable plugins for test purposes. This option supports disabling multiple plugins at the same time, separated by commas.

--disable-plugins eml_cve_debian_plugin,eml_cve_your_plugin
  • 353fd90 cve: Fix getting wrong column in nvd plugin

The previous code fetched the OPERATOR_START column twice. This SQL should fetch OPERATOR_START and OPERATOR_END respectively. This commit fixes the wrong SQL.

-                    "SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_START  FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?",
+                    "SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END  FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?",
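Review bot: the corrected SELECT is right, but nothing in this hunk stops the same mix-up recurring, because the row is still consumed by position and the fourth value silently changed meaning from OPERATOR_START to OPERATOR_END. Suggest reading the columns by name (sqlite3.Row, or explicit aliases in the SELECT) and adding a regression test with a product row whose start and end operators differ (for example start ">=" and end "<") with a version equal to VERSION_END, which is exactly the case the old query got wrong. A smaller point on the same line: VENDOR LIKE ? is parameterized so it is not an injection risk, but a vendor string containing % or _ will match more rows than intended; if vendor names come from cve_products.yml, either escape them or use VENDOR IS ? like the other two predicates.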

Test

Prepare

Create a custom layer and add the following recipe to the layer.

inherit dpkg-gbp

EMLINUX_SOURCE_FROM="trixie"
PR="4"
SRC_URI = " \
      git://salsa.debian.org/debian/less.git;protocol=https;branch=master \
"

GBP_EXTRA_OPTIONS = ""
DEB_BUILD_PROFILES += "nocheck"
SRCREV = "4a2db17540471c71c31d89dd7fad683798940c72"

PROVIDES = " less"

MAINTAINER = "isar-users <isar-users@googlegroups.com>"
CHANGELOG_V = "<orig-version>+eml"
do_prepare_build() {
        deb_add_changelog
}

Set the following variables in local.conf.

DISTRO = "emlinux-bookworm"
IMAGE_INSTALL:append = " less"

Then, build emlinux-image-weston.

Testing basic feature

Run the following command.

cve_check_ng.py \
--image emlinux-image-weston \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose

Testing disable plugin

Run the following command.

cve_check_ng.py \
--image emlinux-image-weston \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose \
--disable-plugins eml_cve_debian_plugin

Test result

Testing basic feature

The following log shows that the NVD and Debian plugins were executed.

2026-02-05 01:53:57,947:INFO: |------------------------------|
2026-02-05 01:53:57,947:INFO: | This is experimental version |
2026-02-05 01:53:57,947:INFO: |------------------------------|
2026-02-05 01:54:05,999:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_debian_plugin.py
2026-02-05 01:54:05,999:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-02-05 01:54:06,001:DEBUG: run EmlDebianPlugin
2026-02-05 01:54:06,001:INFO: Update debian CVE database
2026-02-05 01:54:06,001:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:54:06,001:DEBUG: EmlDebianPlugin: run-check start
2026-02-05 01:54:06,589:DEBUG: run EmlNVDPlugin
2026-02-05 01:54:06,589:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvd_cve_db.db
2026-02-05 01:54:06,589:INFO: Last database update is in 1 day skip NVD database update
2026-02-05 01:54:06,590:DEBUG: EmlNVDPlugin: run-check start
2026-02-05 01:54:44,806:DEBUG: EmlNVDPlugin: run-check finish
2026-02-05 01:54:45,057:INFO: Update KEV database
2026-02-05 01:54:45,057:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:54:45,330:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-02-05 01:54:45,379:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve
2026-02-05 01:54:45,560:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-02-05 01:54:45,766:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve.json

Testing disable plugin

The following log shows the line "2026-02-05 01:52:40,748:INFO: Plugin 'eml_cve_debian_plugin' is disabled".

2026-02-05 01:52:33,402:INFO: |------------------------------|
2026-02-05 01:52:33,402:INFO: | This is experimental version |
2026-02-05 01:52:33,402:INFO: |------------------------------|
2026-02-05 01:52:40,748:INFO: Plugin 'eml_cve_debian_plugin' is disabled
2026-02-05 01:52:40,748:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-02-05 01:52:40,750:DEBUG: run EmlNVDPlugin
2026-02-05 01:52:40,750:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvd_cve_db.db
2026-02-05 01:52:40,750:INFO: Last database update is in 1 day skip NVD database update
2026-02-05 01:52:40,750:DEBUG: EmlNVDPlugin: run-check start
2026-02-05 01:53:19,095:DEBUG: EmlNVDPlugin: run-check finish
2026-02-05 01:53:19,223:INFO: Update KEV database
2026-02-05 01:53:19,223:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:53:19,479:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-02-05 01:53:19,530:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve
2026-02-05 01:53:19,702:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-02-05 01:53:19,903:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve.json
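The codename resolution and Debian security-tracker comparison the PR describes, as an added Python illustration that is not code from meta-emlinux or from this PR: the codename is derived from DISTRO, a recipe's EMLINUX_SOURCE_FROM overrides it, packages recorded as "unknown" are skipped rather than guessed, and the installed version is compared against the tracker's fixed_version with dpkg's ordering rules (so "~deb12u2" and "+eml" suffixes sort correctly). The function names, the "emlinux-<codename>" DISTRO pattern, the precedence between the recipe variable and --debian-codename, the package list and the tracker entries (placeholder CVE ids, made-up versions) are all assumptions; only the JSON shape follows the tracker's data/json export.

```python
"""Added example, not code from meta-emlinux or this PR: the codename
resolution and Debian security-tracker comparison the PR describes. All
names here (resolve_codename, run_debian_check, the sample data) are
assumptions made for illustration."""
import json
import re
from itertools import zip_longest

# Constructed sample in the shape of the tracker's data/json export:
# package -> CVE id -> {"releases": {codename: {"status", "fixed_version"}}}.
# The CVE ids are placeholders and the versions are made up.
SAMPLE_TRACKER_JSON = json.dumps({"less": {
    "CVE-1999-0001": {"releases": {
        "bookworm": {"status": "resolved", "fixed_version": "590-2.1~deb12u2"},
        "trixie": {"status": "resolved", "fixed_version": "590-2.2"}}},
    "CVE-1999-0002": {"releases": {
        "bookworm": {"status": "open", "fixed_version": ""},
        "trixie": {"status": "resolved", "fixed_version": "590-2.1"}}},
}})

# Constructed package list: (name, installed version, EMLINUX_SOURCE_FROM);
# None = binary from the distro's own suite, "unknown" = recipe did not set it.
SAMPLE_PACKAGES = [
    ("less", "590-2.1~deb12u2", None),   # stock bookworm package
    ("less", "590-2.2+eml", "trixie"),   # rebuilt from trixie source, CHANGELOG_V "+eml"
    ("curl", "7.88.1-10", "unknown"),    # recipe without EMLINUX_SOURCE_FROM
]

# Assumption: DISTRO is named "emlinux-<codename>", as in the PR's local.conf.
_DISTRO_RE = re.compile(r"^emlinux-(?P<codename>[a-z]+)$")

def resolve_codename(distro, source_from=None, codename_option=None):
    """Assumed precedence: recipe EMLINUX_SOURCE_FROM, then --debian-codename,
    then DISTRO. 'unknown' yields None so the caller skips instead of guessing."""
    if source_from == "unknown":
        return None
    if source_from:
        return source_from
    if codename_option:
        return codename_option
    m = _DISTRO_RE.match(distro)
    if not m:
        raise ValueError(f"cannot derive a Debian codename from DISTRO={distro!r}")
    return m.group("codename")

def _order(c):
    """dpkg character weight: '~' sorts before everything, even end of string (0)."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg ordering of one fragment: alternate non-digit runs (by weight)
    and digit runs (numerically, so leading zeros do not matter)."""
    for (na, da), (nb, db) in zip_longest(re.findall(r"(\D*)(\d*)", a),
                                          re.findall(r"(\D*)(\d*)", b),
                                          fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def debian_version_cmp(v1, v2):
    """Compare [epoch:]upstream[-revision] the way dpkg does; returns -1, 0 or 1."""
    def split(v):
        epoch, v = (v.split(":", 1) if ":" in v else ("0", v))
        upstream, revision = (v.rsplit("-", 1) if "-" in v else (v, ""))
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def check_package(tracker, name, installed, codename):
    """One (cve_id, verdict) per tracked CVE of `name` in release `codename`."""
    verdicts = []
    for cve_id, info in sorted(tracker.get(name, {}).items()):
        rel = info.get("releases", {}).get(codename)
        if rel is None:
            verdicts.append((cve_id, "no-data"))        # release not tracked
        elif rel.get("status") == "open" or not rel.get("fixed_version"):
            verdicts.append((cve_id, "vulnerable"))     # no fix in this release yet
        elif debian_version_cmp(installed, rel["fixed_version"]) >= 0:
            verdicts.append((cve_id, "fixed"))
        else:
            verdicts.append((cve_id, "vulnerable"))     # older than the fixing upload
    return verdicts

def run_debian_check(tracker_json, distro, packages, codename_option=None):
    """Resolve a codename per package and compare; 'unknown' packages are skipped."""
    tracker = json.loads(tracker_json)
    report = []
    for name, installed, source_from in packages:
        codename = resolve_codename(distro, source_from, codename_option)
        if codename is None:
            report.append({"package": name, "version": installed, "skipped": "unknown source"})
        else:
            report.append({"package": name, "version": installed, "codename": codename,
                           "cves": check_package(tracker, name, installed, codename)})
    return report
```

Running run_debian_check(SAMPLE_TRACKER_JSON, "emlinux-bookworm", SAMPLE_PACKAGES) marks the stock bookworm less as fixed for the first placeholder CVE and vulnerable for the second (still open in bookworm), marks the trixie-rebuilt less fixed for both, and skips curl. Feeding the trixie-built package in with EMLINUX_SOURCE_FROM unset makes it fall back to bookworm data and reports the second CVE as vulnerable, which is the false positive the PR's first commit avoids.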

We should get OPERATOR_END instead of OPERATOR_START twice.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Add a plugin disable feature to make it easy to disable specific plugin(s).

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 force-pushed the debian-cve-check-plugin branch 2 times, most recently from 6a49099 to ee1743b Compare February 4, 2026 00:36
Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
If EMLINUX_SOURCE_FROM is not set, it is difficult to detect source information.
Hence, we set unknown to reduce false positives.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Remove the default value from the debian-codename option, then determine the Debian
codename from the DISTRO value to set the correct value. Therefore the user doesn't need to
use this option by default.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 force-pushed the debian-cve-check-plugin branch 2 times, most recently from 978a56d to 68b5712 Compare February 4, 2026 02:10
If a package is built from a recipe that is based on a Debian source package, we get the
codename from the EMLINUX_SOURCE_FROM variable so the CVE check runs against the correct
Debian version.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 force-pushed the debian-cve-check-plugin branch from 68b5712 to f2115ab Compare February 5, 2026 00:40
@masami256 masami256 changed the title Debian CVE check plugin Add Debian CVE check plugin Feb 5, 2026
@masami256 masami256 marked this pull request as ready for review February 5, 2026 01:58