
Add Debian CVE check plugin #596

Merged
hiraku-wfs merged 5 commits into miraclelinux:emlinux3 from masami256:debian-cve-check-plugin
Feb 20, 2026

Conversation

@masami256 (Contributor) commented Feb 3, 2026

This PR adds a new plugin that runs a CVE check based on the Debian security tracker, a bug fix, and some feature improvements.

This PR contains the following commits.

  • 2d4beed update cpe and ignore CVEs

This commit updates the cve_products.yml and cve_check_ignore.yml files to reduce false positive results.

This is the main commit in the PR. This commit adds the Debian CVE check plugin.

  • 9ebb5db classes/source-info: Set unknown if EMLINUX_SOURCE_FROM is not set

This commit sets EMLINUX_SOURCE_FROM to "unknown" when the EMLINUX_SOURCE_FROM variable is not defined in a recipe file, instead of setting the codename from the DISTRO variable.
This protects the check from a wrong data source.

  • be5e486 scripts: Add plugin disable feature

This commit adds a new feature to disable plugins for test purposes. This option supports disabling multiple plugins at the same time, separated by commas.

--disable-plugins eml_cve_debian_plugin,eml_cve_your_plugin

  • 7f49d19 cve: Fix getting wrong column in nvd plugin

The previous code fetched the OPERATOR_START column twice. This SQL should fetch OPERATOR_START and OPERATOR_END respectively. This commit fixes the wrong SQL.

-                    "SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_START  FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?",
+                    "SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END  FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?",
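Review bot: the corrected fourth column is right, but nothing in the series pins it; because the old query returned OPERATOR_START in the fourth position, any caller unpacking the tuple as (start, op_start, end, op_end) applied the start operator to VERSION_END, so a range like >= 1.0 and < 2.0 was evaluated as >= 1.0 and >= 2.0, flagging versions above the range and clearing versions inside it. Suggest a regression test that inserts one PRODUCTS row with differing start and end operators and asserts the fetched tuple ends with OPERATOR_END. Also visible on the same line: VENDOR LIKE ? makes '%' and '_' in the bound vendor string act as wildcards, so a vendor read from cve_products.yml should be escaped or matched with = unless the wildcard is intended.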

Test

Prepare

Create a custom layer and add the following recipe to the layer.

inherit dpkg-gbp

EMLINUX_SOURCE_FROM="trixie"
PR="4"
SRC_URI = " \
      git://salsa.debian.org/debian/less.git;protocol=https;branch=master \
"

GBP_EXTRA_OPTIONS = ""
DEB_BUILD_PROFILES += "nocheck"
SRCREV = "4a2db17540471c71c31d89dd7fad683798940c72"

PROVIDES = " less"

MAINTAINER = "isar-users <isar-users@googlegroups.com>"
CHANGELOG_V = "<orig-version>+eml"
do_prepare_build() {
        deb_add_changelog
}

Set the following variables in local.conf.

DISTRO = "emlinux-bookworm"
IMAGE_INSTALL:append = " less"

Then build emlinux-image-weston.

Testing basic feature

Run the following command.

cve_check_ng.py \
--image emlinux-image-weston \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose

Testing disable plugin

Run the following command.

cve_check_ng.py \
--image emlinux-image-weston \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose \
--disable-plugins eml_cve_debian_plugin

Test result

Testing basic feature

The following log shows that the NVD and Debian plugins were executed.

2026-02-05 01:53:57,947:INFO: |------------------------------|
2026-02-05 01:53:57,947:INFO: | This is experimental version |
2026-02-05 01:53:57,947:INFO: |------------------------------|
2026-02-05 01:54:05,999:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_debian_plugin.py
2026-02-05 01:54:05,999:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-02-05 01:54:06,001:DEBUG: run EmlDebianPlugin
2026-02-05 01:54:06,001:INFO: Update debian CVE database
2026-02-05 01:54:06,001:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:54:06,001:DEBUG: EmlDebianPlugin: run-check start
2026-02-05 01:54:06,589:DEBUG: run EmlNVDPlugin
2026-02-05 01:54:06,589:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvd_cve_db.db
2026-02-05 01:54:06,589:INFO: Last database update is in 1 day skip NVD database update
2026-02-05 01:54:06,590:DEBUG: EmlNVDPlugin: run-check start
2026-02-05 01:54:44,806:DEBUG: EmlNVDPlugin: run-check finish
2026-02-05 01:54:45,057:INFO: Update KEV database
2026-02-05 01:54:45,057:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:54:45,330:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-02-05 01:54:45,379:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve
2026-02-05 01:54:45,560:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-02-05 01:54:45,766:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve.json

Testing disable plugin

The following log shows the line "2026-02-05 01:52:40,748:INFO: Plugin 'eml_cve_debian_plugin' is disabled".

2026-02-05 01:52:33,402:INFO: |------------------------------|
2026-02-05 01:52:33,402:INFO: | This is experimental version |
2026-02-05 01:52:33,402:INFO: |------------------------------|
2026-02-05 01:52:40,748:INFO: Plugin 'eml_cve_debian_plugin' is disabled
2026-02-05 01:52:40,748:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-02-05 01:52:40,750:DEBUG: run EmlNVDPlugin
2026-02-05 01:52:40,750:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvd_cve_db.db
2026-02-05 01:52:40,750:INFO: Last database update is in 1 day skip NVD database update
2026-02-05 01:52:40,750:DEBUG: EmlNVDPlugin: run-check start
2026-02-05 01:53:19,095:DEBUG: EmlNVDPlugin: run-check finish
2026-02-05 01:53:19,223:INFO: Update KEV database
2026-02-05 01:53:19,223:INFO: Last database update is in 1day so skip Debian CVE database update
2026-02-05 01:53:19,479:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-02-05 01:53:19,530:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve
2026-02-05 01:53:19,702:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-02-05 01:53:19,903:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-weston-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-weston-emlinux-bookworm-qemu-amd64_cve.json
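The column mix-up fixed by 7f49d19 above, demonstrated as an added example that is not the PR's or meta-emlinux's code: a constructed PRODUCTS table (column names taken from the query in the PR; the table layout, CVE id, vendor and product are invented here) is queried with the pre-fix and post-fix SELECT, and the returned operators are applied to a package version the way a range check would apply them. The dotted-numeric version comparison is a simplification that fits the sample data, not the checker's real version ordering.

```python
# Added example, not code from the PR or from meta-emlinux. It shows why
# selecting OPERATOR_START twice mis-evaluates NVD version ranges and what
# the corrected SELECT returns. The PRODUCTS column names come from the
# query in the PR; the table layout, the sample row and the dotted-numeric
# version comparison are assumptions made for this example.
import operator
import sqlite3

SCHEMA = """
CREATE TABLE PRODUCTS (
    ID TEXT, VENDOR TEXT, PRODUCT TEXT,
    VERSION_START TEXT, OPERATOR_START TEXT,
    VERSION_END TEXT, OPERATOR_END TEXT
)
"""

# Constructed row meaning "versions >= 1.0 and < 2.0 are affected".
SAMPLE_ROWS = [
    ("CVE-0000-0001", "example", "demo", "1.0", ">=", "2.0", "<"),
]

# The query before and after commit 7f49d19 (they differ only in the 4th column).
BUGGY_SQL = ("SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_START "
             "FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?")
FIXED_SQL = ("SELECT VERSION_START, OPERATOR_START, VERSION_END, OPERATOR_END "
             "FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?")

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}


def version_key(version):
    """Simplified version key: dotted integers only (assumption for the
    sample data; real CPE version strings need the NVD ordering rules)."""
    return tuple(int(part) for part in version.split("."))


def make_db():
    """In-memory PRODUCTS table populated with the constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO PRODUCTS VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def fetch_range(con, sql, cve_id, product, vendor):
    """Run one of the two SELECTs; returns (start, op_start, end, op_end)."""
    return con.execute(sql, (cve_id, product, vendor)).fetchone()


def in_range(version, row):
    """Apply the fetched bounds the way a range check would: both bounds
    must hold, and an empty bound is treated as absent."""
    start, op_start, end, op_end = row
    v = version_key(version)
    affected = True
    if start:
        affected = affected and OPS[op_start](v, version_key(start))
    if end:
        affected = affected and OPS[op_end](v, version_key(end))
    return affected


def compare_queries(version):
    """Verdict for `version` under the buggy and the fixed query."""
    con = make_db()
    args = ("CVE-0000-0001", "demo", "example")
    buggy = in_range(version, fetch_range(con, BUGGY_SQL, *args))
    fixed = in_range(version, fetch_range(con, FIXED_SQL, *args))
    return {"buggy": buggy, "fixed": fixed}


if __name__ == "__main__":
    for v in ("0.9", "1.5", "2.5"):
        print(v, compare_queries(v))
```

Run directly, the script shows that under the old query 1.5 (inside the range) is reported as unaffected and 2.5 (above the range) as affected, because the end bound is evaluated with the start operator; the fixed query reverses both verdicts.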

@masami256 force-pushed the debian-cve-check-plugin branch 5 times, most recently from 68b5712 to f2115ab on February 5, 2026 00:40
@masami256 changed the title from "Debian CVE check plugin" to "Add Debian CVE check plugin" on Feb 5, 2026
@masami256 marked this pull request as ready for review on February 5, 2026 01:58
@masami256 force-pushed the debian-cve-check-plugin branch from f2115ab to 4dd4e59 on February 18, 2026 06:05
We should get OPERATOR_END instead of OPERATOR_START twice.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Add a plugin disable feature to make it easy to disable specific plugin(s).

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
If EMLINUX_SOURCE_FROM is not set, it is difficult to detect source information.
Hence, we set it to unknown to reduce false positives.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
This commit adds a Debian plugin for checking vulnerabilities in Debian packages.

This plugin checks where the package came from via the debian_codename and
source_from variables to prevent checking wrong information.
Basically, the debian_codename is read from the DISTRO variable unless the user passes
the debian_codename option.

The source_from variables are read from all-source-infis read from DISTRO
variable unless user passes debian_codename option.

If the source_from is non-Debian or unknown, this plugin skips checking the
package.
Also, if the Debian codename is not in Debian's CVE tracker JSON file, it
skips as well.
So this plugin relies on the Debian codename to improve accuracy when
checking vulnerabilities.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 force-pushed the debian-cve-check-plugin branch from 4dd4e59 to 2d4beed on February 19, 2026 04:25
@hiraku-wfs merged commit 16c2d1a into miraclelinux:emlinux3 on Feb 20, 2026
0 of 2 checks passed