Debugging CVE check

Hey there, but specifically @marta

I’m trying to debug a particularly slow build of qemu, and I’m wondering whether the CVE checker uses an online database that the CI system should cache and mirror locally.

There are no timestamps here but this took hours to check.

WARNING: qemu-system-native-4.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-12067 CVE-2020-12829 CVE-2020-13253 CVE-2020-13754 CVE-2020-13791 CVE-2020-15469 CVE-2020-15859 CVE-2020-17380 CVE-2020-25742 CVE-2020-25743 CVE-2020-27661 CVE-2020-27821 CVE-2020-35503 CVE-2020-35504 CVE-2020-35505 CVE-2020-35506 CVE-2021-20255 CVE-2021-3409 CVE-2021-3507 CVE-2021-3682 CVE-2021-3713), for more information check /tmp/workspace.r4oooR1Q3E/build/tmp/work/x86_64-linux/qemu-system-native/4.2.0-r0/temp/cve.log
NOTE: recipe qemu-system-native-4.2.0-r0: task do_cve_check: Succeeded
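The WARNING line above is the only per-recipe summary the build prints, so it is worth turning into a triage list (which CVE ids, how many, where the detailed cve.log lives). The following parser is an added example written for this thread; it is not code from the original posts or from Poky’s cve-check.bbclass. It works on a constructed log excerpt made of the two lines quoted above plus one unrelated WARNING line, and it assumes the message format shown in the thread (the trailing "for more information check <path>" part is treated as optional, which is an assumption about other cve-check versions, not something the thread confirms).

```python
import re
from collections import Counter

# Constructed sample log: the do_cve_check WARNING and NOTE lines quoted in the
# thread, plus one unrelated WARNING line to show that it is ignored.
SAMPLE_LOG = """\
WARNING: qemu-system-native-4.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2019-12067 CVE-2020-12829 CVE-2020-13253 CVE-2020-13754 CVE-2020-13791 CVE-2020-15469 CVE-2020-15859 CVE-2020-17380 CVE-2020-25742 CVE-2020-25743 CVE-2020-27661 CVE-2020-27821 CVE-2020-35503 CVE-2020-35504 CVE-2020-35505 CVE-2020-35506 CVE-2021-20255 CVE-2021-3409 CVE-2021-3507 CVE-2021-3682 CVE-2021-3713), for more information check /tmp/workspace.r4oooR1Q3E/build/tmp/work/x86_64-linux/qemu-system-native/4.2.0-r0/temp/cve.log
NOTE: recipe qemu-system-native-4.2.0-r0: task do_cve_check: Succeeded
WARNING: some other message that is not a cve_check result
"""

# Shape of the cve-check WARNING line as it appears in the thread. The trailing
# "for more information check <path>" part is made optional here; that this is
# stable across cve-check.bbclass versions is an assumption, not verified.
WARNING_RE = re.compile(
    r"^WARNING: (?P<recipe>\S+) do_cve_check: Found unpatched CVE "
    r"\((?P<cves>[^)]*)\)"
    r"(?:, for more information check (?P<log>\S+))?"
)
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-\d{4,}$")


def parse_cve_check_warnings(log_text):
    """Map each recipe (PN-PV-PR as printed) to its unpatched CVE ids and cve.log path.

    CVE ids keep the order they were printed in; tokens that are not
    well-formed CVE ids are dropped rather than passed on to a report.
    """
    results = {}
    for line in log_text.splitlines():
        m = WARNING_RE.match(line)
        if not m:
            continue
        cves = [t for t in m.group("cves").split() if CVE_ID_RE.match(t)]
        results[m.group("recipe")] = {"cves": cves, "log": m.group("log")}
    return results


def summarize_by_year(cve_ids):
    """Count CVE ids per year, e.g. {2019: 1, 2020: 15, 2021: 5}.

    A long tail of old years usually means fixes that exist upstream but were
    never backported to the pinned version, which is a different job from
    handling the current year's entries.
    """
    return dict(Counter(int(CVE_ID_RE.match(c).group("year")) for c in cve_ids))


if __name__ == "__main__":
    for recipe, info in parse_cve_check_warnings(SAMPLE_LOG).items():
        print(f"{recipe}: {len(info['cves'])} unpatched CVE(s), details in {info['log']}")
        print("  by year:", summarize_by_year(info["cves"]))
```

Run it against a real build log (for example `bitbake ... 2>&1 | tee build.log`, then feed build.log to `parse_cve_check_warnings`) to get one dictionary per recipe instead of scrolling through the console output; the per-year summary makes it obvious when a slow do_cve_check is accompanied by a backlog of old, unpatched entries.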

To answer my own question.

I had a look at cve-check.bbclass (meta/classes in the Poky build tool and metadata repository) and it does keep a copy of some database (181MB) inside the download cache. I’ll check whether it was just one particularly painful download and things will be faster from now on, or whether it is reproducible, indicating a deeper problem.

It should pull the db from https://nvd.nist.gov/ prior to running checks due to `do_cve_check[depends] = "cve-update-db-native:do_fetch"`. I’d be curious to see your tmp/buildstats to see what was hanging up and why.

That is 17MB right now. I can tarball that up and share it some way.

I’ve shared it via private forum message as I cannot attach .tar.gz files here in the public.

Good that you have found an answer; yes, it caches the database. Please take into consideration that this database changes every day. For caching purposes, it would be enough to download the update once per day somewhere and distribute it over the build machines.

Note: during the build itself it queries the local database, so it should be fast.

I also experience a slow build, but clearly for another reason.