[OE-core] [PATCH 1/4] cve-update-db: New recipe to update CVE database

Pierre Le Magourou lemagoup at gmail.com
Wed Jul 10 11:17:18 UTC 2019

Hi Kevin,

> I found that the hash function is causing collisions in the generated database such that some CVEs are being overwritten because of the UNIQUE constraint on the HASH column. For example, CVE-2018-1000873 has the same hash of 623198722 as CVE-2018-18338. This results in one of the two CVEs not appearing in the database.

This is problematic. I kept using djb2 hash function, because it was
the one used in the previous cve-check-tool and it was fast. But it
might not be the right hash function to use. Do you have a better hash
function in mind ?
I can also drop hash function, remove everything from the database and
recreate all entries at each update but it will increase database
update time.

I don't have the same hash as you for CVE-2018-1000873 and
CVE-2018-18338, do you use my latest patches from master ? I did
several changes recently.

Pierre Le Magourou

More information about the Openembedded-core mailing list