cve-check-ng: Support CVSS v4 #645

Open
masami256 wants to merge 2 commits into miraclelinux:emlinux3 from masami256:eml3-support-cvssv4

@masami256 masami256 commented May 21, 2026

Purpose

This PR adds support for CVSS v4 data to cve-check-ng.py. It contains the following commits.

  1. scripts/cve_check_ng: Add CVSS v4 support
  2. script/cve_check_ng: Use CVSS v4 supported database

Commit 1 adds CVSS v4 data support.
Commit 2 uses the CVE_DB_V2_PREDOWNLOAD_URL variable to download a database file that supports CVSS v4 data.

Test setup

Add the following line to local.conf, then build emlinux-image-base.

CVE_DB_V2_PREDOWNLOAD_URL="http://127.0.0.1:20080/nvd_cve_db_v2.db"

Test

Create database from scratch

Run the following command.

cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key> \
--verbose

Use pre-created database

This test uses the above test result.

  1. Create www directory
  2. Move build/downloads/CVE/nvd_cve_db_v2.db into download directory
  3. Go to www directory
  4. Run "python3 -m http.server 20080" in another terminal

Then run the following command.

cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose

Test result

Create database from scratch

build@381fa9ba0f62:~/work$ cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key> \
--verbose
2026-05-27 23:59:47,592:INFO: |------------------------------|
2026-05-27 23:59:47,592:INFO: | This is experimental version |
2026-05-27 23:59:47,592:INFO: |------------------------------|
>>> snip <<<
2026-05-28 00:18:03,576:DEBUG: CVE CVE-2026-8915 has no configurations
2026-05-28 00:18:03,579:INFO: Update last modified date
2026-05-28 00:18:03,586:DEBUG: EmlNVDPlugin: run-check start
2026-05-28 00:18:23,673:DEBUG: EmlNVDPlugin: run-check finish
2026-05-28 00:18:23,882:INFO: Update KEV database
2026-05-28 00:18:23,882:INFO: Last database update is in 1day so skip Debian CVE database update
2026-05-28 00:18:24,221:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-05-28 00:18:24,279:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve
2026-05-28 00:18:24,489:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-05-28 00:18:24,726:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve.json

CVSS v4 data is contained.

build@381fa9ba0f62:~/work$ grep -i "CVSS V4" build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/* | grep -v "0\.0"
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/glibc:CVSS v4 BASE SCORE: 5.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 5.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 7.2
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/mawk:CVSS v4 BASE SCORE: 9.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/ncurses:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/pcre2:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/sed:CVSS v4 BASE SCORE: 2.1
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 2.4
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 4.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 1.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 6.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/zlib:CVSS v4 BASE SCORE: 4.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/zlib:CVSS v4 BASE SCORE: 1.7

Use pre-created database

cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key> \
--cve-db-predownload \
--verbose
2026-05-28 00:43:39,460:INFO: |------------------------------|
2026-05-28 00:43:39,460:INFO: | This is experimental version |
2026-05-28 00:43:39,460:INFO: |------------------------------|
2026-05-28 00:43:47,658:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_debian_plugin.py
2026-05-28 00:43:47,659:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_cip_kernel_plugin.py
2026-05-28 00:43:47,660:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-05-28 00:43:47,662:DEBUG: run EmlDebianPlugin
2026-05-28 00:43:47,662:INFO: Update debian CVE database
2026-05-28 00:43:47,662:INFO: Last database update is in 1day so skip Debian CVE database update
2026-05-28 00:43:47,662:DEBUG: EmlDebianPlugin: run-check start
2026-05-28 00:43:48,342:DEBUG: run EmlCIPKernelPlugin
2026-05-28 00:43:48,342:INFO: check update
2026-05-28 00:43:48,345:DEBUG: time diff: 1:04:03.345869
2026-05-28 00:43:48,345:INFO: cip-kernel-sec has been updated in 86400 second. skip update.
2026-05-28 00:43:48,345:DEBUG: EmlCIPKernelPlugin: run-check start
2026-05-28 00:43:48,345:DEBUG: Linux kernel package is linux-cip
2026-05-28 00:44:22,290:DEBUG: run EmlNVDPlugin
2026-05-28 00:44:22,290:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvd_cve_db_v2.db
2026-05-28 00:44:22,290:INFO: Predownload CVE database file.
2026-05-28 00:44:22,290:INFO: Download CVE database file from http://127.0.0.1:20080/nvd_cve_db_v2.db.
2026-05-28 00:44:22,784:INFO: Download CVE database file was succeeded.
2026-05-28 00:44:22,900:INFO: Last database update is in 1 day skip NVD database update
2026-05-28 00:44:22,900:DEBUG: EmlNVDPlugin: run-check start
2026-05-28 00:44:42,761:DEBUG: EmlNVDPlugin: run-check finish
2026-05-28 00:44:42,972:INFO: Update KEV database
2026-05-28 00:44:42,972:INFO: Last database update is in 1day so skip Debian CVE database update
2026-05-28 00:44:43,313:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-05-28 00:44:43,378:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve
2026-05-28 00:44:43,585:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-05-28 00:44:43,837:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve.json

CVSS v4 data is contained.

build@381fa9ba0f62:~/work$ grep -i "CVSS V4" build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/* | grep -v "0\.0"
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/glibc:CVSS v4 BASE SCORE: 5.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 5.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 7.2
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/mawk:CVSS v4 BASE SCORE: 9.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/ncurses:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/pcre2:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/sed:CVSS v4 BASE SCORE: 2.1
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 2.4
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 4.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 1.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 6.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/zlib:CVSS v4 BASE SCORE: 4.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/zlib:CVSS v4 BASE SCORE: 1.7
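
Added example, not part of the PR or of cve_check_ng: the `grep -v "0\.0"` check above matches "0.0" as a substring, so a line reporting a score of 10.0 would be dropped along with the 0.0 lines. The sketch below parses the same `path:CVSS v4 BASE SCORE: N` lines numerically and reports the highest score per package with its CVSS v4.0 severity rating; `SAMPLE` is constructed and `example-pkg` is a made-up package name.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the "path:CVSS v4 BASE SCORE: N" shape of the grep
# output on this page; example-pkg and the 0.0 / 10.0 rows are invented.
SAMPLE = """\
cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.3
cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
cve_check_ng/text/glibc:CVSS v4 BASE SCORE: 0.0
cve_check_ng/text/mawk:CVSS v4 BASE SCORE: 9.3
cve_check_ng/text/example-pkg:CVSS v4 BASE SCORE: 10.0
cve_check_ng/text/example-pkg:CVSS v4 BASE SCORE: 0.0
"""

LINE_RE = re.compile(r"^(.+?):CVSS v4 BASE SCORE:\s*(\d+(?:\.\d+)?)\s*$", re.I)

def severity(score):
    """Map a base score to the CVSS v4.0 qualitative severity rating."""
    for floor, name in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor:
            return name
    return "NONE"

def substring_filter(text):
    """What `grep -v "0\\.0"` keeps: every line without the substring "0.0"."""
    return [line for line in text.splitlines() if "0.0" not in line]

def parse_scores(text):
    """Return {package: [scores]}, dropping only scores numerically equal to 0."""
    scores = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = float(m.group(2))
        if 0.0 < value <= 10.0:
            scores[os.path.basename(m.group(1))].append(value)
    return dict(scores)

def worst_per_package(text):
    """Return {package: (highest score, severity)} for triage."""
    return {pkg: (max(v), severity(max(v))) for pkg, v in parse_scores(text).items()}

if __name__ == "__main__":
    for pkg, (score, sev) in sorted(worst_per_package(SAMPLE).items()):
        print(f"{pkg}: {score} {sev}")
```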

@masami256 masami256 changed the title from "Eml3 support cvssv4" to "cve-check-ng: Support CVSS v4" May 21, 2026
@masami256 masami256 marked this pull request as ready for review May 21, 2026 04:39
@masami256 masami256 marked this pull request as draft May 24, 2026 22:46
masami256 added 2 commits May 25, 2026 23:37
Some CVEs only contain CVSS v4 data. So, we should track it.

1: https://nvd.nist.gov/vuln/detail/CVE-2025-31115

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>

This change uses a CVSS v4 supported database file for create or predownload.
To support it, two variables are added to the return value of get_bitbake_information.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 force-pushed the eml3-support-cvssv4 branch from b69732c to 0ea8c7f Compare May 26, 2026 02:05
@masami256 masami256 marked this pull request as ready for review May 28, 2026 00:51