Comments (13)

rossburton commented on August 29, 2024 2

Putting it in the same database means you can't have any problems with the two being out of sync.

from cve-bin-tool.

pdxjohnny commented on August 29, 2024

Fuck, we'll get on this soon

from cve-bin-tool.

PrajwalM2212 commented on August 29, 2024

I will check this today.
But I think the data is cached but the function is called many times. The function is such that, if called, it will not necessarily update the database.

from cve-bin-tool.

PrajwalM2212 commented on August 29, 2024

@rossburton I checked the code. There was nothing wrong with the code. The database exists and data is cached.
The current implementation waits 30 days from a release before downloading new data. Since 32 days have passed since the last release date and yet there is no release, it fetches the data again. It will continue to fetch as long as a new release does not happen.
Probably setting it to 60 days may be safe.
So it does not cause any performance problems unless of course a new version is not released within the refresh time.

from cve-bin-tool.

rossburton commented on August 29, 2024

I put a print() in sqlite.py:

diff --git a/cve_bin_tool/checkers/sqlite.py b/cve_bin_tool/checkers/sqlite.py
index 7b59a91..e818cc4 100644
--- a/cve_bin_tool/checkers/sqlite.py
+++ b/cve_bin_tool/checkers/sqlite.py
@@ -86,6 +86,7 @@ def get_version_map():

     changeurl = "https://www.sqlite.org/changes.html"
     try:
+        print("Fetching %s" % changeurl)
         response = request.urlopen(changeurl)
     except error.URLError as err:
         print("Could not fetch " + changeurl + ", " + err)
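Review bot: In the except branch directly below the added print, "Could not fetch " + changeurl + ", " + err concatenates a str with the URLError object, so a failed fetch raises TypeError instead of reporting the error; use str(err) or a format string as the added line does. The request.urlopen(changeurl) call is also made without a timeout, so a stalled connection would block the scan at this point. If the "Fetching %s" trace is meant to stay, send it through the logger at debug level rather than print() so it only appears when debug logging is requested.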

Then run cve-bin-tool:

$ cve-bin-tool -xv /usr/ -l debug
Connecting to NVD database and extracting the CVE list ... Please hold on.. This will take few minutes...
Last Update: 2019-03-11
Local database has been updated in the past 24h.
New data not downloaded.  Remove old files present at /home/ross/.cache/cve-bin-tool to force the update.
INFO:cve_bin_tool.Scanner:Checkers loaded: png, xml2, libnss, expat, libjpeg, libgcrypt, libcurl, curl, node, libtiff, openssl, kerberos, xerces, sqlite, zlib, systemd
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/games/espdiff'
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/biosdecode'
Fetching https://www.sqlite.org/changes.html
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/grpck'
Fetching https://www.sqlite.org/changes.html
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/tcpdchk'
Fetching https://www.sqlite.org/changes.html
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/chroot.fakechroot'
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/samba_kcc'
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/blkmapd'
Fetching https://www.sqlite.org/changes.html
DEBUG:cve_bin_tool.Scanner:Scanning file: '/usr/sbin/logrotate'
Fetching https://www.sqlite.org/changes.html

It is downloading from sqlite.org for almost every file that is being scanned.

from cve-bin-tool.

rossburton commented on August 29, 2024

I think you're misunderstanding. For almost every file, sqlite.py is downloading changes.html. This is not a working cache.

from cve-bin-tool.

PrajwalM2212 commented on August 29, 2024

Then the database has to be made more automatic.
The last update date must be saved and the update should be done only after 30 days from when the database was last updated.

from cve-bin-tool.

PrajwalM2212 commented on August 29, 2024

You can set the number to, say, 40 and 60 in mapdb = VersionSignatureDb('sqlite', get_version_map, 40) in sqlite.py; then it does not download every time.

from cve-bin-tool.

rossburton commented on August 29, 2024

Yes. The last release was 31 days ago, the code should be checking how long since it last checked instead.

Also, the refresh logic where it calculates the difference is pretty poor Python. If you subtract one datetime from another the result is a timedelta which has a days attribute: no need to mess around with str() and split(). Just store the current datetime in the database, and compare that with now.

from cve-bin-tool.
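
The refresh rule suggested in the comment above, as an added example that is not part of the original thread and not cve-bin-tool's own code: the time of the last check is stored in the same SQLite database as the version map and compared with now through timedelta.days. `VersionMapCache`, the `meta` table and `fake_fetch` are hypothetical names, and the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta


class VersionMapCache:
    """Hypothetical stand-in for the checker's version/signature database."""

    def __init__(self, path, fetch, refresh_days=30):
        self.conn = sqlite3.connect(path)
        self.fetch = fetch              # callable returning (version, signature) rows
        self.refresh_days = refresh_days
        self.conn.execute("CREATE TABLE IF NOT EXISTS version_map"
                          " (version TEXT PRIMARY KEY, signature TEXT)")
        self.conn.execute("CREATE TABLE IF NOT EXISTS meta"
                          " (key TEXT PRIMARY KEY, value TEXT)")

    def is_stale(self, now):
        row = self.conn.execute(
            "SELECT value FROM meta WHERE key = 'last_checked'").fetchone()
        if row is None:
            return True                 # never fetched
        # datetime - datetime is a timedelta; .days needs no string parsing.
        return (now - datetime.fromisoformat(row[0])).days >= self.refresh_days

    def get(self, now=None):
        now = now or datetime.now()
        if self.is_stale(now):
            rows = self.fetch()
            with self.conn:             # one transaction: data and timestamp stay in sync
                self.conn.execute("DELETE FROM version_map")
                self.conn.executemany("INSERT INTO version_map VALUES (?, ?)", rows)
                self.conn.execute("INSERT OR REPLACE INTO meta VALUES (?, ?)",
                                  ("last_checked", now.isoformat()))
        return dict(self.conn.execute("SELECT version, signature FROM version_map"))


def demo():
    fetches = []
    def fake_fetch():                   # constructed rows, no network access
        fetches.append(1)
        return [("3.27.2", "constructed-sig-a"), ("3.27.1", "constructed-sig-b")]
    cache = VersionMapCache(":memory:", fake_fetch)
    start = datetime(2019, 3, 29, 12, 0)
    for n in range(5):                  # five files scanned in one run
        cache.get(start + timedelta(seconds=n))
    same_run = len(fetches)
    cache.get(start + timedelta(days=29))   # still fresh
    cache.get(start + timedelta(days=30))   # interval elapsed, refetch
    return same_run, len(fetches)
```

Because the staleness test depends on when the data was last checked rather than on the upstream release date, a long gap between releases no longer triggers a download for every scanned file.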

PrajwalM2212 commented on August 29, 2024

The refresh logic is redundant, I did not know the available methods in datetime or timedelta. Thanks for the docs. 😊

New Lesson: Check the docs to see if a method already exists. Thanks

from cve-bin-tool.

PrajwalM2212 commented on August 29, 2024

@rossburton Should I store the current date (recent database update date) in a new database or store it in the current database as a single entry?

from cve-bin-tool.
