cve-check-ng: Support CVSS v4#645

Draft
masami256 wants to merge 2 commits into miraclelinux:emlinux3 from masami256:eml3-support-cvssv4

@masami256 masami256 commented May 21, 2026

Purpose

This PR adds support for CVSS v4 data to cve-check-ng.py. It contains the following commits.

  1. scripts/cve_check_ng: Add CVSS v4 support
  2. scripts: Use CVE_DB_NAME variable for cve-check-ng.py

Commit 1 added CVSS v4 data support.

Commit 2 uses the CVE_DB_NAME variable to specify the database file name.
To support CVSS v4 data, we need to use a database other than nvd_cve_db.db because it's used by cve-check.py, which doesn't support CVSS v4. The CVE_DB_NAME variable should be defined in conf/local.conf.
This variable is not used in cve-check.py because the database name is hard-coded. So cve-check.py doesn't affect this change.

Test

Add the following line to local.conf, then build emlinux-image-base.

CVE_DB_NAME="nvdcve_2-2.db"

Then run the CVE check.

cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key> \
--verbose

Test result

The CVE check succeeded.

build@1d9d08bcf8bd:~/work$ cve_check_ng.py \
--image emlinux-image-base \
--debian-codename bookworm \
--output-format text,json \
--nvd-api-key <your api key>\
--verbose
2026-05-21 02:09:52,722:INFO: |------------------------------|
2026-05-21 02:09:52,723:INFO: | This is experimental version |
2026-05-21 02:09:52,723:INFO: |------------------------------|
2026-05-21 02:10:01,550:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_debian_plugin.py
2026-05-21 02:10:01,551:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_cip_kernel_plugin.py
2026-05-21 02:10:01,551:DEBUG: loading /home/build/work/build/../repos/meta-emlinux/scripts/lib/python/cve/plugin/eml_cve_nvd_plugin.py
2026-05-21 02:10:01,553:DEBUG: run EmlDebianPlugin
2026-05-21 02:10:01,553:INFO: Update debian CVE database
2026-05-21 02:10:01,553:INFO: Last database update is in 1day so skip Debian CVE database update
2026-05-21 02:10:01,553:DEBUG: EmlDebianPlugin: run-check start
2026-05-21 02:10:02,226:DEBUG: run EmlCIPKernelPlugin
2026-05-21 02:10:02,226:INFO: check update
2026-05-21 02:10:02,229:DEBUG: time diff: 2:00:23.229250
2026-05-21 02:10:02,229:INFO: cip-kernel-sec has been updated in 86400 second. skip update.
2026-05-21 02:10:02,229:DEBUG: EmlCIPKernelPlugin: run-check start
2026-05-21 02:10:02,229:DEBUG: Linux kernel package is linux-cip
2026-05-21 02:10:36,108:DEBUG: run EmlNVDPlugin
2026-05-21 02:10:36,108:DEBUG: Initialize nvd cve database /home/build/work/build/downloads/CVE/nvdcve_2-2.db
2026-05-21 02:10:36,108:INFO: Last database update is in 1 day skip NVD database update
2026-05-21 02:10:36,108:DEBUG: EmlNVDPlugin: run-check start
2026-05-21 02:10:56,329:DEBUG: EmlNVDPlugin: run-check finish
2026-05-21 02:10:56,528:INFO: Update KEV database
2026-05-21 02:10:56,528:INFO: Last database update is in 1day so skip Debian CVE database update
2026-05-21 02:10:56,855:INFO: Text report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text
2026-05-21 02:10:56,920:INFO: All in one text report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve
2026-05-21 02:10:57,148:INFO: Json report were written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/json
2026-05-21 02:10:57,407:INFO: All in one json report was written to /home/build/work/build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/emlinux-image-base-emlinux-bookworm-qemu-amd64_cve.json

CVSS v4 data is recorded.

build@1d9d08bcf8bd:~/work$ grep "CVSS v4"  build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/* | grep -v "0\.0"
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/elfutils:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/glibc:CVSS v4 BASE SCORE: 5.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 8.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 5.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 2.0
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/linux-cip:CVSS v4 BASE SCORE: 7.2
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/mawk:CVSS v4 BASE SCORE: 9.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/ncurses:CVSS v4 BASE SCORE: 4.8
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/pcre2:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/sed:CVSS v4 BASE SCORE: 2.1
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 2.4
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 6.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 1.9
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/vim:CVSS v4 BASE SCORE: 4.6
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 1.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 6.3
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/xz-utils:CVSS v4 BASE SCORE: 8.7
build/tmp/deploy/cve/emlinux-image-base-emlinux-bookworm-qemu-amd64/cve_check_ng/text/zlib:CVSS v4 BASE SCORE: 4.6

masami256 added 2 commits May 15, 2026 05:14
Some CVEs only contain CVSS v4 data. So, we should track it.

1: https://nvd.nist.gov/vuln/detail/CVE-2025-31115

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
To support CVSS v4 data, we need to use a database other than nvd_cve_db.db
because it's used for cve-check.py which doesn't support CVSS v4.
The CVE_DB_NAME variable should be defined in conf/local.conf.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 changed the title Eml3 support cvssv4 cve-check-ng: Support CVSS v4 May 21, 2026
@masami256 masami256 marked this pull request as ready for review May 21, 2026 04:39
@masami256 masami256 marked this pull request as draft May 24, 2026 22:46
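
The first commit message notes that some CVEs carry only CVSS v4 data. As an added example (not code from this PR or from meta-emlinux), the sketch below reads the `metrics` object of NVD CVE API 2.0 records and flags CVEs that a checker reading only v2/v3 metrics would report without a score. The helper names, CVE ids and sample records are constructed for illustration.

```python
# Added example: not code from meta-emlinux. The record layout follows the
# "metrics" object of the NVD CVE API 2.0; the sample records are constructed.

# Metric keys used in NVD API 2.0 responses, newest CVSS version first.
METRIC_KEYS = [
    ("4.0", "cvssMetricV40"),
    ("3.1", "cvssMetricV31"),
    ("3.0", "cvssMetricV30"),
    ("2.0", "cvssMetricV2"),
]

def pick(entries):
    """Prefer a "Primary" assessment over "Secondary" ones when both exist."""
    primary = [e for e in entries if e.get("type") == "Primary"]
    return (primary or entries)[0]

def extract_scores(cve):
    """Return {cvss_version: (base_score, vector)} for every version present."""
    metrics = cve.get("metrics") or {}
    scores = {}
    for version, key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        data = pick(entries).get("cvssData", {})
        if "baseScore" in data:
            scores[version] = (float(data["baseScore"]), data.get("vectorString", ""))
    return scores

def v4_only(cve):
    """True when a checker that reads only v2/v3 metrics would see no score."""
    return set(extract_scores(cve)) == {"4.0"}

SAMPLE = [  # constructed records with placeholder CVE ids
    {"id": "CVE-0000-0001", "metrics": {"cvssMetricV40": [
        {"type": "Secondary", "cvssData": {"version": "4.0", "baseScore": 8.7,
         "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}]}},
    {"id": "CVE-0000-0002", "metrics": {
        "cvssMetricV31": [{"type": "Primary", "cvssData": {"version": "3.1", "baseScore": 5.5,
         "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}],
        "cvssMetricV40": [{"type": "Secondary", "cvssData": {"version": "4.0", "baseScore": 4.8,
         "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}]}},
    {"id": "CVE-0000-0003", "metrics": {}},  # not yet scored under any version
]

if __name__ == "__main__":
    for cve in SAMPLE:
        flag = "v4-only" if v4_only(cve) else ""
        print(cve["id"], extract_scores(cve), flag)
```

A record with an empty `metrics` object is reported as unscored rather than v4-only, which keeps "no assessment yet" separate from "assessed only under CVSS v4".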