cve-check-tool: remove

Message ID 20190716124650.22236-1-ross.burton@intel.com
State Superseded
Headers show
Series
  • cve-check-tool: remove
Related show

Commit Message

Ross Burton July 16, 2019, 12:46 p.m.
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb    |  62 -----
 ...x-freeing-memory-allocated-by-sqlite.patch |  50 ----
 ...erriding-default-CA-certificate-file.patch | 215 ------------------
 ...s-in-percent-when-downloading-CVE-db.patch | 135 -----------
 ...omputed-vs-expected-sha256-digit-str.patch |  52 -----
 ...heck-for-malloc_trim-before-using-it.patch |  51 -----
 6 files changed, 565 deletions(-)
 delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

Comments

Khem Raj July 16, 2019, 4:30 p.m. | #1
May be add a line about why it is being removed

On Tue, Jul 16, 2019 at 5:46 AM Ross Burton <ross.burton@intel.com> wrote:

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  .../cve-check-tool/cve-check-tool_5.6.4.bb    |  62 -----

>  ...x-freeing-memory-allocated-by-sqlite.patch |  50 ----

>  ...erriding-default-CA-certificate-file.patch | 215 ------------------

>  ...s-in-percent-when-downloading-CVE-db.patch | 135 -----------

>  ...omputed-vs-expected-sha256-digit-str.patch |  52 -----

>  ...heck-for-malloc_trim-before-using-it.patch |  51 -----

>  6 files changed, 565 deletions(-)

>  delete mode 100644 meta/recipes-devtools/cve-check-tool/

> cve-check-tool_5.6.4.bb

>  delete mode 100644

> meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

>  delete mode 100644

> meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

>  delete mode 100644

> meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch

>  delete mode 100644

> meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

>  delete mode 100644

> meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

>

> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb

> b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb

> deleted file mode 100644

> index 1c84fb1cf2d..00000000000

> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb

> +++ /dev/null

> @@ -1,62 +0,0 @@

> -SUMMARY = "cve-check-tool"

> -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\

> -The tool will identify potentially vunlnerable software packages within

> Linux distributions through version matching."

> -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"

> -SECTION = "Development/Tools"

> -LICENSE = "GPL-2.0+"

> -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"

> -

> -SRC_URI = "

> https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz

> \

> -           file://check-for-malloc_trim-before-using-it.patch \

> -

>  file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \

> -

>  file://0001-curl-allow-overriding-default-CA-certificate-file.patch \

> -

>  file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \

> -           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \

> -          "

> -

> -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"

> -SRC_URI[sha256sum] =

> "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"

> -

> -UPSTREAM_CHECK_URI = "

> https://github.com/ikeydoherty/cve-check-tool/releases"

> -

> -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl

> ca-certificates"

> -

> -RDEPENDS_${PN} = "ca-certificates"

> -

> -inherit pkgconfig autotools

> -

> -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"

> -CFLAGS_append = " -Wno-error=pedantic"

> -

> -do_populate_cve_db() {

> -    if [ "${BB_NO_NETWORK}" = "1" ] ; then

> -        bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool

> database, new CVEs won't be detected"

> -        return

> -    fi

> -

> -    # In case we don't inherit cve-check class, use default values

> defined in the class.

> -    cve_dir="${CVE_CHECK_DB_DIR}"

> -    cve_file="${CVE_CHECK_TMP_FILE}"

> -

> -    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"

> -    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"

> -

> -    unused="${@bb.utils.export_proxies(d)}"

> -    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"

> -    # --cacert works around curl-native not finding the CA bundle

> -    if cve-check-update --cacert

> ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then

> -        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date

> --utc +'%F %T')" > "$cve_file"

> -    else

> -        bbwarn "Error in executing cve-check-update"

> -        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}"

> -ne 0 ] ; then

> -            bbwarn "Failed to update cve-check-tool database, CVEs won't

> be checked"

> -        fi

> -    fi

> -}

> -

> -addtask populate_cve_db after do_populate_sysroot

> -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"

> -do_populate_cve_db[nostamp] = "1"

> -do_populate_cve_db[progress] = "percent"

> -

> -BBCLASSEXTEND = "native nativesdk"

> diff --git

> a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

> b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

> deleted file mode 100644

> index 4a82cf2dded..00000000000

> ---

> a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

> +++ /dev/null

> @@ -1,50 +0,0 @@

> -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001

> -From: Peter Marko <peter.marko@siemens.com>

> -Date: Thu, 13 Apr 2017 23:09:52 +0200

> -Subject: [PATCH] Fix freeing memory allocated by sqlite

> -

> -Upstream-Status: Backport

> -Signed-off-by: Peter Marko <peter.marko@siemens.com>

> ----

> - src/core.c | 8 ++++----

> - 1 file changed, 4 insertions(+), 4 deletions(-)

> -

> -diff --git a/src/core.c b/src/core.c

> -index 6263031..6788f16 100644

> ---- a/src/core.c

> -+++ b/src/core.c

> -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)

> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);

> -         if (rc != SQLITE_OK) {

> -                 fprintf(stderr, "ensure_table(): %s\n", err);

> --                free(err);

> -+                sqlite3_free(err);

> -                 return false;

> -         }

> -

> -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)

> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);

> -         if (rc != SQLITE_OK) {

> -                 fprintf(stderr, "ensure_table(): %s\n", err);

> --                free(err);

> -+                sqlite3_free(err);

> -                 return false;

> -         }

> -

> -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)

> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);

> -         if (rc != SQLITE_OK) {

> -                 fprintf(stderr, "ensure_table(): %s\n", err);

> --                free(err);

> -+                sqlite3_free(err);

> -                 return false;

> -         }

> -         if (err) {

> --                free(err);

> -+                sqlite3_free(err);

> -         }

> -

> -         return true;

> ---

> -2.1.4

> -

> diff --git

> a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

> b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

> deleted file mode 100644

> index 3d8ebd1bd26..00000000000

> ---

> a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

> +++ /dev/null

> @@ -1,215 +0,0 @@

> -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001

> -From: Jussi Kukkonen <jussi.kukkonen@intel.com>

> -Date: Thu, 9 Feb 2017 14:51:28 +0200

> -Subject: [PATCH] curl: allow overriding default CA certificate file

> -

> -Similar to curl, --cacert can now be used in cve-check-tool and

> -cve-check-update to override the default CA certificate file. Useful

> -in cases where the system default is unsuitable (for example,

> -out-dated) or broken (as in OE's current native libcurl, which embeds

> -a path string from one build host and then uses it on another although

> -the right path may have become something different).

> -

> -Upstream-Status: Submitted [

> https://github.com/ikeydoherty/cve-check-tool/pull/45]

> -

> -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

> -

> -

> -Took Patrick Ohlys original patch from meta-security-isafw, rebased

> -on top of other patches.

> -

> -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>

> ----

> - src/library/cve-check-tool.h |  1 +

> - src/library/fetch.c          | 10 +++++++++-

> - src/library/fetch.h          |  3 ++-

> - src/main.c                   |  5 ++++-

> - src/update-main.c            |  4 +++-

> - src/update.c                 | 12 +++++++-----

> - src/update.h                 |  2 +-

> - 7 files changed, 27 insertions(+), 10 deletions(-)

> -

> -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h

> -index e4bb5b1..f89eade 100644

> ---- a/src/library/cve-check-tool.h

> -+++ b/src/library/cve-check-tool.h

> -@@ -43,6 +43,7 @@ typedef struct CveCheckTool {

> -     bool bugs;                          /**<Whether bug tracking is

> enabled */

> -     GHashTable *mapping;                /**<CVE Mapping */

> -     const char *output_file;            /**<Output file, if any */

> -+    const char *cacert_file;            /**<Non-default SSL certificate

> file, if any */

> - } CveCheckTool;

> -

> - /**

> -diff --git a/src/library/fetch.c b/src/library/fetch.c

> -index 0fe6d76..8f998c3 100644

> ---- a/src/library/fetch.c

> -+++ b/src/library/fetch.c

> -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t

> dltotal, curl_off_t dlnow

> - }

> -

> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,

> --                      unsigned int start_percent, unsigned int

> end_percent)

> -+                      unsigned int start_percent, unsigned int

> end_percent,

> -+                      const char *cacert_file)

> - {

> -         FetchStatus ret = FETCH_STATUS_FAIL;

> -         CURLcode res;

> -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char

> *target, bool verbose,

> -                 return ret;

> -         }

> -

> -+        if (cacert_file) {

> -+                res = curl_easy_setopt(curl, CURLOPT_CAINFO,

> cacert_file);

> -+                if (res != CURLE_OK) {

> -+                        goto bail;

> -+                }

> -+        }

> -+

> -         if (stat(target, &st) == 0) {

> -                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION,

> CURL_TIMECOND_IFMODSINCE);

> -                 if (res != CURLE_OK) {

> -diff --git a/src/library/fetch.h b/src/library/fetch.h

> -index 4cce5d1..836c7d7 100644

> ---- a/src/library/fetch.h

> -+++ b/src/library/fetch.h

> -@@ -29,7 +29,8 @@ typedef enum {

> -  * @return A FetchStatus, indicating the operation taken

> -  */

> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,

> --                      unsigned int this_percent, unsigned int

> next_percent);

> -+                      unsigned int this_percent, unsigned int

> next_percent,

> -+                      const char *cacert_file);

> -

> - /**

> -  * Attempt to extract the given gzipped file

> -diff --git a/src/main.c b/src/main.c

> -index 8e6f158..ae69d47 100644

> ---- a/src/main.c

> -+++ b/src/main.c

> -@@ -280,6 +280,7 @@ static bool csv_mode = false;

> - static char *modified_stamp = NULL;

> - static gchar *mapping_file = NULL;

> - static gchar *output_file = NULL;

> -+static gchar *cacert_file = NULL;

> -

> - static GOptionEntry _entries[] = {

> -         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide

> patched/addressed CVEs", NULL },

> -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {

> -         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV

> formatted data only", NULL },

> -         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path

> to a mapping file", NULL},

> -         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file,

> "Path to the output file (output plugin specific)", NULL},

> -+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to

> the combined SSL certificates file (system default is used if not set)",

> NULL},

> -         { .short_name = 0 }

> - };

> -

> -@@ -492,6 +494,7 @@ int main(int argc, char **argv)

> -

> -         quiet = csv_mode || !no_html;

> -         self->output_file = output_file;

> -+        self->cacert_file = cacert_file;

> -

> -         if (!csv_mode && self->output_file) {

> -                 quiet = false;

> -@@ -530,7 +533,7 @@ int main(int argc, char **argv)

> -                 if (status) {

> -                         fprintf(stderr, "Update of db forced\n");

> -                         cve_db_unlock();

> --                        if (!update_db(quiet, db_path->str)) {

> -+                        if (!update_db(quiet, db_path->str,

> self->cacert_file)) {

> -                                 fprintf(stderr, "DB update failure\n");

> -                                 goto cleanup;

> -                         }

> -diff --git a/src/update-main.c b/src/update-main.c

> -index 2379cfa..c52d9d0 100644

> ---- a/src/update-main.c

> -+++ b/src/update-main.c

> -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the

> License, or\n\

> - static gchar *nvds = NULL;

> - static bool _show_version = false;

> - static bool _quiet = false;

> -+static const char *_cacert_file = NULL;

> -

> - static GOptionEntry _entries[] = {

> -         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory

> in filesystem", NULL },

> -         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show

> version", NULL },

> -         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently",

> NULL },

> -+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to

> the combined SSL certificates file (system default is used if not set)",

> NULL},

> -         { .short_name = 0 }

> - };

> -

> -@@ -88,7 +90,7 @@ int main(int argc, char **argv)

> -                 goto end;

> -         }

> -

> --        if (update_db(_quiet, db_path->str)) {

> -+        if (update_db(_quiet, db_path->str, _cacert_file)) {

> -                 ret = EXIT_SUCCESS;

> -         } else {

> -                 fprintf(stderr, "Failed to update database\n");

> -diff --git a/src/update.c b/src/update.c

> -index 070560a..8cb4a39 100644

> ---- a/src/update.c

> -+++ b/src/update.c

> -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char

> *update_fname, bool ok)

> -

> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,

> -                            bool db_exist, bool verbose,

> --                           unsigned int this_percent, unsigned int

> next_percent)

> -+                           unsigned int this_percent, unsigned int

> next_percent,

> -+                           const char *cacert_file)

> - {

> -         const char nvd_uri[] = URI_PREFIX;

> -         autofree(cve_string) *uri_meta = NULL;

> -@@ -331,14 +332,14 @@ refetch:

> -         }

> -

> -         /* Fetch NVD META file */

> --        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose,

> this_percent, this_percent);

> -+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose,

> this_percent, this_percent, cacert_file);

> -         if (st == FETCH_STATUS_FAIL) {

> -                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);

> -                 return -1;

> -         }

> -

> -         /* Fetch NVD XML file */

> --        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose,

> this_percent, next_percent);

> -+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose,

> this_percent, next_percent, cacert_file);

> -         switch (st) {

> -         case FETCH_STATUS_FAIL:

> -                 fprintf(stderr, "Failed to fetch %s\n",

> uri_data_gz->str);

> -@@ -391,7 +392,7 @@ refetch:

> -         return 0;

> - }

> -

> --bool update_db(bool quiet, const char *db_file)

> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file)

> - {

> -         autofree(char) *db_dir = NULL;

> -         autofree(CveDB) *cve_db = NULL;

> -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)

> -                 if (!quiet)

> -                         fprintf(stderr, "completed: %u%%\r",

> start_percent);

> -                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,

> --                                     start_percent, end_percent);

> -+                                     start_percent, end_percent,

> -+                                     cacert_file);

> -                 switch (rc) {

> -                 case 0:

> -                         if (!quiet)

> -diff --git a/src/update.h b/src/update.h

> -index b8e9911..ceea0c3 100644

> ---- a/src/update.h

> -+++ b/src/update.h

> -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);

> -

> - int update_required(const char *db_file);

> -

> --bool update_db(bool quiet, const char *db_file);

> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file);

> -

> -

> - /*

> ---

> -2.1.4

> -

> diff --git

> a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch

> b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch

> deleted file mode 100644

> index 8ea6f686e3f..00000000000

> ---

> a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch

> +++ /dev/null

> @@ -1,135 +0,0 @@

> -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001

> -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>

> -Date: Mon, 26 Sep 2016 12:12:41 +0100

> -Subject: [PATCH] print progress in percent when downloading CVE db

> -MIME-Version: 1.0

> -Content-Type: text/plain; charset=UTF-8

> -Content-Transfer-Encoding: 8bit

> -

> -Upstream-Status: Pending

> -Signed-off-by: André Draszik <git@andred.net>

> ----

> - src/library/fetch.c | 28 +++++++++++++++++++++++++++-

> - src/library/fetch.h |  3 ++-

> - src/update.c        | 16 ++++++++++++----

> - 3 files changed, 41 insertions(+), 6 deletions(-)

> -

> -diff --git a/src/library/fetch.c b/src/library/fetch.c

> -index 06d4b30..0fe6d76 100644

> ---- a/src/library/fetch.c

> -+++ b/src/library/fetch.c

> -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size,

> size_t nmemb, struct fetch_t *f

> -         return fwrite(ptr, size, nmemb, f->f);

> - }

> -

> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)

> -+struct percent_t {

> -+        unsigned int start;

> -+        unsigned int end;

> -+};

> -+

> -+static int progress_callback_new(void *ptr, curl_off_t dltotal,

> curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)

> -+{

> -+        (void) ultotal;

> -+        (void) ulnow;

> -+

> -+        struct percent_t *percent = (struct percent_t *) ptr;

> -+

> -+        if (dltotal && percent && percent->end >= percent->start) {

> -+                unsigned int diff = percent->end - percent->start;

> -+                if (diff) {

> -+                        fprintf(stderr,"completed:

> %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));

> -+                }

> -+        }

> -+

> -+        return 0;

> -+}

> -+

> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,

> -+                      unsigned int start_percent, unsigned int

> end_percent)

> - {

> -         FetchStatus ret = FETCH_STATUS_FAIL;

> -         CURLcode res;

> -         struct stat st;

> -         CURL *curl = NULL;

> -         struct fetch_t *f = NULL;

> -+        struct percent_t percent = { .start = start_percent, .end =

> end_percent };

> -

> -         curl = curl_easy_init();

> -         if (!curl) {

> -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char

> *target, bool verbose)

> -         }

> -         if (verbose) {

> -                 (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);

> -+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA,

> &percent);

> -+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION,

> progress_callback_new);

> -         }

> -         res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION,

> (curl_write_callback)write_func);

> -         if (res != CURLE_OK) {

> -diff --git a/src/library/fetch.h b/src/library/fetch.h

> -index 70c3779..4cce5d1 100644

> ---- a/src/library/fetch.h

> -+++ b/src/library/fetch.h

> -@@ -28,7 +28,8 @@ typedef enum {

> -  * @param verbose Whether to be verbose

> -  * @return A FetchStatus, indicating the operation taken

> -  */

> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);

> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,

> -+                      unsigned int this_percent, unsigned int

> next_percent);

> -

> - /**

> -  * Attempt to extract the given gzipped file

> -diff --git a/src/update.c b/src/update.c

> -index 30fbe96..eaeeefd 100644

> ---- a/src/update.c

> -+++ b/src/update.c

> -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char

> *update_fname, bool ok)

> - }

> -

> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,

> --                           bool db_exist, bool verbose)

> -+                           bool db_exist, bool verbose,

> -+                           unsigned int this_percent, unsigned int

> next_percent)

> - {

> -         const char nvd_uri[] = URI_PREFIX;

> -         autofree(cve_string) *uri_meta = NULL;

> -@@ -330,14 +331,14 @@ refetch:

> -         }

> -

> -         /* Fetch NVD META file */

> --        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);

> -+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose,

> this_percent, this_percent);

> -         if (st == FETCH_STATUS_FAIL) {

> -                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);

> -                 return -1;

> -         }

> -

> -         /* Fetch NVD XML file */

> --        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);

> -+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose,

> this_percent, next_percent);

> -         switch (st) {

> -         case FETCH_STATUS_FAIL:

> -                 fprintf(stderr, "Failed to fetch %s\n",

> uri_data_gz->str);

> -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)

> -         for (int i = YEAR_START; i <= year+1; i++) {

> -                 int y = i > year ? -1 : i;

> -                 int rc;

> -+                unsigned int start_percent = ((i+0 - YEAR_START) * 100)

> / (year+2 - YEAR_START);

> -+                unsigned int end_percent = ((i+1 - YEAR_START) * 100) /

> (year+2 - YEAR_START);

> -

> --                rc = do_fetch_update(y, db_dir, cve_db, db_exist,

> !quiet);

> -+                if (!quiet)

> -+                        fprintf(stderr, "completed: %u%%\r",

> start_percent);

> -+                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,

> -+                                     start_percent, end_percent);

> -                 switch (rc) {

> -                 case 0:

> -+                        if (!quiet)

> -+                                fprintf(stderr,"completed: %u%%\r",

> end_percent);

> -                         continue;

> -                 case ENOMEM:

> -                         goto oom;

> ---

> -2.9.3

> -

> diff --git

> a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

> b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

> deleted file mode 100644

> index 458c0cc84e5..00000000000

> ---

> a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

> +++ /dev/null

> @@ -1,52 +0,0 @@

> -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001

> -From: Sergey Popovich <popovich_sergei@mail.ua>

> -Date: Fri, 21 Apr 2017 07:32:23 -0700

> -Subject: [PATCH] update: Compare computed vs expected sha256 digit string

> - ignoring case

> -

> -We produce sha256 digest string using %x snprintf()

> -qualifier for each byte of digest which uses alphabetic

> -characters from "a" to "f" in lower case to represent

> -integer values from 10 to 15.

> -

> -Previously all of the NVD META files supply sha256

> -digest string for corresponding XML file in lower case.

> -

> -However due to some reason this changed recently to

> -provide digest digits in upper case causing fetched

> -data consistency checks to fail. This prevents database

> -from being updated periodically.

> -

> -While commit c4f6e94 (update: Do not treat sha256 failure

> -as fatal if requested) adds useful option to skip

> -digest validation at all and thus provides workaround for

> -this situation, it might be unacceptable for some

> -deployments where we need to ensure that downloaded

> -data is consistent before start parsing it and update

> -SQLite database.

> -

> -Use strcasecmp() to compare two digest strings case

> -insensitively and addressing this case.

> -

> -Upstream-Status: Backport

> -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>

> ----

> - src/update.c | 2 +-

> - 1 file changed, 1 insertion(+), 1 deletion(-)

> -

> -diff --git a/src/update.c b/src/update.c

> -index 8588f38..3cc6b67 100644

> ---- a/src/update.c

> -+++ b/src/update.c

> -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const

> char *data)

> -                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);

> -         }

> -

> --        ret = streq(csum_meta, csum_data);

> -+        ret = !strcasecmp(csum_meta, csum_data);

> -

> - err_unmap:

> -         munmap(buffer, length);

> ---

> -2.11.0

> -

> diff --git

> a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

> b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

> deleted file mode 100644

> index 0774ad946a4..00000000000

> ---

> a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch

> +++ /dev/null

> @@ -1,51 +0,0 @@

> -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001

> -From: Khem Raj <raj.khem@gmail.com>

> -Date: Mon, 22 Aug 2016 22:54:24 -0700

> -Subject: [PATCH] Check for malloc_trim before using it

> -

> -malloc_trim is gnu specific and not all libc

> -implement it, threfore write a configure check

> -to poke for it first and use the define to

> -guard its use.

> -

> -Helps in compiling on musl based systems

> -

> -Signed-off-by: Khem Raj <raj.khem@gmail.com>

> ----

> -Upstream-Status: Submitted [

> https://github.com/ikeydoherty/cve-check-tool/pull/48]

> - configure.ac | 2 ++

> - src/core.c   | 4 ++--

> - 2 files changed, 4 insertions(+), 2 deletions(-)

> -

> -diff --git a/configure.ac b/configure.ac

> -index d3b66ce..79c3542 100644

> ---- a/configure.ac

> -+++ b/configure.ac

> -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])

> - m4_define([openssl_required_version],[1.0.0])

> - # TODO: Set minimum sqlite

> -

> -+AC_CHECK_FUNCS_ONCE(malloc_trim)

> -+

> - PKG_CHECK_MODULES(CVE_CHECK_TOOL,

> -                  [

> -                   glib-2.0 >= glib_required_version,

> -diff --git a/src/core.c b/src/core.c

> -index 6263031..0d5df29 100644

> ---- a/src/core.c

> -+++ b/src/core.c

> -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)

> -         }

> -

> -         b = true;

> --

> -+#ifdef HAVE_MALLOC_TRIM

> -         malloc_trim(0);

> --

> -+#endif

> -         xmlFreeTextReader(r);

> -         if (fd) {

> -                 close(fd);

> ---

> -2.9.3

> -

> --

> 2.20.1

>

>
<div><div dir="auto">May be add a line about why it is being removed </div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 16, 2019 at 5:46 AM Ross Burton &lt;<a href="mailto:ross.burton@intel.com">ross.burton@intel.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Signed-off-by: Ross Burton &lt;<a href="mailto:ross.burton@intel.com" target="_blank">ross.burton@intel.com</a>&gt;<br>
---<br>
 .../cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a>    |  62 -----<br>
 ...x-freeing-memory-allocated-by-sqlite.patch |  50 ----<br>
 ...erriding-default-CA-certificate-file.patch | 215 ------------------<br>
 ...s-in-percent-when-downloading-CVE-db.patch | 135 -----------<br>
 ...omputed-vs-expected-sha256-digit-str.patch |  52 -----<br>
 ...heck-for-malloc_trim-before-using-it.patch |  51 -----<br>
 6 files changed, 565 deletions(-)<br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br>
 delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br>
<br>
diff --git a/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a> b/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br>
deleted file mode 100644<br>
index 1c84fb1cf2d..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br>
+++ /dev/null<br>
@@ -1,62 +0,0 @@<br>
-SUMMARY = &quot;cve-check-tool&quot;<br>
-DESCRIPTION = &quot;cve-check-tool is a tool for checking known (public) CVEs.\<br>
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching.&quot;<br>
-HOMEPAGE = &quot;<a href="https://github.com/ikeydoherty/cve-check-tool" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool</a>&quot;<br>
-SECTION = &quot;Development/Tools&quot;<br>
-LICENSE = &quot;GPL-2.0+&quot;<br>
-LIC_FILES_CHKSUM = &quot;file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6&quot;<br>
-<br>
-SRC_URI = &quot;<a href="https://github.com/ikeydoherty/$%7BBPN%7D/releases/download/v$%7BPV%7D/$%7BBP%7D.tar.xz" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz</a> \<br>
-           file://check-for-malloc_trim-before-using-it.patch \<br>
-           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \<br>
-           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \<br>
-           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \<br>
-           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \<br>
-          &quot;<br>
-<br>
-SRC_URI[md5sum] = &quot;c5f4247140fc9be3bf41491d31a34155&quot;<br>
-SRC_URI[sha256sum] = &quot;b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b&quot;<br>
-<br>
-UPSTREAM_CHECK_URI = &quot;<a href="https://github.com/ikeydoherty/cve-check-tool/releases" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/releases</a>&quot;<br>
-<br>
-DEPENDS = &quot;libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates&quot;<br>
-<br>
-RDEPENDS_${PN} = &quot;ca-certificates&quot;<br>
-<br>
-inherit pkgconfig autotools<br>
-<br>
-EXTRA_OECONF = &quot;--disable-coverage --enable-relative-plugins&quot;<br>
-CFLAGS_append = &quot; -Wno-error=pedantic&quot;<br>
-<br>
-do_populate_cve_db() {<br>
-    if [ &quot;${BB_NO_NETWORK}&quot; = &quot;1&quot; ] ; then<br>
-        bbwarn &quot;BB_NO_NETWORK is set; Can&#39;t update cve-check-tool database, new CVEs won&#39;t be detected&quot;<br>
-        return<br>
-    fi<br>
-<br>
-    # In case we don&#39;t inherit cve-check class, use default values defined in the class.<br>
-    cve_dir=&quot;${CVE_CHECK_DB_DIR}&quot;<br>
-    cve_file=&quot;${CVE_CHECK_TMP_FILE}&quot;<br>
-<br>
-    [ -z &quot;${cve_dir}&quot; ] &amp;&amp; cve_dir=&quot;${DL_DIR}/CVE_CHECK&quot;<br>
-    [ -z &quot;${cve_file}&quot; ] &amp;&amp; cve_file=&quot;${TMPDIR}/cve_check&quot;<br>
-<br>
-    unused=&quot;${@bb.utils.export_proxies(d)}&quot;<br>
-    bbdebug 2 &quot;Updating cve-check-tool database located in $cve_dir&quot;<br>
-    # --cacert works around curl-native not finding the CA bundle<br>
-    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d &quot;$cve_dir&quot; ; then<br>
-        printf &quot;CVE database was updated on %s UTC\n\n&quot; &quot;$(LANG=C date --utc +&#39;%F %T&#39;)&quot; &gt; &quot;$cve_file&quot;<br>
-    else<br>
-        bbwarn &quot;Error in executing cve-check-update&quot;<br>
-        if [ &quot;${@&#39;1&#39; if bb.data.inherits_class(&#39;cve-check&#39;, d) else &#39;0&#39;}&quot; -ne 0 ] ; then<br>
-            bbwarn &quot;Failed to update cve-check-tool database, CVEs won&#39;t be checked&quot;<br>
-        fi<br>
-    fi<br>
-}<br>
-<br>
-addtask populate_cve_db after do_populate_sysroot<br>
-do_populate_cve_db[depends] = &quot;cve-check-tool-native:do_populate_sysroot&quot;<br>
-do_populate_cve_db[nostamp] = &quot;1&quot;<br>
-do_populate_cve_db[progress] = &quot;percent&quot;<br>
-<br>
-BBCLASSEXTEND = &quot;native nativesdk&quot;<br>
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br>
deleted file mode 100644<br>
index 4a82cf2dded..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br>
+++ /dev/null<br>
@@ -1,50 +0,0 @@<br>
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001<br>
-From: Peter Marko &lt;<a href="mailto:peter.marko@siemens.com" target="_blank">peter.marko@siemens.com</a>&gt;<br>
-Date: Thu, 13 Apr 2017 23:09:52 +0200<br>
-Subject: [PATCH] Fix freeing memory allocated by sqlite<br>
-<br>
-Upstream-Status: Backport<br>
-Signed-off-by: Peter Marko &lt;<a href="mailto:peter.marko@siemens.com" target="_blank">peter.marko@siemens.com</a>&gt;<br>
----<br>
- src/core.c | 8 ++++----<br>
- 1 file changed, 4 insertions(+), 4 deletions(-)<br>
-<br>
-diff --git a/src/core.c b/src/core.c<br>
-index 6263031..6788f16 100644<br>
---- a/src/core.c<br>
-+++ b/src/core.c<br>
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)<br>
-         rc = sqlite3_exec(self-&gt;db, query, NULL, NULL, &amp;err);<br>
-         if (rc != SQLITE_OK) {<br>
-                 fprintf(stderr, &quot;ensure_table(): %s\n&quot;, err);<br>
--                free(err);<br>
-+                sqlite3_free(err);<br>
-                 return false;<br>
-         }<br>
-         <br>
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)<br>
-         rc = sqlite3_exec(self-&gt;db, query, NULL, NULL, &amp;err);<br>
-         if (rc != SQLITE_OK) {<br>
-                 fprintf(stderr, &quot;ensure_table(): %s\n&quot;, err);<br>
--                free(err);<br>
-+                sqlite3_free(err);<br>
-                 return false;<br>
-         }<br>
- <br>
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)<br>
-         rc = sqlite3_exec(self-&gt;db, query, NULL, NULL, &amp;err);<br>
-         if (rc != SQLITE_OK) {<br>
-                 fprintf(stderr, &quot;ensure_table(): %s\n&quot;, err);<br>
--                free(err);<br>
-+                sqlite3_free(err);<br>
-                 return false;<br>
-         }<br>
-         if (err) {<br>
--                free(err);<br>
-+                sqlite3_free(err);<br>
-         }<br>
- <br>
-         return true;<br>
--- <br>
-2.1.4<br>
-<br>
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br>
deleted file mode 100644<br>
index 3d8ebd1bd26..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br>
+++ /dev/null<br>
@@ -1,215 +0,0 @@<br>
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001<br>
-From: Jussi Kukkonen &lt;<a href="mailto:jussi.kukkonen@intel.com" target="_blank">jussi.kukkonen@intel.com</a>&gt;<br>
-Date: Thu, 9 Feb 2017 14:51:28 +0200<br>
-Subject: [PATCH] curl: allow overriding default CA certificate file<br>
-<br>
-Similar to curl, --cacert can now be used in cve-check-tool and<br>
-cve-check-update to override the default CA certificate file. Useful<br>
-in cases where the system default is unsuitable (for example,<br>
-out-dated) or broken (as in OE&#39;s current native libcurl, which embeds<br>
-a path string from one build host and then uses it on another although<br>
-the right path may have become something different).<br>
-<br>
-Upstream-Status: Submitted [<a href="https://github.com/ikeydoherty/cve-check-tool/pull/45" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/pull/45</a>]<br>
-<br>
-Signed-off-by: Patrick Ohly &lt;<a href="mailto:patrick.ohly@intel.com" target="_blank">patrick.ohly@intel.com</a>&gt;<br>
-<br>
-<br>
-Took Patrick Ohlys original patch from meta-security-isafw, rebased<br>
-on top of other patches.<br>
-<br>
-Signed-off-by: Jussi Kukkonen &lt;<a href="mailto:jussi.kukkonen@intel.com" target="_blank">jussi.kukkonen@intel.com</a>&gt;<br>
----<br>
- src/library/cve-check-tool.h |  1 +<br>
- src/library/fetch.c          | 10 +++++++++-<br>
- src/library/fetch.h          |  3 ++-<br>
- src/main.c                   |  5 ++++-<br>
- src/update-main.c            |  4 +++-<br>
- src/update.c                 | 12 +++++++-----<br>
- src/update.h                 |  2 +-<br>
- 7 files changed, 27 insertions(+), 10 deletions(-)<br>
-<br>
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h<br>
-index e4bb5b1..f89eade 100644<br>
---- a/src/library/cve-check-tool.h<br>
-+++ b/src/library/cve-check-tool.h<br>
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {<br>
-     bool bugs;                          /**&lt;Whether bug tracking is enabled */<br>
-     GHashTable *mapping;                /**&lt;CVE Mapping */<br>
-     const char *output_file;            /**&lt;Output file, if any */<br>
-+    const char *cacert_file;            /**&lt;Non-default SSL certificate file, if any */<br>
- } CveCheckTool;<br>
- <br>
- /**<br>
-diff --git a/src/library/fetch.c b/src/library/fetch.c<br>
-index 0fe6d76..8f998c3 100644<br>
---- a/src/library/fetch.c<br>
-+++ b/src/library/fetch.c<br>
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow<br>
- }<br>
- <br>
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br>
--                      unsigned int start_percent, unsigned int end_percent)<br>
-+                      unsigned int start_percent, unsigned int end_percent,<br>
-+                      const char *cacert_file)<br>
- {<br>
-         FetchStatus ret = FETCH_STATUS_FAIL;<br>
-         CURLcode res;<br>
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br>
-                 return ret;<br>
-         }<br>
- <br>
-+        if (cacert_file) {<br>
-+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);<br>
-+                if (res != CURLE_OK) {<br>
-+                        goto bail;<br>
-+                }<br>
-+        }<br>
-+<br>
-         if (stat(target, &amp;st) == 0) {<br>
-                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);<br>
-                 if (res != CURLE_OK) {<br>
-diff --git a/src/library/fetch.h b/src/library/fetch.h<br>
-index 4cce5d1..836c7d7 100644<br>
---- a/src/library/fetch.h<br>
-+++ b/src/library/fetch.h<br>
-@@ -29,7 +29,8 @@ typedef enum {<br>
-  * @return A FetchStatus, indicating the operation taken<br>
-  */<br>
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br>
--                      unsigned int this_percent, unsigned int next_percent);<br>
-+                      unsigned int this_percent, unsigned int next_percent,<br>
-+                      const char *cacert_file);<br>
- <br>
- /**<br>
-  * Attempt to extract the given gzipped file<br>
-diff --git a/src/main.c b/src/main.c<br>
-index 8e6f158..ae69d47 100644<br>
---- a/src/main.c<br>
-+++ b/src/main.c<br>
-@@ -280,6 +280,7 @@ static bool csv_mode = false;<br>
- static char *modified_stamp = NULL;<br>
- static gchar *mapping_file = NULL;<br>
- static gchar *output_file = NULL;<br>
-+static gchar *cacert_file = NULL;<br>
- <br>
- static GOptionEntry _entries[] = {<br>
-         { &quot;not-patched&quot;, &#39;n&#39;, 0, G_OPTION_ARG_NONE, &amp;hide_patched, &quot;Hide patched/addressed CVEs&quot;, NULL },<br>
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {<br>
-         { &quot;csv&quot;, &#39;c&#39;, 0, G_OPTION_ARG_NONE, &amp;csv_mode, &quot;Output CSV formatted data only&quot;, NULL },<br>
-         { &quot;mapping&quot;, &#39;M&#39;, 0, G_OPTION_ARG_STRING, &amp;mapping_file, &quot;Path to a mapping file&quot;, NULL},<br>
-         { &quot;output-file&quot;, &#39;o&#39;, 0, G_OPTION_ARG_STRING, &amp;output_file, &quot;Path to the output file (output plugin specific)&quot;, NULL},<br>
-+        { &quot;cacert&quot;, &#39;C&#39;, 0, G_OPTION_ARG_STRING, &amp;cacert_file, &quot;Path to the combined SSL certificates file (system default is used if not set)&quot;, NULL},<br>
-         { .short_name = 0 }<br>
- };<br>
- <br>
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)<br>
- <br>
-         quiet = csv_mode || !no_html;<br>
-         self-&gt;output_file = output_file;<br>
-+        self-&gt;cacert_file = cacert_file;<br>
- <br>
-         if (!csv_mode &amp;&amp; self-&gt;output_file) {<br>
-                 quiet = false;<br>
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)<br>
-                 if (status) {<br>
-                         fprintf(stderr, &quot;Update of db forced\n&quot;);<br>
-                         cve_db_unlock();<br>
--                        if (!update_db(quiet, db_path-&gt;str)) {<br>
-+                        if (!update_db(quiet, db_path-&gt;str, self-&gt;cacert_file)) {<br>
-                                 fprintf(stderr, &quot;DB update failure\n&quot;);<br>
-                                 goto cleanup;<br>
-                         }<br>
-diff --git a/src/update-main.c b/src/update-main.c<br>
-index 2379cfa..c52d9d0 100644<br>
---- a/src/update-main.c<br>
-+++ b/src/update-main.c<br>
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\<br>
- static gchar *nvds = NULL;<br>
- static bool _show_version = false;<br>
- static bool _quiet = false;<br>
-+static const char *_cacert_file = NULL;<br>
- <br>
- static GOptionEntry _entries[] = {<br>
-         { &quot;nvd-dir&quot;, &#39;d&#39;, 0, G_OPTION_ARG_STRING, &amp;nvds, &quot;NVD directory in filesystem&quot;, NULL },<br>
-         { &quot;version&quot;, &#39;v&#39;, 0, G_OPTION_ARG_NONE, &amp;_show_version, &quot;Show version&quot;, NULL },<br>
-         { &quot;quiet&quot;, &#39;q&#39;, 0, G_OPTION_ARG_NONE, &amp;_quiet, &quot;Run silently&quot;, NULL },<br>
-+        { &quot;cacert&quot;, &#39;C&#39;, 0, G_OPTION_ARG_STRING, &amp;_cacert_file, &quot;Path to the combined SSL certificates file (system default is used if not set)&quot;, NULL},<br>
-         { .short_name = 0 }<br>
- };<br>
- <br>
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)<br>
-                 goto end;<br>
-         }<br>
- <br>
--        if (update_db(_quiet, db_path-&gt;str)) {<br>
-+        if (update_db(_quiet, db_path-&gt;str, _cacert_file)) {<br>
-                 ret = EXIT_SUCCESS;<br>
-         } else {<br>
-                 fprintf(stderr, &quot;Failed to update database\n&quot;);<br>
-diff --git a/src/update.c b/src/update.c<br>
-index 070560a..8cb4a39 100644<br>
---- a/src/update.c<br>
-+++ b/src/update.c<br>
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)<br>
- <br>
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,<br>
-                            bool db_exist, bool verbose,<br>
--                           unsigned int this_percent, unsigned int next_percent)<br>
-+                           unsigned int this_percent, unsigned int next_percent,<br>
-+                           const char *cacert_file)<br>
- {<br>
-         const char nvd_uri[] = URI_PREFIX;<br>
-         autofree(cve_string) *uri_meta = NULL;<br>
-@@ -331,14 +332,14 @@ refetch:<br>
-         }<br>
- <br>
-         /* Fetch NVD META file */<br>
--        st = fetch_uri(uri_meta-&gt;str, nvdcve_meta-&gt;str, verbose, this_percent, this_percent);<br>
-+        st = fetch_uri(uri_meta-&gt;str, nvdcve_meta-&gt;str, verbose, this_percent, this_percent, cacert_file);<br>
-         if (st == FETCH_STATUS_FAIL) {<br>
-                 fprintf(stderr, &quot;Failed to fetch %s\n&quot;, uri_meta-&gt;str);<br>
-                 return -1;<br>
-         }<br>
- <br>
-         /* Fetch NVD XML file */<br>
--        st = fetch_uri(uri_data_gz-&gt;str, nvdcve_data_gz-&gt;str, verbose, this_percent, next_percent);<br>
-+        st = fetch_uri(uri_data_gz-&gt;str, nvdcve_data_gz-&gt;str, verbose, this_percent, next_percent, cacert_file);<br>
-         switch (st) {<br>
-         case FETCH_STATUS_FAIL:<br>
-                 fprintf(stderr, &quot;Failed to fetch %s\n&quot;, uri_data_gz-&gt;str);<br>
-@@ -391,7 +392,7 @@ refetch:<br>
-         return 0;<br>
- }<br>
- <br>
--bool update_db(bool quiet, const char *db_file)<br>
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)<br>
- {<br>
-         autofree(char) *db_dir = NULL;<br>
-         autofree(CveDB) *cve_db = NULL;<br>
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)<br>
-                 if (!quiet)<br>
-                         fprintf(stderr, &quot;completed: %u%%\r&quot;, start_percent);<br>
-                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,<br>
--                                     start_percent, end_percent);<br>
-+                                     start_percent, end_percent,<br>
-+                                     cacert_file);<br>
-                 switch (rc) {<br>
-                 case 0:<br>
-                         if (!quiet)<br>
-diff --git a/src/update.h b/src/update.h<br>
-index b8e9911..ceea0c3 100644<br>
---- a/src/update.h<br>
-+++ b/src/update.h<br>
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);<br>
- <br>
- int update_required(const char *db_file);<br>
- <br>
--bool update_db(bool quiet, const char *db_file);<br>
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);<br>
- <br>
- <br>
- /*<br>
--- <br>
-2.1.4<br>
-<br>
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br>
deleted file mode 100644<br>
index 8ea6f686e3f..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br>
+++ /dev/null<br>
@@ -1,135 +0,0 @@<br>
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001<br>
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= &lt;<a href="mailto:git@andred.net" target="_blank">git@andred.net</a>&gt;<br>
-Date: Mon, 26 Sep 2016 12:12:41 +0100<br>
-Subject: [PATCH] print progress in percent when downloading CVE db<br>
-MIME-Version: 1.0<br>
-Content-Type: text/plain; charset=UTF-8<br>
-Content-Transfer-Encoding: 8bit<br>
-<br>
-Upstream-Status: Pending<br>
-Signed-off-by: André Draszik &lt;<a href="mailto:git@andred.net" target="_blank">git@andred.net</a>&gt;<br>
----<br>
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-<br>
- src/library/fetch.h |  3 ++-<br>
- src/update.c        | 16 ++++++++++++----<br>
- 3 files changed, 41 insertions(+), 6 deletions(-)<br>
-<br>
-diff --git a/src/library/fetch.c b/src/library/fetch.c<br>
-index 06d4b30..0fe6d76 100644<br>
---- a/src/library/fetch.c<br>
-+++ b/src/library/fetch.c<br>
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f<br>
-         return fwrite(ptr, size, nmemb, f-&gt;f);<br>
- }<br>
- <br>
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)<br>
-+struct percent_t {<br>
-+        unsigned int start;<br>
-+        unsigned int end;<br>
-+};<br>
-+<br>
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)<br>
-+{<br>
-+        (void) ultotal;<br>
-+        (void) ulnow;<br>
-+<br>
-+        struct percent_t *percent = (struct percent_t *) ptr;<br>
-+<br>
-+        if (dltotal &amp;&amp; percent &amp;&amp; percent-&gt;end &gt;= percent-&gt;start) {<br>
-+                unsigned int diff = percent-&gt;end - percent-&gt;start;<br>
-+                if (diff) {<br>
-+                        fprintf(stderr,&quot;completed: %&quot;CURL_FORMAT_CURL_OFF_T&quot;%%\r&quot;, percent-&gt;start + (diff * dlnow / dltotal));<br>
-+                }<br>
-+        }<br>
-+<br>
-+        return 0;<br>
-+}<br>
-+<br>
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br>
-+                      unsigned int start_percent, unsigned int end_percent)<br>
- {<br>
-         FetchStatus ret = FETCH_STATUS_FAIL;<br>
-         CURLcode res;<br>
-         struct stat st;<br>
-         CURL *curl = NULL;<br>
-         struct fetch_t *f = NULL;<br>
-+        struct percent_t percent = { .start = start_percent, .end = end_percent };<br>
- <br>
-         curl = curl_easy_init();<br>
-         if (!curl) {<br>
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)<br>
-         }<br>
-         if (verbose) {<br>
-                 (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);<br>
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &amp;percent);<br>
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);<br>
-         }<br>
-         res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);<br>
-         if (res != CURLE_OK) {<br>
-diff --git a/src/library/fetch.h b/src/library/fetch.h<br>
-index 70c3779..4cce5d1 100644<br>
---- a/src/library/fetch.h<br>
-+++ b/src/library/fetch.h<br>
-@@ -28,7 +28,8 @@ typedef enum {<br>
-  * @param verbose Whether to be verbose<br>
-  * @return A FetchStatus, indicating the operation taken<br>
-  */<br>
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);<br>
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br>
-+                      unsigned int this_percent, unsigned int next_percent);<br>
- <br>
- /**<br>
-  * Attempt to extract the given gzipped file<br>
-diff --git a/src/update.c b/src/update.c<br>
-index 30fbe96..eaeeefd 100644<br>
---- a/src/update.c<br>
-+++ b/src/update.c<br>
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)<br>
- }<br>
- <br>
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,<br>
--                           bool db_exist, bool verbose)<br>
-+                           bool db_exist, bool verbose,<br>
-+                           unsigned int this_percent, unsigned int next_percent)<br>
- {<br>
-         const char nvd_uri[] = URI_PREFIX;<br>
-         autofree(cve_string) *uri_meta = NULL;<br>
-@@ -330,14 +331,14 @@ refetch:<br>
-         }<br>
- <br>
-         /* Fetch NVD META file */<br>
--        st = fetch_uri(uri_meta-&gt;str, nvdcve_meta-&gt;str, verbose);<br>
-+        st = fetch_uri(uri_meta-&gt;str, nvdcve_meta-&gt;str, verbose, this_percent, this_percent);<br>
-         if (st == FETCH_STATUS_FAIL) {<br>
-                 fprintf(stderr, &quot;Failed to fetch %s\n&quot;, uri_meta-&gt;str);<br>
-                 return -1;<br>
-         }<br>
- <br>
-         /* Fetch NVD XML file */<br>
--        st = fetch_uri(uri_data_gz-&gt;str, nvdcve_data_gz-&gt;str, verbose);<br>
-+        st = fetch_uri(uri_data_gz-&gt;str, nvdcve_data_gz-&gt;str, verbose, this_percent, next_percent);<br>
-         switch (st) {<br>
-         case FETCH_STATUS_FAIL:<br>
-                 fprintf(stderr, &quot;Failed to fetch %s\n&quot;, uri_data_gz-&gt;str);<br>
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)<br>
-         for (int i = YEAR_START; i &lt;= year+1; i++) {<br>
-                 int y = i &gt; year ? -1 : i;<br>
-                 int rc;<br>
-+                unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);<br>
-+                unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);<br>
- <br>
--                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);<br>
-+                if (!quiet)<br>
-+                        fprintf(stderr, &quot;completed: %u%%\r&quot;, start_percent);<br>
-+                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,<br>
-+                                     start_percent, end_percent);<br>
-                 switch (rc) {<br>
-                 case 0:<br>
-+                        if (!quiet)<br>
-+                                fprintf(stderr,&quot;completed: %u%%\r&quot;, end_percent);<br>
-                         continue;<br>
-                 case ENOMEM:<br>
-                         goto oom;<br>
--- <br>
-2.9.3<br>
-<br>
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br>
deleted file mode 100644<br>
index 458c0cc84e5..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br>
+++ /dev/null<br>
@@ -1,52 +0,0 @@<br>
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001<br>
-From: Sergey Popovich &lt;<a href="mailto:popovich_sergei@mail.ua" target="_blank">popovich_sergei@mail.ua</a>&gt;<br>
-Date: Fri, 21 Apr 2017 07:32:23 -0700<br>
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string<br>
- ignoring case<br>
-<br>
-We produce sha256 digest string using %x snprintf()<br>
-qualifier for each byte of digest which uses alphabetic<br>
-characters from &quot;a&quot; to &quot;f&quot; in lower case to represent<br>
-integer values from 10 to 15.<br>
-<br>
-Previously all of the NVD META files supply sha256<br>
-digest string for corresponding XML file in lower case.<br>
-<br>
-However due to some reason this changed recently to<br>
-provide digest digits in upper case causing fetched<br>
-data consistency checks to fail. This prevents database<br>
-from being updated periodically.<br>
-<br>
-While commit c4f6e94 (update: Do not treat sha256 failure<br>
-as fatal if requested) adds useful option to skip<br>
-digest validation at all and thus provides workaround for<br>
-this situation, it might be unacceptable for some<br>
-deployments where we need to ensure that downloaded<br>
-data is consistent before start parsing it and update<br>
-SQLite database.<br>
-<br>
-Use strcasecmp() to compare two digest strings case<br>
-insensitively and addressing this case.<br>
-<br>
-Upstream-Status: Backport<br>
-Signed-off-by: Sergey Popovich &lt;<a href="mailto:popovich_sergei@mail.ua" target="_blank">popovich_sergei@mail.ua</a>&gt;<br>
----<br>
- src/update.c | 2 +-<br>
- 1 file changed, 1 insertion(+), 1 deletion(-)<br>
-<br>
-diff --git a/src/update.c b/src/update.c<br>
-index 8588f38..3cc6b67 100644<br>
---- a/src/update.c<br>
-+++ b/src/update.c<br>
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)<br>
-                 snprintf(&amp;csum_data[idx], len, &quot;%02hhx&quot;, digest[i]);<br>
-         }<br>
- <br>
--        ret = streq(csum_meta, csum_data);<br>
-+        ret = !strcasecmp(csum_meta, csum_data);<br>
- <br>
- err_unmap:<br>
-         munmap(buffer, length);<br>
--- <br>
-2.11.0<br>
-<br>
diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br>
deleted file mode 100644<br>
index 0774ad946a4..00000000000<br>
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br>
+++ /dev/null<br>
@@ -1,51 +0,0 @@<br>
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001<br>
-From: Khem Raj &lt;<a href="mailto:raj.khem@gmail.com" target="_blank">raj.khem@gmail.com</a>&gt;<br>
-Date: Mon, 22 Aug 2016 22:54:24 -0700<br>
-Subject: [PATCH] Check for malloc_trim before using it<br>
-<br>
-malloc_trim is gnu specific and not all libc<br>
-implement it, threfore write a configure check<br>
-to poke for it first and use the define to<br>
-guard its use.<br>
-<br>
-Helps in compiling on musl based systems<br>
-<br>
-Signed-off-by: Khem Raj &lt;<a href="mailto:raj.khem@gmail.com" target="_blank">raj.khem@gmail.com</a>&gt;<br>
----<br>
-Upstream-Status: Submitted [<a href="https://github.com/ikeydoherty/cve-check-tool/pull/48" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/pull/48</a>]<br>
- <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 2 ++<br>
- src/core.c   | 4 ++--<br>
- 2 files changed, 4 insertions(+), 2 deletions(-)<br>
-<br>
-diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
-index d3b66ce..79c3542 100644<br>
---- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
-+++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])<br>
- m4_define([openssl_required_version],[1.0.0])<br>
- # TODO: Set minimum sqlite<br>
- <br>
-+AC_CHECK_FUNCS_ONCE(malloc_trim)<br>
-+<br>
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,<br>
-                  [<br>
-                   glib-2.0 &gt;= glib_required_version,<br>
-diff --git a/src/core.c b/src/core.c<br>
-index 6263031..0d5df29 100644<br>
---- a/src/core.c<br>
-+++ b/src/core.c<br>
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)<br>
-         }<br>
- <br>
-         b = true;<br>
--<br>
-+#ifdef HAVE_MALLOC_TRIM<br>
-         malloc_trim(0);<br>
--<br>
-+#endif<br>
-         xmlFreeTextReader(r);<br>
-         if (fd) {<br>
-                 close(fd);<br>
--- <br>
-2.9.3<br>
-<br>
-- <br>
2.20.1<br>
<br>
</blockquote></div></div>
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton July 16, 2019, 5:17 p.m. | #2
Yes, I clearly meant to do that but forgot to check before posting.

Ross

On Tue, 16 Jul 2019 at 17:30, Khem Raj <raj.khem@gmail.com> wrote:
>
> May be add a line about why it is being removed
>
> On Tue, Jul 16, 2019 at 5:46 AM Ross Burton <ross.burton@intel.com> wrote:
>>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> ---
>>  .../cve-check-tool/cve-check-tool_5.6.4.bb    |  62 -----
>>  ...x-freeing-memory-allocated-by-sqlite.patch |  50 ----
>>  ...erriding-default-CA-certificate-file.patch | 215 ------------------
>>  ...s-in-percent-when-downloading-CVE-db.patch | 135 -----------
>>  ...omputed-vs-expected-sha256-digit-str.patch |  52 -----
>>  ...heck-for-malloc_trim-before-using-it.patch |  51 -----
>>  6 files changed, 565 deletions(-)
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
>>  delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
>>
>> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
>> deleted file mode 100644
>> index 1c84fb1cf2d..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
>> +++ /dev/null
>> @@ -1,62 +0,0 @@
>> -SUMMARY = "cve-check-tool"
>> -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
>> -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
>> -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
>> -SECTION = "Development/Tools"
>> -LICENSE = "GPL-2.0+"
>> -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
>> -
>> -SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
>> -           file://check-for-malloc_trim-before-using-it.patch \
>> -           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
>> -           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
>> -           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
>> -           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
>> -          "
>> -
>> -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
>> -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
>> -
>> -UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
>> -
>> -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
>> -
>> -RDEPENDS_${PN} = "ca-certificates"
>> -
>> -inherit pkgconfig autotools
>> -
>> -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
>> -CFLAGS_append = " -Wno-error=pedantic"
>> -
>> -do_populate_cve_db() {
>> -    if [ "${BB_NO_NETWORK}" = "1" ] ; then
>> -        bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
>> -        return
>> -    fi
>> -
>> -    # In case we don't inherit cve-check class, use default values defined in the class.
>> -    cve_dir="${CVE_CHECK_DB_DIR}"
>> -    cve_file="${CVE_CHECK_TMP_FILE}"
>> -
>> -    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
>> -    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
>> -
>> -    unused="${@bb.utils.export_proxies(d)}"
>> -    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
>> -    # --cacert works around curl-native not finding the CA bundle
>> -    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
>> -        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
>> -    else
>> -        bbwarn "Error in executing cve-check-update"
>> -        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
>> -            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
>> -        fi
>> -    fi
>> -}
>> -
>> -addtask populate_cve_db after do_populate_sysroot
>> -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
>> -do_populate_cve_db[nostamp] = "1"
>> -do_populate_cve_db[progress] = "percent"
>> -
>> -BBCLASSEXTEND = "native nativesdk"
>> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
>> deleted file mode 100644
>> index 4a82cf2dded..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
>> +++ /dev/null
>> @@ -1,50 +0,0 @@
>> -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
>> -From: Peter Marko <peter.marko@siemens.com>
>> -Date: Thu, 13 Apr 2017 23:09:52 +0200
>> -Subject: [PATCH] Fix freeing memory allocated by sqlite
>> -
>> -Upstream-Status: Backport
>> -Signed-off-by: Peter Marko <peter.marko@siemens.com>
>> ----
>> - src/core.c | 8 ++++----
>> - 1 file changed, 4 insertions(+), 4 deletions(-)
>> -
>> -diff --git a/src/core.c b/src/core.c
>> -index 6263031..6788f16 100644
>> ---- a/src/core.c
>> -+++ b/src/core.c
>> -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
>> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
>> -         if (rc != SQLITE_OK) {
>> -                 fprintf(stderr, "ensure_table(): %s\n", err);
>> --                free(err);
>> -+                sqlite3_free(err);
>> -                 return false;
>> -         }
>> -
>> -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
>> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
>> -         if (rc != SQLITE_OK) {
>> -                 fprintf(stderr, "ensure_table(): %s\n", err);
>> --                free(err);
>> -+                sqlite3_free(err);
>> -                 return false;
>> -         }
>> -
>> -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
>> -         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
>> -         if (rc != SQLITE_OK) {
>> -                 fprintf(stderr, "ensure_table(): %s\n", err);
>> --                free(err);
>> -+                sqlite3_free(err);
>> -                 return false;
>> -         }
>> -         if (err) {
>> --                free(err);
>> -+                sqlite3_free(err);
>> -         }
>> -
>> -         return true;
>> ---
>> -2.1.4
>> -
>> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
>> deleted file mode 100644
>> index 3d8ebd1bd26..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
>> +++ /dev/null
>> @@ -1,215 +0,0 @@
>> -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
>> -From: Jussi Kukkonen <jussi.kukkonen@intel.com>
>> -Date: Thu, 9 Feb 2017 14:51:28 +0200
>> -Subject: [PATCH] curl: allow overriding default CA certificate file
>> -
>> -Similar to curl, --cacert can now be used in cve-check-tool and
>> -cve-check-update to override the default CA certificate file. Useful
>> -in cases where the system default is unsuitable (for example,
>> -out-dated) or broken (as in OE's current native libcurl, which embeds
>> -a path string from one build host and then uses it on another although
>> -the right path may have become something different).
>> -
>> -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
>> -
>> -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
>> -
>> -
>> -Took Patrick Ohlys original patch from meta-security-isafw, rebased
>> -on top of other patches.
>> -
>> -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
>> ----
>> - src/library/cve-check-tool.h |  1 +
>> - src/library/fetch.c          | 10 +++++++++-
>> - src/library/fetch.h          |  3 ++-
>> - src/main.c                   |  5 ++++-
>> - src/update-main.c            |  4 +++-
>> - src/update.c                 | 12 +++++++-----
>> - src/update.h                 |  2 +-
>> - 7 files changed, 27 insertions(+), 10 deletions(-)
>> -
>> -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
>> -index e4bb5b1..f89eade 100644
>> ---- a/src/library/cve-check-tool.h
>> -+++ b/src/library/cve-check-tool.h
>> -@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
>> -     bool bugs;                          /**<Whether bug tracking is enabled */
>> -     GHashTable *mapping;                /**<CVE Mapping */
>> -     const char *output_file;            /**<Output file, if any */
>> -+    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
>> - } CveCheckTool;
>> -
>> - /**
>> -diff --git a/src/library/fetch.c b/src/library/fetch.c
>> -index 0fe6d76..8f998c3 100644
>> ---- a/src/library/fetch.c
>> -+++ b/src/library/fetch.c
>> -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
>> - }
>> -
>> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
>> --                      unsigned int start_percent, unsigned int end_percent)
>> -+                      unsigned int start_percent, unsigned int end_percent,
>> -+                      const char *cacert_file)
>> - {
>> -         FetchStatus ret = FETCH_STATUS_FAIL;
>> -         CURLcode res;
>> -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
>> -                 return ret;
>> -         }
>> -
>> -+        if (cacert_file) {
>> -+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
>> -+                if (res != CURLE_OK) {
>> -+                        goto bail;
>> -+                }
>> -+        }
>> -+
>> -         if (stat(target, &st) == 0) {
>> -                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
>> -                 if (res != CURLE_OK) {
>> -diff --git a/src/library/fetch.h b/src/library/fetch.h
>> -index 4cce5d1..836c7d7 100644
>> ---- a/src/library/fetch.h
>> -+++ b/src/library/fetch.h
>> -@@ -29,7 +29,8 @@ typedef enum {
>> -  * @return A FetchStatus, indicating the operation taken
>> -  */
>> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
>> --                      unsigned int this_percent, unsigned int next_percent);
>> -+                      unsigned int this_percent, unsigned int next_percent,
>> -+                      const char *cacert_file);
>> -
>> - /**
>> -  * Attempt to extract the given gzipped file
>> -diff --git a/src/main.c b/src/main.c
>> -index 8e6f158..ae69d47 100644
>> ---- a/src/main.c
>> -+++ b/src/main.c
>> -@@ -280,6 +280,7 @@ static bool csv_mode = false;
>> - static char *modified_stamp = NULL;
>> - static gchar *mapping_file = NULL;
>> - static gchar *output_file = NULL;
>> -+static gchar *cacert_file = NULL;
>> -
>> - static GOptionEntry _entries[] = {
>> -         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
>> -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
>> -         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
>> -         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
>> -         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
>> -+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
>> -         { .short_name = 0 }
>> - };
>> -
>> -@@ -492,6 +494,7 @@ int main(int argc, char **argv)
>> -
>> -         quiet = csv_mode || !no_html;
>> -         self->output_file = output_file;
>> -+        self->cacert_file = cacert_file;
>> -
>> -         if (!csv_mode && self->output_file) {
>> -                 quiet = false;
>> -@@ -530,7 +533,7 @@ int main(int argc, char **argv)
>> -                 if (status) {
>> -                         fprintf(stderr, "Update of db forced\n");
>> -                         cve_db_unlock();
>> --                        if (!update_db(quiet, db_path->str)) {
>> -+                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
>> -                                 fprintf(stderr, "DB update failure\n");
>> -                                 goto cleanup;
>> -                         }
>> -diff --git a/src/update-main.c b/src/update-main.c
>> -index 2379cfa..c52d9d0 100644
>> ---- a/src/update-main.c
>> -+++ b/src/update-main.c
>> -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
>> - static gchar *nvds = NULL;
>> - static bool _show_version = false;
>> - static bool _quiet = false;
>> -+static const char *_cacert_file = NULL;
>> -
>> - static GOptionEntry _entries[] = {
>> -         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
>> -         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
>> -         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
>> -+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
>> -         { .short_name = 0 }
>> - };
>> -
>> -@@ -88,7 +90,7 @@ int main(int argc, char **argv)
>> -                 goto end;
>> -         }
>> -
>> --        if (update_db(_quiet, db_path->str)) {
>> -+        if (update_db(_quiet, db_path->str, _cacert_file)) {
>> -                 ret = EXIT_SUCCESS;
>> -         } else {
>> -                 fprintf(stderr, "Failed to update database\n");
>> -diff --git a/src/update.c b/src/update.c
>> -index 070560a..8cb4a39 100644
>> ---- a/src/update.c
>> -+++ b/src/update.c
>> -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
>> -
>> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
>> -                            bool db_exist, bool verbose,
>> --                           unsigned int this_percent, unsigned int next_percent)
>> -+                           unsigned int this_percent, unsigned int next_percent,
>> -+                           const char *cacert_file)
>> - {
>> -         const char nvd_uri[] = URI_PREFIX;
>> -         autofree(cve_string) *uri_meta = NULL;
>> -@@ -331,14 +332,14 @@ refetch:
>> -         }
>> -
>> -         /* Fetch NVD META file */
>> --        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
>> -+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
>> -         if (st == FETCH_STATUS_FAIL) {
>> -                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
>> -                 return -1;
>> -         }
>> -
>> -         /* Fetch NVD XML file */
>> --        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
>> -+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
>> -         switch (st) {
>> -         case FETCH_STATUS_FAIL:
>> -                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
>> -@@ -391,7 +392,7 @@ refetch:
>> -         return 0;
>> - }
>> -
>> --bool update_db(bool quiet, const char *db_file)
>> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
>> - {
>> -         autofree(char) *db_dir = NULL;
>> -         autofree(CveDB) *cve_db = NULL;
>> -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
>> -                 if (!quiet)
>> -                         fprintf(stderr, "completed: %u%%\r", start_percent);
>> -                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
>> --                                     start_percent, end_percent);
>> -+                                     start_percent, end_percent,
>> -+                                     cacert_file);
>> -                 switch (rc) {
>> -                 case 0:
>> -                         if (!quiet)
>> -diff --git a/src/update.h b/src/update.h
>> -index b8e9911..ceea0c3 100644
>> ---- a/src/update.h
>> -+++ b/src/update.h
>> -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
>> -
>> - int update_required(const char *db_file);
>> -
>> --bool update_db(bool quiet, const char *db_file);
>> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
>> -
>> -
>> - /*
>> ---
>> -2.1.4
>> -
>> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
>> deleted file mode 100644
>> index 8ea6f686e3f..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
>> +++ /dev/null
>> @@ -1,135 +0,0 @@
>> -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
>> -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
>> -Date: Mon, 26 Sep 2016 12:12:41 +0100
>> -Subject: [PATCH] print progress in percent when downloading CVE db
>> -MIME-Version: 1.0
>> -Content-Type: text/plain; charset=UTF-8
>> -Content-Transfer-Encoding: 8bit
>> -
>> -Upstream-Status: Pending
>> -Signed-off-by: André Draszik <git@andred.net>
>> ----
>> - src/library/fetch.c | 28 +++++++++++++++++++++++++++-
>> - src/library/fetch.h |  3 ++-
>> - src/update.c        | 16 ++++++++++++----
>> - 3 files changed, 41 insertions(+), 6 deletions(-)
>> -
>> -diff --git a/src/library/fetch.c b/src/library/fetch.c
>> -index 06d4b30..0fe6d76 100644
>> ---- a/src/library/fetch.c
>> -+++ b/src/library/fetch.c
>> -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
>> -         return fwrite(ptr, size, nmemb, f->f);
>> - }
>> -
>> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
>> -+struct percent_t {
>> -+        unsigned int start;
>> -+        unsigned int end;
>> -+};
>> -+
>> -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
>> -+{
>> -+        (void) ultotal;
>> -+        (void) ulnow;
>> -+
>> -+        struct percent_t *percent = (struct percent_t *) ptr;
>> -+
>> -+        if (dltotal && percent && percent->end >= percent->start) {
>> -+                unsigned int diff = percent->end - percent->start;
>> -+                if (diff) {
>> -+                        fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
>> -+                }
>> -+        }
>> -+
>> -+        return 0;
>> -+}
>> -+
>> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
>> -+                      unsigned int start_percent, unsigned int end_percent)
>> - {
>> -         FetchStatus ret = FETCH_STATUS_FAIL;
>> -         CURLcode res;
>> -         struct stat st;
>> -         CURL *curl = NULL;
>> -         struct fetch_t *f = NULL;
>> -+        struct percent_t percent = { .start = start_percent, .end = end_percent };
>> -
>> -         curl = curl_easy_init();
>> -         if (!curl) {
>> -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
>> -         }
>> -         if (verbose) {
>> -                 (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
>> -+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
>> -+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
>> -         }
>> -         res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
>> -         if (res != CURLE_OK) {
>> -diff --git a/src/library/fetch.h b/src/library/fetch.h
>> -index 70c3779..4cce5d1 100644
>> ---- a/src/library/fetch.h
>> -+++ b/src/library/fetch.h
>> -@@ -28,7 +28,8 @@ typedef enum {
>> -  * @param verbose Whether to be verbose
>> -  * @return A FetchStatus, indicating the operation taken
>> -  */
>> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
>> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
>> -+                      unsigned int this_percent, unsigned int next_percent);
>> -
>> - /**
>> -  * Attempt to extract the given gzipped file
>> -diff --git a/src/update.c b/src/update.c
>> -index 30fbe96..eaeeefd 100644
>> ---- a/src/update.c
>> -+++ b/src/update.c
>> -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
>> - }
>> -
>> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
>> --                           bool db_exist, bool verbose)
>> -+                           bool db_exist, bool verbose,
>> -+                           unsigned int this_percent, unsigned int next_percent)
>> - {
>> -         const char nvd_uri[] = URI_PREFIX;
>> -         autofree(cve_string) *uri_meta = NULL;
>> -@@ -330,14 +331,14 @@ refetch:
>> -         }
>> -
>> -         /* Fetch NVD META file */
>> --        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
>> -+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
>> -         if (st == FETCH_STATUS_FAIL) {
>> -                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
>> -                 return -1;
>> -         }
>> -
>> -         /* Fetch NVD XML file */
>> --        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
>> -+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
>> -         switch (st) {
>> -         case FETCH_STATUS_FAIL:
>> -                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
>> -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
>> -         for (int i = YEAR_START; i <= year+1; i++) {
>> -                 int y = i > year ? -1 : i;
>> -                 int rc;
>> -+                unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
>> -+                unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
>> -
>> --                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
>> -+                if (!quiet)
>> -+                        fprintf(stderr, "completed: %u%%\r", start_percent);
>> -+                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
>> -+                                     start_percent, end_percent);
>> -                 switch (rc) {
>> -                 case 0:
>> -+                        if (!quiet)
>> -+                                fprintf(stderr,"completed: %u%%\r", end_percent);
>> -                         continue;
>> -                 case ENOMEM:
>> -                         goto oom;
>> ---
>> -2.9.3
>> -
>> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
>> deleted file mode 100644
>> index 458c0cc84e5..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
>> +++ /dev/null
>> @@ -1,52 +0,0 @@
>> -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
>> -From: Sergey Popovich <popovich_sergei@mail.ua>
>> -Date: Fri, 21 Apr 2017 07:32:23 -0700
>> -Subject: [PATCH] update: Compare computed vs expected sha256 digit string
>> - ignoring case
>> -
>> -We produce sha256 digest string using %x snprintf()
>> -qualifier for each byte of digest which uses alphabetic
>> -characters from "a" to "f" in lower case to represent
>> -integer values from 10 to 15.
>> -
>> -Previously all of the NVD META files supply sha256
>> -digest string for corresponding XML file in lower case.
>> -
>> -However due to some reason this changed recently to
>> -provide digest digits in upper case causing fetched
>> -data consistency checks to fail. This prevents database
>> -from being updated periodically.
>> -
>> -While commit c4f6e94 (update: Do not treat sha256 failure
>> -as fatal if requested) adds useful option to skip
>> -digest validation at all and thus provides workaround for
>> -this situation, it might be unacceptable for some
>> -deployments where we need to ensure that downloaded
>> -data is consistent before start parsing it and update
>> -SQLite database.
>> -
>> -Use strcasecmp() to compare two digest strings case
>> -insensitively and addressing this case.
>> -
>> -Upstream-Status: Backport
>> -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
>> ----
>> - src/update.c | 2 +-
>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>> -
>> -diff --git a/src/update.c b/src/update.c
>> -index 8588f38..3cc6b67 100644
>> ---- a/src/update.c
>> -+++ b/src/update.c
>> -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
>> -                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
>> -         }
>> -
>> --        ret = streq(csum_meta, csum_data);
>> -+        ret = !strcasecmp(csum_meta, csum_data);
>> -
>> - err_unmap:
>> -         munmap(buffer, length);
>> ---
>> -2.11.0
>> -
>> diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
>> deleted file mode 100644
>> index 0774ad946a4..00000000000
>> --- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
>> +++ /dev/null
>> @@ -1,51 +0,0 @@
>> -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
>> -From: Khem Raj <raj.khem@gmail.com>
>> -Date: Mon, 22 Aug 2016 22:54:24 -0700
>> -Subject: [PATCH] Check for malloc_trim before using it
>> -
>> -malloc_trim is gnu specific and not all libc
>> -implement it, threfore write a configure check
>> -to poke for it first and use the define to
>> -guard its use.
>> -
>> -Helps in compiling on musl based systems
>> -
>> -Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> ----
>> -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
>> - configure.ac | 2 ++
>> - src/core.c   | 4 ++--
>> - 2 files changed, 4 insertions(+), 2 deletions(-)
>> -
>> -diff --git a/configure.ac b/configure.ac
>> -index d3b66ce..79c3542 100644
>> ---- a/configure.ac
>> -+++ b/configure.ac
>> -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
>> - m4_define([openssl_required_version],[1.0.0])
>> - # TODO: Set minimum sqlite
>> -
>> -+AC_CHECK_FUNCS_ONCE(malloc_trim)
>> -+
>> - PKG_CHECK_MODULES(CVE_CHECK_TOOL,
>> -                  [
>> -                   glib-2.0 >= glib_required_version,
>> -diff --git a/src/core.c b/src/core.c
>> -index 6263031..0d5df29 100644
>> ---- a/src/core.c
>> -+++ b/src/core.c
>> -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
>> -         }
>> -
>> -         b = true;
>> --
>> -+#ifdef HAVE_MALLOC_TRIM
>> -         malloc_trim(0);
>> --
>> -+#endif
>> -         xmlFreeTextReader(r);
>> -         if (fd) {
>> -                 close(fd);
>> ---
>> -2.9.3
>> -
>> --
>> 2.20.1
>>

Patch

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1cf2d..00000000000
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@ 
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
-           file://check-for-malloc_trim-before-using-it.patch \
-           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
-           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
-           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
-           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
-          "
-
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-
-RDEPENDS_${PN} = "ca-certificates"
-
-inherit pkgconfig autotools
-
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-
-do_populate_cve_db() {
-    if [ "${BB_NO_NETWORK}" = "1" ] ; then
-        bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
-        return
-    fi
-
-    # In case we don't inherit cve-check class, use default values defined in the class.
-    cve_dir="${CVE_CHECK_DB_DIR}"
-    cve_file="${CVE_CHECK_TMP_FILE}"
-
-    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
-    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-
-    unused="${@bb.utils.export_proxies(d)}"
-    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-    # --cacert works around curl-native not finding the CA bundle
-    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
-        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
-    else
-        bbwarn "Error in executing cve-check-update"
-        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
-            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
-        fi
-    fi
-}
-
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
deleted file mode 100644
index 4a82cf2dded..00000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
+++ /dev/null
@@ -1,50 +0,0 @@ 
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
-From: Peter Marko <peter.marko@siemens.com>
-Date: Thu, 13 Apr 2017 23:09:52 +0200
-Subject: [PATCH] Fix freeing memory allocated by sqlite
-
-Upstream-Status: Backport
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core.c b/src/core.c
-index 6263031..6788f16 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
--                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
-         
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
--                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
- 
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
--                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
-         if (err) {
--                free(err);
-+                sqlite3_free(err);
-         }
- 
-         return true;
--- 
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1bd26..00000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@ 
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
-
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
- src/library/cve-check-tool.h |  1 +
- src/library/fetch.c          | 10 +++++++++-
- src/library/fetch.h          |  3 ++-
- src/main.c                   |  5 ++++-
- src/update-main.c            |  4 +++-
- src/update.c                 | 12 +++++++-----
- src/update.h                 |  2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
---- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
-     bool bugs;                          /**<Whether bug tracking is enabled */
-     GHashTable *mapping;                /**<CVE Mapping */
-     const char *output_file;            /**<Output file, if any */
-+    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
- 
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
- 
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
--                      unsigned int start_percent, unsigned int end_percent)
-+                      unsigned int start_percent, unsigned int end_percent,
-+                      const char *cacert_file)
- {
-         FetchStatus ret = FETCH_STATUS_FAIL;
-         CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                 return ret;
-         }
- 
-+        if (cacert_file) {
-+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+                if (res != CURLE_OK) {
-+                        goto bail;
-+                }
-+        }
-+
-         if (stat(target, &st) == 0) {
-                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
-                 if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
-  * @return A FetchStatus, indicating the operation taken
-  */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
--                      unsigned int this_percent, unsigned int next_percent);
-+                      unsigned int this_percent, unsigned int next_percent,
-+                      const char *cacert_file);
- 
- /**
-  * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
-         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
-         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
-         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
- 
-         quiet = csv_mode || !no_html;
-         self->output_file = output_file;
-+        self->cacert_file = cacert_file;
- 
-         if (!csv_mode && self->output_file) {
-                 quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
-                 if (status) {
-                         fprintf(stderr, "Update of db forced\n");
-                         cve_db_unlock();
--                        if (!update_db(quiet, db_path->str)) {
-+                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
-                                 fprintf(stderr, "DB update failure\n");
-                                 goto cleanup;
-                         }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
---- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
-         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
-         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
-                 goto end;
-         }
- 
--        if (update_db(_quiet, db_path->str)) {
-+        if (update_db(_quiet, db_path->str, _cacert_file)) {
-                 ret = EXIT_SUCCESS;
-         } else {
-                 fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- 
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-                            bool db_exist, bool verbose,
--                           unsigned int this_percent, unsigned int next_percent)
-+                           unsigned int this_percent, unsigned int next_percent,
-+                           const char *cacert_file)
- {
-         const char nvd_uri[] = URI_PREFIX;
-         autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
-         }
- 
-         /* Fetch NVD META file */
--        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
-         if (st == FETCH_STATUS_FAIL) {
-                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
-                 return -1;
-         }
- 
-         /* Fetch NVD XML file */
--        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
-         switch (st) {
-         case FETCH_STATUS_FAIL:
-                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
-         return 0;
- }
- 
--bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
-         autofree(char) *db_dir = NULL;
-         autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
-                 if (!quiet)
-                         fprintf(stderr, "completed: %u%%\r", start_percent);
-                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
--                                     start_percent, end_percent);
-+                                     start_percent, end_percent,
-+                                     cacert_file);
-                 switch (rc) {
-                 case 0:
-                         if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
---- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
- 
- int update_required(const char *db_file);
- 
--bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
- 
- 
- /*
--- 
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
deleted file mode 100644
index 8ea6f686e3f..00000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
+++ /dev/null
@@ -1,135 +0,0 @@ 
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 26 Sep 2016 12:12:41 +0100
-Subject: [PATCH] print progress in percent when downloading CVE db
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Pending
-Signed-off-by: André Draszik <git@andred.net>
----
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-
- src/library/fetch.h |  3 ++-
- src/update.c        | 16 ++++++++++++----
- 3 files changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 06d4b30..0fe6d76 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
-         return fwrite(ptr, size, nmemb, f->f);
- }
- 
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-+struct percent_t {
-+        unsigned int start;
-+        unsigned int end;
-+};
-+
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
-+{
-+        (void) ultotal;
-+        (void) ulnow;
-+
-+        struct percent_t *percent = (struct percent_t *) ptr;
-+
-+        if (dltotal && percent && percent->end >= percent->start) {
-+                unsigned int diff = percent->end - percent->start;
-+                if (diff) {
-+                        fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
-+                }
-+        }
-+
-+        return 0;
-+}
-+
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+                      unsigned int start_percent, unsigned int end_percent)
- {
-         FetchStatus ret = FETCH_STATUS_FAIL;
-         CURLcode res;
-         struct stat st;
-         CURL *curl = NULL;
-         struct fetch_t *f = NULL;
-+        struct percent_t percent = { .start = start_percent, .end = end_percent };
- 
-         curl = curl_easy_init();
-         if (!curl) {
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-         }
-         if (verbose) {
-                 (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
-         }
-         res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
-         if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 70c3779..4cce5d1 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -28,7 +28,8 @@ typedef enum {
-  * @param verbose Whether to be verbose
-  * @return A FetchStatus, indicating the operation taken
-  */
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+                      unsigned int this_percent, unsigned int next_percent);
- 
- /**
-  * Attempt to extract the given gzipped file
-diff --git a/src/update.c b/src/update.c
-index 30fbe96..eaeeefd 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- }
- 
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
--                           bool db_exist, bool verbose)
-+                           bool db_exist, bool verbose,
-+                           unsigned int this_percent, unsigned int next_percent)
- {
-         const char nvd_uri[] = URI_PREFIX;
-         autofree(cve_string) *uri_meta = NULL;
-@@ -330,14 +331,14 @@ refetch:
-         }
- 
-         /* Fetch NVD META file */
--        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
-+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-         if (st == FETCH_STATUS_FAIL) {
-                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
-                 return -1;
-         }
- 
-         /* Fetch NVD XML file */
--        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
-+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-         switch (st) {
-         case FETCH_STATUS_FAIL:
-                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
-         for (int i = YEAR_START; i <= year+1; i++) {
-                 int y = i > year ? -1 : i;
-                 int rc;
-+                unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
-+                unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
- 
--                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
-+                if (!quiet)
-+                        fprintf(stderr, "completed: %u%%\r", start_percent);
-+                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-+                                     start_percent, end_percent);
-                 switch (rc) {
-                 case 0:
-+                        if (!quiet)
-+                                fprintf(stderr,"completed: %u%%\r", end_percent);
-                         continue;
-                 case ENOMEM:
-                         goto oom;
--- 
-2.9.3
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc84e5..00000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@ 
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
----
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
-                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
-         }
- 
--        ret = streq(csum_meta, csum_data);
-+        ret = !strcasecmp(csum_meta, csum_data);
- 
- err_unmap:
-         munmap(buffer, length);
--- 
-2.11.0
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
deleted file mode 100644
index 0774ad946a4..00000000000
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@ 
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 22 Aug 2016 22:54:24 -0700
-Subject: [PATCH] Check for malloc_trim before using it
-
-malloc_trim is gnu specific and not all libc
-implement it, threfore write a configure check
-to poke for it first and use the define to
-guard its use.
-
-Helps in compiling on musl based systems
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
- configure.ac | 2 ++
- src/core.c   | 4 ++--
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d3b66ce..79c3542 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
- m4_define([openssl_required_version],[1.0.0])
- # TODO: Set minimum sqlite
- 
-+AC_CHECK_FUNCS_ONCE(malloc_trim)
-+
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,
-                  [
-                   glib-2.0 >= glib_required_version,
-diff --git a/src/core.c b/src/core.c
-index 6263031..0d5df29 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
-         }
- 
-         b = true;
--
-+#ifdef HAVE_MALLOC_TRIM
-         malloc_trim(0);
--
-+#endif
-         xmlFreeTextReader(r);
-         if (fd) {
-                 close(fd);
--- 
-2.9.3
-